Merge remote-tracking branch 'origin/master' into OPENLDAP_REL_ENG_2_5

clients/tools/common.c

@@ -730,8 +730,6 @@ tool_args( int argc, char **argv )
 				}
 				unknown_ctrls = tmpctrls;
 				ctrl.ldctl_oid = control;
-				/* don't free it */
-				control = NULL;
 				ctrl.ldctl_value.bv_val = NULL;
 				ctrl.ldctl_value.bv_len = 0;
 				ctrl.ldctl_iscritical = crit;
@@ -758,6 +756,8 @@ tool_args( int argc, char **argv )
 					ctrl.ldctl_value = bv;
 				}
 
+				/* don't free it */
+				control = NULL;
 				unknown_ctrls[ unknown_ctrls_num ] = ctrl;
 				unknown_ctrls_num++;
 

doc/guide/admin/appendix-recommended-versions.sdf

@@ -15,14 +15,9 @@ H2: Dependency Versions
 !block table; align=Center; coltags="N,EX,EX"; title="Table 8.5: OpenLDAP Software Dependency Versions"
 Feature|Software|Version
 {{TERM[expand]TLS}}:
-|{{PRD:OpenSSL}}|0.9.7+
-|{{PRD:GnuTLS}}|3.3.6+
-{{TERM[expand]SASL}}|{{PRD:Cyrus SASL}}|2.1.21+
-{{TERM[expand]Kerberos}}:
-|{{PRD:Heimdal}}|Version
-|{{PRD:MIT Kerberos}}|Version
-Threads:
-|POSIX {{pthreads}}|Version
-TCP Wrappers|Name|Version
+|{{PRD:OpenSSL}}|1.1.1+
+|{{PRD:GnuTLS}}|3.6.0+
+{{TERM[expand]SASL}}|{{PRD:Cyrus SASL}}|2.1.27+
+{{TERM[expand]lloadd}}|{{PRD:libevent}}|2.1+
+Threads:|POSIX {{pthreads}}|Version
 !endblock
-

doc/guide/plain.sdf

@@ -13,7 +13,7 @@
 !macro HTML_FOOTER
 {{INLINE:<FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1">}}
 {{INLINE:<B>________________<BR><SMALL>}}
-[[c]]  Copyright 2011,
+[[c]]  Copyright 2011-2021,
 {{INLINE:<A HREF="/foundation/">OpenLDAP Foundation</A>}},
 {{EMAIL: info@OpenLDAP.org}}
 {{INLINE:</SMALL><BR></B></FONT>}}

doc/guide/preamble.sdf

@@ -55,7 +55,7 @@
 <P>
 <FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1"><B>
 ________________<BR>
-<SMALL>&copy; Copyright 2011, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info@OpenLDAP.org">info@OpenLDAP.org</A></SMALL></B></FONT>
+<SMALL>&copy; Copyright 2011-2021, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info@OpenLDAP.org">info@OpenLDAP.org</A></SMALL></B></FONT>
 
 	!endblock
 !endmacro
@@ -275,6 +275,7 @@ XED|XML Enabled Directory
 XER|XML Encoding Rules
 XML|Extensible Markup Language
 syncrepl|LDAP Sync-based Replication
+lloadd|LDAP Load Balancer
 !endblock
 
 !block references; data; sort=Reference; style=grid

doc/man/man5/slapo-accesslog.5

@@ -25,7 +25,9 @@ directive.
 .TP
 .B logdb <suffix>
 Specify the suffix of a database to be used for storing the log records.
-The specified database must be defined elsewhere in the configuration.
+The specified database must be defined elsewhere in the configuration and
+must support an ordered return of results such as
+.BR slapd\-mdb (5)
 The access controls
 on the log database should prevent general access. The suffix entry
 of the log database will be created automatically by this overlay. The log

doc/man/man5/slapo-constraint.5

@@ -35,8 +35,9 @@ directive.
 .B constraint_attribute <attribute_name>[,...] <type> <value> [<extra> [...]]
 Specifies the constraint which should apply to the comma-separated
 attribute list named as the first parameter.
-Five types of constraint are currently supported -
+Six types of constraint are currently supported -
 .BR regex ,
+.BR negregex ,
 .BR size ,
 .BR count ,
 .BR uri ,
@@ -45,6 +46,8 @@ and
 
