X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fconfig.c;h=b90ae1ec756fe1d74fc26682732269dc4a591417;hb=8149863204f44539ec0d227f99a65490c970f661;hp=4c8c9874e34e9e6b4e03bdee634827e6f1ecad36;hpb=f8ad90167b1205c925f8e561a2e2a61af738dfbf;p=openldap diff --git a/servers/slapd/config.c b/servers/slapd/config.c index 4c8c9874e3..b90ae1ec75 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -2,7 +2,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 1998-2007 The OpenLDAP Foundation. + * Copyright 1998-2009 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -62,7 +62,9 @@ slap_mask_t global_allows = 0; slap_mask_t global_disallows = 0; int global_gentlehup = 0; int global_idletimeout = 0; +int global_writetimeout = 0; char *global_host = NULL; +struct berval global_host_bv = BER_BVNULL; char *global_realm = NULL; char *sasl_host = NULL; char **default_passwd_hash = NULL; @@ -86,7 +88,6 @@ int slapi_plugins_used = 0; static int fp_getline(FILE *fp, ConfigArgs *c); static void fp_getline_init(ConfigArgs *c); -static int fp_parse_line(ConfigArgs *c); static char *strtok_quote(char *line, char *sep, char **quote_ptr); static char *strtok_quote_ldif(char **line); @@ -127,6 +128,7 @@ int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) { int rc, arg_user, arg_type, arg_syn, iarg; unsigned uiarg; long larg; + unsigned long ularg; ber_len_t barg; if(Conf->arg_type == ARG_IGNORED) { @@ -144,7 +146,7 @@ int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) { } if(Conf->min_args && (c->argc < Conf->min_args)) { snprintf( c->cr_msg, sizeof( c->cr_msg ), "<%s> missing <%s> argument", - c->argv[0], Conf->what ); + c->argv[0], Conf->what ? Conf->what : "" ); Debug(LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE, "%s: keyword %s\n", c->log, c->cr_msg, 0 ); return(ARG_BAD_CONF); } @@ -215,6 +217,16 @@ int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) { ch_free( c->value_ndn.bv_val ); ch_free( c->value_dn.bv_val ); } + } else if(arg_type == ARG_ATDESC) { + const char *text = NULL; + c->value_ad = NULL; + rc = slap_str2ad( c->argv[1], &c->value_ad, &text ); + if ( rc != LDAP_SUCCESS ) { + snprintf( c->cr_msg, sizeof( c->cr_msg ), "<%s> invalid AttributeDescription %d (%s)", + c->argv[0], rc, text ); + Debug(LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE, "%s: %s\n" , c->log, c->cr_msg, 0); + return(ARG_BAD_CONF); + } } else { /* all numeric */ int j; iarg = 0; larg = 0; barg = 0; @@ -249,6 +261,16 @@ int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) { return(ARG_BAD_CONF); } break; + case ARG_ULONG: + if ( lutil_atoulx( &ularg, c->argv[1], 0 ) != 0 ) { + snprintf( c->cr_msg, sizeof( c->cr_msg ), + "<%s> unable to parse \"%s\" as unsigned long", + c->argv[0], c->argv[1] ); + Debug(LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE, "%s: %s\n", + c->log, c->cr_msg, 0); + return(ARG_BAD_CONF); + } + break; case ARG_BER_LEN_T: { unsigned long l; if ( lutil_atoulx( &l, c->argv[1], 0 ) != 0 ) { @@ -297,6 +319,7 @@ int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) { case ARG_INT: c->value_int = iarg; break; case ARG_UINT: c->value_uint = uiarg; break; case ARG_LONG: