Changes

Updated libldap TLS certificate checking Updated client tool argument handling Updated test suite Updated liblutil detach handling Added libldap ldap_whoami routines Added liblber ber_flatten2 routine Added liblutil passwd sanity checks Fixed liblber PROTOS bugs Fixed ber_flush debug level Fixed libldap NULL cred bug Build Environment Check back-bdb requirement for BDB 4.1

Changes
Updated libldap TLS certificate checking Updated client tool argument handling Updated test suite Updated liblutil detach handling Added libldap ldap_whoami routines Added liblber ber_flatten2 routine Added liblutil passwd sanity checks Fixed liblber PROTOS bugs Fixed ber_flush debug level Fixed libldap NULL cred bug Build Environment Check back-bdb requirement for BDB 4.1
96e453e9 · Kurt Zeilenga · 626e7bb9 · 96e453e9 · 96e453e9 · 96e453e9
Commit 96e453e9 authored Feb 09, 2003 by Kurt Zeilenga
--- a/CHANGES
+++ b/CHANGES
 OpenLDAP 2.1 Change Log

+OpenLDAP 2.1.13 Engineering
+	Updated libldap TLS certificate checking
+	Updated client tool argument handling
+	Updated test suite
+	Updated liblutil detach handling
+	Added libldap ldap_whoami routines
+	Added liblber ber_flatten2 routine
+	Added liblutil passwd sanity checks
+	Fixed liblber PROTOS bugs
+	Fixed ber_flush debug level
+	Fixed libldap NULL cred bug
+	Build Environment
+		Check back-bdb requirement for BDB 4.1
+
 OpenLDAP 2.1.12 Release
 	Build Environment
 		Update version number

--- a/acconfig.h
+++ b/acconfig.h
@@ -88,12 +88,17 @@
 #	include <stddef.h>
 #endif

+#ifndef LDAP_REL_ENG
+#if (LDAP_VENDOR_VERSION == 000000) && !defined(LDAP_DEVEL)
+#define LDAP_DEVEL
+#endif
 #if defined(LDAP_DEVEL) && !defined(LDAP_TEST)
 #define LDAP_TEST
 #endif
 #if defined(LDAP_TEST) && !defined(LDAP_DEBUG)
 #define LDAP_DEBUG
 #endif
+#endif

 #ifdef HAVE_EBCDIC 
 /* ASCII/EBCDIC converting replacements for stdio funcs

--- a/build/openldap.m4
+++ b/build/openldap.m4
@@ -312,6 +312,8 @@ dnl Try to locate appropriate library
 AC_DEFUN([OL_BERKELEY_DB_LINK],
 [ol_cv_lib_db=no
 OL_BERKELEY_DB_TRY(ol_cv_db_none)
+OL_BERKELEY_DB_TRY(ol_cv_db_db41,[-ldb41])
+OL_BERKELEY_DB_TRY(ol_cv_db_db_41,[-ldb-41])
 OL_BERKELEY_DB_TRY(ol_cv_db_db4,[-ldb4])
 OL_BERKELEY_DB_TRY(ol_cv_db_db_4,[-ldb-4])
 OL_BERKELEY_DB_TRY(ol_cv_db_db,[-ldb])
@@ -433,9 +435,12 @@ AC_DEFUN([OL_BDB_COMPAT],
 #ifndef DB_VERSION_MAJOR
 #	define DB_VERSION_MAJOR 1
 #endif
+#ifndef DB_VERSION_MINOR
+#	define DB_VERSION_MINOR 0
+#endif

 /* require 4.0 or later */
-#if DB_VERSION_MAJOR >= 4 
+#if (DB_VERSION_MAJOR >= 4) && (DB_VERSION_MINOR >= 1)
 	__db_version_compat
 #endif
 	], [ol_cv_bdb_compat=yes], [ol_cv_bdb_compat=no])])

--- a/clients/tools/Makefile.in
+++ b/clients/tools/Makefile.in
@@ -3,13 +3,15 @@
 ## Makefile for LDAP tools
 ##
 SRCS	= ldapsearch.c ldapmodify.c ldapdelete.c ldapmodrdn.c \
-		ldappasswd.c ldapwhoami.c ldapcompare.c
+		ldappasswd.c ldapwhoami.c ldapcompare.c common.c
 OBJS	= ldapsearch.o ldapmodify.o ldapdelete.o ldapmodrdn.o \
-		ldappasswd.o ldapwhoami.o ldapcompare.o
+		ldappasswd.o ldapwhoami.o ldapcompare.o common.o