 The parameter following the
 .B regex
+or
+.B negregex
 type is a Unix style regular expression (See
 .BR regex (7)
 ). The parameter following the
@@ -104,6 +107,7 @@ overlay constraint
 constraint_attribute jpegPhoto size 131072
 constraint_attribute userPassword count 3
 constraint_attribute mail regex ^[[:alnum:]]+@mydomain.com$
+constraint_attribute mail negregex ^[[:alnum:]]+@notallowed.com$
 constraint_attribute title uri
   ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
 constraint_attribute cn,sn,givenName set
@@ -115,7 +119,9 @@ constraint_attribute cn,sn,givenName set
 A specification like the above would reject any
 .B mail
 attribute which did not look like
-.BR "<alpha-numeric string>@mydomain.com" .
+.BR "<alpha-numeric string>@mydomain.com"
+or that looks like
+.BR "<alpha-numeric string>@notallowed.com" .
 It would also reject any
 .B title
 attribute whose values were not listed in the

doc/man/man5/slapo-rwm.5

@@ -394,13 +394,7 @@ referralDN           all ops (only if applicable; defaults
 .LP
 .SH "Basic Configuration Syntax"
 All rewrite/remap directives start with the prefix
-.BR rwm\- ;
-for backwards compatibility with the historical
-.BR slapd\-ldap (5)
-and
-.BR slapd\-meta (5)
-builtin rewrite/remap capabilities, the prefix may be omitted, 
-but this practice is strongly discouraged.
+.BR rwm\-
 .TP
 .B rwm\-rewriteEngine { on | off }
 If `on', the requested rewriting is performed; if `off', no

libraries/libldap/tls_o.c

@@ -501,6 +501,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 					X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL  );
 		}
 	}
+	/* Explicitly honor the server side cipher suite preference */
+	SSL_CTX_set_options( ctx, SSL_OP_CIPHER_SERVER_PREFERENCE );
 	return 0;
 }
 

servers/slapd/back-asyncmeta/bind.c

@@ -1258,7 +1258,7 @@ asyncmeta_controls_add( Operation *op,
 	LDAPControl		**ctrls = NULL;
 	/* set to the maximum number of controls this backend can add */
 	LDAPControl		c[ 2 ] = {{ 0 }};
-	int			n = 0, i, j1 = 0, j2 = 0;
+	int			n = 0, i, j1 = 0, j2 = 0, skipped = 0;
 
 	*pctrls = NULL;
 
@@ -1344,12 +1344,22 @@ asyncmeta_controls_add( Operation *op,
 
 	i = 0;
 	if ( op->o_ctrls ) {
+		LDAPControl *proxyauthz = ldap_control_find(
+				LDAP_CONTROL_PROXY_AUTHZ, op->o_ctrls, NULL );
+
 		for ( i = 0; op->o_ctrls[ i ]; i++ ) {
-			ctrls[ i + j1 ] = op->o_ctrls[ i ];
+			/* Only replace it if we generated one */
+			if ( j1 && proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {
+				/* Frontend has already checked only one is present */
+				assert( skipped == 0 );
+				skipped++;
+				continue;
+			}
+			ctrls[ i + j1 - skipped ] = op->o_ctrls[ i ];
 		}
 	}
 
-	n += j1;
+	n += j1 - skipped;
 	if ( j2 ) {
 		ctrls[ n ] = (LDAPControl *)&ctrls[ n + j2 + 1 ] + j1;
 		*ctrls[ n ] = c[ j1 ];

servers/slapd/back-ldap/bind.c

@@ -2548,10 +2548,6 @@ ldap_back_proxy_authz_ctrl(
 
 	if ( op->o_tag == LDAP_REQ_BIND ) {
 		ndn = op->o_req_ndn;
-
-	} else if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
-		ndn = op->o_conn->c_ndn;
-
 	} else {
 		ndn = op->o_ndn;
 	}
@@ -2807,7 +2803,7 @@ ldap_back_controls_add(
 	LDAPControl	**ctrls = NULL;
 	/* set to the maximum number of controls this backend can add */
 	LDAPControl	c[ 2 ] = { { 0 } };
-	int		n = 0, i, j1 = 0, j2 = 0;
+	int		n = 0, i, j1 = 0, j2 = 0, skipped = 0;
 
