X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-ldap%2Fbind.c;h=09b23924d5f11d5313ac508e30c8350be7804559;hb=a0b5f5138b0888a019b7305de3ef2faf15907429;hp=251387218f34b66e3c6aec310cafda581c85ff3b;hpb=3e84f692aad70e07c3f75571661e848056c93bc3;p=openldap diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index 251387218f..09b23924d5 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -235,16 +235,7 @@ ldap_back_freeconn( Operation *op, struct ldapconn *lc ) { struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private; -retry_lock:; - switch ( ldap_pvt_thread_mutex_trylock( &li->conn_mutex ) ) { - case LDAP_PVT_THREAD_EBUSY: - default: - ldap_pvt_thread_yield(); - goto retry_lock; - - case 0: - break; - } + ldap_pvt_thread_mutex_lock( &li->conn_mutex ); assert( lc->lc_refcnt > 0 ); if ( --lc->lc_refcnt == 0 ) { @@ -260,34 +251,25 @@ retry_lock:; return 0; } +#ifdef HAVE_TLS static int -ldap_back_prepare_conn( struct ldapconn **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) +ldap_back_start_tls( + LDAP *ld, + int protocol, + int *is_tls, + const char *url, + unsigned flags, + const char **text ) { - struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; - int vers = op->o_protocol; - LDAP *ld = NULL; + int rc = LDAP_SUCCESS; + struct ldapinfo li; - assert( lcp != NULL ); + /* this is ridicolous... */ + li.flags = flags; - rs->sr_err = ldap_initialize( &ld, li->url ); - if ( rs->sr_err != LDAP_SUCCESS ) { - goto error_return; - } - - /* Set LDAP version. This will always succeed: If the client - * bound with a particular version, then so can we. - */ - ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&vers ); - - /* automatically chase referrals ("[dont-]chase-referrals" statement) */ - if ( LDAP_BACK_CHASE_REFERRALS( li ) ) { - ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON ); - } - -#ifdef HAVE_TLS /* start TLS ("tls-[try-]{start,propagate}" statements) */ - if ( ( LDAP_BACK_USE_TLS( li ) || ( op->o_conn->c_is_tls && LDAP_BACK_PROPAGATE_TLS( li ) ) ) - && !ldap_is_ldaps_url( li->url ) ) + if ( ( LDAP_BACK_USE_TLS( &li ) || ( *is_tls && LDAP_BACK_PROPAGATE_TLS( &li ) ) ) + && !ldap_is_ldaps_url( url ) ) { #ifdef SLAP_STARTTLS_ASYNCHRONOUS /* @@ -296,16 +278,28 @@ ldap_back_prepare_conn( struct ldapconn **lcp, Operation *op, SlapReply *rs, lda */ int msgid; - rs->sr_err = ldap_start_tls( ld, NULL, NULL, &msgid ); - if ( rs->sr_err == LDAP_SUCCESS ) { + if ( protocol == 0 ) { + ldap_get_option( ld, LDAP_OPT_PROTOCOL_VERSION, + (void *)&protocol ); + } + + if ( protocol < LDAP_VERSION3 ) { + protocol = LDAP_VERSION3; + /* Set LDAP version */ + ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, + (const void *)&protocol ); + } + + rc = ldap_start_tls( ld, NULL, NULL, &msgid ); + if ( rc == LDAP_SUCCESS ) { LDAPMessage *res = NULL; - int rc, retries = 1; + int retries = 1; struct timeval tv = { 0, 0 }; retry:; rc = ldap_result( ld, msgid, LDAP_MSG_ALL, &tv, &res ); if ( rc < 0 ) { - rs->sr_err = LDAP_OTHER; + rc = LDAP_OTHER; } else if ( rc == 0 ) { if ( retries ) { @@ -314,27 +308,27 @@ retry:; tv.tv_usec = 