 LDAP_INCDIR= ../../include       
 LDAP_LIBDIR= ../../libraries

+MKVOPTS = -s
+
 XLIBS =  $(LDAP_LIBLDIF_A) $(LDAP_L)
 XXLIBS	= $(SECURITY_LIBS) $(LDIF_LIBS) $(LUTIL_LIBS)

@@ -21,58 +23,58 @@ PROGRAMS = ldapsearch ldapmodify ldapdelete ldapmodrdn ldapadd \


 ldapsearch:	ldsversion.o
-	$(LTLINK) -o $@ ldapsearch.o ldsversion.o $(LIBS)
+	$(LTLINK) -o $@ ldapsearch.o common.o ldsversion.o $(LIBS)

 ldapmodify:	ldmversion.o
-	$(LTLINK) -o $@ ldapmodify.o ldmversion.o $(LIBS)
+	$(LTLINK) -o $@ ldapmodify.o common.o ldmversion.o $(LIBS)

 ldapdelete:	lddversion.o
-	$(LTLINK) -o $@ ldapdelete.o lddversion.o $(LIBS)
+	$(LTLINK) -o $@ ldapdelete.o common.o lddversion.o $(LIBS)

 ldapmodrdn:	ldrversion.o
-	$(LTLINK) -o $@ ldapmodrdn.o ldrversion.o $(LIBS)
+	$(LTLINK) -o $@ ldapmodrdn.o common.o ldrversion.o $(LIBS)

 ldappasswd:	ldpversion.o
-	$(LTLINK) -o $@ ldappasswd.o ldpversion.o $(LIBS)
+	$(LTLINK) -o $@ ldappasswd.o common.o ldpversion.o $(LIBS)

 ldapwhoami:	ldwversion.o
-	$(LTLINK) -o $@ ldapwhoami.o ldwversion.o $(LIBS)
+	$(LTLINK) -o $@ ldapwhoami.o common.o ldwversion.o $(LIBS)

 ldapcompare: ldcversion.o
-	$(LTLINK) -o $@ ldapcompare.o ldcversion.o $(LIBS)
+	$(LTLINK) -o $@ ldapcompare.o common.o ldcversion.o $(LIBS)

 ldapadd:	ldapmodify
 	@-$(RM) $@$(EXEEXT)
 	$(LN_H) ldapmodify$(EXEEXT) ldapadd$(EXEEXT)


-ldsversion.c: ldapsearch.o $(XLIBS)
+ldsversion.c: ldapsearch.o common.o $(XLIBS)
 	@-$(RM) $@
-	$(MKVERSION) ldapsearch > $@
+	$(MKVERSION) $(MKVOPTS) ldapsearch > $@

-ldmversion.c: ldapmodify.o $(XLIBS)
+ldmversion.c: ldapmodify.o common.o $(XLIBS)
 	@-$(RM) $@
-	$(MKVERSION) ldapmodify > $@
+	$(MKVERSION) $(MKVOPTS) ldapmodify > $@

-lddversion.c: ldapdelete.o $(XLIBS)
+lddversion.c: ldapdelete.o common.o $(XLIBS)
 	@-$(RM) $@
-	$(MKVERSION) ldapdelete > $@
+	$(MKVERSION) $(MKVOPTS) ldapdelete > $@

-ldpversion.c: ldappasswd.o $(XLIBS)
+ldpversion.c: ldappasswd.o common.o $(XLIBS)
 	@-$(RM) $@
-	$(MKVERSION) ldappasswd > $@
+	$(MKVERSION) $(MKVOPTS) ldappasswd > $@

-ldrversion.c: ldapmodrdn.o $(XLIBS)
+ldrversion.c: ldapmodrdn.o common.o $(XLIBS)
 	@-$(RM) $@
-	$(MKVERSION) ldapmodrdn > $@
+	$(MKVERSION) $(MKVOPTS) ldapmodrdn > $@

-ldwversion.c: ldapwhoami.o $(XLIBS)
+ldwversion.c: ldapwhoami.o common.o $(XLIBS)
 	@-$(RM) $@
-	$(MKVERSION) ldapwhoami > $@
+	$(MKVERSION) $(MKVOPTS) ldapwhoami > $@