 	*pctrls = NULL;
 
@@ -2897,12 +2893,22 @@ ldap_back_controls_add(
 
 	i = 0;
 	if ( op->o_ctrls ) {
+		LDAPControl *proxyauthz = ldap_control_find(
+				LDAP_CONTROL_PROXY_AUTHZ, op->o_ctrls, NULL );
+
 		for ( i = 0; op->o_ctrls[ i ]; i++ ) {
-			ctrls[ i + j1 ] = op->o_ctrls[ i ];
+			/* Only replace it if we generated one */
+			if ( j1 && proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {
+				/* Frontend has already checked only one is present */
+				assert( skipped == 0 );
+				skipped++;
+				continue;
+			}
+			ctrls[ i + j1 - skipped ] = op->o_ctrls[ i ];
 		}
 	}
 
-	n += j1;
+	n += j1 - skipped;
 	if ( j2 ) {
 		ctrls[ n ] = (LDAPControl *)&ctrls[ n + j2 + 1 ] + j1;
 		*ctrls[ n ] = c[ j1 ];

servers/slapd/back-meta/bind.c

@@ -1633,7 +1633,7 @@ meta_back_controls_add(
 	LDAPControl		**ctrls = NULL;
 	/* set to the maximum number of controls this backend can add */
 	LDAPControl		c[ 2 ] = {{ 0 }};
-	int			n = 0, i, j1 = 0, j2 = 0;
+	int			n = 0, i, j1 = 0, j2 = 0, skipped = 0;
 
 	*pctrls = NULL;
 
@@ -1719,12 +1719,22 @@ meta_back_controls_add(
 
 	i = 0;
 	if ( op->o_ctrls ) {
+		LDAPControl *proxyauthz = ldap_control_find(
+				LDAP_CONTROL_PROXY_AUTHZ, op->o_ctrls, NULL );
+
 		for ( i = 0; op->o_ctrls[ i ]; i++ ) {
-			ctrls[ i + j1 ] = op->o_ctrls[ i ];
+			/* Only replace it if we generated one */
+			if ( j1 && proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {
+				/* Frontend has already checked only one is present */
+				assert( skipped == 0 );
+				skipped++;
+				continue;
+			}
+			ctrls[ i + j1 - skipped ] = op->o_ctrls[ i ];
 		}
 	}
 
-	n += j1;
+	n += j1 - skipped;
 	if ( j2 ) {
 		ctrls[ n ] = (LDAPControl *)&ctrls[ n + j2 + 1 ] + j1;
 		*ctrls[ n ] = c[ j1 ];

servers/slapd/back-relay/op.c

@@ -212,6 +212,8 @@ relay_back_op( Operation *op, SlapReply *rs, int which )
 			rc = (&bi->bi_op_bind)[which]( op, rs );
 		});
 		relay_back_remove_cb( &rcb, op );
+		if ( which == op_bind && rc == LDAP_SUCCESS )
+			op->o_bd = bd;
 
 	} else if ( fail_mode & RB_OPERR ) {
 		rs->sr_err = rc;

servers/slapd/overlays/constraint.c

@@ -40,6 +40,7 @@
  */
 
 #define REGEX_STR "regex"
+#define NEG_REGEX_STR "negregex"
 #define URI_STR "uri"
 #define SET_STR "set"
 #define SIZE_STR "size"
@@ -79,6 +80,7 @@ enum {
 	CONSTRAINT_COUNT,
 	CONSTRAINT_SIZE,
 	CONSTRAINT_REGEX,
+	CONSTRAINT_NEG_REGEX,
 	CONSTRAINT_SET,
 	CONSTRAINT_URI,
 };
@@ -86,7 +88,7 @@ enum {
 static ConfigDriver constraint_cf_gen;
 
