X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fconfig.c;h=70a5a6375fd80a2ec5e1f84b364f30289ff7b293;hb=2bfe79fe884565801600e309d1fcbefa41fb0f4b;hp=8e8558c053b72ea06e576859d2f3cc1757409e48;hpb=0af1940f3fb59fe57b2281ef253fe1341c505c2c;p=openldap diff --git a/servers/slapd/config.c b/servers/slapd/config.c index 8e8558c053..70a5a6375f 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -43,8 +43,13 @@ #include "slapi/slapi.h" #endif #include "lutil.h" +#include "lutil_ldap.h" #include "config.h" +#ifdef HAVE_TLS +#include +#endif + #define ARGS_STEP 512 /* @@ -116,17 +121,20 @@ ConfigTable *config_find_keyword(ConfigTable *Conf, ConfigArgs *c) { } int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) { - int rc, arg_user, arg_type, iarg; + int rc, arg_user, arg_type, arg_syn, iarg; long larg; ber_len_t barg; - arg_type = Conf->arg_type; - if(arg_type == ARG_IGNORED) { + if(Conf->arg_type == ARG_IGNORED) { Debug(LDAP_DEBUG_CONFIG, "%s: keyword <%s> ignored\n", c->log, Conf->name, 0); return(0); } - if((arg_type & ARG_DN) && c->argc == 1) { + arg_type = Conf->arg_type & ARGS_TYPES; + arg_user = Conf->arg_type & ARGS_USERLAND; + arg_syn = Conf->arg_type & ARGS_SYNTAX; + + if((arg_type == ARG_DN) && c->argc == 1) { c->argc = 2; c->argv[1] = ""; } @@ -142,55 +150,71 @@ int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) { snprintf( c->msg, sizeof( c->msg ), "<%s> extra cruft after <%s>", c->argv[0], Conf->what ); -#ifdef LDAP_DEVEL ignored = ""; -#endif /* LDAP_DEVEL */ Debug(LDAP_DEBUG_CONFIG, "%s: %s%s.\n", c->log, c->msg, ignored ); -#ifdef LDAP_DEVEL return(ARG_BAD_CONF); -#endif /* LDAP_DEVEL */ } - if((arg_type & ARG_DB) && !c->be) { + if((arg_syn & ARG_DB) && !c->be) { snprintf( c->msg, sizeof( c->msg ), "<%s> only allowed within database declaration", c->argv[0] ); Debug(LDAP_DEBUG_CONFIG, "%s: keyword %s\n", c->log, c->msg, 0); return(ARG_BAD_CONF); } - if((arg_type & ARG_PRE_BI) && c->bi) { + if((arg_syn & ARG_PRE_BI) && c->bi) { snprintf( c->msg, sizeof( c->msg ), "<%s> must occur before any backend %sdeclaration", - c->argv[0], (arg_type & ARG_PRE_DB) ? "or database " : "" ); + c->argv[0], (arg_syn & ARG_PRE_DB) ? "or database " : "" ); Debug(LDAP_DEBUG_CONFIG, "%s: keyword %s\n", c->log, c->msg, 0 ); return(ARG_BAD_CONF); } - if((arg_type & ARG_PRE_DB) && c->be && c->be != frontendDB) { + if((arg_syn & ARG_PRE_DB) && c->be && c->be != frontendDB) { snprintf( c->msg, sizeof( c->msg ), "<%s> must occur before any database declaration", c->argv[0] ); Debug(LDAP_DEBUG_CONFIG, "%s: keyword %s\n", c->log, c->msg, 0); return(ARG_BAD_CONF); } - if((arg_type & ARG_PAREN) && *c->argv[1] != '(' /*')'*/) { + if((arg_syn & ARG_PAREN) && *c->argv[1] != '(' /*')'*/) { snprintf( c->msg, sizeof( c->msg ), "<%s> old format not supported", c->argv[0] ); Debug(LDAP_DEBUG_CONFIG, "%s: %s\n", c->log, c->msg, 0); return(ARG_BAD_CONF); } - if((arg_type & ARGS_POINTER) && !Conf->arg_item && !