From 06a856973efe657354876bbca2175bbc399b4e064a3170dd2cf729f6ce03562a Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Thu, 10 Dec 2009 16:03:08 +0000 Subject: [PATCH] - Fixed an issue in back-config's objectclass inheritence code that could cause the server to fail to start or to spin in an endless loop (bnc#558059,ITS#6408) - default the tls_reqcert parameter of a syncrepl config to "demand" as documented even if other tls_ options are absent (bnc#558397, ITS#6319) - apply changes to the global size and timelimits to all database that don't specify limits themself. (bnc#562184, ITS#6428) OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=25 --- ...onfig-objectclass-inheritence-ITS-6408.dif | 55 ++++++ 0002-init-bindconf-TLS-settings-ITS-6419.dif | 162 ++++++++++++++++++ ...imit-changes-to-all-databases-ITS-6428.dif | 135 +++++++++++++++ openldap2-client.changes | 12 ++ openldap2-client.spec | 6 + openldap2.changes | 12 ++ openldap2.spec | 6 + 7 files changed, 388 insertions(+) create mode 100644 0001-back-config-objectclass-inheritence-ITS-6408.dif create mode 100644 0002-init-bindconf-TLS-settings-ITS-6419.dif create mode 100644 0003-apply-global-limit-changes-to-all-databases-ITS-6428.dif diff --git a/0001-back-config-objectclass-inheritence-ITS-6408.dif b/0001-back-config-objectclass-inheritence-ITS-6408.dif new file mode 100644 index 0000000..775edcd --- /dev/null +++ b/0001-back-config-objectclass-inheritence-ITS-6408.dif @@ -0,0 +1,55 @@ +From 49921a1e1a1832f9461d800eeeaee30f12864441 Mon Sep 17 00:00:00 2001 +From: Ralf Haferkamp +Date: Tue, 8 Dec 2009 12:13:39 +0100 +Subject: [PATCH 1/3] back-config objectclass inheritence (ITS#6408) + +bnc#558059 +--- + servers/slapd/bconfig.c | 12 ++++++------ + 1 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c +index c903458..d43e927 100644 +--- a/servers/slapd/bconfig.c ++++ b/servers/slapd/bconfig.c +@@ -4932,10 +4932,10 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, + ok: + /* Newly added databases and overlays need to be started up */ + if ( CONFIG_ONLINE_ADD( ca )) { +- if ( colst[0]->co_type == Cft_Database ) { ++ if ( coptr->co_type == Cft_Database ) { + rc = backend_startup_one( ca->be, &ca->reply ); + +- } else if ( colst[0]->co_type == Cft_Overlay ) { ++ } else if ( coptr->co_type == Cft_Overlay ) { + if ( ca->bi->bi_db_open ) { + BackendInfo *bi_orig = ca->be->bd_info; + ca->be->bd_info = ca->bi; +@@ -4961,7 +4961,7 @@ ok: + ce->ce_parent = last; + ce->ce_entry = entry_dup( e ); + ce->ce_entry->e_private = ce; +- ce->ce_type = colst[0]->co_type; ++ ce->ce_type = coptr->co_type; + ce->ce_be = ca->be; + ce->ce_bi = ca->bi; + ce->ce_private = ca->ca_private; +@@ -5006,12 +5006,12 @@ ok: + + done: + if ( rc ) { +- if ( (colst[0]->co_type == Cft_Database) && ca->be ) { ++ if ( (coptr->co_type == Cft_Database) && ca->be ) { + if ( ca->be != frontendDB ) + backend_destroy_one( ca->be, 1 ); +- } else if ( (colst[0]->co_type == Cft_Overlay) && ca->bi ) { ++ } else if ( (coptr->co_type == Cft_Overlay) && ca->bi ) { + overlay_destroy_one( ca->be, (slap_overinst *)ca->bi ); +- } else if ( colst[0]->co_type == Cft_Schema ) { ++ } else if ( coptr->co_type == Cft_Schema ) { + schema_destroy_one( ca, colst, nocs, last ); + } + } +-- +1.6.4.2 + diff --git a/0002-init-bindconf-TLS-settings-ITS-6419.dif b/0002-init-bindconf-TLS-settings-ITS-6419.dif new file mode 100644 index 0000000..11a8fca --- /dev/null +++ b/0002-init-bindconf-TLS-settings-ITS-6419.dif @@ -0,0 +1,162 @@ +From d14434499207d1f0ca4686ce46787056b23b4d2c Mon Sep 17 00:00:00 2001 +From: Ralf Haferkamp +Date: Tue, 8 Dec 2009 13:36:17 +0100 +Subject: [PATCH 2/3] init bindconf TLS settings (ITS#6419) + +bnc#558397 +--- + servers/slapd/config.c | 71 +++++++++++++++++++++++++++++++++++++++++---- + servers/slapd/slap.h | 8 +++++ + servers/slapd/syncrepl.c | 4 ++ + 3 files changed, 76 insertions(+), 7 deletions(-) + +diff --git a/servers/slapd/config.c b/servers/slapd/config.c +index be5a2f7..171e968 100644 +--- a/servers/slapd/config.c ++++ b/servers/slapd/config.c +@@ -1210,8 +1210,32 @@ static slap_verbmasks versionkey[] = { + { BER_BVNULL, 0 } + }; + ++static int ++slap_sb_uri( ++ struct berval *val, ++ void *bcp, ++ slap_cf_aux_table *tab0, ++ const char *tabmsg, ++ int unparse ) ++{ ++ slap_bindconf *bc = bcp; ++ if ( unparse ) { ++ if ( bc->sb_uri.bv_len >= val->bv_len ) ++ return -1; ++ val->bv_len = bc->sb_uri.bv_len; ++ AC_MEMCPY( val->bv_val, bc->sb_uri.bv_val, val->bv_len ); ++ } else { ++ bc->sb_uri = *val; ++#ifdef HAVE_TLS ++ if ( ldap_is_ldaps_url( val->bv_val )) ++ bc->sb_tls_do_init = 1; ++#endif ++ } ++ return 0; ++} ++ + static slap_cf_aux_table bindkey[] = { +- { BER_BVC("uri="), offsetof(slap_bindconf, sb_uri), 'b', 1, NULL }, ++ { BER_BVC("uri="), 0, 'x', 1, slap_sb_uri }, + { BER_BVC("version="), offsetof(slap_bindconf, sb_version), 'i', 0, versionkey }, + { BER_BVC("bindmethod="), offsetof(slap_bindconf, sb_method), 'i', 0, methkey }, + { BER_BVC("timeout="), offsetof(slap_bindconf, sb_timeout_api), 'i', 0, NULL }, +@@ -1224,21 +1248,20 @@ static slap_cf_aux_table bindkey[] = { + { BER_BVC("authcID="), offsetof(slap_bindconf, sb_authcId), 'b', 1, NULL }, + { BER_BVC("authzID="), offsetof(slap_bindconf, sb_authzId), 'b', 1, (slap_verbmasks *)authzNormalize }, + #ifdef HAVE_TLS +- { BER_BVC("starttls="), offsetof(slap_bindconf, sb_tls), 'i', 0, tlskey }, +- + /* NOTE: replace "13" with the actual index + * of the first TLS-related line */ + #define aux_TLS (bindkey+13) /* beginning of TLS keywords */ + ++ { BER_BVC("starttls="), offsetof(slap_bindconf, sb_tls), 'i', 0, tlskey }, + { BER_BVC("tls_cert="), offsetof(slap_bindconf, sb_tls_cert), 's', 1, NULL }, + { BER_BVC("tls_key="), offsetof(slap_bindconf, sb_tls_key), 's', 1, NULL }, + { BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL }, + { BER_BVC("tls_cacertdir="), offsetof(slap_bindconf, sb_tls_cacertdir), 's', 1, NULL }, +- { BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 1, NULL }, +- { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 1, NULL }, +- { BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 1, NULL }, ++ { BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 0, NULL }, ++ { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL }, ++ { BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL }, + #ifdef HAVE_OPENSSL_CRL +- { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 1, NULL }, ++ { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL }, + #endif + #endif + { BER_BVNULL, 0, 0, 0, NULL } +@@ -1330,6 +1353,20 @@ slap_cf_aux_table_parse( const char *word, void *dst, slap_cf_aux_table *tab0, L + + rc = lutil_atoulx( ulptr, val, 0 ); + break; ++ ++ case 'x': ++ if ( tab->aux != NULL ) { ++ struct berval value; ++ slap_cf_aux_table_parse_x *func = (slap_cf_aux_table_parse_x *)tab->aux; ++ ++ ber_str2bv( val, 0, 1, &value ); ++ ++ rc = func( &value, (void *)((char *)dst + tab->off), tab, tabmsg, 0 ); ++ ++ } else { ++ rc = 1; ++ } ++ break; + } + + if ( rc ) { +@@ -1420,6 +1457,26 @@ slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0 + ptr += snprintf( ptr, sizeof( buf ) - ( ptr - buf ), "%lu", *ulptr ); + break; + ++ case 'x': ++ *ptr++ = ' '; ++ ptr = lutil_strcopy( ptr, tab->key.bv_val ); ++ if ( tab->quote ) *ptr++ = '"'; ++ if ( tab->aux != NULL ) { ++ struct berval value; ++ slap_cf_aux_table_parse_x *func = (slap_cf_aux_table_parse_x *)tab->aux; ++ int rc; ++ ++ value.bv_val = ptr; ++ value.bv_len = buf + sizeof( buf ) - ptr; ++ ++ rc = func( &value, (void *)((char *)src + tab->off), tab, "(unparse)", 1 ); ++ if ( rc == 0 ) { ++ ptr += value.bv_len; ++ } ++ } ++ if ( tab->quote ) *ptr++ = '"'; ++ break; ++ + default: + assert( 0 ); + } +diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h +index 076b898..210f6ba 100644 +--- a/servers/slapd/slap.h ++++ b/servers/slapd/slap.h +@@ -1630,6 +1630,14 @@ typedef struct slap_cf_aux_table { + void *aux; + } slap_cf_aux_table; + ++typedef int ++slap_cf_aux_table_parse_x LDAP_P(( ++ struct berval *val, ++ void *bc, ++ slap_cf_aux_table *tab0, ++ const char *tabmsg, ++ int unparse )); ++ + #define SLAP_LIMIT_TIME 1 + #define SLAP_LIMIT_SIZE 2 + +diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c +index fb1001f..bf84556 100644 +--- a/servers/slapd/syncrepl.c ++++ b/servers/slapd/syncrepl.c +@@ -4060,6 +4060,10 @@ parse_syncrepl_line( + { + val = c->argv[ i ] + STRLENOF( PROVIDERSTR "=" ); + ber_str2bv( val, 0, 1, &si->si_bindconf.sb_uri ); ++#ifdef HAVE_TLS ++ if ( ldap_is_ldaps_url( val )) ++ si->si_bindconf.sb_tls_do_init = 1; ++#endif + si->si_got |= GOT_PROVIDER; + } else if ( !strncasecmp( c->argv[ i ], SCHEMASTR "=", + STRLENOF( SCHEMASTR "=" ) ) ) +-- +1.6.4.2 + diff --git a/0003-apply-global-limit-changes-to-all-databases-ITS-6428.dif b/0003-apply-global-limit-changes-to-all-databases-ITS-6428.dif new file mode 100644 index 0000000..1ccc518 --- /dev/null +++ b/0003-apply-global-limit-changes-to-all-databases-ITS-6428.dif @@ -0,0 +1,135 @@ +From ed86ffeec8ac01f9bc8ed531e5205a924c4a2979 Mon Sep 17 00:00:00 2001 +From: ralf +Date: Thu, 10 Dec 2009 10:56:52 +0000 +Subject: [PATCH 3/3] apply global limit changes to all databases (ITS#6428) + +bnc#562184 +--- + servers/slapd/bconfig.c | 90 ++++++++++++++++++++++++++++++++++++++++------ + 1 files changed, 78 insertions(+), 12 deletions(-) + +diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c +index d43e927..ae15224 100644 +--- a/servers/slapd/bconfig.c ++++ b/servers/slapd/bconfig.c +@@ -2208,14 +2208,23 @@ config_sizelimit(ConfigArgs *c) { + rc = 1; + return rc; + } else if ( c->op == LDAP_MOD_DELETE ) { +- /* Reset to defaults */ +- lim->lms_s_soft = SLAPD_DEFAULT_SIZELIMIT; +- lim->lms_s_hard = 0; +- lim->lms_s_unchecked = -1; +- lim->lms_s_pr = 0; +- lim->lms_s_pr_hide = 0; +- lim->lms_s_pr_total = 0; +- return 0; ++ /* Reset to defaults or values from frontend */ ++ if ( c->be == frontendDB ) { ++ lim->lms_s_soft = SLAPD_DEFAULT_SIZELIMIT; ++ lim->lms_s_hard = 0; ++ lim->lms_s_unchecked = -1; ++ lim->lms_s_pr = 0; ++ lim->lms_s_pr_hide = 0; ++ lim->lms_s_pr_total = 0; ++ } else { ++ lim->lms_s_soft = frontendDB->be_def_limit.lms_s_soft; ++ lim->lms_s_hard = frontendDB->be_def_limit.lms_s_hard; ++ lim->lms_s_unchecked = frontendDB->be_def_limit.lms_s_unchecked; ++ lim->lms_s_pr = frontendDB->be_def_limit.lms_s_pr; ++ lim->lms_s_pr_hide = frontendDB->be_def_limit.lms_s_pr_hide; ++ lim->lms_s_pr_total = frontendDB->be_def_limit.lms_s_pr_total; ++ } ++ goto ok; + } + for(i = 1; i < c->argc; i++) { + if(!strncasecmp(c->argv[i], "size", 4)) { +@@ -2240,6 +2249,34 @@ config_sizelimit(ConfigArgs *c) { + lim->lms_s_hard = 0; + } + } ++ ++ok: ++ if ( ( c->be == frontendDB ) && ( c->ca_entry ) ) { ++ /* This is a modification to the global limits apply it to ++ * the other databases as needed */ ++ AttributeDescription *ad=NULL; ++ const char *text = NULL; ++ slap_str2ad(c->argv[0], &ad, &text); ++ /* if we got here... */ ++ assert( ad != NULL ); ++ ++ CfEntryInfo *ce = c->ca_entry->e_private; ++ if ( ce->ce_type == Cft_Global ){ ++ ce = ce->ce_kids; ++ } ++ for (; ce; ce=ce->ce_sibs) { ++ Entry *dbe = ce->ce_entry; ++ if ( (ce->ce_type == Cft_Database) && (ce->ce_be != frontendDB) ++ && (!attr_find(dbe->e_attrs, ad)) ) { ++ ce->ce_be->be_def_limit.lms_s_soft = lim->lms_s_soft; ++ ce->ce_be->be_def_limit.lms_s_hard = lim->lms_s_hard; ++ ce->ce_be->be_def_limit.lms_s_unchecked =lim->lms_s_unchecked; ++ ce->ce_be->be_def_limit.lms_s_pr =lim->lms_s_pr; ++ ce->ce_be->be_def_limit.lms_s_pr_hide =lim->lms_s_pr_hide; ++ ce->ce_be->be_def_limit.lms_s_pr_total =lim->lms_s_pr_total; ++ } ++ } ++ } + return(0); + } + +@@ -2259,10 +2296,15 @@ config_timelimit(ConfigArgs *c) { + rc = 1; + return rc; + } else if ( c->op == LDAP_MOD_DELETE ) { +- /* Reset to defaults */ +- lim->lms_t_soft = SLAPD_DEFAULT_TIMELIMIT; +- lim->lms_t_hard = 0; +- return 0; ++ /* Reset to defaults or values from frontend */ ++ if ( c->be == frontendDB ) { ++ lim->lms_t_soft = SLAPD_DEFAULT_TIMELIMIT; ++ lim->lms_t_hard = 0; ++ } else { ++ lim->lms_t_soft = frontendDB->be_def_limit.lms_t_soft; ++ lim->lms_t_hard = frontendDB->be_def_limit.lms_t_hard; ++ } ++ goto ok; + } + for(i = 1; i < c->argc; i++) { + if(!strncasecmp(c->argv[i], "time", 4)) { +@@ -2287,6 +2329,30 @@ config_timelimit(ConfigArgs *c) { + lim->lms_t_hard = 0; + } + } ++ ++ok: ++ if ( ( c->be == frontendDB ) && ( c->ca_entry ) ) { ++ /* This is a modification to the global limits apply it to ++ * the other databases as needed */ ++ AttributeDescription *ad=NULL; ++ const char *text = NULL; ++ slap_str2ad(c->argv[0], &ad, &text); ++ /* if we got here... */ ++ assert( ad != NULL ); ++ ++ CfEntryInfo *ce = c->ca_entry->e_private; ++ if ( ce->ce_type == Cft_Global ){ ++ ce = ce->ce_kids; ++ } ++ for (; ce; ce=ce->ce_sibs) { ++ Entry *dbe = ce->ce_entry; ++ if ( (ce->ce_type == Cft_Database) && (ce->ce_be != frontendDB) ++ && (!attr_find(dbe->e_attrs, ad)) ) { ++ ce->ce_be->be_def_limit.lms_t_soft = lim->lms_t_soft; ++ ce->ce_be->be_def_limit.lms_t_hard = lim->lms_t_hard; ++ } ++ } ++ } + return(0); + } + +-- +1.6.4.2 + diff --git a/openldap2-client.changes b/openldap2-client.changes index 97a563d..df58381 100644 --- a/openldap2-client.changes +++ b/openldap2-client.