 static ConfigTable constraintcfg[] = {
-	{ "constraint_attribute", "attribute[list]> (regex|uri|set|size|count) <value> [<restrict URI>]",
+	{ "constraint_attribute", "attribute[list]> (regex|negregex|uri|set|size|count) <value> [<restrict URI>]",
 	  4, 0, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen,
 	  "( OLcfgOvAt:13.1 NAME 'olcConstraintAttribute' "
 	  "DESC 'constraint for list of attributes' "
@@ -177,6 +179,10 @@ constraint_cf_gen( ConfigArgs *c )
 						tstr = REGEX_STR;
 						quotes = 1;
 						break;
+					case CONSTRAINT_NEG_REGEX:
+						tstr = NEG_REGEX_STR;
+						quotes = 1;
+						break;
 					case CONSTRAINT_SET:
 						tstr = SET_STR;
 						quotes = 1;
@@ -296,10 +302,12 @@ constraint_cf_gen( ConfigArgs *c )
 				}
 			}
 
-			if ( strcasecmp( c->argv[2], REGEX_STR ) == 0) {
+			int is_regex = strcasecmp( c->argv[2], REGEX_STR ) == 0;
+			int is_neg_regex = strcasecmp( c->argv[2], NEG_REGEX_STR ) == 0;
+			if ( is_regex || is_neg_regex ) {
 				int err;
 			
-				ap.type = CONSTRAINT_REGEX;
+				ap.type = is_regex ? CONSTRAINT_REGEX : CONSTRAINT_NEG_REGEX;
 				ap.re = ch_malloc( sizeof(regex_t) );
 				if ((err = regcomp( ap.re,
 					c->argv[3], REG_EXTENDED )) != 0) {
@@ -598,6 +606,10 @@ constraint_violation( constraint *c, struct berval *bv, Operation *op )
 			if (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH)
 				return LDAP_CONSTRAINT_VIOLATION; /* regular expression violation */
 			break;
+		case CONSTRAINT_NEG_REGEX:
+			if (regexec(c->re, bv->bv_val, 0, NULL, 0) != REG_NOMATCH)
+				return LDAP_CONSTRAINT_VIOLATION; /* regular expression violation */
+			break;
 		case CONSTRAINT_URI: {
 			Operation nop = *op;
 			slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;

servers/slapd/overlays/syncprov.c

@@ -3958,10 +3958,12 @@ syncprov_db_close(
 		for ( so=si->si_ops, sonext=so;  so; so=sonext  ) {
 			SlapReply rs = {REP_RESULT};
 			rs.sr_err = LDAP_UNAVAILABLE;
+			ldap_pvt_thread_mutex_lock( &so->s_mutex );
 			send_ldap_result( so->s_op, &rs );
 			sonext=so->s_next;
 			if ( so->s_flags & PS_TASK_QUEUED )
 				ldap_pvt_thread_pool_retract( so->s_pool_cookie );
+			ldap_pvt_thread_mutex_unlock( &so->s_mutex );
 			if ( !syncprov_drop_psearch( so, 0 ))
 				so->s_si = NULL;
 		}

servers/slapd/syncrepl.c

@@ -5358,6 +5358,32 @@ void syncrepl_diff_entry( Operation *op, Attribute *old, Attribute *new,
 		new = new->a_next;
 		old = old->a_next;
 	}
+
+	/* These are all missing from provider */
+	while ( old ) {
+		Modifications *mod = ch_malloc( sizeof( Modifications ) );
+
+		mod->sml_op = LDAP_MOD_DELETE;
+		mod->sml_flags = 0;
+		mod->sml_desc = old->a_desc;
+		mod->sml_type = mod->sml_desc->ad_cname;
+		mod->sml_numvals = 0;
+		mod->sml_values = NULL;
+		mod->sml_nvalues = NULL;
+
+		*modtail = mod;
+		modtail = &mod->sml_next;
+
+		old = old->a_next;
+	}
+
+	/* Newly added attributes */
+	while ( new ) {
+		attr_cmp( op, NULL, new, &modtail, &ml );
+
+		new = new->a_next;
+	}
+
 	*modtail = *ml;
 	*ml = NULL;
 }