(arg_type & ARG_OFFSET)) { + if(arg_type && !Conf->arg_item && !(arg_syn & ARG_OFFSET)) { snprintf( c->msg, sizeof( c->msg ), "<%s> invalid config_table, arg_item is NULL", c->argv[0] ); Debug(LDAP_DEBUG_CONFIG, "%s: %s\n", c->log, c->msg, 0); return(ARG_BAD_CONF); } - c->type = arg_user = (arg_type & ARGS_USERLAND); + c->type = arg_user; memset(&c->values, 0, sizeof(c->values)); - if(arg_type & ARGS_NUMERIC) { + if(arg_type == ARG_STRING) { + if ( !check_only ) + c->value_string = ch_strdup(c->argv[1]); + } else if(arg_type == ARG_BERVAL) { + if ( !check_only ) + ber_str2bv( c->argv[1], 0, 1, &c->value_bv ); + } else if(arg_type == ARG_DN) { + struct berval bv; + ber_str2bv( c->argv[1], 0, 0, &bv ); + rc = dnPrettyNormal( NULL, &bv, &c->value_dn, &c->value_ndn, NULL ); + if ( rc != LDAP_SUCCESS ) { + snprintf( c->msg, sizeof( c->msg ), "<%s> invalid DN %d (%s)", + c->argv[0], rc, ldap_err2string( rc )); + Debug(LDAP_DEBUG_CONFIG, "%s: %s\n" , c->log, c->msg, 0); + return(ARG_BAD_CONF); + } + if ( check_only ) { + ch_free( c->value_ndn.bv_val ); + ch_free( c->value_dn.bv_val ); + } + } else { /* all numeric */ int j; iarg = 0; larg = 0; barg = 0; - switch(arg_type & ARGS_NUMERIC) { + switch(arg_type) { case ARG_INT: if ( lutil_atoix( &iarg, c->argv[1], 0 ) != 0 ) { snprintf( c->msg, sizeof( c->msg ), @@ -254,32 +278,12 @@ int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) { c->log, c->msg, 0 ); return(ARG_BAD_CONF); } - switch(arg_type & ARGS_NUMERIC) { + switch(arg_type) { case ARG_ON_OFF: case ARG_INT: c->value_int = iarg; break; case ARG_LONG: c->value_long = larg; break; case ARG_BER_LEN_T: c->value_ber_t = barg; break; } - } else if(arg_type & ARG_STRING) { - if ( !check_only ) - c->value_string = ch_strdup(c->argv[1]); - } else if(arg_type & ARG_BERVAL) { - if ( !check_only ) - ber_str2bv( c->argv[1], 0, 1, &c->value_bv ); - } else if(arg_type & ARG_DN) { - struct berval bv; - ber_str2bv( c->argv[1], 0, 0, &bv ); - rc = dnPrettyNormal( NULL, &bv, &c->value_dn, &c->value_ndn, NULL ); - if ( rc != LDAP_SUCCESS ) { - snprintf( c->msg, sizeof( c->msg ), "<%s> invalid DN %d (%s)", - c->argv[0], rc, ldap_err2string( rc )); - Debug(LDAP_DEBUG_CONFIG, "%s: %s\n" , c->log, c->msg, 0); - return(ARG_BAD_CONF); - } - if ( check_only ) { - ch_free( c->value_ndn.bv_val ); - ch_free( c->value_dn.bv_val ); - } } return 0; } @@ -308,7 +312,8 @@ int config_set_vals(ConfigTable *Conf, ConfigArgs *c) { return(0); } if(arg_type & ARG_OFFSET) { - if (c->be) + if (c->be && (!overlay_is_over(c->be) || + ((slap_overinfo *)c->be->bd_info)->oi_orig == c->bi)) ptr = c->be->be_private; else if (c->bi) ptr = c->bi->bi_private; @@ -320,11 +325,11 @@ int config_set_vals(ConfigTable *Conf, ConfigArgs *c) { return(ARG_BAD_CONF); } ptr = (void *)((char *)ptr + (long)Conf->arg_item); - } else if (arg_type & ARGS_POINTER) { + } else if (arg_type & ARGS_TYPES) { ptr = Conf->arg_item; } - if(arg_type & ARGS_POINTER) - switch(arg_type & ARGS_POINTER) { + if(arg_type & ARGS_TYPES) + switch(arg_type & ARGS_TYPES) { case ARG_ON_OFF: case ARG_INT: *(int*)ptr = c->value_int; break; case ARG_LONG: *(long*)ptr = c->value_long; break; @@ -399,7 +404,8 @@ config_get_vals(ConfigTable *cf, ConfigArgs *c) if ( rc ) return rc; } else { if ( cf->arg_type & ARG_OFFSET ) { - if ( c->be ) + if (c->be && (!overlay_is_over(c->be) || + ((slap_overinfo *)c->be->bd_info)->oi_orig == c->bi)) ptr = c->be->be_private; else if ( c->bi ) ptr = c->bi->bi_private; @@ -410,7 +416,7 @@ config_get_vals(ConfigTable *cf, ConfigArgs *c) ptr = cf->arg_item; } - switch(cf->arg_type & ARGS_POINTER) { + switch(cf->arg_type & ARGS_TYPES) { case ARG_ON_OFF: case ARG_INT: c->value_int = *(int *)ptr; break; case ARG_LONG: c->value_long = *(long *)ptr; break; @@ -423,9 +429,10 @@ config_get_vals(ConfigTable *cf, ConfigArgs *c) ber_dupbv( &c->value_bv, (struct berval *)ptr ); break; } } - if ( cf->arg_type & ARGS_POINTER) { + if ( cf->arg_type & ARGS_TYPES) { + bv.bv_len = 0; bv.bv_val = c->log; - switch(cf->arg_type & ARGS_POINTER) { + switch(cf->arg_type & ARGS_TYPES) { case ARG_INT: bv.bv_len = snprintf(bv.bv_val, sizeof( c->log ), "%d", c->value_int); break; case ARG_LONG: bv.bv_len = snprintf(bv.bv_val, sizeof( c->log ), "%ld", c->value_long); break; case ARG_BER_LEN_T: bv.bv_len = snprintf(bv.bv_val, sizeof( c->log ), "%ld", c->value_ber_t); break; @@ -445,14 +452,19 @@ config_get_vals(ConfigTable *cf, ConfigArgs *c) return 1; } break; + default: + bv.bv_val = NULL; + break; } if (bv.bv_val == c->log && bv.bv_len >= sizeof( c->log ) ) { return 1; } - if (( cf->arg_type & ARGS_POINTER ) == ARG_STRING ) + if (( cf->arg_type & ARGS_TYPES ) == ARG_STRING ) { ber_bvarray_add(&c->rvalue_vals, &bv); - else + } else if ( !BER_BVISNULL( &bv ) ) { value_add_one(&c->rvalue_vals, &bv); + } + /* else: maybe c->rvalue_vals already set? */ } return rc; } @@ -497,6 +509,10 @@ init_config_attrs(ConfigTable *ct) { fprintf( stderr, "init_config_attrs: AttributeType \"%s\": %s\n", ct[i].attribute, err ); return code; + } else { +#ifndef LDAP_DEVEL + ct[i].ad->ad_type->sat_flags |= SLAP_AT_HIDE; +#endif } } @@ -527,10 +543,14 @@ init_config_ocs( ConfigOCs *ocs ) { return code; } ocs[i].co_oc = oc_find(oc->oc_names[0]); - if ( code ) + if ( code ) { ldap_objectclass_free(oc); - else + } else { ldap_memfree(oc); +#ifndef LDAP_DEVEL + ocs[i].co_oc->soc_flags |= SLAP_OC_HIDE; +#endif + } } return 0; } @@ -552,7 +572,7 @@ strtok_quote_ldif( char **line ) if ( !ptr || !