X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fconfig.c;h=1b612e8aab48b8a01c0e21ac830d43001007535b;hb=fb2d3926ce4714b83f76c059a18a0d67d12b8019;hp=ddfc2af581eee4f9cdbe2be4e81244ea4262ba66;hpb=1d24564f9d7714e73a07b2ebe013096db584dda0;p=openldap diff --git a/servers/slapd/config.c b/servers/slapd/config.c index ddfc2af581..1b612e8aab 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -36,13 +36,21 @@ #include #include + +#ifndef S_ISREG +#define S_ISREG(m) (((m) & _S_IFMT) == _S_IFREG) +#endif + +#if HAVE_UNISTD_H #include +#endif #include "slap.h" #ifdef LDAP_SLAPI #include "slapi/slapi.h" #endif #include "lutil.h" +#include "lutil_ldap.h" #include "config.h" #ifdef HAVE_TLS @@ -149,14 +157,10 @@ int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) { snprintf( c->msg, sizeof( c->msg ), "<%s> extra cruft after <%s>", c->argv[0], Conf->what ); -#ifdef LDAP_DEVEL ignored = ""; -#endif /* LDAP_DEVEL */ Debug(LDAP_DEBUG_CONFIG, "%s: %s%s.\n", c->log, c->msg, ignored ); -#ifdef LDAP_DEVEL return(ARG_BAD_CONF); -#endif /* LDAP_DEVEL */ } if((arg_syn & ARG_DB) && !c->be) { snprintf( c->msg, sizeof( c->msg ), "<%s> only allowed within database declaration", @@ -315,7 +319,8 @@ int config_set_vals(ConfigTable *Conf, ConfigArgs *c) { return(0); } if(arg_type & ARG_OFFSET) { - if (c->be) + if (c->be && (!overlay_is_over(c->be) || + ((slap_overinfo *)c->be->bd_info)->oi_orig == c->bi)) ptr = c->be->be_private; else if (c->bi) ptr = c->bi->bi_private; @@ -406,7 +411,8 @@ config_get_vals(ConfigTable *cf, ConfigArgs *c) if ( rc ) return rc; } else { if ( cf->arg_type & ARG_OFFSET ) { - if ( c->be ) + if (c->be && (!overlay_is_over(c->be) || + ((slap_overinfo *)c->be->bd_info)->oi_orig == c->bi)) ptr = c->be->be_private; else if ( c->bi ) ptr = c->bi->bi_private; @@ -472,45 +478,18 @@ config_get_vals(ConfigTable *cf, ConfigArgs *c) int init_config_attrs(ConfigTable *ct) { - LDAPAttributeType *at; int i, code; - const char *err; for (i=0; ct[i].name; i++ ) { - int freeit = 0; - if ( !ct[i].attribute ) continue; - at = ldap_str2attributetype( ct[i].attribute, - &code, &err, LDAP_SCHEMA_ALLOW_ALL ); - if ( !at ) { - fprintf( stderr, "init_config_attrs: AttributeType \"%s\": %s, %s\n", - ct[i].attribute, ldap_scherr2str(code), err ); - return code; - } - - code = at_add( at, 0, NULL, &err ); - if ( code ) { - if ( code == SLAP_SCHERR_ATTR_DUP ) { - freeit = 1; - - } else { - ldap_attributetype_free( at ); - fprintf( stderr, "init_config_attrs: AttributeType \"%s\": %s, %s\n", - ct[i].attribute, scherr2str(code), err ); - return code; - } - } - code = slap_str2ad( at->at_names[0], &ct[i].ad, &err ); - if ( freeit || code ) { - ldap_attributetype_free( at ); - } else { - ldap_memfree( at ); - } + code = register_at( ct[i].attribute, &ct[i].ad, 1 ); if ( code ) { - fprintf( stderr, "init_config_attrs: AttributeType \"%s\": %s\n", - ct[i].attribute, err ); + fprintf( stderr, "init_config_attrs: register_at failed\n" ); return code; } +#ifndef LDAP_DEVEL + ct[i].ad->ad_type->sat_flags |= SLAP_AT_HIDE; +#endif } return 0; @@ -518,32 +497,17 @@ init_config_attrs(ConfigTable *ct) { int init_config_ocs( ConfigOCs *ocs ) { - int i; + int i, code; for (i=0;ocs[i].co_def;i++) { - LDAPObjectClass *oc; - int code; - const char *err; - - oc = ldap_str2objectclass( ocs[i].co_def, &code, &err, - LDAP_SCHEMA_ALLOW_ALL ); - if ( !oc ) { - fprintf( stderr, "init_config_ocs: objectclass \"%s\": %s, %s\n", - ocs[i].co_def, ldap_scherr2str(code), err ); - return code; - } - code = oc_add(oc,0,NULL,&err); - if ( code && code != SLAP_SCHERR_CLASS_DUP ) { - fprintf( stderr, "init_config_ocs: objectclass \"%s\": %s, %s\n", - ocs[i].co_def, scherr2str(code), err ); - ldap_objectclass_free(oc); + code = register_oc( ocs[i].co_def, &ocs[i].co_oc, 1 ); + if ( code ) { + fprintf( stderr, "init_config_ocs: register_oc failed\n" ); return code; } - ocs[i].co_oc = oc_find(oc->oc_names[0]); - if ( code ) - ldap_objectclass_free(oc); - else - ldap_memfree(oc); +#ifndef LDAP_DEVEL + ocs[i].co_oc->soc_flags |= SLAP_OC_HIDE; +#endif } return 0; } @@ -877,14 +841,21 @@ done: /* restrictops, allows, disallows, requires, loglevel */ int -verb_to_mask(const char *word, slap_verbmasks *v) { +bverb_to_mask(struct berval *bword, slap_verbmasks *v) { int i; for(i = 0; !BER_BVISNULL(&v[i].word); i++) { - if(!strcasecmp(word, v[i].word.bv_val)) break; + if(!ber_bvstrcasecmp(bword, &v[i].word)) break; } return(i); } +int +verb_to_mask(const char *word, slap_verbmasks *v) { + struct berval bword; + ber_str2bv( word, 0, 0, &bword ); + return bverb_to_mask( &bword, v ); +} + int verbs_to_mask(int argc, char *argv[], slap_verbmasks *v, slap_mask_t *m) { int i, j; @@ -1038,8 +1009,15 @@ static slap_verbmasks methkey[] = { { BER_BVNULL, 0 } }; +static slap_verbmasks versionkey[] = { + { BER_BVC("2"), LDAP_VERSION2 }, + { BER_BVC("3"), LDAP_VERSION3 }, + { BER_BVNULL, 0 } +}; + static slap_cf_aux_table bindkey[] = { { BER_BVC("uri="), offsetof(slap_bindconf, sb_uri), 'b', 1, NULL }, + { BER_BVC("version="), offsetof(slap_bindconf, sb_version), 'd', 0, versionkey }, { BER_BVC("bindmethod="), offsetof(slap_bindconf, sb_method), 'd', 0, methkey }, { BER_BVC("binddn="), offsetof(slap_bindconf, sb_binddn), 'b', 1, NULL }, { BER_BVC("credentials="), offsetof(slap_bindconf, sb_cred), 'b', 1, NULL }, @@ -1148,7 +1126,7 @@ slap_cf_aux_table_parse( const char *word, void *dst, slap_cf_aux_table *tab0, L int slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0 ) { - char buf[BUFSIZ], *ptr; + char buf[AC_LINE_MAX], *ptr; slap_cf_aux_table *tab; struct berval tmp; @@ -1282,10 +1260,12 @@ void bindconf_free( slap_bindconf *bc ) { BER_BVZERO( &bc->sb_authzId ); } #ifdef HAVE_TLS +#if 0 if ( bc->sb_tls_ctx ) { SSL_CTX_free( bc->sb_tls_ctx ); bc->sb_tls_ctx = NULL; } +#endif if ( bc->sb_tls_cert ) { ch_free( bc->sb_tls_cert ); bc->sb_tls_cert = NULL; @@ -1395,6 +1375,157 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld ) } #endif +/* + * connect to a client using the bindconf data + * note: should move "version" into bindconf... + */ +int +slap_client_connect( LDAP **ldp, slap_bindconf *sb ) +{ + LDAP *ld = NULL; + int rc; + + /* Init connection to master */ + rc = ldap_initialize( &ld, sb->sb_uri.bv_val ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "slap_client_connect: " + "ldap_initialize(%s) failed (%d)\n", + sb->sb_uri.bv_val, rc, 0 ); + return rc; + } + + if ( sb->sb_version != 0 ) { + ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, + (const void *)&sb->sb_version ); + } + +#ifdef HAVE_TLS + if ( sb->sb_tls_do_init ) { + rc = bindconf_tls_set( sb, ld ); + + } else if ( sb->sb_tls_ctx ) { + rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, + sb->sb_tls_ctx ); + } + + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "slap_client_connect: " + "URI=%s TLS context initialization failed (%d)\n", + sb->sb_uri.bv_val, rc, 0 ); + return rc; + } +#endif + + /* Bind */ + if ( sb->sb_tls ) { + rc = ldap_start_tls_s( ld, NULL, NULL ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "slap_client_connect: URI=%s " + "%s, ldap_start_tls failed (%d)\n", + sb->sb_uri.bv_val, + sb->sb_tls == SB_TLS_CRITICAL ? + "Error" : "Warning", + rc ); + if ( sb->sb_tls == SB_TLS_CRITICAL ) { + goto done; + } + } + } + + if ( sb->sb_method == LDAP_AUTH_SASL ) { +#ifdef HAVE_CYRUS_SASL + void *defaults; + + if ( sb->sb_secprops != NULL ) { + rc = ldap_set_option( ld, + LDAP_OPT_X_SASL_SECPROPS, sb->sb_secprops); + + if( rc != LDAP_OPT_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "slap_client_connect: " + "error, ldap_set_option " + "(%s,SECPROPS,\"%s\") failed!\n", + sb->sb_uri.bv_val, sb->sb_secprops, 0 ); + goto done; + } + } + + defaults = lutil_sasl_defaults( ld, + sb->sb_saslmech.bv_val, + sb->sb_realm.bv_val, + sb->sb_authcId.bv_val, + sb->sb_cred.bv_val, + sb->sb_authzId.bv_val ); + + rc = ldap_sasl_interactive_bind_s( ld, + sb->sb_binddn.bv_val, + sb->sb_saslmech.bv_val, + NULL, NULL, + LDAP_SASL_QUIET, + lutil_sasl_interact, + defaults ); + + lutil_sasl_freedefs( defaults ); + + /* FIXME: different error behaviors according to + * 1) return code + * 2) on err policy : exit, retry, backoff ... + */ + if ( rc != LDAP_SUCCESS ) { + static struct berval bv_GSSAPI = BER_BVC( "GSSAPI" ); + + Debug( LDAP_DEBUG_ANY, "slap_client_connect: URI=%s " + "ldap_sasl_interactive_bind_s failed (%d)\n", + sb->sb_uri.bv_val, rc, 0 ); + + /* FIXME (see above comment) */ + /* if Kerberos credentials cache is not active, retry */ + if ( ber_bvcmp( &sb->sb_saslmech, &bv_GSSAPI ) == 0 && + rc == LDAP_LOCAL_ERROR ) + { + rc = LDAP_SERVER_DOWN; + } + + goto done; + } +#else /* HAVE_CYRUS_SASL */ + /* Should never get here, we trapped this at config time */ + assert(0); + Debug( LDAP_DEBUG_SYNC, "not compiled with SASL support\n", 0, 0, 0 ); + rc = LDAP_OTHER; + goto done; +#endif + + } else if ( sb->sb_method == LDAP_AUTH_SIMPLE ) { + rc = ldap_sasl_bind_s( ld, + sb->sb_binddn.bv_val, LDAP_SASL_SIMPLE, + &sb->sb_cred, NULL, NULL, NULL ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "slap_client_connect: " + "URI=%s DN=\"%s\" " + "ldap_sasl_bind_s failed (%d)\n", + sb->sb_uri.bv_val, sb->sb_binddn.bv_val, rc ); + goto done; + } + } + +done:; + if ( rc ) { + if ( ld ) { + ldap_unbind_ext( ld, NULL, NULL ); + *ldp = NULL; + } + + } else { + *ldp = ld; + } + + return rc; +} + /* -------------------------------------- */ @@ -1453,7 +1584,7 @@ strtok_quote( char *line, char *sep, char **quote_ptr ) return( tmp ); } -static char buf[BUFSIZ]; +static char buf[AC_LINE_MAX]; static char *line; static size_t lmax, lcur; @@ -1461,7 +1592,7 @@ static size_t lmax, lcur; do { \ size_t len = strlen( buf ); \ while ( lcur + len + 1 > lmax ) { \ - lmax += BUFSIZ; \ + lmax += AC_LINE_MAX; \ line = (char *) ch_realloc( line, lmax ); \ } \ strcpy( line + lcur, buf ); \