X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fbconfig.c;h=eeed0cdc49b7774a4a2cdb7a1b81e6aeb458537b;hb=6d1aa51604a7ae9c44287af5201afc9f43b5e91e;hp=5493d9811b6d19f703b15ad9d84dec9d4539a5d4;hpb=b613ab25b0f684377062a381dbc432ea126f5b6f;p=openldap diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index 5493d9811b..eeed0cdc49 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c @@ -2,7 +2,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 2005-2008 The OpenLDAP Foundation. + * Copyright 2005-2009 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -145,6 +145,7 @@ enum { CFG_DATABASE, CFG_TLS_RAND, CFG_TLS_CIPHER, + CFG_TLS_PROTOCOL_MIN, CFG_TLS_CERT_FILE, CFG_TLS_CERT_KEY, CFG_TLS_CA_PATH, @@ -685,6 +686,14 @@ static ConfigTable config_back_cf_table[] = { #endif "( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' " "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { "TLSProtocolMin", NULL, 0, 0, 0, +#ifdef HAVE_TLS + CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config, +#else + ARG_IGNORED, NULL, +#endif + "( OLcfgGlAt:87 NAME 'olcTLSProtocolMin' " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, { "tool-threads", "count", 2, 2, 0, ARG_INT|ARG_MAGIC|CFG_TTHREADS, &config_generic, "( OLcfgGlAt:80 NAME 'olcToolThreads' " "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, @@ -979,12 +988,7 @@ config_generic(ConfigArgs *c) { AccessControl *a; char *src, *dst, ibuf[11]; struct berval bv, abv; - AccessControl *end; - if ( c->be == frontendDB ) - end = NULL; - else - end = frontendDB->be_acl; - for (i=0, a=c->be->be_acl; a && a != end; i++,a=a->acl_next) { + for (i=0, a=c->be->be_acl; a; i++,a=a->acl_next) { abv.bv_len = snprintf( ibuf, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i ); if ( abv.bv_len >= sizeof( ibuf ) ) { ber_bvarray_free_x( c->rvalue_vals, NULL ); @@ -1033,7 +1037,7 @@ config_generic(ConfigArgs *c) { if ( !BER_BVISEMPTY( &si->si_url )) { bv.bv_len = si->si_url.bv_len + 6; bv.bv_val = ch_malloc( bv.bv_len ); - sprintf( bv.bv_val, "%d %s", si->si_num, + bv.bv_len = sprintf( bv.bv_val, "%d %s", si->si_num, si->si_url.bv_val ); ber_bvarray_add( &c->rvalue_vals, &bv ); } else { @@ -1220,13 +1224,8 @@ config_generic(ConfigArgs *c) { case CFG_ACL: if ( c->valx < 0 ) { - AccessControl *end; - if ( c->be == frontendDB ) - end = NULL; - else - end = frontendDB->be_acl; - acl_destroy( c->be->be_acl, end ); - c->be->be_acl = end; + acl_destroy( c->be->be_acl ); + c->be->be_acl = NULL; } else { AccessControl **prev, *a; @@ -1691,11 +1690,10 @@ sortval_reject: case CFG_ACL: /* Don't append to the global ACL if we're on a specific DB */ i = c->valx; - if ( c->be != frontendDB && frontendDB->be_acl && c->valx == -1 ) { + if ( c->valx == -1 ) { AccessControl *a; i = 0; - for ( a=c->be->be_acl; a && a != frontendDB->be_acl; - a = a->acl_next ) + for ( a=c->be->be_acl; a; a = a->acl_next ) i++; } if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, i ) ) { @@ -1785,20 +1783,28 @@ sortval_reject: *sip = si; if (( slapMode & SLAP_SERVER_MODE ) && c->argc > 2 ) { + Listener **l = slapd_get_listeners(); + int i, isMe = 0; + + /* Try a straight compare with Listener strings */ + for ( i=0; l && l[i]; i++ ) { + if ( !strcasecmp( c->argv[2], l[i]->sl_url.bv_val )) { + isMe = 1; + break; + } + } + /* If hostname is empty, or is localhost, or matches * our hostname, this serverID refers to this host. * Compare it against listeners and ports. */ - if ( !lud->lud_host || !lud->lud_host[0] || + if ( !isMe && ( !lud->lud_host || !lud->lud_host[0] || !strncasecmp("localhost", lud->lud_host, STRLENOF("localhost")) || - !strcasecmp( global_host, lud->lud_host )) { - Listener **l = slapd_get_listeners(); - int i; + !strcasecmp( global_host, lud->lud_host ))) { for ( i=0; l && l[i]; i++ ) { LDAPURLDesc *lu2; - int isMe = 0; ldap_url_parse( l[i]->sl_url.bv_val, &lu2 ); do { if ( strcasecmp( lud->lud_scheme, @@ -1827,15 +1833,17 @@ sortval_reject: } while(0); ldap_free_urldesc( lu2 ); if ( isMe ) { - slap_serverID = si->si_num; - Debug( LDAP_DEBUG_CONFIG, - "%s: SID=%d (listener=%s)\n", - c->log, slap_serverID, - l[i]->sl_url.bv_val ); break; } } } + if ( isMe ) { + slap_serverID = si->si_num; + Debug( LDAP_DEBUG_CONFIG, + "%s: SID=%d (listener=%s)\n", + c->log, slap_serverID, + l[i]->sl_url.bv_val ); + } } if ( c->argc > 2 ) ldap_free_urldesc( lud ); @@ -3080,7 +3088,16 @@ config_shadow( ConfigArgs *c, int flag ) return 1; } - SLAP_DBFLAGS(c->be) |= (SLAP_DBFLAG_SHADOW | SLAP_DBFLAG_SINGLE_SHADOW | flag); + if ( SLAP_SHADOW(c->be) ) { + /* if already shadow, only check consistency */ + if ( ( SLAP_DBFLAGS(c->be) & flag ) != flag ) { + Debug( LDAP_DEBUG_ANY, "%s: inconsistent shadow flag 0x%x.\n", c->log, flag, 0 ); + return 1; + } + + } else { + SLAP_DBFLAGS(c->be) |= (SLAP_DBFLAG_SHADOW | SLAP_DBFLAG_SINGLE_SHADOW | flag); + } return 0; } @@ -3209,6 +3226,7 @@ config_tls_config(ConfigArgs *c) { switch(c->type) { case CFG_TLS_CRLCHECK: flag = LDAP_OPT_X_TLS_CRLCHECK; break; case CFG_TLS_VERIFY: flag = LDAP_OPT_X_TLS_REQUIRE_CERT; break; + case CFG_TLS_PROTOCOL_MIN: flag = LDAP_OPT_X_TLS_PROTOCOL_MIN; break; default: Debug(LDAP_DEBUG_ANY, "%s: " "unknown tls_option <0x%x>\n", @@ -3231,7 +3249,7 @@ config_tls_config(ConfigArgs *c) { } return(ldap_pvt_tls_set_option(slap_tls_ld, flag, &i)); } else { - return(ldap_int_tls_config(slap_tls_ld, flag, c->argv[1])); + return(ldap_pvt_tls_config(slap_tls_ld, flag, c->argv[1])); } } #endif @@ -3636,6 +3654,9 @@ config_send( Operation *op, SlapReply *rs, CfEntryInfo *ce, int depth ) rs->sr_entry = ce->ce_entry; rs->sr_flags = 0; rc = send_search_entry( op, rs ); + if ( rc != LDAP_SUCCESS ) { + return rc; + } } if ( op->ors_scope == LDAP_SCOPE_SUBTREE ) { if ( ce->ce_kids ) { @@ -3798,14 +3819,15 @@ config_rename_kids( CfEntryInfo *ce ) struct berval rdn, nrdn; for (ce2 = ce->ce_kids; ce2; ce2 = ce2->ce_sibs) { + struct berval newdn, newndn; dnRdn ( &ce2->ce_entry->e_name, &rdn ); dnRdn ( &ce2->ce_entry->e_nname, &nrdn ); + build_new_dn( &newdn, &ce->ce_entry->e_name, &rdn, NULL ); + build_new_dn( &newndn, &ce->ce_entry->e_nname, &nrdn, NULL ); free( ce2->ce_entry->e_name.bv_val ); free( ce2->ce_entry->e_nname.bv_val ); - build_new_dn( &ce2->ce_entry->e_name, &ce->ce_entry->e_name, - &rdn, NULL ); - build_new_dn( &ce2->ce_entry->e_nname, &ce->ce_entry->e_nname, - &nrdn, NULL ); + ce2->ce_entry->e_name = newdn; + ce2->ce_entry->e_nname = newndn; config_rename_kids( ce2 ); } } @@ -4466,6 +4488,7 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, if ( !ct ) continue; /* user data? */ for (i=0; a->a_vals[i].bv_val; i++) { char *iptr = NULL; + ca->valx = -1; ca->line = a->a_vals[i].bv_val; if ( a->a_desc->ad_type->sat_flags & SLAP_AT_ORDERED ) { ptr = strchr( ca->line, '}' ); @@ -4477,8 +4500,6 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, if ( a->a_desc->ad_type->sat_flags & SLAP_AT_ORDERED_SIB ) { if ( iptr ) { ca->valx = strtol( iptr+1, NULL, 0 ); - } else { - ca->valx = -1; } } else { ca->valx = i; @@ -4684,7 +4705,7 @@ config_back_add( Operation *op, SlapReply *rs ) { char textbuf[SLAP_TEXT_BUFLEN]; size_t textlen = sizeof textbuf; - rs->sr_err = entry_schema_check(op, op->ora_e, NULL, 0, 1, + rs->sr_err = entry_schema_check(op, op->ora_e, NULL, 0, 1, NULL, &rs->sr_text, textbuf, sizeof( textbuf ) ); if ( rs->sr_err != LDAP_SUCCESS ) goto out; @@ -4767,6 +4788,7 @@ config_modify_add( ConfigTable *ct, ConfigArgs *ca, AttributeDescription *ad, { int rc; + ca->valx = -1; if (ad->ad_type->sat_flags & SLAP_AT_ORDERED && ca->line[0] == '{' ) { @@ -4930,7 +4952,7 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs, if ( rc == LDAP_SUCCESS) { /* check that the entry still obeys the schema */ - rc = entry_schema_check(op, e, NULL, 0, 0, + rc = entry_schema_check(op, e, NULL, 0, 0, NULL, &rs->sr_text, ca->cr_msg, sizeof(ca->cr_msg) ); } if ( rc ) goto out_noop; @@ -5505,20 +5527,22 @@ config_back_search( Operation *op, SlapReply *rs ) switch ( op->ors_scope ) { case LDAP_SCOPE_BASE: case LDAP_SCOPE_SUBTREE: - config_send( op, rs, ce, 0 ); + rs->sr_err = config_send( op, rs, ce, 0 ); break; case LDAP_SCOPE_ONELEVEL: for (ce = ce->ce_kids; ce; ce=ce->ce_sibs) { - config_send( op, rs, ce, 1 ); + rs->sr_err = config_send( op, rs, ce, 1 ); + if ( rs->sr_err ) { + break; + } } break; } - - rs->sr_err = LDAP_SUCCESS; + out: send_ldap_result( op, rs ); - return 0; + return rs->sr_err; } /* no-op, we never free entries */ @@ -5934,7 +5958,7 @@ config_back_db_open( BackendDB *be, ConfigReply *cr ) /* If we have no explicitly configured ACLs, don't just use * the global ACLs. Explicitly deny access to everything. */ - if ( frontendDB->be_acl && be->be_acl == frontendDB->be_acl ) { + if ( !be->be_acl ) { parse_acl(be, "config_back_db_open", 0, 6, (char **)defacl, 0 ); }