-ldcversion.c: ldapcompare.o $(XLIBS)
+ldcversion.c: ldapcompare.o common.o $(XLIBS)
 	@-$(RM) $@
-	$(MKVERSION) ldapcompare > $@
+	$(MKVERSION) $(MKVOPTS) ldapcompare > $@


 install-local:	FORCE

--- a/clients/tools/common.c
+++ b/clients/tools/common.c
+/* $OpenLDAP$ */
+/*
+ * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+/* common.c - common routines for the ldap client tools */
+
+#include "portable.h"
+
+#include <stdio.h>
+
+#include <ac/stdlib.h>
+#include <ac/signal.h>
+#include <ac/string.h>
+#include <ac/unistd.h>
+#include <ac/errno.h>
+
+#include <ldap.h>
+
+#include "lutil_ldap.h"
+
+#include "common.h"
+
+
+int   authmethod = -1;
+char *binddn = NULL;
+int   contoper = 0;
+int   debug = 0;
+char *infile = NULL;
+char *ldapuri = NULL;
+char *ldaphost = NULL;
+int   ldapport = 0;
+#ifdef HAVE_CYRUS_SASL
+unsigned sasl_flags = LDAP_SASL_AUTOMATIC;
+char	*sasl_realm = NULL;
+char	*sasl_authc_id = NULL;
+char	*sasl_authz_id = NULL;
+char	*sasl_mech = NULL;
+char	*sasl_secprops = NULL;
+#endif
+int   use_tls = 0;
+
+char *authzid = NULL;
+int   manageDSAit = 0;
+int   noop = 0;
+
+int   not = 0;
+int   want_bindpw = 0;
+struct berval passwd = { 0, NULL };
+char *pw_file = NULL;
+int   referrals = 0;
+int   protocol = -1;
+int   verbose = 0;
+int   version = 0;
+
+/* Set in main() */
+char *prog = NULL;
+
+void
+tool_common_usage( void )
+{
+	static const char *const descriptions[] = {
+"  -c         continuous operation mode (do not stop on errors)\n",
+"  -C         chase referrals\n",
+"  -d level   set LDAP debugging level to `level'\n",
+"  -D binddn  bind DN\n",
+"  -e [!]<ctrl>[=<ctrlparam>] general controls (! indicates criticality)\n"
+"             [!]authzid=<authzid> (\"dn:<dn>\" or \"u:<user>\")\n"
+"             [!]manageDSAit       (alternate form, see -M)\n"
+"             [!]noop\n",
+"  -f file    read operations from `file'\n",
+"  -h host    LDAP server\n",
+"  -H URI     LDAP Uniform Resource Indentifier(s)\n",
+"  -I         use SASL Interactive mode\n",
+"  -k         use Kerberos authentication\n",
+"  -K         like -k, but do only step 1 of the Kerberos bind\n",
+"  -M         enable Manage DSA IT control (-MM to make critical)\n",
+"  -n         show what would be done but don't actually do it\n",
+"  -O props   SASL security properties\n",
+"  -p port    port on LDAP server\n",
+"  -P version procotol version (default: 3)\n",
+"  -Q         use SASL Quiet mode\n",
+"  -R realm   SASL realm\n",
+"  -U authcid SASL authentication identity\n",
+"  -v         run in verbose mode (diagnostics to standard output)\n",
+"  -V         print version info (-VV only)\n",
+"  -w passwd  bind passwd (for simple authentication)\n",
+"  -W         prompt for bind passwd\n",
+"  -x         Simple authentication\n",
+"  -X authzid SASL authorization identity (\"dn:<dn>\" or \"u:<user>\")\n",
+"  -y file    Read passwd from file\n",
+"  -Y mech    SASL mechanism\n",
+"  -Z         Start TLS request (-ZZ to require successful response)\n",
+NULL
+	};
+	const char *const *cpp;
+
+	fputs( "Common options:\n", stderr );
+	for( cpp = descriptions; *cpp != NULL; cpp++ ) {
+		if( strchr( options, (*cpp)[3] ) ) {
+			fputs( *cpp, stderr );
+		}
+	}
+}
+
+
+void
+tool_args( int argc, char **argv )
+{
+	int i;
+    while (( i = getopt( argc, argv, options )) != EOF )
+	{
+		int crit;
+		char *control, *cvalue;
+		switch( i ) {
+		case 'c':	/* continuous operation mode */
+			contoper = 1;
+			break;
+		case 'C':
+			referrals = 1;
+			break;
+		case 'd':
+			debug |= atoi( optarg );
+			break;
+		case 'D':	/* bind DN */
+			if( binddn != NULL ) {
+				fprintf( stderr, "%s: -D previously specified\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			binddn = ber_strdup( optarg );
+			break;
+		case 'e': /* general controls */
+			/* should be extended to support comma separated list of
+			 *	[!]key[=value] parameters, e.g.  -e !foo,bar=567
+			 */
+
+			crit = 0;
+			cvalue = NULL;
+			if( optarg[0] == '!' ) {
+				crit = 1;
+				optarg++;
+			}
+
+			control = ber_strdup( optarg );
