+ Updated ldapdelete(1) to stdout bug (ITS#4453)
authorKurt Zeilenga <kurt@openldap.org>
Sat, 13 May 2006 05:55:00 +0000 (05:55 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Sat, 13 May 2006 05:55:00 +0000 (05:55 +0000)
+       Fixed slapo-ppolicy rebind bug (ITS#4516)
+       Documentation
+               Fixed slapd(8) logging header reference (ITS#4509)

CHANGES
clients/tools/ldapdelete.c
doc/man/man8/slapd.8
servers/slapd/overlays/ppolicy.c

diff --git a/CHANGES b/CHANGES
index 80a0bdb220703bd2359d05a7a080d44beb39a2b7..50ed1cce09e5147b81883b32a7e71c7e088a33df 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,7 @@ OpenLDAP 2.3.22 Engineering
        Fixed libldap_r tpool cleanup
        Fixed liblutil strtoul(3) usage (ITS#4503)
        Fixed liblutil time resolution issue (ITS#4514)
+       Updated ldapdelete(1) to stdout bug (ITS#4453)
        Updated ldapsearch(1) BASE output (ITS#4504)
        Fixed slapd backglue issue (ITS#4529)
        Fixed slapd cn=config (ITS#4512)
@@ -29,6 +30,7 @@ OpenLDAP 2.3.22 Engineering
        Added slapo-accesslog reqOld feature
        Fixed slapo-auditlog missing return codes
        Fixed slapo-ppolicy BER tags issue (ITS#4528)
+       Fixed slapo-ppolicy rebind bug (ITS#4516)
        Fixed slapo-refint delete prohibit issue (ITS#4442)
        Fixed slapo-syncprov MODs cause DELs (ITS#4423)
        Fixed slapo-syncprov/syncrepl sessionlog issue (ITS#4534)
@@ -37,6 +39,8 @@ OpenLDAP 2.3.22 Engineering
        Build Environment
                Fixed test020-proxycache disabled debug issue (ITS#4491)
                Fixed OSF1 compilation problem (ITS#4537)
+       Documentation
+               Fixed slapd(8) logging header reference (ITS#4509)
 
 OpenLDAP 2.3.21 Release
        Fixed libldap referral chasing issue (ITS#4448)
index 27d199b13fd9125907c196d99ec7035b13f94f1a..08f54f8848eaa4ec3343d90decfa5e5eae323cef 100644 (file)
@@ -263,8 +263,10 @@ static int dodelete(
                return rc;
        }
 
-       if( verbose || code != LDAP_SUCCESS ||
-               (matcheddn && *matcheddn) || (text && *text) || (refs && *refs) )
+       if( code != LDAP_SUCCESS ) {
+               tool_perror( "ldap_delete", code, NULL, matcheddn, text, refs );
+       } else if ( verbose && 
+               ((matcheddn && *matcheddn) || (text && *text) || (refs && *refs) ))
        {
                printf( _("Delete Result: %s (%d)\n"),
                        ldap_err2string( code ), code );
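Review bot: With the new `else if`, a verbose run of a successful delete no longer prints the `Delete Result: Success (0)` line unless a non-empty matcheddn, text or refs is also present, and nothing in the hunk says whether that narrowing is intended or a side effect of routing errors through tool_perror. If it is intended, a comment above the branch would save the next reader a trip to the ITS: `/* errors are reported via tool_perror; stdout only gets the result line under -v when the server returned extra info (ITS#4453) */`. I am inferring that tool_perror writes to stderr from the ITS title, not from anything visible here, so confirm before wording the comment. dodelete() starts before and continues after this hunk.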
index 727530dc93677c0a221497bddcccbbb2235c4698..8fed87f59e7b585a708a34e4816d5db400fa8ad8 100644 (file)
@@ -85,7 +85,7 @@ If this option is specified, even with a zero argument,
 will not fork or disassociate from the invoking terminal.  Some general
 operation and status messages are printed for any value of \fIdebug\-level\fP.
 \fIdebug\-level\fP is taken as a bit string, with each bit corresponding to a
-different kind of debugging information.  See <ldap.h> for details.
+different kind of debugging information.  See <ldap_log.h> for details.
 Remember that if you turn on packet logging, packets containing bind passwords
 will be output, so if you redirect the log to a logfile, that file should
 be read-protected.
index fb37f669ad8e6df895a6e7647f952f5a331cf7a0..3d2e6227b65d2f9ff4da1b3fbd67dfacf5ace2b3 100644 (file)
@@ -55,7 +55,7 @@ typedef struct pp_info {
  * used by all instances
  */
 typedef struct pw_conn {
-       int restricted;         /* TRUE if connection is restricted */
+       struct berval dn;       /* DN of restricted user */
 } pw_conn;
 
 static pw_conn *pwcons;
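Review bot: The rest of the fix hinges on `dn` being BER_BVZERO in any slot that never recorded a restriction, but this hunk only changes the field; the allocation of `pwcons` is outside the diff and must zero-initialize (ch_calloc or equivalent), otherwise a fresh connection index can present garbage to `BER_BVISEMPTY`, `dn_match` and eventually `ch_free`. Please confirm the allocator, and make the invariant explicit where the field is declared: `struct berval dn; /* normalized DN recorded by a pwdReset Bind; BER_BVZERO when this connection is unrestricted */`. The `used by all instances` comment above suggests the array is shared by every ppolicy instance, so the slot is per-connection rather than per-database, which is worth saying in the same comment.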
@@ -814,7 +814,8 @@ ppolicy_bind_resp( Operation *op, SlapReply *rs )
                         * that we are disallowed from doing anything
                         * other than change password.
                         */
-                       pwcons[op->o_conn->c_conn_idx].restricted = 1;
+                       ber_dupbv( &pwcons[op->o_conn->c_conn_idx].dn,
+                               &op->o_conn->c_ndn );
 
                        ppb->pErr = PP_changeAfterReset;
 
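Review bot: `ber_dupbv` copies `op->o_conn->c_ndn` from inside the Bind response callback, and whether the frontend has already switched `c_ndn` to the identity being bound at that point is not visible here; if it still holds the previous identity (empty on a fresh anonymous connection), the recorded DN is empty, `BER_BVISEMPTY` later reads the slot as unrestricted, and the pwdReset restriction silently never applies. If the callback runs before the connection is updated, the DN being bound is what should be recorded, `ber_dupbv( &pwcons[op->o_conn->c_conn_idx].dn, &op->o_req_ndn );`, and the later dn_match against c_ndn still holds once the Bind completes. A quick regression check is a pwdReset user binding on a brand-new connection and then issuing a search. ppolicy_bind_resp starts before and continues after this hunk.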
@@ -972,7 +973,10 @@ ppolicy_bind( Operation *op, SlapReply *rs )
        slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
 
        /* Reset lockout status on all Bind requests */
-       pwcons[op->o_conn->c_conn_idx].restricted = 0;
+       if ( !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) {
+               ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
+               BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
+       }
 
        /* Root bypasses policy */
        if ( !be_isroot_dn( op->o_bd, &op->o_req_ndn )) {
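Review bot: The free-then-BER_BVZERO pair on the `pwcons` slot appears here and again in ppolicy_connection_destroy, ppolicy_restrict and ppolicy_modify; one static helper keeps the four copies from drifting (a site that forgets the BER_BVZERO leaves a dangling bv_val for the next `BER_BVISEMPTY` check to dereference). A helper along the lines of the one below, called as `pwcons_clear( op->o_conn->c_conn_idx );` at each site, does it. The surviving comment `Reset lockout status` predates the change and now describes a restriction rather than a lockout; `/* Any new Bind request drops the pwdReset restriction on this connection */` reads truer. ppolicy_bind continues past the hunk.

```c
/* Drop the pwdReset restriction recorded for connection slot idx, if any. */
static void
pwcons_clear( int idx )
{
	if ( !BER_BVISEMPTY( &pwcons[idx].dn )) {
		ch_free( pwcons[idx].dn.bv_val );
		BER_BVZERO( &pwcons[idx].dn );
	}
}

/* … in ppolicy_bind(), unchanged apart from the call: */
	/* Any new Bind request drops the pwdReset restriction on this connection */
	pwcons_clear( op->o_conn->c_conn_idx );
```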
@@ -1026,11 +1030,14 @@ ppolicy_bind( Operation *op, SlapReply *rs )
        return SLAP_CB_CONTINUE;
 }
 
-/* Reset the restricted flag for the next session on this connection */
+/* Reset the restricted info for the next session on this connection */
 static int
 ppolicy_connection_destroy( BackendDB *bd, Connection *conn )
 {
-       pwcons[conn->c_conn_idx].restricted = 0;
+       if ( !BER_BVISEMPTY( &pwcons[conn->c_conn_idx].dn )) {
+               ch_free( pwcons[conn->c_conn_idx].dn.bv_val );
+               BER_BVZERO( &pwcons[conn->c_conn_idx].dn );
+       }
        return SLAP_CB_CONTINUE;
 }
 
@@ -1048,7 +1055,18 @@ ppolicy_restrict(
                send_ctrl = 1;
        }
 
-       if ( op->o_conn && pwcons[op->o_conn->c_conn_idx].restricted ) {
+       if ( op->o_conn && !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) {
+               /* if the current authcDN doesn't match the one we recorded,
+                * then an intervening Bind has succeeded and the restriction
+                * no longer applies. (ITS#4516)
+                */
+               if ( !dn_match( &op->o_conn->c_ndn,
+                               &pwcons[op->o_conn->c_conn_idx].dn )) {
+                       ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
+                       BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
+                       return SLAP_CB_CONTINUE;
+               }
+
                Debug( LDAP_DEBUG_TRACE,
                        "connection restricted to password changing only\n", 0, 0, 0);
                if ( send_ctrl ) {
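Review bot: The mismatch branch frees `pwcons[...].dn.bv_val` with no lock in sight, and the slot is shared by every operation on the connection; this branch is precisely the case where no ppolicy_bind cleared the slot (a Bind that bypassed the overlay, which is how I read ITS#4516), so if slapd runs two non-Bind operations of one connection concurrently, which as far as I know it does, both can pass `BER_BVISEMPTY`, both fail `dn_match`, and the second `ch_free` is a double free while the other thread may still be reading the freed DN. The same test-and-clear is repeated in ppolicy_modify. Holding `op->o_conn->c_mutex` around the test-and-clear, or a ppolicy-private mutex around every update of a pwcons slot, closes it; the Bind-side clears are presumably safe only because the frontend serializes Binds against other operations, which deserves a comment at that site rather than being left implicit. ppolicy_restrict starts before and continues after this hunk.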
@@ -1354,13 +1372,19 @@ ppolicy_modify( Operation *op, SlapReply *rs )
                }
        }
        
-       if (pwcons[op->o_conn->c_conn_idx].restricted && !mod_pw_only) {
-               Debug( LDAP_DEBUG_TRACE,
-                       "connection restricted to password changing only\n", 0, 0, 0 );
-               rs->sr_err = LDAP_INSUFFICIENT_ACCESS; 
-               rs->sr_text = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password";
-               pErr = PP_changeAfterReset;
-               goto return_results;
+       if (!BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn ) && !mod_pw_only ) {
+               if ( dn_match( &op->o_conn->c_ndn,
+                               &pwcons[op->o_conn->c_conn_idx].dn )) {
+                       Debug( LDAP_DEBUG_TRACE,
+                               "connection restricted to password changing only\n", 0, 0, 0 );
+                       rs->sr_err = LDAP_INSUFFICIENT_ACCESS; 
+                       rs->sr_text = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password";
+                       pErr = PP_changeAfterReset;
+                       goto return_results;
+               } else {
+                       ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
+                       BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
+               }
        }
 
        /*
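Review bot: The stale-DN cleanup in this hunk only runs when `!mod_pw_only`, so a password-only modify issued after an intervening Bind leaves the dead restriction in the slot until some later operation happens to clear it, whereas ppolicy_restrict clears it on every operation it sees. Testing the DN first and the operation type second makes the two sites agree and drops the double negative in the condition, as sketched below. ppolicy_modify starts before and continues after the hunk.

```c
	if ( !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) {
		if ( !dn_match( &op->o_conn->c_ndn,
				&pwcons[op->o_conn->c_conn_idx].dn )) {
			/* an intervening Bind succeeded: the restriction no longer applies (ITS#4516) */
			ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
			BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
		} else if ( !mod_pw_only ) {
			/* … unchanged: Debug, sr_err/sr_text, pErr, goto return_results … */
		}
	}
```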