c->value_long = larg; break; + case ARG_ULONG: c->value_ulong = ularg; break; case ARG_BER_LEN_T: c->value_ber_t = barg; break; } } @@ -348,6 +371,7 @@ int config_set_vals(ConfigTable *Conf, ConfigArgs *c) { case ARG_INT: *(int*)ptr = c->value_int; break; case ARG_UINT: *(unsigned*)ptr = c->value_uint; break; case ARG_LONG: *(long*)ptr = c->value_long; break; + case ARG_ULONG: *(unsigned long*)ptr = c->value_ulong; break; case ARG_BER_LEN_T: *(ber_len_t*)ptr = c->value_ber_t; break; case ARG_STRING: { char *cc = *(char**)ptr; @@ -365,6 +389,9 @@ int config_set_vals(ConfigTable *Conf, ConfigArgs *c) { case ARG_BERVAL: *(struct berval *)ptr = c->value_bv; break; + case ARG_ATDESC: + *(AttributeDescription **)ptr = c->value_ad; + break; } return(0); } @@ -435,6 +462,7 @@ config_get_vals(ConfigTable *cf, ConfigArgs *c) case ARG_INT: c->value_int = *(int *)ptr; break; case ARG_UINT: c->value_uint = *(unsigned *)ptr; break; case ARG_LONG: c->value_long = *(long *)ptr; break; + case ARG_ULONG: c->value_ulong = *(unsigned long *)ptr; break; case ARG_BER_LEN_T: c->value_ber_t = *(ber_len_t *)ptr; break; case ARG_STRING: if ( *(char **)ptr ) @@ -442,6 +470,8 @@ config_get_vals(ConfigTable *cf, ConfigArgs *c) break; case ARG_BERVAL: ber_dupbv( &c->value_bv, (struct berval *)ptr ); break; + case ARG_ATDESC: + c->value_ad = *(AttributeDescription **)ptr; break; } } if ( cf->arg_type & ARGS_TYPES) { @@ -451,6 +481,7 @@ config_get_vals(ConfigTable *cf, ConfigArgs *c) case ARG_INT: bv.bv_len = snprintf(bv.bv_val, sizeof( c->log ), "%d", c->value_int); break; case ARG_UINT: bv.bv_len = snprintf(bv.bv_val, sizeof( c->log ), "%u", c->value_uint); break; case ARG_LONG: bv.bv_len = snprintf(bv.bv_val, sizeof( c->log ), "%ld", c->value_long); break; + case ARG_ULONG: bv.bv_len = snprintf(bv.bv_val, sizeof( c->log ), "%lu", c->value_ulong); break; case ARG_BER_LEN_T: bv.bv_len = snprintf(bv.bv_val, sizeof( c->log ), "%ld", c->value_ber_t); break; case ARG_ON_OFF: bv.bv_len = snprintf(bv.bv_val, sizeof( c->log ), "%s", c->value_int ? "TRUE" : "FALSE"); break; @@ -468,6 +499,13 @@ config_get_vals(ConfigTable *cf, ConfigArgs *c) return 1; } break; + case ARG_ATDESC: + if ( c->value_ad ) { + bv = c->value_ad->ad_cname; + } else { + return 1; + } + break; default: bv.bv_val = NULL; break; @@ -496,9 +534,6 @@ init_config_attrs(ConfigTable *ct) { fprintf( stderr, "init_config_attrs: register_at failed\n" ); return code; } -#ifndef LDAP_DEVEL - ct[i].ad->ad_type->sat_flags |= SLAP_AT_HIDE; -#endif } return 0; @@ -514,9 +549,6 @@ init_config_ocs( ConfigOCs *ocs ) { fprintf( stderr, "init_config_ocs: register_oc failed\n" ); return code; } -#ifndef LDAP_DEVEL - ocs[i].co_oc->soc_flags |= SLAP_OC_HIDE; -#endif } return 0; } @@ -722,7 +754,7 @@ read_config_file(const char *fname, int depth, ConfigArgs *cf, ConfigTable *cft) c->argc = 0; ch_free( c->tline ); - if ( fp_parse_line( c ) ) { + if ( config_fp_parse_line( c ) ) { rc = 1; goto done; } @@ -843,6 +875,10 @@ read_config_file(const char *fname, int depth, ConfigArgs *cf, ConfigTable *cft) rc = 0; done: + if ( cf ) { + cf->be = c->be; + cf->bi = c->bi; + } ch_free(c->tline); fclose(fp); ch_free(c->argv); @@ -1003,6 +1039,140 @@ enum_to_verb(slap_verbmasks *v, slap_mask_t m, struct berval *bv) { return -1; } +/* register a new verbmask */ +static int +slap_verbmask_register( slap_verbmasks *vm_, slap_verbmasks **vmp, struct berval *bv, int mask ) +{ + slap_verbmasks *vm = *vmp; + int i; + + /* check for duplicate word */ + /* NOTE: we accept duplicate codes; the first occurrence will be used + * when mapping from mask to verb */ + i = verb_to_mask( bv->bv_val, vm ); + if ( !BER_BVISNULL( &vm[ i ].word ) ) { + return -1; + } + + for ( i = 0; !BER_BVISNULL( &vm[ i ].word ); i++ ) + ; + + if ( vm == vm_ ) { + /* first time: duplicate array */ + vm = ch_calloc( i + 2, sizeof( slap_verbmasks ) ); + for ( i = 0; !BER_BVISNULL( &vm_[ i ].word ); i++ ) + { + ber_dupbv( &vm[ i ].word, &vm_[ i ].word ); + *((slap_mask_t*)&vm[ i ].mask) = vm_[ i ].mask; + } + + } else { + vm = ch_realloc( vm, (i + 2) * sizeof( slap_verbmasks ) ); + } + + ber_dupbv( &vm[ i ].word, bv ); + *((slap_mask_t*)&vm[ i ].mask) = mask; + + BER_BVZERO( &vm[ i+1 ].word ); + + *vmp = vm; + + return i; +} + +static slap_verbmasks slap_ldap_response_code_[] = { + { BER_BVC("success"), LDAP_SUCCESS }, + + { BER_BVC("operationsError"), LDAP_OPERATIONS_ERROR }, + { BER_BVC("protocolError"), LDAP_PROTOCOL_ERROR }, + { BER_BVC("timelimitExceeded"), LDAP_TIMELIMIT_EXCEEDED }, + { BER_BVC("sizelimitExceeded"), LDAP_SIZELIMIT_EXCEEDED }, + { BER_BVC("compareFalse"), LDAP_COMPARE_FALSE }, + { BER_BVC("compareTrue"), LDAP_COMPARE_TRUE }, + + { BER_BVC("authMethodNotSupported"), LDAP_AUTH_METHOD_NOT_SUPPORTED }, + { BER_BVC("strongAuthNotSupported"), LDAP_STRONG_AUTH_NOT_SUPPORTED }, + { BER_BVC("strongAuthRequired"), LDAP_STRONG_AUTH_REQUIRED }, + { BER_BVC("strongerAuthRequired"), LDAP_STRONGER_AUTH_REQUIRED }, +#if 0 /* not LDAPv3 */ + { BER_BVC("partialResults"), LDAP_PARTIAL_RESULTS }, +#endif + + { BER_BVC("referral"), LDAP_REFERRAL }, + { BER_BVC("adminlimitExceeded"), LDAP_ADMINLIMIT_EXCEEDED }, + { BER_BVC("unavailableCriticalExtension"), LDAP_UNAVAILABLE_CRITICAL_EXTENSION }, + { BER_BVC("confidentialityRequired"), LDAP_CONFIDENTIALITY_REQUIRED }, + { BER_BVC("saslBindInProgress"), LDAP_SASL_BIND_IN_PROGRESS }, + + { BER_BVC("noSuchAttribute"), LDAP_NO_SUCH_ATTRIBUTE }, + { BER_BVC("undefinedType"), LDAP_UNDEFINED_TYPE }, + { BER_BVC("inappropriateMatching"), LDAP_INAPPROPRIATE_MATCHING }, + { BER_BVC("constraintViolation"), LDAP_CONSTRAINT_VIOLATION }, + { BER_BVC("typeOrValueExists"), LDAP_TYPE_OR_VALUE_EXISTS }, + { BER_BVC("invalidSyntax"), LDAP_INVALID_SYNTAX }, + + { BER_BVC("noSuchObject"), LDAP_NO_SUCH_OBJECT }, + { BER_BVC("aliasProblem"), LDAP_ALIAS_PROBLEM }, + { BER_BVC("invalidDnSyntax"), LDAP_INVALID_DN_SYNTAX }, +#if 0 /* not LDAPv3 */ + { BER_BVC("isLeaf"), LDAP_IS_LEAF }, +#endif + { BER_BVC("aliasDerefProblem"), LDAP_ALIAS_DEREF_PROBLEM }, + + { BER_BVC("proxyAuthzFailure"), LDAP_X_PROXY_AUTHZ_FAILURE }, + { BER_BVC("inappropriateAuth"), LDAP_INAPPROPRIATE_AUTH }, + { BER_BVC("invalidCredentials"), LDAP_INVALID_CREDENTIALS }, + { BER_BVC("insufficientAccess"), LDAP_INSUFFICIENT_ACCESS }, + + { BER_BVC("busy"), LDAP_BUSY }, + { BER_BVC("unavailable"), LDAP_UNAVAILABLE }, + { BER_BVC("unwillingToPerform"), LDAP_UNWILLING_TO_PERFORM }, + { BER_BVC("loopDetect"), LDAP_LOOP_DETECT }, + + { BER_BVC("namingViolation"), LDAP_NAMING_VIOLATION }, + { BER_BVC("objectClassViolation"), LDAP_OBJECT_CLASS_VIOLATION }, + { BER_BVC("notAllowedOnNonleaf"), LDAP_NOT_ALLOWED_ON_NONLEAF }, + { BER_BVC("notAllowedOnRdn"), LDAP_NOT_ALLOWED_ON_RDN }, + { BER_BVC("alreadyExists"), LDAP_ALREADY_EXISTS }, + { BER_BVC("noObjectClassMods"), LDAP_NO_OBJECT_CLASS_MODS }, + { BER_BVC("resultsTooLarge"), LDAP_RESULTS_TOO_LARGE }, + { BER_BVC("affectsMultipleDsas"), LDAP_AFFECTS_MULTIPLE_DSAS }, + + { BER_BVC("other"), LDAP_OTHER }, + + /* extension-specific */ + + { BER_BVC("cupResourcesExhausted"), LDAP_CUP_RESOURCES_EXHAUSTED }, + { BER_BVC("cupSecurityViolation"), LDAP_CUP_SECURITY_VIOLATION }, + { BER_BVC("cupInvalidData"), LDAP_CUP_INVALID_DATA }, + { BER_BVC("cupUnsupportedScheme"), LDAP_CUP_UNSUPPORTED_SCHEME }, + { BER_BVC("cupReloadRequired"), LDAP_CUP_RELOAD_REQUIRED }, + + { BER_BVC("cancelled"), LDAP_CANCELLED }, + { BER_BVC("noSuchOperation"), LDAP_NO_SUCH_OPERATION }, + { BER_BVC("tooLate"), LDAP_TOO_LATE }, + { BER_BVC("cannotCancel"), LDAP_CANNOT_CANCEL }, + + { BER_BVC("assertionFailed"), LDAP_ASSERTION_FAILED }, + + { BER_BVC("proxiedAuthorizationDenied"), LDAP_PROXIED_AUTHORIZATION_DENIED }, + + { BER_BVC("syncRefreshRequired"), LDAP_SYNC_REFRESH_REQUIRED }, + + { BER_BVC("noOperation"), LDAP_X_NO_OPERATION }, + + { BER_BVNULL, 0 } +}; + +slap_verbmasks *slap_ldap_response_code = slap_ldap_response_code_; + +int +slap_ldap_response_code_register( struct berval *bv, int err ) +{ + return slap_verbmask_register( slap_ldap_response_code_, + &slap_ldap_response_code, bv, err ); +} + #ifdef HAVE_TLS static slap_verbmasks tlskey[] = { { BER_BVC("no"), SB_TLS_OFF }, @@ -1068,6 +1238,7 @@ static slap_cf_aux_table bindkey[] = { { BER_BVC("tls_cacertdir="), offsetof(slap_bindconf, sb_tls_cacertdir), 's', 1, NULL }, { BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 1, NULL }, { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 1, NULL }, + { BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 1, NULL }, #ifdef HAVE_OPENSSL_CRL { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 1, NULL }, #endif @@ -1264,19 +1435,26 @@ slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0 int slap_tls_get_config( LDAP *ld, int opt, char **val ) { +#ifdef HAVE_TLS slap_verbmasks *keys; int i, ival; *val = NULL; switch( opt ) { -#ifdef HAVE_TLS case LDAP_OPT_X_TLS_CRLCHECK: keys = crlkeys; break; case LDAP_OPT_X_TLS_REQUIRE_CERT: keys = vfykeys; break; -#endif + case LDAP_OPT_X_TLS_PROTOCOL_MIN: { + char buf[8]; + ldap_pvt_tls_get_option( ld, opt, &ival ); + snprintf( buf, sizeof( buf ), "%d.