+			if ( (cvalue = strchr( control, '=' )) != NULL ) {
+				*cvalue++ = '\0';
+			}
+
+			if ( strcasecmp( control, "authzid" ) == 0 ) {
+				if( authzid != NULL ) {
+					fprintf( stderr, "authzid control previously specified\n");
+					exit( EXIT_FAILURE );
+				}
+				if( cvalue == NULL ) {
+					fprintf( stderr, "authzid: control value expected\n" );
+					usage();
+				}
+				if( !crit ) {
+					fprintf( stderr, "authzid: must be marked critical\n" );
+					usage();
+				}
+
+				assert( authzid == NULL );
+				authzid = cvalue;
+
+			} else if ( strcasecmp( control, "manageDSAit" ) == 0 ) {
+				if( manageDSAit ) {
+					fprintf( stderr,
+					         "manageDSAit control previously specified\n");
+					exit( EXIT_FAILURE );
+				}
+				if( cvalue != NULL ) {
+					fprintf( stderr,
+					         "manageDSAit: no control value expected\n" );
+					usage();
+				}
+
+				manageDSAit = 1 + crit;
+
+			} else if ( strcasecmp( control, "noop" ) == 0 ) {
+				if( noop ) {
+					fprintf( stderr, "noop control previously specified\n");
+					exit( EXIT_FAILURE );
+				}
+				if( cvalue != NULL ) {
+					fprintf( stderr, "noop: no control value expected\n" );
+					usage();
+				}
+
+				noop = 1 + crit;
+
+			} else {
+				fprintf( stderr, "Invalid general control name: %s\n",
+				         control );
+				usage();
+			}
+			break;
+		case 'f':	/* read from file */
+			if( infile != NULL ) {
+				fprintf( stderr, "%s: -f previously specified\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			infile = ber_strdup( optarg );
+			break;
+		case 'h':	/* ldap host */
+			if( ldaphost != NULL ) {
+				fprintf( stderr, "%s: -h previously specified\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			ldaphost = ber_strdup( optarg );
+			break;
+		case 'H':	/* ldap URI */
+			if( ldapuri != NULL ) {
+				fprintf( stderr, "%s: -H previously specified\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			ldapuri = ber_strdup( optarg );
+			break;
+		case 'I':
+#ifdef HAVE_CYRUS_SASL
+			if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+				fprintf( stderr, "%s: incompatible previous "
+						 "authentication choice\n",
+						 prog );
+				exit( EXIT_FAILURE );
+			}
+			authmethod = LDAP_AUTH_SASL;
+			sasl_flags = LDAP_SASL_INTERACTIVE;
+			break;
+#else
+			fprintf( stderr, "%s: was not compiled with SASL support\n",
+					 prog );
+			exit( EXIT_FAILURE );
+#endif
+		case 'k':	/* kerberos bind */
+#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
+			if( authmethod != -1 ) {
+				fprintf( stderr, "%s: -k incompatible with previous "
+						 "authentication choice\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			authmethod = LDAP_AUTH_KRBV4;
+#else
+			fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
+			exit( EXIT_FAILURE );
+#endif
+			break;
+		case 'K':	/* kerberos bind, part one only */
+#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
+			if( authmethod != -1 ) {
+				fprintf( stderr, "%s: incompatible with previous "
+						 "authentication choice\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			authmethod = LDAP_AUTH_KRBV41;
+#else
+			fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
+			exit( EXIT_FAILURE );
+#endif
+			break;
+		case 'M':
+			/* enable Manage DSA IT */
+			manageDSAit = 1;
+			break;
+		case 'n':	/* print operations, don't actually do them */
+			not = 1;
+			break;
+		case 'O':
+#ifdef HAVE_CYRUS_SASL
+			if( sasl_secprops != NULL ) {
+				fprintf( stderr, "%s: -O previously specified\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+				fprintf( stderr, "%s: incompatible previous "
+						 "authentication choice\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			authmethod = LDAP_AUTH_SASL;
+			sasl_secprops = ber_strdup( optarg );
+#else
+			fprintf( stderr, "%s: not compiled with SASL support\n",
+					 prog );
+			exit( EXIT_FAILURE );
+#endif
+			break;
+		case 'p':
+			if( ldapport ) {
+				fprintf( stderr, "%s: -p previously specified\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			ldapport = atoi( optarg );
+			break;
+		case 'P':
