X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fconfig.c;h=70a5a6375fd80a2ec5e1f84b364f30289ff7b293;hb=2bfe79fe884565801600e309d1fcbefa41fb0f4b;hp=34ebb1d25cd4df9f5d2a1b2f604439814aeca354;hpb=ec849bd9813460be148d27ad4e552e82f60062ca;p=openldap diff --git a/servers/slapd/config.c b/servers/slapd/config.c index 34ebb1d25c..70a5a6375f 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -43,6 +43,7 @@ #include "slapi/slapi.h" #endif #include "lutil.h" +#include "lutil_ldap.h" #include "config.h" #ifdef HAVE_TLS @@ -120,17 +121,20 @@ ConfigTable *config_find_keyword(ConfigTable *Conf, ConfigArgs *c) { } int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) { - int rc, arg_user, arg_type, iarg; + int rc, arg_user, arg_type, arg_syn, iarg; long larg; ber_len_t barg; - arg_type = Conf->arg_type; - if(arg_type == ARG_IGNORED) { + if(Conf->arg_type == ARG_IGNORED) { Debug(LDAP_DEBUG_CONFIG, "%s: keyword <%s> ignored\n", c->log, Conf->name, 0); return(0); } - if((arg_type & ARG_DN) && c->argc == 1) { + arg_type = Conf->arg_type & ARGS_TYPES; + arg_user = Conf->arg_type & ARGS_USERLAND; + arg_syn = Conf->arg_type & ARGS_SYNTAX; + + if((arg_type == ARG_DN) && c->argc == 1) { c->argc = 2; c->argv[1] = ""; } @@ -146,55 +150,71 @@ int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) { snprintf( c->msg, sizeof( c->msg ), "<%s> extra cruft after <%s>", c->argv[0], Conf->what ); -#ifdef LDAP_DEVEL ignored = ""; -#endif /* LDAP_DEVEL */ Debug(LDAP_DEBUG_CONFIG, "%s: %s%s.\n", c->log, c->msg, ignored ); -#ifdef LDAP_DEVEL return(ARG_BAD_CONF); -#endif /* LDAP_DEVEL */ } - if((arg_type & ARG_DB) && !c->be) { + if((arg_syn & ARG_DB) && !c->be) { snprintf( c->msg, sizeof( c->msg ), "<%s> only allowed within database declaration", c->argv[0] ); Debug(LDAP_DEBUG_CONFIG, "%s: keyword %s\n", c->log, c->msg, 0); return(ARG_BAD_CONF); } - if((arg_type & ARG_PRE_BI) && c->bi) { + if((arg_syn & ARG_PRE_BI) && c->bi) { snprintf( c->msg, sizeof( c->msg ), "<%s> must occur before any backend %sdeclaration", - c->argv[0], (arg_type & ARG_PRE_DB) ? "or database " : "" ); + c->argv[0], (arg_syn & ARG_PRE_DB) ? "or database " : "" ); Debug(LDAP_DEBUG_CONFIG, "%s: keyword %s\n", c->log, c->msg, 0 ); return(ARG_BAD_CONF); } - if((arg_type & ARG_PRE_DB) && c->be && c->be != frontendDB) { + if((arg_syn & ARG_PRE_DB) && c->be && c->be != frontendDB) { snprintf( c->msg, sizeof( c->msg ), "<%s> must occur before any database declaration", c->argv[0] ); Debug(LDAP_DEBUG_CONFIG, "%s: keyword %s\n", c->log, c->msg, 0); return(ARG_BAD_CONF); } - if((arg_type & ARG_PAREN) && *c->argv[1] != '(' /*')'*/) { + if((arg_syn & ARG_PAREN) && *c->argv[1] != '(' /*')'*/) { snprintf( c->msg, sizeof( c->msg ), "<%s> old format not supported", c->argv[0] ); Debug(LDAP_DEBUG_CONFIG, "%s: %s\n", c->log, c->msg, 0); return(ARG_BAD_CONF); } - if((arg_type & ARGS_POINTER) && !Conf->arg_item && !(arg_type & ARG_OFFSET)) { + if(arg_type && !Conf->arg_item && !