%d", + ( ival >> 8 ) & 0xff, ival & 0xff ); + *val = ch_strdup( buf ); + return 0; + } default: return -1; } @@ -1287,6 +1465,7 @@ slap_tls_get_config( LDAP *ld, int opt, char **val ) return 0; } } +#endif return -1; } @@ -1387,6 +1566,10 @@ void bindconf_free( slap_bindconf *bc ) { ch_free( bc->sb_tls_cipher_suite ); bc->sb_tls_cipher_suite = NULL; } + if ( bc->sb_tls_protocol_min ) { + ch_free( bc->sb_tls_protocol_min ); + bc->sb_tls_protocol_min = NULL; + } #ifdef HAVE_OPENSSL_CRL if ( bc->sb_tls_crlcheck ) { ch_free( bc->sb_tls_crlcheck ); @@ -1438,6 +1621,7 @@ static struct { { "tls_cacert", offsetof(slap_bindconf, sb_tls_cacert), LDAP_OPT_X_TLS_CACERTFILE }, { "tls_cacertdir", offsetof(slap_bindconf, sb_tls_cacertdir), LDAP_OPT_X_TLS_CACERTDIR }, { "tls_cipher_suite", offsetof(slap_bindconf, sb_tls_cipher_suite), LDAP_OPT_X_TLS_CIPHER_SUITE }, + { "tls_protocol_min", offsetof(slap_bindconf, sb_tls_protocol_min), LDAP_OPT_X_TLS_PROTOCOL_MIN }, {0, 0} }; @@ -1472,6 +1656,17 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld ) } else newctx = 1; } + if ( bc->sb_tls_protocol_min ) { + rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, + bc->sb_tls_protocol_min ); + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "bindconf_tls_set: failed to set tls_protocol_min to %s\n", + bc->sb_tls_protocol_min, 0, 0 ); + res = -1; + } else + newctx = 1; + } #ifdef HAVE_OPENSSL_CRL if ( bc->sb_tls_crlcheck ) { rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK, @@ -1798,8 +1993,8 @@ fp_getline( FILE *fp, ConfigArgs *c ) return(line[0] ? 1 : 0); } -static int -fp_parse_line(ConfigArgs *c) +int +config_fp_parse_line(ConfigArgs *c) { char *token; static char *const hide[] = { @@ -1852,7 +2047,7 @@ config_destroy( ) if ( frontendDB->be_schemadn.bv_val ) free( frontendDB->be_schemadn.bv_val ); if ( frontendDB->be_acl ) - acl_destroy( frontendDB->be_acl, NULL ); + acl_destroy( frontendDB->be_acl ); } free( line ); if ( slapd_args_file ) @@ -1931,3 +2126,66 @@ int config_generic_wrapper( Backend *be, const char *fname, int lineno, } return rc; } + +/* See if the given URL (in plain and parsed form) matches + * any of the server's listener addresses. Return matching + * Listener or NULL for no match. + */ +Listener *config_check_my_url( const char *url, LDAPURLDesc *lud ) +{ + Listener **l = slapd_get_listeners(); + int i, isMe; + + /* Try a straight compare with Listener strings */ + for ( i=0; l && l[i]; i++ ) { + if ( !strcasecmp( url, l[i]->sl_url.bv_val )) { + return l[i]; + } + } + + isMe = 0; + /* If hostname is empty, or is localhost, or matches + * our hostname, this url refers to this host. + * Compare it against listeners and ports. + */ + if ( !lud->lud_host || !lud->lud_host[0] || + !strncasecmp("localhost", lud->lud_host, + STRLENOF("localhost")) || + !strcasecmp( global_host, lud->lud_host )) { + + for ( i=0; l && l[i]; i++ ) { + LDAPURLDesc *lu2; + ldap_url_parse( l[i]->sl_url.bv_val, &lu2 ); + do { + if ( strcasecmp( lud->lud_scheme, + lu2->lud_scheme )) + break; + if ( lud->lud_port != lu2->lud_port ) + break; + /* Listener on ANY address */ + if ( !lu2->lud_host || !lu2->lud_host[0] ) { + isMe = 1; + break; + } + /* URL on ANY address */ + if ( !lud->lud_host || !lud->lud_host[0] ) { + isMe = 1; + break; + } + /* Listener has specific host, must + * match it + */ + if ( !strcasecmp( lud->lud_host, + lu2->lud_host )) { + isMe = 1; + break; + } + } while(0); + ldap_free_urldesc( lu2 ); + if ( isMe ) { + return l[i]; + } + } + } + return NULL; +}