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Thu Dec 10 15:41:11 UTC 2009 - rhafer@novell.com + +- Fixed an issue in back-config's objectclass inheritence code that + could cause the server to fail to start or to spin in an endless + loop (bnc#558059,ITS#6408) +- default the tls_reqcert parameter of a syncrepl config to + "demand" as documented even if other tls_ options are absent + (bnc#558397, ITS#6319) +- apply changes to the global size and timelimits to all database + that don't specify limits themself. (bnc#562184, ITS#6428) + ------------------------------------------------------------------- Mon Nov 30 16:09:22 UTC 2009 - rhafer@novell.com diff --git a/openldap2-client.spec b/openldap2-client.spec index 577d3a3..97ce5d3 100644 --- a/openldap2-client.spec +++ b/openldap2-client.spec @@ -61,6 +61,9 @@ Patch4: ldapi_url.dif Patch6: libldap-gethostbyname_r.dif Patch7: pie-compile.dif Patch11: slapd-bconfig-del-db.dif +Patch12: 0001-back-config-objectclass-inheritence-ITS-6408.dif +Patch13: 0002-init-bindconf-TLS-settings-ITS-6419.dif +Patch14: 0003-apply-global-limit-changes-to-all-databases-ITS-6428.dif Patch100: openldap-2.3.37.dif Patch200: slapd_getaddrinfo_dupl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -181,6 +184,9 @@ Authors: %patch7 %endif %patch11 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 %if %suse_version == 1100 %patch200 -p1 %endif diff --git a/openldap2.changes b/openldap2.changes index 97a563d..df58381 100644 --- a/openldap2.changes +++ b/openldap2.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Thu Dec 10 15:41:11 UTC 2009 - rhafer@novell.com + +- Fixed an issue in back-config's objectclass inheritence code that + could cause the server to fail to start or to spin in an endless + loop (bnc#558059,ITS#6408) +- default the tls_reqcert parameter of a syncrepl config to + "demand" as documented even if other tls_ options are absent + (bnc#558397, ITS#6319) +- apply changes to the global size and timelimits to all database + that don't specify limits themself. (bnc#562184, ITS#6428) + ------------------------------------------------------------------- Mon Nov 30 16:09:22 UTC 2009 - rhafer@novell.com diff --git a/openldap2.spec b/openldap2.spec index dac897e..7bf46d6 100644 --- a/openldap2.spec +++ b/openldap2.spec @@ -61,6 +61,9 @@ Patch4: ldapi_url.dif Patch6: libldap-gethostbyname_r.dif Patch7: pie-compile.dif Patch11: slapd-bconfig-del-db.dif +Patch12: 0001-back-config-objectclass-inheritence-ITS-6408.dif +Patch13: 0002-init-bindconf-TLS-settings-ITS-6419.dif +Patch14: 0003-apply-global-limit-changes-to-all-databases-ITS-6428.dif Patch100: openldap-2.3.37.dif Patch200: slapd_getaddrinfo_dupl.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -181,6 +184,9 @@ Authors: %patch7 %endif %patch11 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 %if %suse_version == 1100 %patch200 -p1 %endif