From: Kurt Zeilenga Date: Fri, 21 May 2004 04:11:38 +0000 (+0000) Subject: Misc fixes including: X-Git-Tag: OPENLDAP_REL_ENG_2_2_12~5 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=7ff3ba0dcc39b1352fa698fe5d139fcef5b2556a;p=openldap Misc fixes including: + Fixed slapd set acl recursion (ITS#3140) + Fixed slapd entry2mods normalization bug (ITS#3144,3152) + Fixed back-ldap normalization bug + Fixed pcache cache_entries init bug (ITS#3150) + Fixed pcache consistency_check bug (ITS#3151) --- diff --git a/CHANGES b/CHANGES index a11e33621c..90c719f037 100644 --- a/CHANGES +++ b/CHANGES @@ -4,12 +4,16 @@ OpenLDAP 2.2.12 Engineering Fixed slapd empty DN uniqueMember normalization Fixed slapd empty DN in proxyAuthx control Fixed slapd parsing of auth{cz} "dn:" rules - Fixed slapd set acl recursion (ITS#3140) Fixed slapd first component bug (ITS#3118) Fixed slapd TOLOWER macro use bug (ITS#3115) Fixed slapd TLS context clash bug (ITS#3109) + Fixed slapd set acl recursion (ITS#3140) + Fixed slapd entry2mods normalization bug (ITS#3144,3152) Fixed slapd extended match memory leak (ITS#3146) - Fixed libldap SASL buffering bug (ITS#1181) + Fixed back-ldap normalization bug + Fixed pcache cache_entries init bug (ITS#3150) + Fixed pcache consistency_check bug (ITS#3151) + Fixed libldap SASL buffering bug (ITS#3139) Build Environment Fixed liblber memory debug portability bug (ITS#3116) Fixed back-perl perl portability bug (ITS#2554,2946) diff --git a/clients/tools/ldapsearch.c b/clients/tools/ldapsearch.c index cb2f1b8e33..6f5f5ec664 100644 --- a/clients/tools/ldapsearch.c +++ b/clients/tools/ldapsearch.c @@ -640,7 +640,7 @@ getNextPage: return EXIT_FAILURE; } - err = ber_printf( seber, "{b}", abs(subentries) == 1 ? 0 : 1 ); + err = ber_printf( seber, "b", abs(subentries) == 1 ? 0 : 1 ); if ( err == -1 ) { ber_free( seber, 1 ); fprintf( stderr, _("Subentries control encoding error!\n") ); diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1 index d687439979..fbdd2f53f5 100644 --- a/doc/man/man1/ldapsearch.1 +++ b/doc/man/man1/ldapsearch.1 @@ -227,6 +227,11 @@ timelimit of (zero) removes the .B ldap.conf limit. +A timelimit of +.I none +uses +.I maxInt +(2147483647, RFC 2251) as timelimit. A server may impose a maximal timelimit which only the root user may override. .TP @@ -237,6 +242,11 @@ of (zero) removes the .B ldap.conf limit. +A sizelimit of +.I none +uses +.I maxInt +(2147483647, RFC 2251) as sizelimit. A server may impose a maximal sizelimit which only the root user may override. .TP diff --git a/servers/slapd/add.c b/servers/slapd/add.c index 078bd73075..da0ae87789 100644 --- a/servers/slapd/add.c +++ b/servers/slapd/add.c @@ -625,7 +625,7 @@ slap_entry2mods( for ( i = 0; i < count; i++ ) { ber_dupbv(mod->sml_values+i, a_new->a_vals+i); if ( mod->sml_nvalues ) { - ber_dupbv( mod->sml_nvalues+i, a_new->a_vals+i ); + ber_dupbv( mod->sml_nvalues+i, a_new->a_nvals+i ); } } diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c