+			switch( atoi(optarg) ) {
+			case 2:
+				if( protocol == LDAP_VERSION3 ) {
+					fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
+							 prog, protocol );
+					exit( EXIT_FAILURE );
+				}
+				protocol = LDAP_VERSION2;
+				break;
+			case 3:
+				if( protocol == LDAP_VERSION2 ) {
+					fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
+							 prog, protocol );
+					exit( EXIT_FAILURE );
+				}
+				protocol = LDAP_VERSION3;
+				break;
+			default:
+				fprintf( stderr, "%s: protocol version should be 2 or 3\n",
+						 prog );
+				usage();
+			}
+			break;
+		case 'Q':
+#ifdef HAVE_CYRUS_SASL
+			if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+				fprintf( stderr, "%s: incompatible previous "
+						 "authentication choice\n",
+						 prog );
+				exit( EXIT_FAILURE );
+			}
+			authmethod = LDAP_AUTH_SASL;
+			sasl_flags = LDAP_SASL_QUIET;
+			break;
+#else
+			fprintf( stderr, "%s: not compiled with SASL support\n",
+					 prog );
+			exit( EXIT_FAILURE );
+#endif
+		case 'R':
+#ifdef HAVE_CYRUS_SASL
+			if( sasl_realm != NULL ) {
+				fprintf( stderr, "%s: -R previously specified\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+				fprintf( stderr, "%s: incompatible previous "
+						 "authentication choice\n",
+						 prog );
+				exit( EXIT_FAILURE );
+			}
+			authmethod = LDAP_AUTH_SASL;
+			sasl_realm = ber_strdup( optarg );
+#else
+			fprintf( stderr, "%s: not compiled with SASL support\n",
+					 prog );
+			exit( EXIT_FAILURE );
+#endif
+			break;
+		case 'U':
+#ifdef HAVE_CYRUS_SASL
+			if( sasl_authc_id != NULL ) {
+				fprintf( stderr, "%s: -U previously specified\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+				fprintf( stderr, "%s: incompatible previous "
+						 "authentication choice\n",
+						 prog );
+				exit( EXIT_FAILURE );
+			}
+			authmethod = LDAP_AUTH_SASL;
+			sasl_authc_id = ber_strdup( optarg );
+#else
+			fprintf( stderr, "%s: not compiled with SASL support\n",
+					 prog );
+			exit( EXIT_FAILURE );
+#endif
+			break;
+		case 'v':	/* verbose mode */
+			verbose = 1;
+			break;
+		case 'V':	/* version */
+			version++;
+			break;
+		case 'w':	/* password */
+			passwd.bv_val = ber_strdup( optarg );
+			{
+				char* p;
+
+				for( p = optarg; *p != '\0'; p++ ) {
+					*p = '\0';
+				}
+			}
+			passwd.bv_len = strlen( passwd.bv_val );
+			break;
+		case 'W':
+			want_bindpw = 1;
+			break;
+		case 'y':
+			pw_file = optarg;
+			break;
+		case 'Y':
+#ifdef HAVE_CYRUS_SASL
+			if( sasl_mech != NULL ) {
+				fprintf( stderr, "%s: -Y previously specified\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+				fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			authmethod = LDAP_AUTH_SASL;
+			sasl_mech = ber_strdup( optarg );
+#else
+			fprintf( stderr, "%s: not compiled with SASL support\n",
+					 prog );
+			exit( EXIT_FAILURE );
+#endif
+			break;
+		case 'x':
+			if( authmethod != -1 && authmethod != LDAP_AUTH_SIMPLE ) {
+				fprintf( stderr, "%s: incompatible with previous "
+						 "authentication choice\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			authmethod = LDAP_AUTH_SIMPLE;
+			break;
+		case 'X':
+#ifdef HAVE_CYRUS_SASL
+			if( sasl_authz_id != NULL ) {
+				fprintf( stderr, "%s: -X previously specified\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+				fprintf( stderr, "%s: -X incompatible with "
+						 "authentication choice\n", prog );
+				exit( EXIT_FAILURE );
+			}
+			authmethod = LDAP_AUTH_SASL;
+			sasl_authz_id = ber_strdup( optarg );
+#else
+			fprintf( stderr, "%s: not compiled with SASL support\n", prog );
+			exit( EXIT_FAILURE );
+#endif
+			break;
+		case 'Z':
+#ifdef HAVE_TLS
+			use_tls = 1;
+#else
+			fprintf( stderr, "%s: not compiled with TLS support\n", prog );
+			exit( EXIT_FAILURE );
+#endif
+			break;
+		default:
+			if( handle_private_option( i ) )
+				break;
+			fprintf( stderr, "%s: unrecognized option -%c\n",
+					 prog, optopt );
+			usage();
+		}
+    }
+
+	if (version) {
+		fprintf( stderr, "%s: %s", prog, __Version );
+		if (version > 1) exit( EXIT_SUCCESS );
+	}
+
+	if (protocol == -1)