*ptr ) return NULL; - while( isspace( *ptr )) ptr++; + while( isspace( (unsigned char) *ptr )) ptr++; if ( *ptr == '"' ) { inquote = 1; @@ -563,7 +583,7 @@ strtok_quote_ldif( char **line ) for (;*ptr;ptr++) { if ( *ptr == '"' ) { - if ( inquote && ( !ptr[1] || isspace(ptr[1]))) { + if ( inquote && ( !ptr[1] || isspace((unsigned char) ptr[1]))) { *ptr++ = '\0'; break; } @@ -573,7 +593,7 @@ strtok_quote_ldif( char **line ) } if ( inquote ) continue; - if ( isspace( *ptr )) { + if ( isspace( (unsigned char) *ptr )) { *ptr++ = '\0'; break; } @@ -587,7 +607,7 @@ strtok_quote_ldif( char **line ) if ( !*ptr ) { *line = NULL; } else { - while ( isspace( *ptr )) ptr++; + while ( isspace( (unsigned char) *ptr )) ptr++; *line = ptr; } return beg; @@ -864,14 +884,21 @@ done: /* restrictops, allows, disallows, requires, loglevel */ int -verb_to_mask(const char *word, slap_verbmasks *v) { +bverb_to_mask(struct berval *bword, slap_verbmasks *v) { int i; for(i = 0; !BER_BVISNULL(&v[i].word); i++) { - if(!strcasecmp(word, v[i].word.bv_val)) break; + if(!ber_bvstrcasecmp(bword, &v[i].word)) break; } return(i); } +int +verb_to_mask(const char *word, slap_verbmasks *v) { + struct berval bword; + ber_str2bv( word, 0, 0, &bword ); + return bverb_to_mask( &bword, v ); +} + int verbs_to_mask(int argc, char *argv[], slap_verbmasks *v, slap_mask_t *m) { int i, j; @@ -1007,12 +1034,14 @@ enum_to_verb(slap_verbmasks *v, slap_mask_t m, struct berval *bv) { return -1; } +#ifdef HAVE_TLS static slap_verbmasks tlskey[] = { { BER_BVC("no"), SB_TLS_OFF }, { BER_BVC("yes"), SB_TLS_ON }, { BER_BVC("critical"), SB_TLS_CRITICAL }, { BER_BVNULL, 0 } }; +#endif static slap_verbmasks methkey[] = { { BER_BVC("none"), LDAP_AUTH_NONE }, @@ -1023,9 +1052,15 @@ static slap_verbmasks methkey[] = { { BER_BVNULL, 0 } }; +static slap_verbmasks versionkey[] = { + { BER_BVC("2"), LDAP_VERSION2 }, + { BER_BVC("3"), LDAP_VERSION3 }, + { BER_BVNULL, 0 } +}; + static slap_cf_aux_table bindkey[] = { { BER_BVC("uri="), offsetof(slap_bindconf, sb_uri), 'b', 1, NULL }, - { BER_BVC("starttls="), offsetof(slap_bindconf, sb_tls), 'd', 0, tlskey }, + { BER_BVC("version="), offsetof(slap_bindconf, sb_version), 'd', 0, versionkey }, { BER_BVC("bindmethod="), offsetof(slap_bindconf, sb_method), 'd', 0, methkey }, { BER_BVC("binddn="), offsetof(slap_bindconf, sb_binddn), 'b', 1, NULL }, { BER_BVC("credentials="), offsetof(slap_bindconf, sb_cred), 'b', 1, NULL }, @@ -1034,13 +1069,28 @@ static slap_cf_aux_table bindkey[] = { { BER_BVC("realm="), offsetof(slap_bindconf, sb_realm), 'b', 0, NULL }, { BER_BVC("authcID="), offsetof(slap_bindconf, sb_authcId), 'b', 0, NULL }, { BER_BVC("authzID="), offsetof(slap_bindconf, sb_authzId), 'b', 1, NULL }, +#ifdef HAVE_TLS + { BER_BVC("starttls="), offsetof(slap_bindconf, sb_tls), 'd', 0, tlskey }, + +#define aux_TLS (bindkey+10) /* beginning of TLS keywords */ + + { BER_BVC("tls_cert="), offsetof(slap_bindconf, sb_tls_cert), 's', 1, NULL }, + { BER_BVC("tls_key="), offsetof(slap_bindconf, sb_tls_key), 's', 1, NULL }, + { BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL }, + { BER_BVC("tls_cacertdir="), offsetof(slap_bindconf, sb_tls_cacertdir), 's', 1, NULL }, + { BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 1, NULL }, + { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 1, NULL }, +#ifdef HAVE_OPENSSL_CRL + { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 1, NULL }, +#endif +#endif { BER_BVNULL, 0, 0, 0, NULL } }; int slap_cf_aux_table_parse( const char *word, void *dst, slap_cf_aux_table *tab0, LDAP_CONST char *tabmsg ) { - int rc = 0; + int rc = SLAP_CONF_UNKNOWN; slap_cf_aux_table *tab; for (tab = tab0; !BER_BVISNULL(&tab->key); tab++ ) { @@ -1057,11 +1107,13 @@ slap_cf_aux_table_parse( const char *word, void *dst, slap_cf_aux_table *tab0, L case 's': cptr = (char **)((char *)dst + tab->off); *cptr = ch_strdup( val ); + rc = 0; break; case 'b': bptr = (struct berval *)((char *)dst + tab->off); ber_str2bv( val, 0, 1, bptr ); + rc = 0; break; case 'd': @@ -1117,7 +1169,7 @@ slap_cf_aux_table_parse( const char *word, void *dst, slap_cf_aux_table *tab0, L int slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0 ) { - char buf[BUFSIZ], *ptr; + char buf[AC_LINE_MAX], *ptr; slap_cf_aux_table *tab; struct berval tmp; @@ -1201,6 +1253,13 @@ slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0 int bindconf_parse( const char *word, slap_bindconf *bc ) { +#ifdef HAVE_TLS + /* Detect TLS config changes explicitly */ + if ( slap_cf_aux_table_parse( word, bc, aux_TLS, "tls config" ) == 0 ) { + bc->sb_tls_do_init = 1; + return 0; + } +#endif return slap_cf_aux_table_parse( word, bc, bindkey, "bind config" ); } @@ -1243,8 +1302,272 @@ void bindconf_free( slap_bindconf *bc ) { ch_free( bc->sb_authzId.bv_val ); BER_BVZERO( &bc->sb_authzId ); } +#ifdef HAVE_TLS +#if 0 + if ( bc->sb_tls_ctx ) { + SSL_CTX_free( bc->sb_tls_ctx ); + bc->sb_tls_ctx = NULL; + } +#endif + if ( bc->sb_tls_cert ) { + ch_free( bc->sb_tls_cert ); + bc->sb_tls_cert = NULL; + } + if ( bc->sb_tls_key ) { + ch_free( bc->sb_tls_key ); + bc->sb_tls_key = NULL; + } + if ( bc->sb_tls_cacert ) { + ch_free( bc->sb_tls_cacert ); + bc->sb_tls_cacert = NULL; + } + if ( bc->sb_tls_cacertdir ) { + ch_free( bc->sb_tls_cacertdir ); + bc->sb_tls_cacertdir = NULL; + } + if ( bc->sb_tls_reqcert ) { + ch_free( bc->sb_tls_reqcert ); + bc->sb_tls_reqcert = NULL; + } + if ( bc->sb_tls_cipher_suite ) { + ch_free( bc->sb_tls_cipher_suite ); + bc->sb_tls_cipher_suite = NULL; + } +#ifdef HAVE_OPENSSL_CRL + if ( bc->sb_tls_crlcheck ) { + ch_free( bc->sb_tls_crlcheck ); + bc->sb_tls_crlcheck = NULL; + } +#endif +#endif } +#ifdef HAVE_TLS +static struct { + const char *key; + size_t offset; + int opt; +} bindtlsopts[] = { + { "tls_cert", offsetof(slap_bindconf, sb_tls_cert), LDAP_OPT_X_TLS_CERTFILE }, + { "tls_key", offsetof(slap_bindconf, sb_tls_key), LDAP_OPT_X_TLS_KEYFILE }, + { "tls_cacert", offsetof(slap_bindconf, sb_tls_cacert), LDAP_OPT_X_TLS_CACERTFILE }, + { "tls_cacertdir", offsetof(slap_bindconf, sb_tls_cacertdir), LDAP_OPT_X_TLS_CACERTDIR }, + { "tls_cipher_suite", offsetof(slap_bindconf, sb_tls_cipher_suite), LDAP_OPT_X_TLS_CIPHER_SUITE }, + {0, 0} +}; + +int bindconf_tls_set( slap_bindconf *bc, LDAP *ld ) +{ + int i, rc, newctx = 0, res = 0; + char *ptr = (char *)bc, **word; + + bc->sb_tls_do_init = 0; + + for (i=0; bindtlsopts[i].opt; i++) { + word = (char **)(ptr + bindtlsopts[i].offset); + if ( *word ) { + rc = ldap_set_option( ld, bindtlsopts[i].opt, *word ); + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "bindconf_tls_set: failed to set %s to %s\n", + bindtlsopts[i].key, *word, 0 ); + res = -1; + } else + newctx = 1; + } + } + if ( bc->sb_tls_reqcert ) { + rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, + bc->sb_tls_reqcert ); + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "bindconf_tls_set: failed to set tls_reqcert to %s\n", + bc->sb_tls_reqcert, 0, 0 ); + res = -1; + } else + newctx = 1; + } +#ifdef HAVE_OPENSSL_CRL + if ( bc->sb_tls_crlcheck ) { + rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK, + bc->sb_tls_crlcheck ); + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "bindconf_tls_set: failed to set tls_crlcheck to %s\n", + bc->sb_tls_crlcheck, 0, 0 ); + res = -1; + } else + newctx = 1; + } +#endif + if ( newctx ) { + int opt = 0; + + if ( bc->sb_tls_ctx ) { + SSL_CTX_free( bc->sb_tls_ctx ); + bc->sb_tls_ctx = NULL; + } + rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt ); + if ( rc ) + res = rc; + else + ldap_get_option( ld, LDAP_OPT_X_TLS_CTX, &bc->sb_tls_ctx ); + } + + return res; +} +#endif + +/* + * connect to a client using the bindconf data + * note: should move "version" into bindconf... + */ +int +slap_client_connect( LDAP **ldp, slap_bindconf *sb ) +{ + LDAP *ld = NULL; + int rc; + + /* Init connection to master */ + rc = ldap_initialize( &ld, sb->sb_uri.bv_val ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "slap_client_connect: " + "ldap_initialize(%s) failed (%d)\n", + sb->sb_uri.bv_val, rc, 0 ); + return rc; + } + + if ( sb->sb_version != 0 ) { + ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, + (const void *)&sb->sb_version ); + } + +#ifdef HAVE_TLS + if ( sb->sb_tls_do_init ) { + rc = bindconf_tls_set( sb, ld ); + + } else if ( sb->sb_tls_ctx ) { + rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, + sb->sb_tls_ctx ); + } + + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "slap_client_connect: " + "URI=%s TLS context initialization failed (%d)\n", + sb->sb_uri.bv_val, rc, 0 ); + return rc; + } +#endif + + /* Bind */ + if ( sb->sb_tls ) { + rc = ldap_start_tls_s( ld, NULL, NULL ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "slap_client_connect: URI=%s " + "%s, ldap_start_tls failed (%d)\n", + sb->sb_uri.bv_val, + sb->sb_tls == SB_TLS_CRITICAL ? + "Error" : "Warning", + rc ); + if ( sb->sb_tls == SB_TLS_CRITICAL ) { + goto done; + } + } + } + + if ( sb->sb_method == LDAP_AUTH_SASL ) { +#ifdef HAVE_CYRUS_SASL + void *defaults; + + if ( sb->sb_secprops != NULL ) { + rc = ldap_set_option( ld, + LDAP_OPT_X_SASL_SECPROPS, sb->sb_secprops); + + if( rc != LDAP_OPT_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "slap_client_connect: " + "error, ldap_set_option " + "(%s,SECPROPS,\"%s\") failed!\n", + sb->sb_uri.bv_val, sb->sb_secprops, 0 ); + goto done; + } + } + + defaults = lutil_sasl_defaults( ld, + sb->sb_saslmech.bv_val, + sb->sb_realm.bv_val, + sb->sb_authcId.bv_val, + sb->sb_cred.bv_val, + sb->sb_authzId.bv_val ); + + rc = ldap_sasl_interactive_bind_s( ld, + sb->sb_binddn.bv_val, + sb->sb_saslmech.bv_val, + NULL, NULL, + LDAP_SASL_QUIET, + lutil_sasl_interact, + defaults ); + + lutil_sasl_freedefs( defaults ); + + /* FIXME: different error behaviors according to + * 1) return code + * 2) on err policy : exit, retry, backoff ... + */ + if ( rc != LDAP_SUCCESS ) { + static struct berval bv_GSSAPI = BER_BVC( "GSSAPI" ); + + Debug( LDAP_DEBUG_ANY, "slap_client_connect: URI=%s " + "ldap_sasl_interactive_bind_s failed (%d)\n", + sb->sb_uri.bv_val, rc, 0 ); + + /* FIXME (see above comment) */ + /* if Kerberos credentials cache is not active, retry */ + if ( ber_bvcmp( &sb->sb_saslmech, &bv_GSSAPI ) == 0 && + rc == LDAP_LOCAL_ERROR ) + { + rc = LDAP_SERVER_DOWN; + } + + goto done; + } +#else /* HAVE_CYRUS_SASL */ + /* Should never get here, we trapped this at config time */ + assert(0); + Debug( LDAP_DEBUG_SYNC, "not compiled with SASL support\n", 0, 0, 0 ); + rc = LDAP_OTHER; + goto done; +#endif + + } else if ( sb->sb_method == LDAP_AUTH_SIMPLE ) { + rc = ldap_sasl_bind_s( ld, + sb->sb_binddn.bv_val, LDAP_SASL_SIMPLE, + &sb->sb_cred, NULL, NULL, NULL ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, "slap_client_connect: " + "URI=%s DN=\"%s\" " + "ldap_sasl_bind_s failed (%d)\n", + sb->sb_uri.bv_val, sb->sb_binddn.bv_val, rc ); + goto done; + } + } + +done:; + if ( rc ) { + if ( ld ) { + ldap_unbind_ext( ld, NULL, NULL ); + *ldp = NULL; + } + + } else { + *ldp = ld; + } + + return rc; +} /* -------------------------------------- */ @@ -1304,7 +1627,7 @@ strtok_quote( char *line, char *sep, char **quote_ptr ) return( tmp ); } -static char buf[BUFSIZ]; +static char buf[AC_LINE_MAX]; static char *line; static size_t lmax, lcur; @@ -1312,7 +1635,7 @@ static size_t lmax, lcur; do { \ size_t len = strlen( buf ); \ while ( lcur + len + 1 > lmax ) { \ - lmax += BUFSIZ; \ + lmax += AC_LINE_MAX; \ line = (char *) ch_realloc( line, lmax ); \ } \ strcpy( line + lcur, buf ); \