Commit 164d5c2d authored by Kurt Zeilenga's avatar Kurt Zeilenga

Sync with HEAD

parent bf637ea2
......@@ -38,6 +38,7 @@ OpenLDAP 2.3.8 Release
Fixed slapcat out-of-memory problem (ITS#4010)
Fixed slurpd unrecognized slave names bug (ITS#4012)
Fixed liblber dgram len bug (ITS#4046)
Updated contrib/ldapc++ to avoid deprecated functions
Documentation
Added slapo-valsort(5) man page (ITS#3994)
Added slap tool -F option documentation (ITS#4026)
......@@ -46,6 +47,7 @@ OpenLDAP 2.3.8 Release
Fixed --without-threads build issue (ITS#4006)
Fixed test script exit checks (ITS#4045)
Added test suite parameterized directory support
Updated contrib/ldapc++ build environment
OpenLDAP 2.3.7 Release
Updated slapd ManageDIT support
......
......@@ -244,6 +244,13 @@ the target using the "pseudorootdn" DN.
Note: cleartext credentials must be supplied here; as a consequence,
using the pseudorootdn/pseudorootpw directives is inherently unsafe.
.TP
.B pseudoroot-bind-defer {NO|yes}
This directive, when set to
.BR yes ,
causes the authentication to the remote servers with the pseudo-root
identity to be deferred until actually needed by subsequent operations.
.TP
.B rewrite* ...
The rewrite options are described in the "REWRITING" section.
......
......@@ -689,6 +689,9 @@ ldap_int_sasl_bind(
if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
rc = ld->ld_errno = sasl_err2ldap( saslrc );
#if SASL_VERSION_MAJOR >= 2
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP( sasl_errdetail( ctx ) );
#endif
goto done;
......@@ -710,11 +713,13 @@ ldap_int_sasl_bind(
}
if ( rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS ) {
if( scred && scred->bv_len ) {
/* and server provided us with data? */
Debug( LDAP_DEBUG_TRACE,
"ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
rc, saslrc, scred->bv_len );
if( scred ) {
if ( scred->bv_len ) {
/* and server provided us with data? */
Debug( LDAP_DEBUG_TRACE,
"ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
rc, saslrc, scred->bv_len );
}
ber_bvfree( scred );
}
rc = ld->ld_errno;
......@@ -723,11 +728,13 @@ ldap_int_sasl_bind(
if( rc == LDAP_SUCCESS && saslrc == SASL_OK ) {
/* we're done, no need to step */
if( scred && scred->bv_len ) {
/* but server provided us with data! */
Debug( LDAP_DEBUG_TRACE,
"ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
rc, saslrc, scred->bv_len );
if( scred ) {
if ( scred->bv_len ) {
/* but server provided us with data! */
Debug( LDAP_DEBUG_TRACE,
"ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
rc, saslrc, scred->bv_len );
}
ber_bvfree( scred );
rc = ld->ld_errno = LDAP_LOCAL_ERROR;
goto done;
......@@ -760,6 +767,9 @@ ldap_int_sasl_bind(
if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
ld->ld_errno = sasl_err2ldap( saslrc );
#if SASL_VERSION_MAJOR >= 2
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP( sasl_errdetail( ctx ) );
#endif
rc = ld->ld_errno;
......@@ -771,6 +781,9 @@ ldap_int_sasl_bind(
if ( saslrc != SASL_OK ) {
#if SASL_VERSION_MAJOR >= 2
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP( sasl_errdetail( ctx ) );
#endif
rc = ld->ld_errno = sasl_err2ldap( saslrc );
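Review bot: The three-line free-then-strdup of `ld->ld_error` now appears four times inside ldap_int_sasl_bind (and three more times in tls.c in this same commit); a small helper such as `static void ldap_int_set_error( LDAP *ld, const char *msg ) { LDAP_FREE( ld->ld_error ); ld->ld_error = LDAP_STRDUP( msg ); }` would keep the leak fix in one place and make later call sites harder to get wrong. If LDAP_FREE resolves to ber_memfree, which tolerates NULL, the `if ( ld->ld_error )` guard around each free is redundant as well. ldap_int_sasl_bind starts before the first hunk and continues past the last one, so the remaining `ld_error` assignments in the function cannot be checked from here.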
......
......@@ -753,6 +753,10 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
if ((err = ERR_peek_error())) {
char buf[256];
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(ERR_error_string(err, buf));
#ifdef HAVE_EBCDIC
if ( ld->ld_error ) __etoa(ld->ld_error);
......@@ -1036,7 +1040,10 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get common name from peer certificate.\n",
0, 0, 0 );
ret = LDAP_CONNECT_ERROR;
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: unable to get CN from peer certificate"));
......@@ -1061,12 +1068,15 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
}
if( ret == LDAP_LOCAL_ERROR ) {
Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
"common name in certificate (%s).\n",
name, buf, 0 );
ret = LDAP_CONNECT_ERROR;
ld->ld_error = LDAP_STRDUP(
_("TLS: hostname does not match CN in peer certificate"));
Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
"common name in certificate (%s).\n",
name, buf, 0 );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: hostname does not match CN in peer certificate"));
}
}
X509_free(x);
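Review bot: In the ldap_int_tls_connect hunk the text now stored in `ld->ld_error` is taken from `ERR_peek_error()`, which leaves the entry on OpenSSL's per-thread error queue; unless the queue is drained elsewhere, a later TLS failure on the same thread can report this same stale entry, so `ERR_get_error()` (or an `ERR_clear_error()` once the message has been captured) would be safer. The `char buf[256]` passed to ERR_error_string is the documented minimum size, so that part is fine. Both ldap_int_tls_connect and ldap_pvt_tls_check_hostname begin outside their hunks.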
......
......@@ -140,6 +140,13 @@ ldap_ld_free(
ld->ld_options.ldo_defludp = NULL;
}
#ifdef LDAP_CONNECTIONLESS
if ( ld->ld_options.ldo_peer != NULL ) {
LDAP_FREE( ld->ld_options.ldo_peer );
ld->ld_options.ldo_peer = NULL;
}
#endif
if ( ld->ld_options.ldo_tm_api != NULL ) {
LDAP_FREE( ld->ld_options.ldo_tm_api );
ld->ld_options.ldo_tm_api = NULL;
......
......@@ -67,7 +67,7 @@ lutil_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
csntime = t;
csnop = 0;
}
op = ++csnop;
op = csnop++;
#ifdef HAVE_GMTIME_R
ltm = gmtime_r( &t, &ltm_buf );
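Review bot: `op = csnop++;` changes the sequence number of the first CSN generated within a new second from 1 to 0 (csnop is reset to 0 in the rollover block just above), which is a visible change in the emitted CSN strings and deserves a comment, e.g. `/* op counter is 0-based: the first CSN within a second carries 000000 */`. lutil_csnstr starts before the hunk, so whether csntime/csnop are file-scope state and whether callers serialize access to them cannot be seen here; if they are shared across threads without a lock, this read-modify-write would need one.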
......
......@@ -312,14 +312,17 @@ meta_back_retry(
extern void
meta_back_conn_free(
metaconn_t *mc );
void *v_mc );
extern int
meta_back_init_one_conn(
Operation *op,
SlapReply *rs,
metatarget_t *mt,
metaconn_t *mc,
metasingleconn_t *msc,
int ispriv,
int isauthz,
ldap_back_send_t sendok );
extern int
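Review bot: The two new `int` parameters of meta_back_init_one_conn, `ispriv` and `isauthz`, sit next to each other and every caller in this commit derives them as `LDAP_BACK_CONN_ISPRIV( mc )` and `candidate == mc->mc_authz_target`; nothing in the prototype says what each controls, so a transposed pair at a future call site would compile silently. A per-parameter comment in the header would help, e.g. `int ispriv,   /* bind to the target with its pseudorootdn/pseudorootpw */` and `int isauthz,  /* target is mc->mc_authz_target: bind as the (rewritten) client DN */`, matching what the conn.c hunk does with them.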
......
......@@ -391,7 +391,9 @@ retry:;
/* mc here must be the regular mc,
* reset and ready for init */
rc = meta_back_init_one_conn( op, rs,
mt, msc, LDAP_BACK_DONTSEND );
mt, mc, msc, LDAP_BACK_CONN_ISPRIV( mc ),
candidate == mc->mc_authz_target,
LDAP_BACK_DONTSEND );
} else {
/* can't do anything about it */
......@@ -567,7 +569,10 @@ retry:;
/* mc here must be the regular mc,
* reset and ready for init */
rc = meta_back_init_one_conn( op, rs,
mt, msc, LDAP_BACK_DONTSEND );
mt, mc, msc,
LDAP_BACK_CONN_ISPRIV( mc ),
candidate == mc->mc_authz_target,
LDAP_BACK_DONTSEND );
} else {
......
......@@ -176,27 +176,6 @@ metaconn_alloc(
return mc;
}
/*
* meta_back_conn_free
*
* clears a metaconn
*/
void
meta_back_conn_free(
metaconn_t *mc )
{
assert( mc != NULL );
assert( mc->mc_refcnt == 0 );
if ( !BER_BVISNULL( &mc->mc_local_ndn ) ) {
free( mc->mc_local_ndn.bv_val );
}
ldap_pvt_thread_mutex_destroy( &mc->mc_mutex );
free( mc );
}
static void
meta_back_freeconn(
Operation *op,
......@@ -225,7 +204,10 @@ meta_back_init_one_conn(
Operation *op,
SlapReply *rs,
metatarget_t *mt,
metaconn_t *mc,
metasingleconn_t *msc,
int ispriv,
int isauthz,
ldap_back_send_t sendok )
{
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
......@@ -367,32 +349,54 @@ retry:;
/*
* If the connection DN is not null, an attempt to rewrite it is made
*/
if ( !BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
dc.target = mt;
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "bindDN";
/*
* Rewrite the bind dn if needed
*/
if ( ldap_back_dn_massage( &dc, &op->o_conn->c_dn,
&msc->msc_bound_ndn ) )
{
goto error_return;
}
/* copy the DN idf needed */
if ( msc->msc_bound_ndn.bv_val == op->o_conn->c_dn.bv_val ) {
ber_dupbv( &msc->msc_bound_ndn, &op->o_conn->c_dn );
if ( ispriv ) {
if ( !BER_BVISNULL( &mt->mt_pseudorootdn ) ) {
ber_dupbv( &msc->msc_bound_ndn, &mt->mt_pseudorootdn );
if ( !BER_BVISNULL( &mt->mt_pseudorootpw ) ) {
ber_dupbv( &msc->msc_cred, &mt->mt_pseudorootpw );
}
} else {
ber_str2bv( "", 0, 1, &msc->msc_bound_ndn );
}
assert( !BER_BVISNULL( &msc->msc_bound_ndn ) );
LDAP_BACK_CONN_ISPRIV_SET( msc );
} else {
ber_str2bv( "", 0, 1, &msc->msc_bound_ndn );
BER_BVZERO( &msc->msc_cred );
BER_BVZERO( &msc->msc_bound_ndn );
if ( !BER_BVISEMPTY( &op->o_ndn )
&& SLAP_IS_AUTHZ_BACKEND( op )
&& isauthz )
{
dc.target = mt;
dc.conn = op->o_conn;
dc.rs = rs;
dc.ctx = "bindDN";
/*
* Rewrite the bind dn if needed
*/
if ( ldap_back_dn_massage( &dc, &op->o_conn->c_dn,
&msc->msc_bound_ndn ) )
{
ldap_unbind_ext_s( msc->msc_ld, NULL, NULL );
goto error_return;
}
/* copy the DN idf needed */
if ( msc->msc_bound_ndn.bv_val == op->o_conn->c_dn.bv_val ) {
ber_dupbv( &msc->msc_bound_ndn, &op->o_conn->c_dn );
}
} else {
ber_str2bv( "", 0, 1, &msc->msc_bound_ndn );
}
}
assert( !BER_BVISNULL( &msc->msc_bound_ndn ) );
LDAP_BACK_CONN_ISBOUND_CLEAR( msc );
error_return:;
......@@ -450,7 +454,9 @@ retry_lock:;
( void )rewrite_session_delete( mt->mt_rwmap.rwm_rw, op->o_conn );
/* mc here must be the regular mc, reset and ready for init */
rc = meta_back_init_one_conn( op, rs, mt, msc, sendok );
rc = meta_back_init_one_conn( op, rs, mt, mc, msc,
LDAP_BACK_CONN_ISPRIV( mc ),
candidate == mc->mc_authz_target, sendok );
if ( rc == LDAP_SUCCESS ) {
rc = meta_back_single_dobind( op, rs, mc, candidate,
......@@ -781,27 +787,13 @@ meta_back_getconn(
* also init'd
*/
candidates[ i ].sr_err = meta_back_init_one_conn( op,
rs, mt, msc, sendok );
rs, mt, mc, msc,
LDAP_BACK_CONN_ISPRIV( &mc_curr ),
i == mc->mc_authz_target, sendok );
if ( candidates[ i ].sr_err == LDAP_SUCCESS ) {
candidates[ i ].sr_tag = META_CANDIDATE;
ncandidates++;
if ( LDAP_BACK_CONN_ISPRIV( &mc_curr ) ) {
ber_dupbv( &msc->msc_cred, &mt->mt_pseudorootpw );
ber_dupbv( &msc->msc_bound_ndn, &mt->mt_pseudorootdn );
LDAP_BACK_CONN_ISPRIV_SET( msc );
} else {
BER_BVZERO( &msc->msc_cred );
BER_BVZERO( &msc->msc_bound_ndn );
if ( !BER_BVISEMPTY( &op->o_ndn )
&& SLAP_IS_AUTHZ_BACKEND( op )
&& i == mc->mc_authz_target )
{
ber_dupbv( &msc->msc_bound_ndn, &op->o_ndn );
}
}
} else {
/*
......@@ -941,7 +933,9 @@ meta_back_getconn(
* also init'd. In case of error, meta_back_init_one_conn
* sends the appropriate result.
*/
err = meta_back_init_one_conn( op, rs, mt, msc, sendok );
err = meta_back_init_one_conn( op, rs, mt, mc, msc,
LDAP_BACK_CONN_ISPRIV( &mc_curr ),
i == mc->mc_authz_target, sendok );
if ( err != LDAP_SUCCESS ) {
/*
* FIXME: in case one target cannot
......@@ -967,22 +961,6 @@ meta_back_getconn(
*candidate = i;
}
if ( LDAP_BACK_CONN_ISPRIV( &mc_curr ) ) {
ber_dupbv( &msc->msc_cred, &mt->mt_pseudorootpw );
ber_dupbv( &msc->msc_bound_ndn, &mt->mt_pseudorootdn );
LDAP_BACK_CONN_ISPRIV_SET( msc );
} else {
BER_BVZERO( &msc->msc_cred );
BER_BVZERO( &msc->msc_bound_ndn );
if ( !BER_BVISEMPTY( &op->o_ndn )
&& SLAP_IS_AUTHZ_BACKEND( op )
&& i == mc->mc_authz_target )
{
ber_dupbv( &msc->msc_bound_ndn, &op->o_ndn );
}
}
/*
* if no unique candidate ...
*/
......@@ -1012,28 +990,15 @@ meta_back_getconn(
* also init'd
*/
int lerr = meta_back_init_one_conn( op, rs,
mt, msc, sendok );
mt, mc, msc,
LDAP_BACK_CONN_ISPRIV( &mc_curr ),
i == mc->mc_authz_target,
sendok );
if ( lerr == LDAP_SUCCESS ) {
candidates[ i ].sr_tag = META_CANDIDATE;
candidates[ i ].sr_err = LDAP_SUCCESS;
ncandidates++;
if ( LDAP_BACK_CONN_ISPRIV( &mc_curr ) ) {
ber_dupbv( &msc->msc_cred, &mt->mt_pseudorootpw );
ber_dupbv( &msc->msc_bound_ndn, &mt->mt_pseudorootdn );
LDAP_BACK_CONN_ISPRIV_SET( msc );
} else {
BER_BVZERO( &msc->msc_cred );
BER_BVZERO( &msc->msc_bound_ndn );
if ( !BER_BVISEMPTY( &op->o_ndn )
&& SLAP_IS_AUTHZ_BACKEND( op )
&& i == mc->mc_authz_target )
{
ber_dupbv( &msc->msc_bound_ndn, &op->o_ndn );
}
}
Debug( LDAP_DEBUG_TRACE, "%s: meta_back_init_one_conn(%d)\n",
op->o_log_prefix, i, 0 );
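Review bot: In the meta_back_init_one_conn hunk, the new error path calls `ldap_unbind_ext_s( msc->msc_ld, NULL, NULL )` and jumps to error_return without clearing the handle, so `msc->msc_ld` is left pointing at a freed LDAP structure; add `msc->msc_ld = NULL;` right after the unbind unless the code past error_return (outside this hunk) is known to reset it. The guard on the authz path tests `op->o_ndn`, but the DN that is massaged and stored in `msc_bound_ndn` is `op->o_conn->c_dn`, whereas the lines removed from meta_back_getconn bound with `op->o_ndn`; when a proxied-authorization identity differs from the connection identity the remote bind now uses the latter — if that is intended it needs a comment, otherwise massage `op->o_ndn`. In the privileged branch `msc_cred` is assigned only when `mt_pseudorootpw` is set and is otherwise left untouched, while the other branch zeroes it with BER_BVZERO; zeroing both fields before the branch would avoid carrying a stale credential through the reset-and-retry callers. meta_back_init_one_conn continues outside the hunk.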
......
......@@ -126,13 +126,20 @@ meta_back_db_open(
return 0;
}
static void
conn_free(
void
meta_back_conn_free(
void *v_mc )
{
metaconn_t *mc = v_mc;
int i, ntargets;
assert( mc != NULL );
assert( mc->mc_refcnt == 0 );
if ( !BER_BVISNULL( &mc->mc_local_ndn ) ) {
free( mc->mc_local_ndn.bv_val );
}
assert( mc->mc_conns != NULL );
/* at least one must be present... */
......@@ -156,6 +163,7 @@ conn_free(
}
}
ldap_pvt_thread_mutex_destroy( &mc->mc_mutex );
free( mc );
}
......@@ -220,7 +228,7 @@ meta_back_db_destroy(
ldap_pvt_thread_mutex_lock( &mi->mi_conn_mutex );
if ( mi->mi_conntree ) {
avl_free( mi->mi_conntree, conn_free );
avl_free( mi->mi_conntree, meta_back_conn_free );
}
/*
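Review bot: meta_back_conn_free is now exported with a `void *v_mc` parameter so it can be handed to avl_free, which gives up type checking at every direct caller in the other back-meta files this commit touches; keeping the typed `metaconn_t *mc` signature and adding a file-local adapter for the tree walk, `static void conn_free_cb( void *v ) { meta_back_conn_free( v ); }`, would preserve both. The `assert( mc->mc_refcnt == 0 )` now runs for every cached connection during meta_back_db_destroy; if a connection can still be referenced at shutdown, an NDEBUG build frees it while in use, so a Debug message for the non-zero case would make that visible instead of silently relying on the assert. The body of meta_back_conn_free is split across two hunks here.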
......
......@@ -231,7 +231,7 @@ backsql_add_sysmaps( backsql_info *bi, backsql_oc_map_rec *oc_map )
snprintf( tmp, sizeof(tmp),
"DELETE FROM ldap_entry_objclasses "
"WHERE entry_id=(SELECT id FROM ldap_entries "
"WHERE oc_map_id=%lu"
"WHERE oc_map_id=%lu "
"AND keyval=?) AND oc_name=?",
oc_map->bom_id );
at_map->bam_delete_proc = ch_strdup( tmp );
......
......@@ -614,7 +614,13 @@ select_backend(
continue;
}
} else {
b2 = be;
/* If any parts of the tree are glued, use the first
* match regardless of manageDSAit. Otherwise use the
* last match.
*/
if( !( SLAP_DBFLAGS( be ) & ( SLAP_DBFLAG_GLUE_INSTANCE |
SLAP_DBFLAG_GLUE_SUBORDINATE )))
b2 = be;
}
return b2;
}
......
......@@ -868,6 +868,7 @@ overlay_config( BackendDB *be, const char *ov )
oi = ch_malloc( sizeof( slap_overinfo ) );
oi->oi_orig = be->bd_info;
oi->oi_bi = *be->bd_info;
oi->oi_origdb = be;
/* NOTE: the first time a global overlay is configured,
* frontendDB gets this flag; it is used later by overlays
......
......@@ -654,30 +654,41 @@ static Entry *accesslog_entry( Operation *op, int logop ) {
log_info *li = on->on_bi.bi_private;
char rdnbuf[STRLENOF(RDNEQ)+LDAP_LUTIL_GENTIME_BUFSIZE+8];
struct berval rdn, timestamp, bv;
char nrdnbuf[STRLENOF(RDNEQ)+LDAP_LUTIL_GENTIME_BUFSIZE+8];
struct berval rdn, nrdn, timestamp, ntimestamp, bv;
slap_verbmasks *lo = logops+logop+EN_OFFSET;
Entry *e = ch_calloc( 1, sizeof(Entry) );
strcpy( rdnbuf, RDNEQ );
rdn.bv_val = rdnbuf;
strcpy( nrdnbuf, RDNEQ );
nrdn.bv_val = nrdnbuf;
timestamp.bv_val = rdnbuf+STRLENOF(RDNEQ);
timestamp.bv_len = sizeof(rdnbuf) - STRLENOF(RDNEQ);
slap_timestamp( &op->o_time, &timestamp );
if ( op->o_tincr ) {
sprintf( timestamp.bv_val + timestamp.bv_len-1, ".%06dZ", op->o_tincr );
timestamp.bv_len += 7;
}
sprintf( timestamp.bv_val + timestamp.bv_len-1, ".%06dZ", op->o_tincr );
timestamp.bv_len += 7;
rdn.bv_len = STRLENOF(RDNEQ)+timestamp.bv_len;
ad_reqStart->ad_type->sat_equality->smr_normalize(
SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, ad_reqStart->ad_type->sat_syntax,
ad_reqStart->ad_type->sat_equality, &timestamp, &ntimestamp,
op->o_tmpmemctx );
strcpy( nrdn.bv_val + STRLENOF(RDNEQ), ntimestamp.bv_val );
nrdn.bv_len += ntimestamp.bv_len;
build_new_dn( &e->e_name, li->li_db->be_suffix, &rdn, NULL );
build_new_dn( &e->e_nname, li->li_db->be_nsuffix, &rdn, NULL );
build_new_dn( &e->e_nname, li->li_db->be_nsuffix, &nrdn, NULL );
attr_merge_one( e, slap_schema.si_ad_objectClass,
&log_ocs[logop]->soc_cname, NULL );
attr_merge_one( e, slap_schema.si_ad_structuralObjectClass,
&log_ocs[logop]->soc_cname, NULL );
attr_merge_one( e, ad_reqStart, &timestamp, NULL );
attr_merge_one( e, ad_reqStart, &timestamp, &ntimestamp );
op->o_tmpfree( ntimestamp.bv_val, op->o_tmpmemctx );
/* Exops have OID appended */
if ( logop == LOG_EN_EXTENDED ) {
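Review bot: `nrdn.bv_len += ntimestamp.bv_len;` adds to a field that, as far as this hunk shows, is never initialized — `nrdn` is declared alongside the other bervals and only its `bv_val` is assigned before this point — so `e_nname` is built from an indeterminate length; it should mirror the rdn line: `nrdn.bv_len = STRLENOF(RDNEQ) + ntimestamp.bv_len;`. The `sprintf( ..., ".%06dZ", op->o_tincr )` is now unconditional and unbounded, so an o_tincr above 999999 writes more than the seven extra bytes the code accounts for into rdnbuf; an snprintf limited to the remaining space, or a comment stating why o_tincr is bounded, would make that explicit. The smr_normalize return value is also unchecked before `ntimestamp.bv_val` is handed to strcpy. accesslog_entry continues outside the hunk.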
......
......@@ -347,6 +347,7 @@ static int unique_search(
nop->o_req_ndn = ud->dn;
nop->o_ndn = op->o_bd->be_rootndn;
nop->o_bd = on->on_info->oi_origdb;
rc = nop->o_bd->be_search(nop, &nrs);
filter_free_x(nop, nop->ors_filter);
ch_free( key );
......@@ -384,21 +385,8 @@ static int unique_add(
Debug(LDAP_DEBUG_TRACE, "==> unique_add <%s>\n", op->o_req_dn.bv_val, 0, 0);
/* validate backend. Should have already been done, but whatever */
nop.o_bd = select_backend(&ud->dn, 0, 1);
if(nop.o_bd) {
if (!nop.o_bd->be_search) {
op->o_bd->bd_info = (BackendInfo *) on->on_info;
send_ldap_error(op, rs, LDAP_UNWILLING_TO_PERFORM,
"backend missing search function");
return(rs->sr_err);
}
} else {
op->o_bd->bd_info = (BackendInfo *) on->on_info;
send_ldap_error(op, rs, LDAP_OTHER,
"no known backend? this shouldn't be happening!");
return(rs->sr_err);
}
if ( !dnIsSuffix( &op->o_req_ndn, &ud->dn ))
return SLAP_CB_CONTINUE;
/*
** count everything first;
......@@ -447,20 +435,8 @@ static int unique_modify(
Debug(LDAP_DEBUG_TRACE, "==> unique_modify <%s>\n", op->o_req_dn.bv_val, 0, 0);
nop.o_bd = select_backend(&ud->dn, 0, 1);
if(nop.o_bd) {
if (!nop.o_bd->be_search) {
op->o_bd->bd_info = (BackendInfo *) on->on_info;
send_ldap_error(op, rs, LDAP_UNWILLING_TO_PERFORM,
"backend missing search function");
return(rs->sr_err);
}
} else {
op->o_bd->bd_info = (BackendInfo *) on->on_info;
send_ldap_error(op, rs, LDAP_OTHER,
"no known backend? this shouldn't be happening!");
return(rs->sr_err);
}
if ( !dnIsSuffix( &op->o_req_ndn, &ud->dn ))
return SLAP_CB_CONTINUE;
/*
** count everything first;
......@@ -513,20 +489,9 @@ static int unique_modrdn(