(arg_syn & ARG_OFFSET)) { snprintf( c->msg, sizeof( c->msg ), "<%s> invalid config_table, arg_item is NULL", c->argv[0] ); Debug(LDAP_DEBUG_CONFIG, "%s: %s\n", c->log, c->msg, 0); return(ARG_BAD_CONF); } - c->type = arg_user = (arg_type & ARGS_USERLAND); + c->type = arg_user; memset(&c->values, 0, sizeof(c->values)); - if(arg_type & ARGS_NUMERIC) { + if(arg_type == ARG_STRING) { + if ( !check_only ) + c->value_string = ch_strdup(c->argv[1]); + } else if(arg_type == ARG_BERVAL) { + if ( !check_only ) + ber_str2bv( c->argv[1], 0, 1, &c->value_bv ); + } else if(arg_type == ARG_DN) { + struct berval bv; + ber_str2bv( c->argv[1], 0, 0, &bv ); + rc = dnPrettyNormal( NULL, &bv, &c->value_dn, &c->value_ndn, NULL ); + if ( rc != LDAP_SUCCESS ) { + snprintf( c->msg, sizeof( c->msg ), "<%s> invalid DN %d (%s)", + c->argv[0], rc, ldap_err2string( rc )); + Debug(LDAP_DEBUG_CONFIG, "%s: %s\n" , c->log, c->msg, 0); + return(ARG_BAD_CONF); + } + if ( check_only ) { + ch_free( c->value_ndn.bv_val ); + ch_free( c->value_dn.bv_val ); + } + } else { /* all numeric */ int j; iarg = 0; larg = 0; barg = 0; - switch(arg_type & ARGS_NUMERIC) { + switch(arg_type) { case ARG_INT: if ( lutil_atoix( &iarg, c->argv[1], 0 ) != 0 ) { snprintf( c->msg, sizeof( c->msg ), @@ -258,32 +278,12 @@ int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) { c->log, c->msg, 0 ); return(ARG_BAD_CONF); } - switch(arg_type & ARGS_NUMERIC) { + switch(arg_type) { case ARG_ON_OFF: case ARG_INT: c->value_int = iarg; break; case ARG_LONG: c->value_long = larg; break; case ARG_BER_LEN_T: c->value_ber_t = barg; break; } - } else if(arg_type & ARG_STRING) { - if ( !check_only ) - c->value_string = ch_strdup(c->argv[1]); - } else if(arg_type & ARG_BERVAL) { - if ( !check_only ) - ber_str2bv( c->argv[1], 0, 1, &c->value_bv ); - } else if(arg_type & ARG_DN) { - struct berval bv; - ber_str2bv( c->argv[1], 0, 0, &bv ); - rc = dnPrettyNormal( NULL, &bv, &c->value_dn, &c->value_ndn, NULL ); - if ( rc != LDAP_SUCCESS ) { - snprintf( c->msg, sizeof( c->msg ), "<%s> invalid DN %d (%s)", - c->argv[0], rc, ldap_err2string( rc )); - Debug(LDAP_DEBUG_CONFIG, "%s: %s\n" , c->log, c->msg, 0); - return(ARG_BAD_CONF); - } - if ( check_only ) { - ch_free( c->value_ndn.bv_val ); - ch_free( c->value_dn.bv_val ); - } } return 0; } @@ -312,7 +312,8 @@ int config_set_vals(ConfigTable *Conf, ConfigArgs *c) { return(0); } if(arg_type & ARG_OFFSET) { - if (c->be) + if (c->be && (!overlay_is_over(c->be) || + ((slap_overinfo *)c->be->bd_info)->oi_orig == c->bi)) ptr = c->be->be_private; else if (c->bi) ptr = c->bi->bi_private; @@ -324,11 +325,11 @@ int config_set_vals(ConfigTable *Conf, ConfigArgs *c) { return(ARG_BAD_CONF); } ptr = (void *)((char *)ptr + (long)Conf->arg_item); - } else if (arg_type & ARGS_POINTER) { + } else if (arg_type & ARGS_TYPES) { ptr = Conf->arg_item; } - if(arg_type & ARGS_POINTER) - switch(arg_type & ARGS_POINTER) { + if(arg_type & ARGS_TYPES) + switch(arg_type & ARGS_TYPES) { case ARG_ON_OFF: case ARG_INT: *(int*)ptr = c->value_int; break; case ARG_LONG: *(long*)ptr = c->value_long; break; @@ -403,7 +404,8 @@ config_get_vals(ConfigTable *cf, ConfigArgs *c) if ( rc ) return rc; } else { if ( cf->arg_type & ARG_OFFSET ) { - if ( c->be ) + if (c->be && (!overlay_is_over(c->be) || + ((slap_overinfo *)c->be->bd_info)->oi_orig == c->bi)) ptr = c->be->be_private; else if ( c->bi ) ptr = c->bi->bi_private; @@ -414,7 +416,7 @@ config_get_vals(ConfigTable *cf, ConfigArgs *c) ptr = cf->arg_item; } - switch(cf->arg_type & ARGS_POINTER) { + switch(cf->arg_type & ARGS_TYPES) { case ARG_ON_OFF: case ARG_INT: c->value_int = *(int *)ptr; break; case ARG_LONG: c->value_long = *(long *)ptr; break; @@ -427,9 +429,10 @@ config_get_vals(ConfigTable *cf, ConfigArgs *c) ber_dupbv( &c->value_bv, (struct berval *)ptr ); break; } } - if ( cf->arg_type & ARGS_POINTER) { + if ( cf->arg_type & ARGS_TYPES) { + bv.bv_len = 0; bv.bv_val = c->log; - switch(cf->arg_type & ARGS_POINTER) { + switch(cf->arg_type & ARGS_TYPES) { case ARG_INT: bv.bv_len = snprintf(bv.bv_val, sizeof( c->log ), "%d", c->value_int); break; case ARG_LONG: bv.bv_len = snprintf(bv.bv_val, sizeof( c->log ), "%ld", c->value_long); break; case ARG_BER_LEN_T: bv.bv_len = snprintf(bv.bv_val, sizeof( c->log ), "%ld", c->value_ber_t); break; @@ -449,14 +452,19 @@ config_get_vals(ConfigTable *cf, ConfigArgs *c) return 1; } break; + default: + bv.bv_val = NULL; + break; } if (bv.bv_val == c->log && bv.bv_len >= sizeof( c->log ) ) { return 1; } - if (( cf->arg_type & ARGS_POINTER ) == ARG_STRING ) + if (( cf->arg_type & ARGS_TYPES ) == ARG_STRING ) { ber_bvarray_add(&c->rvalue_vals, &bv); - else + } else if ( !BER_BVISNULL( &bv ) ) { value_add_one(&c->rvalue_vals, &bv); + } + /* else: maybe c->rvalue_vals already set? */ } return rc; } @@ -501,6 +509,10 @@ init_config_attrs(ConfigTable *ct) { fprintf( stderr, "init_config_attrs: AttributeType \"%s\": %s\n", ct[i].attribute, err ); return code; + } else { +#ifndef LDAP_DEVEL + ct[i].ad->ad_type->sat_flags |= SLAP_AT_HIDE; +#endif } } @@ -531,10 +543,14 @@ init_config_ocs( ConfigOCs *ocs ) { return code; } ocs[i].co_oc = oc_find(oc->oc_names[0]); - if ( code ) + if ( code ) { ldap_objectclass_free(oc); - else + } else { ldap_memfree(oc); +#ifndef LDAP_DEVEL + ocs[i].co_oc->soc_flags |= SLAP_OC_HIDE; +#endif + } } return 0; } @@ -868,14 +884,21 @@ done: /* restrictops, allows, disallows, requires, loglevel */ int -verb_to_mask(const char *word, slap_verbmasks *v) { +bverb_to_mask(struct berval *bword, slap_verbmasks *v) { int i; for(i = 0; !BER_BVISNULL(&v[i].word); i++) { - if(!strcasecmp(word, v[i].word.bv_val)) break; + if(!ber_bvstrcasecmp(bword, &v[i].word)) break; } return(i); } +int +verb_to_mask(const char *word, slap_verbmasks *v) { + struct berval bword; + ber_str2bv( word, 0, 0, &bword ); + return bverb_to_mask( &bword, v ); +} + int verbs_to_mask(int argc, char *argv[], slap_verbmasks *v, slap_mask_t *m) { int i, j; @@ -1011,12 +1034,14 @@ enum_to_verb(slap_verbmasks *v, slap_mask_t m, struct berval *bv) { return -1; } +#ifdef HAVE_TLS static slap_verbmasks tlskey[] = { { BER_BVC("no"), SB_TLS_OFF }, { BER_BVC("yes"), SB_TLS_ON }, { BER_BVC("critical"), SB_TLS_CRITICAL }, { BER_BVNULL, 0 } }; +#endif static slap_verbmasks methkey[] = { { BER_BVC("none"), LDAP_AUTH_NONE }, @@ -1027,9 +1052,15 @@ static slap_verbmasks methkey[] = { { BER_BVNULL, 0 } }; +static slap_verbmasks versionkey[] = { + { BER_BVC("2"), LDAP_VERSION2 }, + { BER_BVC("3"), LDAP_VERSION3 }, + { BER_BVNULL, 0 } +}; + static slap_cf_aux_table bindkey[] = { { BER_BVC("uri="), offsetof(slap_bindconf, sb_uri), 'b', 1, NULL }, - { BER_BVC("starttls="), offsetof(slap_bindconf, sb_tls), 'd', 0, tlskey }, + { BER_BVC("version="), offsetof(slap_bindconf, sb_version), 'd', 0, versionkey }, { BER_BVC("bindmethod="), offsetof(slap_bindconf, sb_method), 'd', 0, methkey }, { BER_BVC("binddn="), offsetof(slap_bindconf, sb_binddn), 'b', 1, NULL }, { BER_BVC("credentials="), offsetof(slap_bindconf, sb_cred), 'b', 1, NULL }, @@ -1039,6 +1070,10 @@ static slap_cf_aux_table bindkey[] = { { BER_BVC("authcID="), offsetof(slap_bindconf, sb_authcId), 'b', 0, NULL }, { BER_BVC("authzID="), offsetof(slap_bindconf, sb_authzId), 'b', 1, NULL }, #ifdef HAVE_TLS + { BER_BVC("starttls="), offsetof(slap_bindconf, sb_tls), 'd', 0, tlskey }, + +#define aux_TLS (bindkey+10) /* beginning of TLS keywords */ + { BER_BVC("tls_cert="), offsetof(slap_bindconf, sb_tls_cert), 's', 1, NULL }, { BER_BVC("tls_key="), offsetof(slap_bindconf, sb_tls_key), 's', 1, NULL }, { BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL }, @@ -1055,7 +1090,7 @@ static slap_cf_aux_table bindkey[] = { int slap_cf_aux_table_parse( const char *word, void *dst, slap_cf_aux_table *tab0, LDAP_CONST char *tabmsg ) { - int rc = 0; + int rc = SLAP_CONF_UNKNOWN; slap_cf_aux_table *tab; for (tab = tab0; !BER_BVISNULL(&tab->key); tab++ ) { @@ -1072,11 +1107,13 @@ slap_cf_aux_table_parse( const char *word, void *dst, slap_cf_aux_table *tab0, L case 's': cptr = (char **)((char *)dst + tab->off); *cptr = ch_strdup( val ); + rc = 0; break; case 'b': bptr = (struct berval *)((char *)dst + tab->off); ber_str2bv( val, 0, 1, bptr ); + rc = 0; break; case 'd': @@ -1132,7 +1169,7 @@ slap_cf_aux_table_parse( const char *word, void *dst, slap_cf_aux_table *tab0, L int slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0 ) { - char buf[BUFSIZ], *ptr; + char buf[AC_LINE_MAX], *ptr; slap_cf_aux_table *tab; struct berval tmp; @@ -1216,6 +1253,13 @@ slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0 int bindconf_parse( const char *word, slap_bindconf *bc ) { +#ifdef HAVE_TLS + /* Detect TLS config changes explicitly */ + if ( slap_cf_aux_table_parse( word, bc, aux_TLS, "tls config" ) == 0 ) { + bc->sb_tls_do_init = 1; + return 0; + } +#endif return slap_cf_aux_table_parse( word, bc, bindkey, "bind config" ); } @@ -1259,10 +1303,12 @@ void bindconf_free( slap_bindconf *bc ) { BER_BVZERO( &bc->sb_authzId ); } #ifdef HAVE_TLS +#if 0 if ( bc->sb_tls_ctx ) { SSL_CTX_free( bc->sb_tls_ctx ); bc->sb_tls_ctx = NULL; } +#endif if ( bc->sb_tls_cert ) { ch_free( bc->sb_tls_cert ); bc->sb_tls_cert = NULL; @@ -1315,6 +1361,8 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld ) int i, rc, newctx = 0, res = 0; char *ptr = (char *)bc, **word; + bc->sb_tls_do_init = 0; + for (i=0; bindtlsopts[i].opt; i++) { word = (char **)(ptr + bindtlsopts[i].offset); if ( *word ) { @@ -1354,6 +1402,11 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld ) #endif if ( newctx ) { int opt = 0; + + if ( bc->sb_tls_ctx ) { + SSL_CTX_free( bc->sb_tls_ctx ); + bc->sb_tls_ctx = NULL; + } rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt ); if ( rc ) res = rc; @@ -1365,6 +1418,157 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld ) } #endif +/* + * connect to a client using the bindconf data + * note: should move "version" into bindconf... + */ +int +slap_client_connect( LDAP **ldp, slap_bindconf *sb ) +{ + LDAP *ld = NULL; + int rc; + + /* Init connection to master */ + rc = ldap_initialize( &ld, sb->sb_uri.bv_val ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "slap_client_connect: " + "ldap_initialize(%s) failed (%d)\n", + sb->sb_uri.bv_val, rc, 0 ); + return rc; + } + + if ( sb->sb_version != 0 ) { + ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, + (const void *)&sb->sb_version ); + } + +#ifdef HAVE_TLS + if ( sb->sb_tls_do_init ) { + rc = bindconf_tls_set( sb, ld ); + + } else if ( sb->sb_tls_ctx ) { + rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, + sb->sb_tls_ctx ); + } + + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "slap_client_connect: " + "URI=%s TLS context initialization failed (%d)\n", + sb->sb_uri.bv_val, rc, 0 ); + return rc; + } +#endif + + /* Bind */ + if ( sb->sb_tls ) { + rc = ldap_start_tls_s( ld, NULL, NULL ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "slap_client_connect: URI=%s " + "%s, ldap_start_tls failed (%d)\n", + sb->sb_uri.bv_val, + sb->sb_tls == SB_TLS_CRITICAL ? + "Error" : "Warning", + rc ); + if ( sb->sb_tls == SB_TLS_CRITICAL ) { + goto done; + } + } + } + + if ( sb->sb_method == LDAP_AUTH_SASL ) { +#ifdef HAVE_CYRUS_SASL + void *defaults; + + if ( sb->sb_secprops != NULL ) { + rc = ldap_set_option( ld, + LDAP_OPT_X_SASL_SECPROPS, sb->sb_secprops); + + if( rc != LDAP_OPT_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "slap_client_connect: " + "error, ldap_set_option " + "(%s,SECPROPS,\"%s\") failed!\n", + sb->sb_uri.bv_val, sb->sb_secprops, 0 ); + goto done; + } + } + + defaults = lutil_sasl_defaults( ld, + sb->sb_saslmech.bv_val, + sb->sb_realm.bv_val, + sb->sb_authcId.bv_val, + sb->sb_cred.bv_val, + sb->sb_authzId.bv_val ); + + rc = ldap_sasl_interactive_bind_s( ld, + sb->sb_binddn.bv_val, + sb->sb_saslmech.bv_val, + NULL, NULL, + LDAP_SASL_QUIET, + lutil_sasl_interact, + defaults ); + + lutil_sasl_freedefs( defaults ); + + /* FIXME: different error behaviors according to + * 1) return code + * 2) on err policy : exit, retry, backoff ... + */ + if ( rc != LDAP_SUCCESS ) { + static struct berval bv_GSSAPI = BER_BVC( "GSSAPI" ); + + Debug( LDAP_DEBUG_ANY, "slap_client_connect: URI=%s " + "ldap_sasl_interactive_bind_s failed (%d)\n", + sb->sb_uri.bv_val, rc, 0 ); + + /* FIXME (see above comment) */ + /* if Kerberos credentials cache is not active, retry */ + if ( ber_bvcmp( &sb->sb_saslmech, &bv_GSSAPI ) == 0 && + rc == LDAP_LOCAL_ERROR ) + { + rc = LDAP_SERVER_DOWN; + } + + goto done; + } +#else /* HAVE_CYRUS_SASL */ + /* Should never get here, we trapped this at config time */ + assert(0); + Debug( LDAP_DEBUG_SYNC, "not compiled with SASL support\n", 0, 0, 0 ); + rc = LDAP_OTHER; + goto done; +#endif + + } else if ( sb->sb_method == LDAP_AUTH_SIMPLE ) { + rc = ldap_sasl_bind_s( ld, + sb->sb_binddn.bv_val, LDAP_SASL_SIMPLE, + &sb->sb_cred, NULL, NULL, NULL ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "slap_client_connect: " + "URI=%s DN=\"%s\" " + "ldap_sasl_bind_s failed (%d)\n", + sb->sb_uri.bv_val, sb->sb_binddn.bv_val, rc ); + goto done; + } + } + +done:; + if ( rc ) { + if ( ld ) { + ldap_unbind_ext( ld, NULL, NULL ); + *ldp = NULL; + } + + } else { + *ldp = ld; + } + + return rc; +} + /* -------------------------------------- */ @@ -1423,7 +1627,7 @@ strtok_quote( char *line, char *sep, char **quote_ptr ) return( tmp ); } -static char buf[BUFSIZ]; +static char buf[AC_LINE_MAX]; static char *line; static size_t lmax, lcur; @@ -1431,7 +1635,7 @@ static size_t lmax, lcur; do { \ size_t len = strlen( buf ); \ while ( lcur + len + 1 > lmax ) { \ - lmax += BUFSIZ; \ + lmax += AC_LINE_MAX; \ line = (char *) ch_realloc( line, lmax ); \ } \ strcpy( line + lcur, buf ); \