Commit bd7675b5 authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount

Merge remote-tracking branch 'origin/master' into OPENLDAP_REL_ENG_2_5

parents 8eb5d579 05e07805
......@@ -1451,7 +1451,7 @@ dnssrv_free:;
ldap_get_option( ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*)&msg);
tool_perror( "ldap_start_tls", rc, NULL, NULL, msg, NULL );
ldap_memfree(msg);
if ( use_tls > 1 ) {
if ( use_tls > 1 || rc < 0 ) {
tool_exit( ld, EXIT_FAILURE );
}
}
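Review bot: The new condition `if ( use_tls > 1 || rc < 0 ) {` folds two different policies into one line with no comment, and the enclosing function starts before the hunk. As far as the visible lines show, a negative rc (a local libldap failure of ldap_start_tls) now always aborts, while a non-negative rc (presumably a server-side result code refusing StartTLS) is still tolerated unless use_tls is greater than 1, which appears to be the -ZZ case; that distinction should be stated where the reader meets it. Suggest `/* rc < 0: local TLS failure, never continue in the clear; rc > 0: server refused StartTLS, fatal only when TLS was required */` directly above the if.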
......
#! /bin/sh
# From configure.in Id: c4f9dbe3dd538f85d7a57f40fe1d492df83dfb4a .
# From configure.in Id: 0bbce5af379c511773e159a09a441aacf8a15fe7 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69.
#
......@@ -854,6 +854,7 @@ BUILD_SLAPI
BUILD_SLAPD
BUILD_LIBS_DYNAMIC
BUILD_THREAD
BUILD_REWRITE
WITH_ACI_ENABLED
WITH_MODULES_ENABLED
WITH_TLS
......@@ -5118,6 +5119,7 @@ SLAPD_LIBS=
 
BUILD_SLAPD=no
 
BUILD_REWRITE=no
BUILD_THREAD=no
 
BUILD_SLAPI=no
......@@ -6956,7 +6958,7 @@ ia64-*-hpux*)
;;
*-*-irix6*)
# Find out which ABI we are using.
echo '#line 6959 "configure"' > conftest.$ac_ext
echo '#line 6961 "configure"' > conftest.$ac_ext
if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
(eval $ac_compile) 2>&5
ac_status=$?
......@@ -8636,11 +8638,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:8639: $lt_compile\"" >&5)
(eval echo "\"\$as_me:8641: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
echo "$as_me:8643: \$? = $ac_status" >&5
echo "$as_me:8645: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
......@@ -8898,11 +8900,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:8901: $lt_compile\"" >&5)
(eval echo "\"\$as_me:8903: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
echo "$as_me:8905: \$? = $ac_status" >&5
echo "$as_me:8907: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
......@@ -8960,11 +8962,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:8963: $lt_compile\"" >&5)
(eval echo "\"\$as_me:8965: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
echo "$as_me:8967: \$? = $ac_status" >&5
echo "$as_me:8969: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
......@@ -10832,7 +10834,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
#line 10835 "configure"
#line 10837 "configure"
#include "confdefs.h"
 
#if HAVE_DLFCN_H
......@@ -10930,7 +10932,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
#line 10933 "configure"
#line 10935 "configure"
#include "confdefs.h"
 
#if HAVE_DLFCN_H
......@@ -23718,6 +23720,7 @@ fi
 
 
 
 
 
# Check whether --with-xxinstall was given.
......
......@@ -528,6 +528,7 @@ SLAPD_LIBS=
BUILD_SLAPD=no
BUILD_REWRITE=no
BUILD_THREAD=no
BUILD_SLAPI=no
......@@ -3042,6 +3043,7 @@ AC_SUBST(WITH_SASL)
AC_SUBST(WITH_TLS)
AC_SUBST(WITH_MODULES_ENABLED)
AC_SUBST(WITH_ACI_ENABLED)
AC_SUBST(BUILD_REWRITE)
AC_SUBST(BUILD_THREAD)
AC_SUBST(BUILD_LIBS_DYNAMIC)
......
......@@ -12,8 +12,11 @@ CC = gcc
OPT = -g -O2 -Wall
#DEFS = -DSLAPD_PBKDF2_DEBUG
INCS = $(LDAP_INC)
LIBS = $(LDAP_LIB) -lcrypto
SSL_INC =
SSL_LIB = -lcrypto
INCS = $(LDAP_INC) $(SSL_INC)
LIBS = $(LDAP_LIB) $(SSL_LIB)
PROGRAMS = pw-pbkdf2.la
MANPAGES = slapd-pw-pbkdf2.5
......
.TH SLAPO-PW-PBKDF2 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.TH SLAPD-PW-PBKDF2 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2015-2020 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
slapo-pw-pbkdf2 \- PBKDF2 password module to slapd
slapd-pw-pbkdf2 \- PBKDF2 password module to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.RS
......
......@@ -203,14 +203,16 @@ if defined, selects what
identities are authorized to exploit the identity assertion feature.
The string
.B <authz-regexp>
follows the rules defined for the
mostly follows the rules defined for the
.I authzFrom
attribute.
See
.BR slapd.conf (5),
section related to
.BR authz\-policy ,
for details on the syntax of this field.
for details on the syntax of this field. This parameter differs from
the documented behavior in relation to the meaning of *, which in this
case allows anonymous rather than denies.
.HP
.hy 0
......
......@@ -149,9 +149,17 @@ tlsg_getfile( const char *path, gnutls_datum_t *buf )
{
int rc = -1, fd;
struct stat st;
char ebuf[128];
fd = open( path, O_RDONLY );
if ( fd >= 0 && fstat( fd, &st ) == 0 ) {
if ( fd < 0 ) {
Debug2( LDAP_DEBUG_ANY,
"TLS: opening `%s' failed: %s\n",
path,
AC_STRERROR_R( errno, ebuf, sizeof ebuf ));
return -1;
}
if ( fstat( fd, &st ) == 0 ) {
buf->size = st.st_size;
buf->data = LDAP_MALLOC( st.st_size + 1 );
if ( buf->data ) {
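Review bot: The new diagnostic only covers a failed open(); the `if ( fstat( fd, &st ) == 0 ) {` branch is still silent when fstat fails, so a path that opens but cannot be stat'ed keeps producing an opaque failure. tlsg_getfile continues past the hunk, so the fstat-failure branch is not visible; if it carries no message, mirror the new one with `Debug2( LDAP_DEBUG_ANY, "TLS: fstat of %s failed: %s\n", path, AC_STRERROR_R( errno, ebuf, sizeof ebuf ));` placed before fd is closed so errno is still the fstat value. A one-line comment above the function stating that on success `buf->data` is owned by the caller and released with LDAP_FREE, as the callers in tlsg_ctx_init do in this commit, would also help.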
......@@ -196,8 +204,21 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
ctx->cred,
lt->lt_cacertfile,
GNUTLS_X509_FMT_PEM );
if ( rc < 0 ) return -1;
if ( rc < 0 ) {
Debug3( LDAP_DEBUG_ANY,
"TLS: could not use CA certificate file `%s': %s (%d)\n",
lo->ldo_tls_cacertfile,
gnutls_strerror( rc ),
rc );
return -1;
} else if ( rc == 0 ) {
Debug1( LDAP_DEBUG_ANY,
"TLS: warning: no certificate loaded from CA certificate file `%s'.\n",
lo->ldo_tls_cacertfile );
/* only warn, no return */
}
}
if (lo->ldo_tls_cacert.bv_val != NULL ) {
gnutls_datum_t buf;
buf.data = (unsigned char *)lo->ldo_tls_cacert.bv_val;
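Review bot: Both new messages report `lo->ldo_tls_cacertfile`, while the file actually handed to gnutls three lines above is `lt->lt_cacertfile`, and the other hunks in this function log `lt->lt_keyfile` and `lt->lt_certfile`. If the two can differ (lt looks like the resolved per-context copy, but that is not visible here), the log would name a path other than the one that failed; suggest `lt->lt_cacertfile` in both Debug calls for consistency with the rest of tlsg_ctx_init. The `rc == 0` warning is a worthwhile addition, since a CA file that loads zero certificates leaves the trust store empty without any other visible symptom. tlsg_ctx_init begins before the hunk.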
......@@ -206,7 +227,13 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
ctx->cred,
&buf,
GNUTLS_X509_FMT_DER );
if ( rc < 0 ) return -1;
if ( rc < 0 ) {
Debug2( LDAP_DEBUG_ANY,
"TLS: could not use CA certificate: %s (%d)\n",
gnutls_strerror( rc ),
rc );
return -1;
}
}
if (( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) ||
......@@ -231,12 +258,23 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
GNUTLS_X509_FMT_DER );
} else {
rc = tlsg_getfile( lt->lt_keyfile, &buf );
if ( rc ) return -1;
if ( rc ) {
Debug1( LDAP_DEBUG_ANY,
"TLS: could not use private key file `%s`.\n",
lt->lt_keyfile);
return -1;
}
rc = gnutls_x509_privkey_import( key, &buf,
GNUTLS_X509_FMT_PEM );
LDAP_FREE( buf.data );
}
if ( rc < 0 ) return rc;
if ( rc < 0 ) {
Debug2( LDAP_DEBUG_ANY,
"TLS: could not use private key: %s (%d)\n",
gnutls_strerror( rc ),
rc );
return rc;
}
if ( lo->ldo_tls_cert.bv_val ) {
buf.data = (unsigned char *)lo->ldo_tls_cert.bv_val;
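Review bot: The message `"TLS: could not use private key file `%s`.\n"` closes the quoted path with a second backtick, whereas every other message in this function and the one added to tlsg_getfile use the `%s' form; the certificate-file message in the next hunk has the same quoting. Anyone filtering the log on the established pattern would miss these two lines, so align them. When open() was the failing call, tlsg_getfile has already logged the path with errno, so this is the second line for the same event; that is acceptable, but keeping the wording parallel makes the pair easy to read together. The enclosing function starts and ends outside the hunk.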
......@@ -245,12 +283,23 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
GNUTLS_X509_FMT_DER, 0 );
} else {
rc = tlsg_getfile( lt->lt_certfile, &buf );
if ( rc ) return -1;
if ( rc ) {
Debug1( LDAP_DEBUG_ANY,
"TLS: could not use certificate file `%s`.\n",
lt->lt_certfile);
return -1;
}
rc = gnutls_x509_crt_list_import( certs, &max, &buf,
GNUTLS_X509_FMT_PEM, 0 );
LDAP_FREE( buf.data );
}
if ( rc < 0 ) return rc;
if ( rc < 0 ) {
Debug2( LDAP_DEBUG_ANY,
"TLS: could not use certificate: %s (%d)\n",
gnutls_strerror( rc ),
rc );
return rc;
}
/* If there's only one cert and it's not self-signed,
* then we have to build the cert chain.
......@@ -267,7 +316,13 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
}
}
rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
if ( rc ) return -1;
if ( rc ) {
Debug2( LDAP_DEBUG_ANY,
"TLS: could not use certificate with key: %s (%d)\n",
gnutls_strerror( rc ),
rc );
return -1;
}
} else if (( lo->ldo_tls_certfile || lo->ldo_tls_keyfile )) {
Debug0( LDAP_DEBUG_ANY,
"TLS: only one of certfile and keyfile specified\n" );
......
......@@ -14,6 +14,8 @@
* <http://www.OpenLDAP.org/license.html>.
*/
#define _XOPEN_SOURCE 500 /* For pthread_setconcurrency() on glibc */
#include "portable.h"
#if defined( HAVE_PTHREADS )
......
......@@ -1282,7 +1282,7 @@ static ConfigOCs chainocs[] = {
"NAME 'olcChainDatabase' "
"DESC 'Chain remote server configuration' "
"AUXILIARY )",
Cft_Misc, olcDatabaseDummy, chain_ldadd
Cft_Misc, NULL, chain_ldadd
#ifdef SLAP_CONFIG_DELETE
, NULL, chain_lddel
#endif
......@@ -2318,6 +2318,12 @@ chain_initialize( void )
/* Make sure we don't exceed the bits reserved for userland */
config_check_userland( CH_LAST );
/* olcDatabaseDummy is defined in slapd, and Windows
will not let us initialize a struct element with a data pointer
from another library, so we have to initialize this element
"by hand". */
chainocs[1].co_table = olcDatabaseDummy;
#ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR
rc = register_supported_control( LDAP_CONTROL_X_CHAINING_BEHAVIOR,
/* SLAP_CTRL_GLOBAL| */ SLAP_CTRL_ACCESS|SLAP_CTRL_HIDE, NULL,
......
......@@ -696,47 +696,6 @@ meta_suffixm_config(
return rc;
}
static int
slap_bv_x_ordered_unparse( BerVarray in, BerVarray *out )
{
int i;
BerVarray bva = NULL;
char ibuf[32], *ptr;
struct berval idx;
assert( in != NULL );
for ( i = 0; !BER_BVISNULL( &in[i] ); i++ )
/* count'em */ ;
if ( i == 0 ) {
return 1;
}
idx.bv_val = ibuf;
bva = ch_malloc( ( i + 1 ) * sizeof(struct berval) );
BER_BVZERO( &bva[ 0 ] );
for ( i = 0; !BER_BVISNULL( &in[i] ); i++ ) {
idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
if ( idx.bv_len >= sizeof( ibuf ) ) {
ber_bvarray_free( bva );
return 1;
}
bva[i].bv_len = idx.bv_len + in[i].bv_len;
bva[i].bv_val = ch_malloc( bva[i].bv_len + 1 );
ptr = lutil_strcopy( bva[i].bv_val, ibuf );
ptr = lutil_strcopy( ptr, in[i].bv_val );
*ptr = '\0';
BER_BVZERO( &bva[ i + 1 ] );
}
*out = bva;
return 0;
}
int
meta_subtree_free( metasubtree_t *ms )
{
......
......@@ -81,9 +81,6 @@ static CfBackInfo cfBackInfo;
static char *passwd_salt;
static FILE *logfile;
static char *logfileName;
#ifdef SLAP_AUTH_REWRITE
static BerVarray authz_rewrites;
#endif
static AccessControl *defacl_parsed = NULL;
static struct berval cfdir;
......@@ -333,9 +330,9 @@ static ConfigTable config_back_cf_table[] = {
"SUBSTR caseIgnoreSubstringsMatch "
"SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )",
NULL, NULL },
{ "authid-rewrite", NULL, 2, 0, STRLENOF( "authid-rewrite" ),
{ "authid-rewrite", "rewrite", 2, 0, STRLENOF( "authid-rewrite" ),
#ifdef SLAP_AUTH_REWRITE
ARG_MAGIC|CFG_REWRITE|ARG_NO_INSERT, &config_generic,
ARG_MAGIC|CFG_REWRITE, &config_generic,
#else
ARG_IGNORED, NULL,
#endif
......@@ -346,7 +343,7 @@ static ConfigTable config_back_cf_table[] = {
&config_generic, "( OLcfgGlAt:7 NAME 'olcAuthzPolicy' "
"EQUALITY caseIgnoreMatch "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
{ "authz-regexp", "regexp> <DN", 3, 3, 0, ARG_MAGIC|CFG_AZREGEXP|ARG_NO_INSERT,
{ "authz-regexp", "regexp> <DN", 3, 3, 0, ARG_MAGIC|CFG_AZREGEXP,
&config_generic, "( OLcfgGlAt:8 NAME 'olcAuthzRegexp' "
"EQUALITY caseIgnoreMatch "
"SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )", NULL, NULL },
......@@ -1401,29 +1398,7 @@ config_generic(ConfigArgs *c) {
#endif
#ifdef SLAP_AUTH_REWRITE
case CFG_REWRITE:
if ( authz_rewrites ) {
struct berval bv, idx;
char ibuf[32];
int i;
idx.bv_val = ibuf;
for ( i=0; !BER_BVISNULL( &authz_rewrites[i] ); i++ ) {
idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
if ( idx.bv_len >= sizeof( ibuf ) ) {
ber_bvarray_free_x( c->rvalue_vals, NULL );
c->rvalue_vals = NULL;
break;
}
bv.bv_len = idx.bv_len + authz_rewrites[i].bv_len;
bv.bv_val = ch_malloc( bv.bv_len + 1 );
AC_MEMCPY( bv.bv_val, idx.bv_val, idx.bv_len );
AC_MEMCPY( &bv.bv_val[ idx.bv_len ],
authz_rewrites[i].bv_val,
authz_rewrites[i].bv_len + 1 );
ber_bvarray_add( &c->rvalue_vals, &bv );
}
}
if ( !c->rvalue_vals ) rc = 1;
rc = slap_sasl_rewrite_unparse( &c->rvalue_vals );
break;
#endif
default:
......@@ -1455,8 +1430,6 @@ config_generic(ConfigArgs *c) {
/* no-ops, requires slapd restart */
case CFG_PLUGIN:
case CFG_MODLOAD:
case CFG_AZREGEXP:
case CFG_REWRITE:
snprintf(c->log, sizeof( c->log ), "change requires slapd restart");
break;
......@@ -1495,6 +1468,17 @@ config_generic(ConfigArgs *c) {
}
break;
#endif /* SLAP_AUXPROP_DONTUSECOPY */
case CFG_AZREGEXP:
rc = slap_sasl_regexp_delete( c->valx );
break;
#ifdef SLAP_AUTH_REWRITE
case CFG_REWRITE:
rc = slap_sasl_rewrite_delete( c->valx );
break;
#endif /* SLAP_AUTH_REWRITE */
case CFG_SALT:
ch_free( passwd_salt );
passwd_salt = NULL;
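Review bot: The new delete cases pass `c->valx` straight to slap_sasl_regexp_delete and slap_sasl_rewrite_delete, and nothing in the hunk shows how the callees treat the value used when the whole attribute rather than one ordered value is removed (in this backend that is conventionally -1). Confirm both functions accept it, and make the contract visible at the call site with a comment on the first case such as `/* valx selects one ordered value; -1 removes them all */`, adjusted to whatever the callees actually implement. config_generic continues outside the hunk.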
......@@ -1884,7 +1868,7 @@ config_generic(ConfigArgs *c) {
break;
case CFG_AZREGEXP:
if (slap_sasl_regexp_config( c->argv[1], c->argv[2] ))
if (slap_sasl_regexp_config( c->argv[1], c->argv[2], c->valx ))
return(1);
break;
......@@ -2444,36 +2428,13 @@ sortval_reject:
#ifdef SLAP_AUTH_REWRITE
case CFG_REWRITE: {
struct berval bv;
char *line;
int rc = 0;
int rc;
if ( c->op == LDAP_MOD_ADD ) {
c->argv++;
c->argc--;
}
if(slap_sasl_rewrite_config(c->fname, c->lineno, c->argc, c->argv))
rc = 1;
if ( rc == 0 ) {
if ( c->argc > 1 ) {
char *s;
/* quote all args but the first */
line = ldap_charray2str( c->argv, "\" \"" );
ber_str2bv( line, 0, 0, &bv );
s = ber_bvchr( &bv, '"' );
assert( s != NULL );
/* move the trailing quote of argv[0] to the end */
AC_MEMCPY( s, s + 1, bv.bv_len - ( s - bv.bv_val ) );
bv.bv_val[ bv.bv_len - 1 ] = '"';
} else {
ber_str2bv( c->argv[ 0 ], 0, 1, &bv );
}
ber_bvarray_add( &authz_rewrites, &bv );
}
rc = slap_sasl_rewrite_config(c->fname, c->lineno, c->argc, c->argv, c->valx);
if ( c->op == LDAP_MOD_ADD ) {
c->argv--;
c->argc++;
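Review bot: `struct berval bv;` and `char *line;` at the top of the case appear once in the rendered hunk, but the only code that used them (the ldap_charray2str quoting and the ber_bvarray_add into authz_rewrites) is removed, so if those two declarations survive the commit they are dead and `-Wall` will flag `line` as unused; the rendered view loses the old/new markers, so check the raw diff and drop them with the old code. `rc` now has no initializer but is assigned unconditionally by `rc = slap_sasl_rewrite_config(c->fname, c->lineno, c->argc, c->argv, c->valx);` before any use visible here, which is fine. The case continues past the hunk.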
......@@ -3988,6 +3949,47 @@ anlist_unparse( AttributeName *an, char *ptr, ber_len_t buflen ) {
return ptr;
}
int
slap_bv_x_ordered_unparse( BerVarray in, BerVarray *out )
{
int i;
BerVarray bva = NULL;
char ibuf[32], *ptr;
struct berval idx;
assert( in != NULL );
for ( i = 0; !BER_BVISNULL( &in[i] ); i++ )
/* count'em */ ;
if ( i == 0 ) {
return 1;
}
idx.bv_val = ibuf;
bva = ch_malloc( ( i + 1 ) * sizeof(struct berval) );
BER_BVZERO( &bva[ 0 ] );
for ( i = 0; !BER_BVISNULL( &in[i] ); i++ ) {
idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
if ( idx.bv_len >= sizeof( ibuf ) ) {
ber_bvarray_free( bva );
return 1;
}
bva[i].bv_len = idx.bv_len + in[i].bv_len;
bva[i].bv_val = ch_malloc( bva[i].bv_len + 1 );
ptr = lutil_strcopy( bva[i].bv_val, ibuf );
ptr = lutil_strcopy( ptr, in[i].bv_val );
*ptr = '\0';
BER_BVZERO( &bva[ i + 1 ] );
}
*out = bva;
return 0;
}
static int
config_updatedn(ConfigArgs *c) {
if (c->op == SLAP_CONFIG_EMIT) {
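Review bot: slap_bv_x_ordered_unparse becomes a non-static function shared by back-meta and rwm (both drop their own copies in this commit) but arrives without a header comment, and its return convention is easy to misread from a call site: 0 on success, 1 both for an empty input array and for an index that does not fit `ibuf`, with `*out` left untouched on either failure. Suggest a comment above the definition stating that, noting that on success `*out` is a NULL-terminated BerVarray owned by the caller and released with ber_bvarray_free, and that each value is prefixed using SLAP_X_ORDERED_FMT. The prototype presumably lands in proto-slap.h, which is outside this view; it should carry the same contract.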
......
......@@ -3752,7 +3752,8 @@ static ConfigOCs pcocs[] = {
{ "( OLcfgOvOc:2.2 "
"NAME 'olcPcacheDatabase' "
"DESC 'Cache database configuration' "
"AUXILIARY )", Cft_Misc, olcDatabaseDummy, pc_ldadd },
/* co_table is initialized in pcache_initialize */
"AUXILIARY )", Cft_Misc, NULL, pc_ldadd },
{ NULL, 0, NULL }
};
......@@ -5669,6 +5670,13 @@ pcache_initialize()
ConfigArgs c;
char *argv[ 4 ];
/* olcDatabaseDummy is defined in slapd, and Windows
will not let us initialize a struct element with a data pointer
from another library, so we have to initialize this element
"by hand". */
pcocs[1].co_table = olcDatabaseDummy;
code = slap_loglevel_get( &debugbv, &pcache_debug );
if ( code ) {
return code;
......
......@@ -1968,46 +1968,6 @@ static ConfigOCs rwmocs[] = {
{ NULL, 0, NULL }
};
static void
slap_bv_x_ordered_unparse( BerVarray in, BerVarray *out )
{
int i;
BerVarray bva = NULL;
char ibuf[32], *ptr;
struct berval idx;
assert( in != NULL );
for ( i = 0; !BER_BVISNULL( &in[i] ); i++ )
/* count'em */ ;
if ( i == 0 ) {
return;
}
idx.bv_val = ibuf;
bva = ch_malloc( ( i + 1 ) * sizeof(struct berval) );
BER_BVZERO( &bva[ 0 ] );
for ( i = 0; !BER_BVISNULL( &in[i] ); i++ ) {
idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), "{%d}", i );
if ( idx.bv_len >= sizeof( ibuf ) ) {
ber_bvarray_free( bva );
return;
}
bva[i].bv_len = idx.bv_len + in[i].bv_len;
bva[i].bv_val = ch_malloc( bva[i].bv_len + 1 );
ptr = lutil_strcopy( bva[i].bv_val, ibuf );
ptr = lutil_strcopy( ptr, in[i].bv_val );
*ptr = '\0';
BER_BVZERO( &bva[ i + 1 ] );
}
*out = bva;