100000; goto retry; } - rs->sr_err = LDAP_OTHER; + rc = LDAP_OTHER; } else if ( rc == LDAP_RES_EXTENDED ) { struct berval *data = NULL; - rs->sr_err = ldap_parse_extended_result( ld, res, + rc = ldap_parse_extended_result( ld, res, NULL, &data, 0 ); - if ( rs->sr_err == LDAP_SUCCESS ) { - rs->sr_err = ldap_result2error( ld, res, 1 ); + if ( rc == LDAP_SUCCESS ) { + rc = ldap_result2error( ld, res, 1 ); res = NULL; /* FIXME: in case a referral * is returned, should we try * using it instead of the * configured URI? */ - if ( rs->sr_err == LDAP_SUCCESS ) { - ldap_install_tls( ld ); + if ( rc == LDAP_SUCCESS ) { + rc = ldap_install_tls( ld ); - } else if ( rs->sr_err == LDAP_REFERRAL ) { - rs->sr_err = LDAP_OTHER; - rs->sr_text = "unwilling to chase referral returned by Start TLS exop"; + } else if ( rc == LDAP_REFERRAL ) { + rc = LDAP_OTHER; + *text = "unwilling to chase referral returned by Start TLS exop"; } if ( data ) { @@ -346,7 +340,7 @@ retry:; } } else { - rs->sr_err = LDAP_OTHER; + rc = LDAP_OTHER; } if ( res != NULL ) { @@ -357,30 +351,87 @@ retry:; /* * use synchronous StartTLS */ - rs->sr_err = ldap_start_tls_s( ld, NULL, NULL ); + rc = ldap_start_tls_s( ld, NULL, NULL ); #endif /* ! SLAP_STARTTLS_ASYNCHRONOUS */ /* if StartTLS is requested, only attempt it if the URL * is not "ldaps://"; this may occur not only in case * of misconfiguration, but also when used in the chain * overlay, where the "uri" can be parsed out of a referral */ - if ( rs->sr_err == LDAP_SERVER_DOWN - || ( rs->sr_err != LDAP_SUCCESS && LDAP_BACK_TLS_CRITICAL( li ) ) ) - { - ldap_unbind_ext_s( ld, NULL, NULL ); - goto error_return; + switch ( rc ) { + case LDAP_SUCCESS: + *is_tls = 1; + break; + + case LDAP_SERVER_DOWN: + break; + + default: + if ( LDAP_BACK_TLS_CRITICAL( &li ) ) { + *text = "could not start TLS"; + break; + } + + /* in case Start TLS is not critical */ + *is_tls = 0; + rc = LDAP_SUCCESS; + break; } - /* in case Start TLS is not critical */ - rs->sr_err = LDAP_SUCCESS; + } else { + *is_tls = 0; + } + + return rc; +} +#endif /* HAVE_TLS */ + +static int +ldap_back_prepare_conn( struct ldapconn **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) +{ + struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; + int vers = op->o_protocol; + LDAP *ld = NULL; +#ifdef HAVE_TLS + int is_tls = op->o_conn->c_is_tls; +#endif /* HAVE_TLS */ + + assert( lcp != NULL ); + + rs->sr_err = ldap_initialize( &ld, li->url ); + if ( rs->sr_err != LDAP_SUCCESS ) { + goto error_return; + } + + /* Set LDAP version. This will always succeed: If the client + * bound with a particular version, then so can we. + */ + ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&vers ); + + /* automatically chase referrals ("[dont-]chase-referrals" statement) */ + if ( LDAP_BACK_CHASE_REFERRALS( li ) ) { + ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON ); + } + +#ifdef HAVE_TLS + rs->sr_err = ldap_back_start_tls( ld, + op->o_protocol, &is_tls, + li->url, li->flags, &rs->sr_text ); + if ( rs->sr_err != LDAP_SUCCESS ) { + ldap_unbind_ext( ld, NULL, NULL ); + goto