Commit 8ab24ff0 authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount

Merge remote-tracking branch 'origin/master' into OPENLDAP_REL_ENG_2_5

parents 2a33d97e 1aecfe0b
......@@ -730,8 +730,6 @@ tool_args( int argc, char **argv )
}
unknown_ctrls = tmpctrls;
ctrl.ldctl_oid = control;
/* don't free it */
control = NULL;
ctrl.ldctl_value.bv_val = NULL;
ctrl.ldctl_value.bv_len = 0;
ctrl.ldctl_iscritical = crit;
......@@ -758,6 +756,8 @@ tool_args( int argc, char **argv )
ctrl.ldctl_value = bv;
}
/* don't free it */
control = NULL;
unknown_ctrls[ unknown_ctrls_num ] = ctrl;
unknown_ctrls_num++;
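Review bot: On the new side `ctrl.ldctl_oid = control;` aliases the buffer and `control` is only reset to NULL immediately before `unknown_ctrls[ unknown_ctrls_num ] = ctrl;`, so the value-parsing code between the two hunks (not visible here) now runs while `control` is still owned by the caller; an error path there that frees `control` and then falls through to the store would leave `ldctl_oid` dangling, and one that returns without freeing would leak it. Moving the reset later is presumably what lets those paths free `control` on failure, which makes the aliasing window worth a comment at the OID assignment, e.g. `/* ldctl_oid aliases control until the control is stored below; an error path in between must free it and skip the store, or leave it alone */`. tool_args continues outside both hunks.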
......
......@@ -15,14 +15,9 @@ H2: Dependency Versions
!block table; align=Center; coltags="N,EX,EX"; title="Table 8.5: OpenLDAP Software Dependency Versions"
Feature|Software|Version
{{TERM[expand]TLS}}:
|{{PRD:OpenSSL}}|0.9.7+
|{{PRD:GnuTLS}}|3.3.6+
{{TERM[expand]SASL}}|{{PRD:Cyrus SASL}}|2.1.21+
{{TERM[expand]Kerberos}}:
|{{PRD:Heimdal}}|Version
|{{PRD:MIT Kerberos}}|Version
Threads:
|POSIX {{pthreads}}|Version
TCP Wrappers|Name|Version
|{{PRD:OpenSSL}}|1.1.1+
|{{PRD:GnuTLS}}|3.6.0+
{{TERM[expand]SASL}}|{{PRD:Cyrus SASL}}|2.1.27+
{{TERM[expand]lloadd}}|{{PRD:libevent}}|2.1+
Threads:|POSIX {{pthreads}}|Version
!endblock
......@@ -13,7 +13,7 @@
!macro HTML_FOOTER
{{INLINE:<FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1">}}
{{INLINE:<B>________________<BR><SMALL>}}
[[c]] Copyright 2011,
[[c]] Copyright 2011-2021,
{{INLINE:<A HREF="/foundation/">OpenLDAP Foundation</A>}},
{{EMAIL: info@OpenLDAP.org}}
{{INLINE:</SMALL><BR></B></FONT>}}
......
......@@ -55,7 +55,7 @@
<P>
<FONT COLOR="#808080" FACE="Arial,Verdana,Helvetica" SIZE="1"><B>
________________<BR>
<SMALL>&copy; Copyright 2011, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info@OpenLDAP.org">info@OpenLDAP.org</A></SMALL></B></FONT>
<SMALL>&copy; Copyright 2011-2021, <A HREF="http://www.OpenLDAP.org/foundation/">OpenLDAP Foundation</A>, <A HREF="mailto:info@OpenLDAP.org">info@OpenLDAP.org</A></SMALL></B></FONT>
!endblock
!endmacro
......@@ -275,6 +275,7 @@ XED|XML Enabled Directory
XER|XML Encoding Rules
XML|Extensible Markup Language
syncrepl|LDAP Sync-based Replication
lloadd|LDAP Load Balancer
!endblock
!block references; data; sort=Reference; style=grid
......
......@@ -25,7 +25,9 @@ directive.
.TP
.B logdb <suffix>
Specify the suffix of a database to be used for storing the log records.
The specified database must be defined elsewhere in the configuration.
The specified database must be defined elsewhere in the configuration and
must support an ordered return of results such as
.BR slapd\-mdb (5)
The access controls
on the log database should prevent general access. The suffix entry
of the log database will be created automatically by this overlay. The log
......
......@@ -35,8 +35,9 @@ directive.
.B constraint_attribute <attribute_name>[,...] <type> <value> [<extra> [...]]
Specifies the constraint which should apply to the comma-separated
attribute list named as the first parameter.
Five types of constraint are currently supported -
Six types of constraint are currently supported -
.BR regex ,
.BR negregex ,
.BR size ,
.BR count ,
.BR uri ,
......@@ -45,6 +46,8 @@ and
The parameter following the
.B regex
or
.B negregex
type is a Unix style regular expression (See
.BR regex (7)
). The parameter following the
......@@ -104,6 +107,7 @@ overlay constraint
constraint_attribute jpegPhoto size 131072
constraint_attribute userPassword count 3
constraint_attribute mail regex ^[[:alnum:]]+@mydomain.com$
constraint_attribute mail negregex ^[[:alnum:]]+@notallowed.com$
constraint_attribute title uri
ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
constraint_attribute cn,sn,givenName set
......@@ -115,7 +119,9 @@ constraint_attribute cn,sn,givenName set
A specification like the above would reject any
.B mail
attribute which did not look like
.BR "<alpha-numeric string>@mydomain.com" .
.BR "<alpha-numeric string>@mydomain.com"
or that looks like
.BR "<alpha-numeric string>@notallowed.com" .
It would also reject any
.B title
attribute whose values were not listed in the
......
......@@ -394,13 +394,7 @@ referralDN all ops (only if applicable; defaults
.LP
.SH "Basic Configuration Syntax"
All rewrite/remap directives start with the prefix
.BR rwm\- ;
for backwards compatibility with the historical
.BR slapd\-ldap (5)
and
.BR slapd\-meta (5)
builtin rewrite/remap capabilities, the prefix may be omitted,
but this practice is strongly discouraged.
.BR rwm\-
.TP
.B rwm\-rewriteEngine { on | off }
If `on', the requested rewriting is performed; if `off', no
......
......@@ -501,6 +501,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );
}
}
/* Explicitly honor the server side cipher suite preference */
SSL_CTX_set_options( ctx, SSL_OP_CIPHER_SERVER_PREFERENCE );
return 0;
}
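Review bot: `SSL_CTX_set_options( ctx, SSL_OP_CIPHER_SERVER_PREFERENCE )` is applied unconditionally although `tlso_ctx_init` receives `is_server` and the option only has meaning on a server context; gating it with `if ( is_server )` documents the intent and keeps client contexts untouched. It is also a behaviour change for deployments that relied on the client's cipher order being honoured, and with OpenSSL 1.1.1 the option governs TLS 1.3 ciphersuite selection as well, so it should be mentioned under TLSCipherSuite in slapd.conf(5)/slapd-config(5). If the GnuTLS backend is meant to behave the same way, its priority string would need the equivalent `%SERVER_PRECEDENCE` keyword — tls_g.c is not in this merge as far as I can see. `SSL_CTX_set_options` returns the new option mask rather than an error code, so there is nothing to check on the call itself.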
......
......@@ -1258,7 +1258,7 @@ asyncmeta_controls_add( Operation *op,
LDAPControl **ctrls = NULL;
/* set to the maximum number of controls this backend can add */
LDAPControl c[ 2 ] = {{ 0 }};
int n = 0, i, j1 = 0, j2 = 0;
int n = 0, i, j1 = 0, j2 = 0, skipped = 0;
*pctrls = NULL;
......@@ -1344,12 +1344,22 @@ asyncmeta_controls_add( Operation *op,
i = 0;
if ( op->o_ctrls ) {
LDAPControl *proxyauthz = ldap_control_find(
LDAP_CONTROL_PROXY_AUTHZ, op->o_ctrls, NULL );
for ( i = 0; op->o_ctrls[ i ]; i++ ) {
ctrls[ i + j1 ] = op->o_ctrls[ i ];
/* Only replace it if we generated one */
if ( j1 && proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {
/* Frontend has already checked only one is present */
assert( skipped == 0 );
skipped++;
continue;
}
ctrls[ i + j1 - skipped ] = op->o_ctrls[ i ];
}
}
n += j1;
n += j1 - skipped;
if ( j2 ) {
ctrls[ n ] = (LDAPControl *)&ctrls[ n + j2 + 1 ] + j1;
*ctrls[ n ] = c[ j1 ];
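Review bot: The skip at `if ( j1 && proxyauthz && proxyauthz == op->o_ctrls[ i ] )` compares pointer identity against the first match returned by `ldap_control_find`, so it removes exactly one client-supplied proxyAuthz control, and the `assert( skipped == 0 )` can only ever fire if the same pointer appears twice in `op->o_ctrls` — it does not detect a second control carrying the same OID, which would be forwarded next to the backend-generated one; it also compiles away under NDEBUG. If the intent is "when we generated our own, drop every client copy", matching on the OID is both simpler and self-checking: `if ( j1 && op->o_ctrls[ i ]->ldctl_oid && strcmp( op->o_ctrls[ i ]->ldctl_oid, LDAP_CONTROL_PROXY_AUTHZ ) == 0 )`, after which `proxyauthz` is no longer needed. Otherwise state the invariant being relied on above the loop: `/* the frontend rejects duplicate controls, so at most one client proxyAuthz is skipped here */`. The allocation that sizes `ctrls` is outside the hunk; if it still counts the skipped control the spare slot is harmless, but worth a note there. asyncmeta_controls_add continues outside the hunk.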
......
......@@ -2548,10 +2548,6 @@ ldap_back_proxy_authz_ctrl(
if ( op->o_tag == LDAP_REQ_BIND ) {
ndn = op->o_req_ndn;
} else if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
ndn = op->o_conn->c_ndn;
} else {
ndn = op->o_ndn;
}
......@@ -2807,7 +2803,7 @@ ldap_back_controls_add(
LDAPControl **ctrls = NULL;
/* set to the maximum number of controls this backend can add */
LDAPControl c[ 2 ] = { { 0 } };
int n = 0, i, j1 = 0, j2 = 0;
int n = 0, i, j1 = 0, j2 = 0, skipped = 0;
*pctrls = NULL;
......@@ -2897,12 +2893,22 @@ ldap_back_controls_add(
i = 0;
if ( op->o_ctrls ) {
LDAPControl *proxyauthz = ldap_control_find(
LDAP_CONTROL_PROXY_AUTHZ, op->o_ctrls, NULL );
for ( i = 0; op->o_ctrls[ i ]; i++ ) {
ctrls[ i + j1 ] = op->o_ctrls[ i ];
/* Only replace it if we generated one */
if ( j1 && proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {
/* Frontend has already checked only one is present */
assert( skipped == 0 );
skipped++;
continue;
}
ctrls[ i + j1 - skipped ] = op->o_ctrls[ i ];
}
}
n += j1;
n += j1 - skipped;
if ( j2 ) {
ctrls[ n ] = (LDAPControl *)&ctrls[ n + j2 + 1 ] + j1;
*ctrls[ n ] = c[ j1 ];
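Review bot: With the `c_ndn` branch removed in `ldap_back_proxy_authz_ctrl`, a non-bind operation now asserts `op->o_ndn` to the remote server; unlike `op->o_conn->c_ndn`, that is the per-operation authorization identity, i.e. it already reflects a client proxyAuthz control the frontend has honoured under the local authz-policy rules. That is consistent with `ldap_back_controls_add` dropping the client's own proxyAuthz control once the backend has generated one (the identity is asserted once rather than twice), but if the idassert-authzFrom check further down in `ldap_back_proxy_authz_ctrl` (outside the hunk) is evaluated against `ndn`, as it presumably is, it now sees the proxied identity rather than the authenticated one, which can widen or narrow what an existing configuration permits. That deserves a sentence under idassert-authzFrom in slapd-ldap(5) and a comment at the assignment, e.g. `/* o_ndn is the op's effective (possibly proxied) identity; the client's own proxyAuthz control is not forwarded alongside ours */`. Both functions continue outside their hunks.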
......
......@@ -1633,7 +1633,7 @@ meta_back_controls_add(
LDAPControl **ctrls = NULL;
/* set to the maximum number of controls this backend can add */
LDAPControl c[ 2 ] = {{ 0 }};
int n = 0, i, j1 = 0, j2 = 0;
int n = 0, i, j1 = 0, j2 = 0, skipped = 0;
*pctrls = NULL;
......@@ -1719,12 +1719,22 @@ meta_back_controls_add(
i = 0;
if ( op->o_ctrls ) {
LDAPControl *proxyauthz = ldap_control_find(
LDAP_CONTROL_PROXY_AUTHZ, op->o_ctrls, NULL );
for ( i = 0; op->o_ctrls[ i ]; i++ ) {
ctrls[ i + j1 ] = op->o_ctrls[ i ];
/* Only replace it if we generated one */
if ( j1 && proxyauthz && proxyauthz == op->o_ctrls[ i ] ) {
/* Frontend has already checked only one is present */
assert( skipped == 0 );
skipped++;
continue;
}
ctrls[ i + j1 - skipped ] = op->o_ctrls[ i ];
}
}
n += j1;
n += j1 - skipped;
if ( j2 ) {
ctrls[ n ] = (LDAPControl *)&ctrls[ n + j2 + 1 ] + j1;
*ctrls[ n ] = c[ j1 ];
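Review bot: This loop is now the third byte-for-byte copy of the same proxyAuthz-skipping logic in this merge (asyncmeta and back-ldap carry the other two), including the `assert( skipped == 0 )` that only detects the same pointer twice rather than a second control with the same OID; a small shared helper taking `op->o_ctrls`, `j1` and the output array would keep the three in step when the rule changes and give the invariant one home. The array sizing that must still accommodate the skipped slot lives outside each hunk. meta_back_controls_add continues outside the hunk.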
......
......@@ -212,6 +212,8 @@ relay_back_op( Operation *op, SlapReply *rs, int which )
rc = (&bi->bi_op_bind)[which]( op, rs );
});
relay_back_remove_cb( &rcb, op );
if ( which == op_bind && rc == LDAP_SUCCESS )
op->o_bd = bd;
} else if ( fail_mode & RB_OPERR ) {
rs->sr_err = rc;
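Review bot: The new `if ( which == op_bind && rc == LDAP_SUCCESS ) op->o_bd = bd;` is the only unbraced single-statement `if` in view while the surrounding code braces everything, and it gives no hint why `o_bd` is put back only on a successful bind; `bd` itself is declared outside the hunk, so I can't confirm it is the relay's own BackendDB. Presumably this is so the frontend's post-bind bookkeeping records the relay rather than the target database — if so, say it and brace it: `/* successful bind: restore o_bd so the frontend attributes the session to the relay, not the target */`. relay_back_op continues outside the hunk.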
......
......@@ -40,6 +40,7 @@
*/
#define REGEX_STR "regex"
#define NEG_REGEX_STR "negregex"
#define URI_STR "uri"
#define SET_STR "set"
#define SIZE_STR "size"
......@@ -79,6 +80,7 @@ enum {
CONSTRAINT_COUNT,
CONSTRAINT_SIZE,
CONSTRAINT_REGEX,
CONSTRAINT_NEG_REGEX,
CONSTRAINT_SET,
CONSTRAINT_URI,
};
......@@ -86,7 +88,7 @@ enum {
static ConfigDriver constraint_cf_gen;
static ConfigTable constraintcfg[] = {
{ "constraint_attribute", "attribute[list]> (regex|uri|set|size|count) <value> [<restrict URI>]",
{ "constraint_attribute", "attribute[list]> (regex|negregex|uri|set|size|count) <value> [<restrict URI>]",
4, 0, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen,
"( OLcfgOvAt:13.1 NAME 'olcConstraintAttribute' "
"DESC 'constraint for list of attributes' "
......@@ -177,6 +179,10 @@ constraint_cf_gen( ConfigArgs *c )
tstr = REGEX_STR;
quotes = 1;
break;
case CONSTRAINT_NEG_REGEX:
tstr = NEG_REGEX_STR;
quotes = 1;
break;
case CONSTRAINT_SET:
tstr = SET_STR;
quotes = 1;
......@@ -296,10 +302,12 @@ constraint_cf_gen( ConfigArgs *c )
}
}
if ( strcasecmp( c->argv[2], REGEX_STR ) == 0) {
int is_regex = strcasecmp( c->argv[2], REGEX_STR ) == 0;
int is_neg_regex = strcasecmp( c->argv[2], NEG_REGEX_STR ) == 0;
if ( is_regex || is_neg_regex ) {
int err;
ap.type = CONSTRAINT_REGEX;
ap.type = is_regex ? CONSTRAINT_REGEX : CONSTRAINT_NEG_REGEX;
ap.re = ch_malloc( sizeof(regex_t) );
if ((err = regcomp( ap.re,
c->argv[3], REG_EXTENDED )) != 0) {
......@@ -598,6 +606,10 @@ constraint_violation( constraint *c, struct berval *bv, Operation *op )
if (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH)
return LDAP_CONSTRAINT_VIOLATION; /* regular expression violation */
break;
case CONSTRAINT_NEG_REGEX:
if (regexec(c->re, bv->bv_val, 0, NULL, 0) != REG_NOMATCH)
return LDAP_CONSTRAINT_VIOLATION; /* regular expression violation */
break;
case CONSTRAINT_URI: {
Operation nop = *op;
slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
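Review bot: In `constraint_violation` the new `CONSTRAINT_NEG_REGEX` case treats every `regexec` result other than `REG_NOMATCH` as a violation, so a runtime regex error such as `REG_ESPACE` fails closed, while the `CONSTRAINT_REGEX` case just above treats the same error as a pass (fails open); the two cases should agree, and for an input-validation overlay failing closed is the safer default, i.e. `if (regexec(c->re, bv->bv_val, 0, NULL, 0) != 0)` for the positive case. Both cases also match `bv->bv_val` as a C string, so a value with an embedded NUL is only checked up to the NUL — not introduced here, but a deny-list constraint like negregex inherits it and a note on the case would spare the next reader the search. The copy-pasted comment on the new case should read `/* value matched a negated regular expression */`. constraint_violation continues outside the hunk.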
......
......@@ -3958,10 +3958,12 @@ syncprov_db_close(
for ( so=si->si_ops, sonext=so; so; so=sonext ) {
SlapReply rs = {REP_RESULT};
rs.sr_err = LDAP_UNAVAILABLE;
ldap_pvt_thread_mutex_lock( &so->s_mutex );
send_ldap_result( so->s_op, &rs );
sonext=so->s_next;
if ( so->s_flags & PS_TASK_QUEUED )
ldap_pvt_thread_pool_retract( so->s_pool_cookie );
ldap_pvt_thread_mutex_unlock( &so->s_mutex );
if ( !syncprov_drop_psearch( so, 0 ))
so->s_si = NULL;
}
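Review bot: `send_ldap_result( so->s_op, &rs )` is now called with `so->s_mutex` held; if sending the result takes the connection's mutex or can block on the client socket, that creates a lock-order dependency s_mutex → connection lock that any path acquiring them in the other order (syncprov's other s_mutex users are outside this hunk) would deadlock against. If the lock is only needed to make the `PS_TASK_QUEUED` test and `ldap_pvt_thread_pool_retract( so->s_pool_cookie )` atomic against a concurrent task start, moving `ldap_pvt_thread_mutex_lock( &so->s_mutex );` below the `send_ldap_result` call shrinks the window and sidesteps the question. Either way a comment stating what the lock protects here would help: `/* s_mutex: PS_TASK_QUEUED and s_pool_cookie must not change between the test and the retract */`. syncprov_db_close continues outside the hunk.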
......
......@@ -5358,6 +5358,32 @@ void syncrepl_diff_entry( Operation *op, Attribute *old, Attribute *new,
new = new->a_next;
old = old->a_next;
}
/* These are all missing from provider */
while ( old ) {
Modifications *mod = ch_malloc( sizeof( Modifications ) );
mod->sml_op = LDAP_MOD_DELETE;
mod->sml_flags = 0;
mod->sml_desc = old->a_desc;
mod->sml_type = mod->sml_desc->ad_cname;
mod->sml_numvals = 0;
mod->sml_values = NULL;
mod->sml_nvalues = NULL;
*modtail = mod;
modtail = &mod->sml_next;
old = old->a_next;
}
/* Newly added attributes */
while ( new ) {
attr_cmp( op, NULL, new, &modtail, &ml );
new = new->a_next;
}
*modtail = *ml;
*ml = NULL;
}
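Review bot: The new `while ( old )` loop schedules an `LDAP_MOD_DELETE` of the whole attribute for everything left in `old`, so any attribute that is legitimately present locally but absent from the provider's copy — ones excluded by the syncrepl `attrs`/`exattrs` settings, or consumer-only operational attributes — would now be removed unless the caller (outside the hunk) filters them first. That precondition is worth confirming at the call site and stating above the loop: `/* caller must pass only replicated attributes in old: anything left here is deleted outright */`. Minor: `mod->sml_next` is only set by the next iteration's `*modtail = mod` or the final `*modtail = *ml`, which is correct but easier to audit with an explicit `mod->sml_next = NULL;` alongside the other field initialisers. syncrepl_diff_entry starts outside the hunk.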
......