From: Pierangelo Masarati Date: Mon, 5 Apr 2004 17:36:53 +0000 (+0000) Subject: exploit new frontend API 2 protocol error mapping; use urldesc... X-Git-Tag: OPENLDAP_REL_ENG_2_2_BP~142 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=6a1dd9a1cdb4970a471750b4a1206509048823e0;p=openldap exploit new frontend API 2 protocol error mapping; use urldesc... --- diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h index c4692f361e..2c1c2ce07f 100644 --- a/servers/slapd/back-ldap/back-ldap.h +++ b/servers/slapd/back-ldap/back-ldap.h @@ -80,7 +80,8 @@ struct ldaprwmap { struct ldapinfo { struct slap_backend_db *be; - char *url; + char *url; + LDAPURLDesc *lud; struct berval binddn; struct berval bindpw; #ifdef LDAP_BACK_PROXY_AUTHZ diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c index 29bc8b24ab..76d73abfb7 100644 --- a/servers/slapd/back-ldap/bind.c +++ b/servers/slapd/back-ldap/bind.c @@ -248,7 +248,7 @@ ldap_back_getconn(Operation *op, SlapReply *rs) rs->sr_err = ldap_initialize(&ld, li->url); if (rs->sr_err != LDAP_SUCCESS) { - rs->sr_err = ldap_back_map_result(rs); + rs->sr_err = slap_map_api2result( rs ); if (rs->sr_text == NULL) { rs->sr_text = "ldap_initialize() failed"; } @@ -446,10 +446,10 @@ ldap_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request, return ldap_bind_s( ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE ); } +#if 0 /* deprecated in favour of slap_map_api2result() */ /* Map API errors to protocol errors... */ - int -ldap_back_map_result(SlapReply *rs) +ldap_back_map_result( SlapReply *rs ) { switch(rs->sr_err) { @@ -489,12 +489,12 @@ ldap_back_map_result(SlapReply *rs) case LDAP_REFERRAL_LIMIT_EXCEEDED: return LDAP_LOOP_DETECT; default: - if LDAP_API_ERROR(rs->sr_err) + if ( LDAP_API_ERROR(rs->sr_err) ) return LDAP_OTHER; - else - return rs->sr_err; + return rs->sr_err; } } +#endif int ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs, 
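Review bot: The new `lud` member in `struct ldapinfo` has no comment saying who owns it or how it relates to `url`. From the other hunks of this commit it is filled by `ldap_url_parse()` in the `uri` directive and released in `ldap_back_db_destroy()`, so a short note would help: `LDAPURLDesc *lud; /* parsed form of url; owned by ldapinfo, freed in ldap_back_db_destroy() */`. The config code tests `li->lud != NULL` before freeing, which assumes the structure is zero-initialised when it is allocated; that allocation is not visible in this diff and is worth confirming.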
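Review bot: `ldap_back_map_result()` is kept under `#if 0` rather than deleted, and the hunk still reformats its body (`if ( LDAP_API_ERROR(rs->sr_err) )`), which is churn on code that is no longer compiled. Every call site visible in this commit now uses `slap_map_api2result()`, so I would remove the function outright; that way a second, possibly divergent API-to-protocol error table cannot be re-enabled by accident, and history keeps the old version. If it has to stay for a while, the `/* deprecated in favour of slap_map_api2result() */` comment should say whether the two tables map any result code differently.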
@@ -502,28 +502,43 @@ ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs, { struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private; char *match = NULL; - LDAPMessage *res; + LDAPMessage *res = NULL; char *text = NULL; +#define ERR_OK(err) ((err) == LDAP_SUCCESS || (err) == LDAP_COMPARE_FALSE || (err) == LDAP_COMPARE_TRUE) + rs->sr_text = NULL; rs->sr_matched = NULL; - if (rs->sr_err == LDAP_SUCCESS) { - if (ldap_result(lc->ld, msgid, 1, NULL, &res) == -1) { + /* if the error recorded in the reply corresponds + * to a successful state, get the error from the + * remote server response */ + if ( ERR_OK( rs->sr_err ) ) { + /* if result parsing fails, note the failure reason */ + if ( ldap_result( lc->ld, msgid, 1, NULL, &res ) == -1 ) { ldap_get_option(lc->ld, LDAP_OPT_ERROR_NUMBER, &rs->sr_err); + + /* otherwise get the result; if it is not + * LDAP_SUCCESS, record it in the reply + * structure (this includes + * LDAP_COMPARE_{TRUE|FALSE}) */ } else { int rc = ldap_parse_result(lc->ld, res, &rs->sr_err, &match, &text, NULL, NULL, 1); rs->sr_text = text; - if (rc != LDAP_SUCCESS) rs->sr_err = rc; + if ( rc != LDAP_SUCCESS ) rs->sr_err = rc; } } - if (rs->sr_err != LDAP_SUCCESS) { - rs->sr_err = ldap_back_map_result(rs); + /* if the error in the reply structure is not + * LDAP_SUCCESS, try to map it from client + * to server error */ + if ( !ERR_OK( rs->sr_err ) ) { + rs->sr_err = slap_map_api2result( rs ); - /* internal ops must not reply to client */ + /* internal ops ( op->o_conn == NULL ) + * must not reply to client */ if ( op->o_conn && !op->o_do_not_cache && match ) { struct berval dn, mdn; dncookie dc; 
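Review bot: `ERR_OK` is `#define`d among the local declarations of `ldap_back_op_result()` and never `#undef`ed, so it stays visible to everything that follows in bind.c and evaluates its argument three times. Move it to file scope, or make it a small `static` function such as `static int ldap_back_err_ok( int err )`. On the `ldap_result() == -1` path the return value of `ldap_get_option()` is not checked; if that call fails, `rs->sr_err` presumably keeps its successful value and the function reports success with nothing parsed, so a fallback like `rs->sr_err = LDAP_OTHER;` would make that path fail closed. The comment above the mapping block still says "not LDAP_SUCCESS" although the test is now `!ERR_OK( rs->sr_err )`. The function body continues past this hunk.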
@@ -539,11 +554,14 @@ ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs, #endif ber_str2bv(match, 0, 0, &dn); ldap_back_dn_massage(&dc, &dn, &mdn); + + /* record the (massaged) matched + * DN into the reply structure */ rs->sr_matched = mdn.bv_val; } } - if (op->o_conn && (sendok || rs->sr_err != LDAP_SUCCESS)) { + if ( op->o_conn && ( sendok || rs->sr_err != LDAP_SUCCESS ) ) { send_ldap_result( op, rs ); } if ( match ) { @@ -557,7 +575,7 @@ ldap_back_op_result(struct ldapconn *lc, Operation *op, SlapReply *rs, ldap_memfree( text ); } rs->sr_text = NULL; - return( (rs->sr_err == LDAP_SUCCESS) ? 0 : -1 ); + return( ERR_OK( rs->sr_err ) ? 0 : -1 ); } #ifdef LDAP_BACK_PROXY_AUTHZ diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c index 32da6f9f3d..4ba0036665 100644 --- a/servers/slapd/back-ldap/config.c +++ b/servers/slapd/back-ldap/config.c @@ -70,7 +70,7 @@ ldap_back_db_config( /* URI of server to query (preferred over "server" directive) */ } else if ( strcasecmp( argv[0], "uri" ) == 0 ) { - LDAPURLDesc *lud, tmplud; + LDAPURLDesc tmplud; if (argc != 2) { fprintf( stderr, "%s: line %d: " @@ -82,8 +82,11 @@ ldap_back_db_config( if ( li->url != NULL ) { ch_free( li->url ); } + if ( li->lud != NULL ) { + ldap_free_urldesc( li->lud ); + } - if ( ldap_url_parse( argv[ 1 ], &lud ) != LDAP_URL_SUCCESS ) { + if ( ldap_url_parse( argv[ 1 ], &li->lud ) != LDAP_URL_SUCCESS ) { fprintf( stderr, "%s: line %d: " "unable to parse uri \"%s\" " "in \"uri \" line\n", @@ -91,10 +94,10 @@ ldap_back_db_config( return 1; } - if ( ( lud->lud_dn != NULL && lud->lud_dn[0] != '\0' ) - || lud->lud_attrs != NULL - || lud->lud_filter != NULL - || lud->lud_exts != NULL ) + if ( ( li->lud->lud_dn != NULL && li->lud->lud_dn[0] != '\0' ) + || li->lud->lud_attrs != NULL + || li->lud->lud_filter != NULL + || li->lud->lud_exts != NULL ) { fprintf( stderr, "%s: line %d: " "warning, only protocol, " 
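Review bot: The send condition `( sendok || rs->sr_err != LDAP_SUCCESS )` still compares against `LDAP_SUCCESS` while the rest of the function has switched to `ERR_OK()`. With `sendok == 0`, a compareTrue or compareFalse outcome is therefore sent to the client from here, even though the function's return value reports it as success. If that is intended, say so in a comment such as `/* compare results are always sent from here */`; if not, the test should read `( sendok || !ERR_OK( rs->sr_err ) )`. The callers are outside this diff, so the hunk alone does not show which behaviour they expect.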
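Review bot: Returning 0 for `LDAP_COMPARE_TRUE` and `LDAP_COMPARE_FALSE` widens the contract of `ldap_back_op_result()` for every caller, not only the compare path. A caller that reads a 0 return as "the remote operation succeeded" would now also accept a compare result code arriving from the remote server in a non-compare response; those callers are not part of this diff and should be audited. I would document the return value above the function, e.g. `/* returns 0 if rs->sr_err is LDAP_SUCCESS or LDAP_COMPARE_{TRUE|FALSE}, -1 otherwise */`, or restrict the relaxed check to compare operations.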
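Review bot: In the `uri` branch of `ldap_back_db_config()`, `li->lud` is freed but not reset before `ldap_url_parse()` is called, and the same holds for `li->url` on the context lines just above. The parse-failure path then does `return 1` with whatever is left in those fields. `ldap_back_db_destroy()` (init.c hunk of this commit) frees both whenever they are non-NULL, so a failed `uri` directive depends on `ldap_url_parse()` clearing its out-parameter to avoid a stale pointer or double free. Add `li->lud = NULL;` after `ldap_free_urldesc( li->lud );` and `li->url = NULL;` after `ch_free( li->url );`.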
@@ -105,7 +108,7 @@ ldap_back_db_config( #if 0 tmplud = *lud; - tmplud.lud_dn = NULL; + tmplud.lud_dn = ""; tmplud.lud_attrs = NULL; tmplud.lud_filter = NULL; if ( !ldap_is_ldapi_url( argv[ 1 ] ) ) { @@ -125,8 +128,6 @@ ldap_back_db_config( li->url = ch_strdup( argv[ 1 ] ); #endif - ldap_free_urldesc( lud ); - /* name to use for ldap_back_group */ } else if ( strcasecmp( argv[0], "binddn" ) == 0 ) { if (argc != 2) { @@ -396,6 +397,7 @@ ldap_back_map_config( /* * FIXME: this should become an err */ + goto error_return; } } @@ -421,6 +423,7 @@ ldap_back_map_config( /* * FIXME: this should become an err */ + goto error_return; } ad = NULL; @@ -441,7 +444,6 @@ ldap_back_map_config( fprintf( stderr, "%s: line %d: duplicate mapping found (ignored)\n", fname, lineno ); - /* FIXME: free stuff */ goto error_return; } @@ -515,16 +517,16 @@ ldap_back_exop_whoami( } ch_free(c.ldctl_value.bv_val); if (rs->sr_err != LDAP_SUCCESS) { - rs->sr_err = ldap_back_map_result(rs); + rs->sr_err = slap_map_api2result( rs ); } } else { /* else just do the same as before */ bv = (struct berval *) ch_malloc( sizeof(struct berval) ); if( op->o_dn.bv_len ) { - bv->bv_len = op->o_dn.bv_len + sizeof("dn:")-1; + bv->bv_len = op->o_dn.bv_len + sizeof("dn:") - 1; bv->bv_val = ch_malloc( bv->bv_len + 1 ); - AC_MEMCPY( bv->bv_val, "dn:", sizeof("dn:")-1 ); - AC_MEMCPY( &bv->bv_val[sizeof("dn:")-1], op->o_dn.bv_val, + AC_MEMCPY( bv->bv_val, "dn:", sizeof("dn:") - 1 ); + AC_MEMCPY( &bv->bv_val[sizeof("dn:") - 1], op->o_dn.bv_val, op->o_dn.bv_len ); bv->bv_val[bv->bv_len] = '\0'; } else { 
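Review bot: The disabled block still reads `tmplud = *lud;`, but the `lud` local was removed earlier in this commit, so the `#if 0` branch no longer compiles if re-enabled and `tmplud` is now declared only for dead code. Either update the line to `tmplud = *li->lud;` or delete the block together with the `tmplud` declaration. The changed line `tmplud.lud_dn = "";` stores a string literal in a `char *` member, so if the block is kept it needs a comment that this shallow copy must never be passed to `ldap_free_urldesc()`.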
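Review bot: Both new `goto error_return;` statements in `ldap_back_map_config()` sit directly under a comment that still reads `FIXME: this should become an err`, which is stale now that the condition is an error (the same applies to the hunk at -421). Replace it with a comment stating the new behaviour, e.g. `/* treated as a configuration error */`. Also check that the diagnostic printed just above, outside these hunks, no longer describes the condition as a warning. Configurations that presumably loaded with only a message before will now fail to load, which deserves a line in the commit description.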
@@ -633,15 +635,6 @@ suffix_massage_config( ch_free( rargv[ 1 ] ); ch_free( rargv[ 2 ] ); -#if 0 /* "matched" is not normalized */ - rargv[ 0 ] = "rewriteContext"; - rargv[ 1 ] = "matchedDN"; - rargv[ 2 ] = "alias"; - rargv[ 3 ] = "searchResult"; - rargv[ 4 ] = NULL; - rewrite_parse( info, "", ++line, 4, rargv ); -#else /* normalize "matched" */ - rargv[ 0 ] = "rewriteContext"; rargv[ 1 ] = "matchedDN"; rargv[ 2 ] = "alias"; @@ -656,18 +649,6 @@ suffix_massage_config( rargv[ 4 ] = NULL; rewrite_parse( info, "", ++line, 4, rargv ); -#if 0 - rargv[ 0 ] = "rewriteRule"; - rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val ); - rargv[ 2 ] = suffix_massage_patternize( nvnc->bv_val ); - rargv[ 3 ] = ":"; - rargv[ 4 ] = NULL; - rewrite_parse( info, "", ++line, 4, rargv ); - ch_free( rargv[ 1 ] ); - ch_free( rargv[ 2 ] ); -#endif /* 0 */ -#endif /* normalize "matched" */ - return 0; } #endif /* ENABLE_REWRITE */ diff --git a/servers/slapd/back-ldap/extended.c b/servers/slapd/back-ldap/extended.c index 4403fbaaf5..1cf5a0444f 100644 --- a/servers/slapd/back-ldap/extended.c +++ b/servers/slapd/back-ldap/extended.c @@ -166,7 +166,7 @@ ldap_back_exop_passwd( } } if (rc != LDAP_SUCCESS) { - rs->sr_err = ldap_back_map_result(rs); + rs->sr_err = slap_map_api2result( rs ); send_ldap_result(op, rs); if (rs->sr_matched) free((char *)rs->sr_matched); if (rs->sr_text) free((char *)rs->sr_text); diff --git a/servers/slapd/back-ldap/init.c b/servers/slapd/back-ldap/init.c index ed0f9019fd..cd5466122a 100644 --- a/servers/slapd/back-ldap/init.c +++ b/servers/slapd/back-ldap/init.c @@ -197,6 +197,10 @@ ldap_back_db_destroy( ch_free(li->url); li->url = NULL; } + if ( li->lud ) { + ldap_free_urldesc( li->lud ); + li->lud = NULL; + } if (li->binddn.bv_val) { ch_free(li->binddn.bv_val); li->binddn.bv_val = NULL; diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c index 6cf7697fda..b0d137cb0e 100644 --- a/servers/slapd/back-ldap/search.c 
+++ b/servers/slapd/back-ldap/search.c @@ -260,7 +260,7 @@ fail:; &match.bv_val, (char **)&rs->sr_text, NULL, NULL, 1); if (rc != LDAP_SUCCESS ) rs->sr_err = rc; - rs->sr_err = ldap_back_map_result(rs); + rs->sr_err = slap_map_api2result( rs ); rc = 0; break; }