error_return; } #endif /* HAVE_TLS */ if ( *lcp == NULL ) { *lcp = (struct ldapconn *)ch_calloc( 1, sizeof( struct ldapconn ) ); + (*lcp)->lc_flags= li->flags; } (*lcp)->lc_ld = ld; (*lcp)->lc_refcnt = 1; +#ifdef HAVE_TLS + (*lcp)->lc_is_tls = is_tls; +#endif /* HAVE_TLS */ error_return:; if ( rs->sr_err != LDAP_SUCCESS ) { @@ -401,7 +452,8 @@ struct ldapconn * ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok ) { struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; - struct ldapconn *lc, lc_curr = { 0 }; + struct ldapconn *lc, + lc_curr = { 0 }; int refcnt = 1; /* Searches for a ldapconn in the avl tree */ @@ -415,30 +467,35 @@ ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok ) lc_curr.lc_conn = op->o_conn; } else { - lc_curr.lc_conn = NULL; +#ifdef HAVE_TLS + if ( op->o_conn->c_is_tls ) { + lc_curr.lc_conn = LDAP_BACK_PRIV_CONN_TLS; + } else +#endif /* HAVE_TLS */ + { + lc_curr.lc_conn = LDAP_BACK_PRIV_CONN; + } } /* Internal searches are privileged and shared. So is root. */ /* FIXME: there seem to be concurrency issues */ if ( op->o_do_not_cache || be_isroot( op ) ) { lc_curr.lc_local_ndn = op->o_bd->be_rootndn; - lc_curr.lc_conn = NULL; +#ifdef HAVE_TLS + if ( op->o_conn->c_is_tls ) { + lc_curr.lc_conn = LDAP_BACK_PRIV_CONN_TLS; + } else +#endif /* HAVE_TLS */ + { + lc_curr.lc_conn = LDAP_BACK_PRIV_CONN; + } lc_curr.lc_ispriv = 1; } else { lc_curr.lc_local_ndn = op->o_ndn; } -retry_lock:; - switch ( ldap_pvt_thread_mutex_trylock( &li->conn_mutex ) ) { - case LDAP_PVT_THREAD_EBUSY: - default: - ldap_pvt_thread_yield(); - goto retry_lock; - - case 0: - break; - } + ldap_pvt_thread_mutex_lock( &li->conn_mutex ); lc = (struct ldapconn *)avl_find( li->conntree, (caddr_t)&lc_curr, ldap_back_conn_cmp ); @@ -456,8 +513,6 @@ retry_lock:; lc->lc_conn = lc_curr.lc_conn; ber_dupbv( &lc->lc_local_ndn, &lc_curr.lc_local_ndn ); - ldap_pvt_thread_mutex_init( &lc->lc_mutex ); - if ( lc_curr.lc_ispriv ) { ber_dupbv( &lc->lc_cred, &li->acl_passwd ); ber_dupbv( &lc->lc_bound_ndn, &li->acl_authcDN ); @@ -473,19 +528,37 @@ retry_lock:; } } +#ifdef HAVE_TLS + /* if start TLS failed but it was not mandatory, + * check if the non-TLS connection was already + * in cache; in case, destroy the newly created + * connection and use the existing one */ + if ( lc->lc_conn == LDAP_BACK_PRIV_CONN_TLS + && !ldap_tls_inplace( lc->lc_ld ) ) + { + struct ldapconn *tmplc; + + lc_curr.lc_conn = LDAP_BACK_PRIV_CONN; + ldap_pvt_thread_mutex_lock( &li->conn_mutex ); + tmplc = (struct ldapconn *)avl_find( li->conntree, + (caddr_t)&lc_curr, ldap_back_conn_cmp ); + if ( tmplc != NULL ) { + refcnt = ++tmplc->lc_refcnt; + ldap_back_conn_free( lc ); + lc = tmplc; + } + ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); + + if ( tmplc != NULL ) { + goto done; + } + } +#endif /* HAVE_TLS */ + lc->lc_bound = 0; /* Inserts the newly created ldapconn in the avl tree */ -retry_lock2:; - switch ( ldap_pvt_thread_mutex_trylock( &li->conn_mutex ) ) { - case LDAP_PVT_THREAD_EBUSY: - default: - ldap_pvt_thread_yield(); - goto retry_lock2; - - case 0: - break; - } + ldap_pvt_thread_mutex_lock( &li->conn_mutex ); assert( lc->lc_refcnt == 1 ); rs->sr_err = avl_insert( &li->conntree, (caddr_t)lc, @@ -517,7 +590,8 @@ retry_lock2:; "=>ldap_back_getconn: conn %p fetched (refcnt=%u)\n", (void *)lc, refcnt, 0 ); } - + +done:; return lc; } @@ -529,17 +603,7 @@ ldap_back_release_conn( { struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; -retry_lock:; - switch ( ldap_pvt_thread_mutex_trylock( &li->conn_mutex ) ) { - case LDAP_PVT_THREAD_EBUSY: - default: - ldap_pvt_thread_yield(); - goto retry_lock; - - case 0: - break; - } - + ldap_pvt_thread_mutex_lock( &li->conn_mutex ); assert( lc->lc_refcnt > 0 ); lc->lc_refcnt--; ldap_pvt_thread_mutex_unlock( &li->conn_mutex ); @@ -552,8 +616,7 @@ retry_lock:; * it from all the callers, and I made the function return the flag, so * it can be used to simplify the check. * - * Note: lc_mutex is locked; dolock indicates whether li->conn_mutex - * must be locked or not + * Note: dolock indicates whether li->conn_mutex must be locked or not */ static int ldap_back_dobind_int( @@ -657,21 +720,12 @@ retry:; if ( rs->sr_err == LDAP_SERVER_DOWN ) { if ( retries > 0 ) { if ( dolock ) { -retry_lock:; - switch ( ldap_pvt_thread_mutex_trylock( &li->conn_mutex ) ) { - case LDAP_PVT_THREAD_EBUSY: - default: - ldap_pvt_thread_yield(); - goto retry_lock; - - case 0: - break; - } + ldap_pvt_thread_mutex_lock( &li->conn_mutex ); } assert( lc->lc_refcnt > 0 ); if ( lc->lc_refcnt == 1 ) { - ldap_unbind_ext_s( lc->lc_ld, NULL, NULL ); + ldap_unbind_ext( lc->lc_ld, NULL, NULL ); lc->lc_ld = NULL; /* lc here must be the regular lc, reset and ready for init */ @@ -706,13 +760,7 @@ done:; int ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) { - int rc; - - ldap_pvt_thread_mutex_lock( &lc->lc_mutex ); - rc = ldap_back_dobind_int( lc, op, rs, sendok, 1, 1 ); - ldap_pvt_thread_mutex_unlock( &lc->lc_mutex ); - - return rc; + return ldap_back_dobind_int( lc, op, rs, sendok, 1, 1 ); } /* @@ -727,6 +775,22 @@ ldap_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request, { struct ldapconn *lc = (struct ldapconn *)params; +#ifdef HAVE_TLS + /* ... otherwise we couldn't get here */ + assert( lc != NULL ); + + if ( !ldap_tls_inplace( ld ) ) { + int is_tls = lc->lc_is_tls, + rc; + const char *text = NULL; + + rc = ldap_back_start_tls( ld, 0, &is_tls, url, lc->lc_flags, &text ); + if ( rc != LDAP_SUCCESS ) { + return rc; + } + } +#endif /* HAVE_TLS */ + /* FIXME: add checks on the URL/identity? */ return ldap_sasl_bind_s( ld, lc->lc_bound_ndn.bv_val, @@ -828,19 +892,10 @@ ldap_back_retry( struct ldapconn *lc, Operation *op, SlapReply *rs, ldap_back_se int rc = 0; struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; -retry_lock:; - switch ( ldap_pvt_thread_mutex_trylock( &li->conn_mutex ) ) { - case LDAP_PVT_THREAD_EBUSY: - default: - ldap_pvt_thread_yield(); - goto retry_lock; - - case 0: - break; - } + ldap_pvt_thread_mutex_lock( &li->conn_mutex ); if ( lc->lc_refcnt == 1 ) { - ldap_unbind_ext_s( lc->lc_ld, NULL, NULL ); + ldap_unbind_ext( lc->lc_ld, NULL, NULL ); lc->lc_ld = NULL; lc->lc_bound = 0;