1
0
forked from jengelh/openldap2
openldap2/0002-init-bindconf-TLS-settings-ITS-6419.dif
Ralf Haferkamp 06a856973e - Fixed an issue in back-config's objectclass inheritence code that
could cause the server to fail to start or to spin in an endless
  loop (bnc#558059,ITS#6408)
- default the tls_reqcert parameter of a syncrepl config to
  "demand" as documented even if other tls_ options are absent
  (bnc#558397, ITS#6319)
- apply changes to the global size and timelimits to all database
  that don't specify limits themself. (bnc#562184, ITS#6428)

OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=25
2009-12-10 16:03:08 +00:00

163 lines
5.4 KiB
Plaintext

From d14434499207d1f0ca4686ce46787056b23b4d2c Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer@suse.de>
Date: Tue, 8 Dec 2009 13:36:17 +0100
Subject: [PATCH 2/3] init bindconf TLS settings (ITS#6419)
bnc#558397
---
servers/slapd/config.c | 71 +++++++++++++++++++++++++++++++++++++++++----
servers/slapd/slap.h | 8 +++++
servers/slapd/syncrepl.c | 4 ++
3 files changed, 76 insertions(+), 7 deletions(-)
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index be5a2f7..171e968 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -1210,8 +1210,32 @@ static slap_verbmasks versionkey[] = {
{ BER_BVNULL, 0 }
};
+static int
+slap_sb_uri(
+ struct berval *val,
+ void *bcp,
+ slap_cf_aux_table *tab0,
+ const char *tabmsg,
+ int unparse )
+{
+ slap_bindconf *bc = bcp;
+ if ( unparse ) {
+ if ( bc->sb_uri.bv_len >= val->bv_len )
+ return -1;
+ val->bv_len = bc->sb_uri.bv_len;
+ AC_MEMCPY( val->bv_val, bc->sb_uri.bv_val, val->bv_len );
+ } else {
+ bc->sb_uri = *val;
+#ifdef HAVE_TLS
+ if ( ldap_is_ldaps_url( val->bv_val ))
+ bc->sb_tls_do_init = 1;
+#endif
+ }
+ return 0;
+}
+
static slap_cf_aux_table bindkey[] = {
- { BER_BVC("uri="), offsetof(slap_bindconf, sb_uri), 'b', 1, NULL },
+ { BER_BVC("uri="), 0, 'x', 1, slap_sb_uri },
{ BER_BVC("version="), offsetof(slap_bindconf, sb_version), 'i', 0, versionkey },
{ BER_BVC("bindmethod="), offsetof(slap_bindconf, sb_method), 'i', 0, methkey },
{ BER_BVC("timeout="), offsetof(slap_bindconf, sb_timeout_api), 'i', 0, NULL },
@@ -1224,21 +1248,20 @@ static slap_cf_aux_table bindkey[] = {
{ BER_BVC("authcID="), offsetof(slap_bindconf, sb_authcId), 'b', 1, NULL },
{ BER_BVC("authzID="), offsetof(slap_bindconf, sb_authzId), 'b', 1, (slap_verbmasks *)authzNormalize },
#ifdef HAVE_TLS
- { BER_BVC("starttls="), offsetof(slap_bindconf, sb_tls), 'i', 0, tlskey },
-
/* NOTE: replace "13" with the actual index
* of the first TLS-related line */
#define aux_TLS (bindkey+13) /* beginning of TLS keywords */
+ { BER_BVC("starttls="), offsetof(slap_bindconf, sb_tls), 'i', 0, tlskey },
{ BER_BVC("tls_cert="), offsetof(slap_bindconf, sb_tls_cert), 's', 1, NULL },
{ BER_BVC("tls_key="), offsetof(slap_bindconf, sb_tls_key), 's', 1, NULL },
{ BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL },
{ BER_BVC("tls_cacertdir="), offsetof(slap_bindconf, sb_tls_cacertdir), 's', 1, NULL },
- { BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 1, NULL },
- { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 1, NULL },
- { BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 1, NULL },
+ { BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 0, NULL },
+ { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL },
+ { BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL },
#ifdef HAVE_OPENSSL_CRL
- { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 1, NULL },
+ { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL },
#endif
#endif
{ BER_BVNULL, 0, 0, 0, NULL }
@@ -1330,6 +1353,20 @@ slap_cf_aux_table_parse( const char *word, void *dst, slap_cf_aux_table *tab0, L
rc = lutil_atoulx( ulptr, val, 0 );
break;
+
+ case 'x':
+ if ( tab->aux != NULL ) {
+ struct berval value;
+ slap_cf_aux_table_parse_x *func = (slap_cf_aux_table_parse_x *)tab->aux;
+
+ ber_str2bv( val, 0, 1, &value );
+
+ rc = func( &value, (void *)((char *)dst + tab->off), tab, tabmsg, 0 );
+
+ } else {
+ rc = 1;
+ }
+ break;
}
if ( rc ) {
@@ -1420,6 +1457,26 @@ slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0
ptr += snprintf( ptr, sizeof( buf ) - ( ptr - buf ), "%lu", *ulptr );
break;
+ case 'x':
+ *ptr++ = ' ';
+ ptr = lutil_strcopy( ptr, tab->key.bv_val );
+ if ( tab->quote ) *ptr++ = '"';
+ if ( tab->aux != NULL ) {
+ struct berval value;
+ slap_cf_aux_table_parse_x *func = (slap_cf_aux_table_parse_x *)tab->aux;
+ int rc;
+
+ value.bv_val = ptr;
+ value.bv_len = buf + sizeof( buf ) - ptr;
+
+ rc = func( &value, (void *)((char *)src + tab->off), tab, "(unparse)", 1 );
+ if ( rc == 0 ) {
+ ptr += value.bv_len;
+ }
+ }
+ if ( tab->quote ) *ptr++ = '"';
+ break;
+
default:
assert( 0 );
}
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 076b898..210f6ba 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1630,6 +1630,14 @@ typedef struct slap_cf_aux_table {
void *aux;
} slap_cf_aux_table;
+typedef int
+slap_cf_aux_table_parse_x LDAP_P((
+ struct berval *val,
+ void *bc,
+ slap_cf_aux_table *tab0,
+ const char *tabmsg,
+ int unparse ));
+
#define SLAP_LIMIT_TIME 1
#define SLAP_LIMIT_SIZE 2
diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c
index fb1001f..bf84556 100644
--- a/servers/slapd/syncrepl.c
+++ b/servers/slapd/syncrepl.c
@@ -4060,6 +4060,10 @@ parse_syncrepl_line(
{
val = c->argv[ i ] + STRLENOF( PROVIDERSTR "=" );
ber_str2bv( val, 0, 1, &si->si_bindconf.sb_uri );
+#ifdef HAVE_TLS
+ if ( ldap_is_ldaps_url( val ))
+ si->si_bindconf.sb_tls_do_init = 1;
+#endif
si->si_got |= GOT_PROVIDER;
} else if ( !strncasecmp( c->argv[ i ], SCHEMASTR "=",
STRLENOF( SCHEMASTR "=" ) ) )
--
1.6.4.2