index a652863997..0cabb65f62 100644 --- a/servers/slapd/back-ldap/search.c +++ b/servers/slapd/back-ldap/search.c @@ -40,7 +40,6 @@ static int ldap_build_entry( Operation *op, LDAPMessage *e, Entry *ent, struct berval *bdn, int flags ); #define LDAP_BUILD_ENTRY_PRIVATE 0x01 -#define LDAP_BUILD_ENTRY_NORMALIZE 0x02 static struct berval dummy = BER_BVNULL; @@ -342,7 +341,6 @@ ldap_build_entry( const char *text; int last; int private = flags & LDAP_BUILD_ENTRY_PRIVATE; - int normalize = flags & LDAP_BUILD_ENTRY_NORMALIZE; dncookie dc; /* safe assumptions ... */ @@ -489,7 +487,7 @@ ldap_build_entry( ldap_dnattr_result_rewrite( &dc, attr->a_vals ); } - if ( normalize && last && attr->a_desc->ad_type->sat_equality && + if ( last && attr->a_desc->ad_type->sat_equality && attr->a_desc->ad_type->sat_equality->smr_normalize ) { int i; @@ -611,7 +609,7 @@ ldap_back_entry_get( *ent = ch_calloc(1,sizeof(Entry)); - rc = ldap_build_entry(op, e, *ent, &bdn, LDAP_BUILD_ENTRY_NORMALIZE); + rc = ldap_build_entry(op, e, *ent, &bdn, 0); if (rc != LDAP_SUCCESS) { ch_free(*ent); diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c index 4a7be65abf..3d428b03f0 100644 --- a/servers/slapd/controls.c +++ b/servers/slapd/controls.c @@ -348,8 +348,7 @@ find_ctrl( const char *oid ) void slap_free_ctrls( Operation *op, - LDAPControl **ctrls -) + LDAPControl **ctrls ) { int i; @@ -582,8 +581,8 @@ int get_ctrls( if( sc->sc_extendedops != NULL ) { int i; for( i=0; sc->sc_extendedops[i] != NULL; i++ ) { - if( strcmp( op->ore_reqoid.bv_val, sc->sc_extendedops[i] ) - == 0 ) + if( strcmp( op->ore_reqoid.bv_val, + sc->sc_extendedops[i] ) == 0 ) { tagmask=0L; break; @@ -607,7 +606,7 @@ int get_ctrls( } rs->sr_err = sc->sc_parse( op, rs, c ); - + assert( rs->sr_err != LDAP_UNAVAILABLE_CRITICAL_EXTENSION ); if( rs->sr_err != LDAP_SUCCESS ) goto return_results; if ( sc->sc_mask & SLAP_CTRL_FRONTEND ) { @@ -666,7 +665,7 @@ static int parseModifyIncrement ( LDAPControl *ctrl ) { #if 0 - if ( op->o_parseModifyIncrement != SLAP_NO_CONTROL ) { + if ( op->o_modifyIncrement != SLAP_NO_CONTROL ) { rs->sr_text = "modifyIncrement control specified multiple times"; return LDAP_PROTOCOL_ERROR; } @@ -678,7 +677,7 @@ static int parseModifyIncrement ( } #if 0 - op->o_parseModifyIncrement = ctrl->ldctl_iscritical + op->o_modifyIncrement = ctrl->ldctl_iscritical ? SLAP_CRITICAL_CONTROL : SLAP_NONCRITICAL_CONTROL; #endif @@ -766,13 +765,13 @@ static int parseProxyAuthz ( ctrl->ldctl_value.bv_val, ctrl->ldctl_value.bv_len, NULL, &dn, SLAP_GETDN_AUTHZID ); - if( rc != LDAP_SUCCESS ) { + /* FIXME: empty DN in proxyAuthz control should be legal... */ + if( rc != LDAP_SUCCESS /* || !dn.bv_len */ ) { if ( dn.bv_val ) { ch_free( dn.bv_val ); } rs->sr_text = "authzId mapping failed"; return LDAP_PROXY_AUTHZ_FAILURE; - } #ifdef NEW_LOGGING @@ -801,6 +800,9 @@ static int parseProxyAuthz ( op->o_dn.bv_val = NULL; op->o_ndn = dn; + Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu PROXYAUTHZ dn=\"%s\"\n", + op->o_connid, op->o_opid, dn.bv_val, 0, 0 ); + /* * NOTE: since slap_sasl_getdn() returns a normalized dn, * from now on op->o_dn is normalized @@ -847,6 +849,11 @@ static int parsePagedResults ( return LDAP_PROTOCOL_ERROR; } + if ( op->o_sync != SLAP_NO_CONTROL ) { + rs->sr_text = "paged results control specified with sync control"; + return LDAP_PROTOCOL_ERROR; + } + if ( ctrl->ldctl_value.bv_len == 0 ) { rs->sr_text = "paged results control value is empty (or absent)"; return LDAP_PROTOCOL_ERROR; @@ -1282,7 +1289,8 @@ static int parseSearchOptions ( if ( search_flags & LDAP_SEARCH_FLAG_DOMAIN_SCOPE ) { if ( op->o_domain_scope != SLAP_NO_CONTROL ) { - rs->sr_text = "searchOptions control specified multiple times or with domainScope control"; + rs->sr_text = "searchOptions control specified multiple times " + "or with domainScope control"; return LDAP_PROTOCOL_ERROR; } @@ -1293,8 +1301,8 @@ static int parseSearchOptions ( if ( search_flags & ~(LDAP_SEARCH_FLAG_DOMAIN_SCOPE) ) { /* Other search flags not recognised so far */ - rs->sr_text = "searchOptions contained invalid flag"; - return LDAP_UNAVAILABLE_CRITICAL_EXTENSION; + rs->sr_text = "searchOptions contained unrecongized flag"; + return LDAP_UNWILLING_TO_PERFORM; } return LDAP_SUCCESS; @@ -1313,12 +1321,18 @@ static int parseLDAPsync ( struct slap_session_entry *se; if ( op->o_sync != SLAP_NO_CONTROL ) { - rs->sr_text = "LDAP Sync control specified multiple times"; + rs->sr_text = "Sync control specified multiple times"; + return LDAP_PROTOCOL_ERROR; + } + + if ( op->o_pagedresults != SLAP_NO_CONTROL ) { + rs->sr_text = "Sync control specified with pagedResults control"; return LDAP_PROTOCOL_ERROR; } + if ( ctrl->ldctl_value.bv_len == 0 ) { - rs->sr_text = "LDAP Sync control value is empty (or absent)"; + rs->sr_text = "Sync control value is empty (or absent)"; return LDAP_PROTOCOL_ERROR; } @@ -1341,7 +1355,7 @@ static int parseLDAPsync ( } if ( (tag = ber_scanf( ber, "{i" /*}*/, &mode )) == LBER_ERROR ) { - rs->sr_text = "LDAP Sync control : mode decoding error"; + rs->sr_text = "Sync control : mode decoding error"; return LDAP_PROTOCOL_ERROR; } @@ -1353,7 +1367,7 @@ static int parseLDAPsync ( mode = SLAP_SYNC_REFRESH_AND_PERSIST; break; default: - rs->sr_text = "LDAP Sync control : unknown update mode"; + rs->sr_text = "Sync control : unknown update mode"; return LDAP_PROTOCOL_ERROR; } @@ -1362,7 +1376,7 @@ static int parseLDAPsync ( if ( tag == LDAP_TAG_SYNC_COOKIE ) { struct berval tmp_bv; if (( ber_scanf( ber, /*{*/ "o", &tmp_bv )) == LBER_ERROR ) { - rs->sr_text = "LDAP Sync control : cookie decoding error"; + rs->sr_text = "Sync control : cookie decoding error"; return LDAP_PROTOCOL_ERROR; } ber_bvarray_add( &op->o_sync_state.octet_str, &tmp_bv ); @@ -1370,12 +1384,12 @@ static int parseLDAPsync ( } if ( tag == LDAP_TAG_RELOAD_HINT ) { if (( ber_scanf( ber, /*{*/ "b", &op->o_sync_rhint )) == LBER_ERROR ) { - rs->sr_text = "LDAP Sync control : rhint decoding error"; + rs->sr_text = "Sync control : rhint decoding error"; return LDAP_PROTOCOL_ERROR; } } if (( ber_scanf( ber, /*{*/ "}")) == LBER_ERROR ) { - rs->sr_text = "LDAP Sync control : decoding error"; + rs->sr_text = "Sync control : decoding error"; return LDAP_PROTOCOL_ERROR; } diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c index 5d671ab77c..fe1db8995c 100644 --- a/servers/slapd/filter.c +++ b/servers/slapd/filter.c @@ -776,7 +776,8 @@ filter2bv_x( Operation *op, Filter *f, struct berval *fstr ) filter_escape_value_x( &f->f_sub_initial, &tmp, op->o_tmpmemctx ); fstr->bv_len += tmp.bv_len; - fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, op->o_tmpmemctx ); + fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, + op->o_tmpmemctx ); snprintf( &fstr->bv_val[len-2], tmp.bv_len+3, /* "(attr=" */ "%s*)", @@ -788,10 +789,12 @@ filter2bv_x( Operation *op, Filter *f, struct berval *fstr ) if ( f->f_sub_any != NULL ) { for ( i = 0; f->f_sub_any[i].bv_val != NULL; i++ ) { len = fstr->bv_len; - filter_escape_value_x( &f->f_sub_any[i], &tmp, op->o_tmpmemctx ); + filter_escape_value_x( &f->f_sub_any[i], + &tmp, op->o_tmpmemctx ); fstr->bv_len += tmp.bv_len + 1; - fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, op->o_tmpmemctx ); + fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, + op->o_tmpmemctx ); snprintf( &fstr->bv_val[len-1], tmp.bv_len+3, /* "(attr=[init]*[any*]" */ "%s*)", @@ -806,7 +809,8 @@ filter2bv_x( Operation *op, Filter *f, struct berval *fstr ) filter_escape_value_x( &f->f_sub_final, &tmp, op->o_tmpmemctx ); fstr->bv_len += tmp.bv_len; - fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, op->o_tmpmemctx ); + fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, + op->o_tmpmemctx ); snprintf( &fstr->bv_val[len-1], tmp.bv_len+3, /* "(attr=[init*][any*]" */ "%s)", @@ -842,7 +846,8 @@ filter2bv_x( Operation *op, Filter *f, struct berval *fstr ) filter2bv_x( op, p, &tmp ); fstr->bv_len += tmp.bv_len; - fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, op->o_tmpmemctx ); + fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, + op->o_tmpmemctx ); snprintf( &fstr->bv_val[len-1], tmp.bv_len + 2, /*"("*/ "%s)", tmp.bv_val ); @@ -853,29 +858,29 @@ filter2bv_x( Operation *op, Filter *f, struct berval *fstr ) break; case LDAP_FILTER_EXT: { - struct berval ad; - filter_escape_value_x( &f->f_mr_value, &tmp, op->o_tmpmemctx ); - - if ( f->f_mr_desc ) { - ad = f->f_mr_desc->ad_cname; - } else { - ad.bv_len = 0; - ad.bv_val = ""; - } + struct berval ad; + filter_escape_value_x( &f->f_mr_value, &tmp, op->o_tmpmemctx ); + + if ( f->f_mr_desc ) { + ad = f->f_mr_desc->ad_cname; + } else { + ad.bv_len = 0; + ad.bv_val = ""; + } - fstr->bv_len = ad.bv_len + - ( f->f_mr_dnattrs ? sizeof(":dn")-1 : 0 ) + - ( f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_len+1 : 0 ) + - tmp.bv_len + ( sizeof("(:=)") - 1 ); - fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx ); - - snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)", - ad.bv_val, - f->f_mr_dnattrs ? ":dn" : "", - f->f_mr_rule_text.bv_len ? ":" : "", - f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_val : "", - tmp.bv_val ); - ber_memfree_x( tmp.bv_val, op->o_tmpmemctx ); + fstr->bv_len = ad.bv_len + + ( f->f_mr_dnattrs ? sizeof(":dn")-1 : 0 ) + + ( f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_len+1 : 0 ) + + tmp.bv_len + ( sizeof("(:=)") - 1 ); + fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx ); + + snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)", + ad.bv_val, + f->f_mr_dnattrs ? ":dn" : "", + f->f_mr_rule_text.bv_len ? ":" : "", + f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_val : "", + tmp.bv_val ); + ber_memfree_x( tmp.bv_val, op->o_tmpmemctx ); } break; case SLAPD_FILTER_COMPUTED: @@ -1263,8 +1268,8 @@ vrFilter_free( Operation *op, ValuesReturnFilter *vrf ) default: #ifdef NEW_LOGGING - LDAP_LOG( FILTER, ERR, - "filter_free: unknown filter type %lu\n", vrf->vrf_choice, 0, 0 ); + LDAP_LOG( FILTER, ERR, "filter_free: unknown filter type %lu\n", + vrf->vrf_choice, 0, 0 ); #else Debug( LDAP_DEBUG_ANY, "filter_free: unknown filter type=%lu\n", vrf->vrf_choice, 0, 0 ); @@ -1300,7 +1305,8 @@ vrFilter2bv( Operation *op, ValuesReturnFilter *vrf, struct berval *fstr ) simple_vrFilter2bv( op, p, &tmp ); fstr->bv_len += tmp.bv_len; - fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, op->o_tmpmemctx ); + fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, + op->o_tmpmemctx ); snprintf( &fstr->bv_val[len-1], tmp.bv_len + 2, /*"("*/ "%s)", tmp.bv_val ); @@ -1316,7 +1322,8 @@ simple_vrFilter2bv( Operation *op, ValuesReturnFilter *vrf, struct berval *fstr ber_len_t len; if ( vrf == NULL ) { - ber_str2bv_x( "No filter!", sizeof("No filter!")-1, 1, fstr, op->o_tmpmemctx ); + ber_str2bv_x( "No filter!", sizeof("No filter!")-1, 1, fstr, + op->o_tmpmemctx ); return; } @@ -1390,7 +1397,8 @@ simple_vrFilter2bv( Operation *op, ValuesReturnFilter *vrf, struct berval *fstr filter_escape_value_x( &vrf->vrf_sub_initial, &tmp, op->o_tmpmemctx ); fstr->bv_len += tmp.bv_len; - fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, op->o_tmpmemctx ); + fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, + op->o_tmpmemctx ); snprintf( &fstr->bv_val[len-2], tmp.bv_len+3, /* "(attr=" */ "%s*)", @@ -1403,10 +1411,12 @@ simple_vrFilter2bv( Operation *op, ValuesReturnFilter *vrf, struct berval *fstr int i; for ( i = 0; vrf->vrf_sub_any[i].bv_val != NULL; i++ ) { len = fstr->bv_len; - filter_escape_value_x( &vrf->vrf_sub_any[i], &tmp, op->o_tmpmemctx ); + filter_escape_value_x( &vrf->vrf_sub_any[i], &tmp, + op->o_tmpmemctx ); fstr->bv_len += tmp.bv_len + 1; - fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, op->o_tmpmemctx ); + fstr->bv_val = op->o_tmprealloc( fstr->bv_val, + fstr->bv_len + 1, op->o_tmpmemctx ); snprintf( &fstr->bv_val[len-1], tmp.bv_len+3, /* "(attr=[init]*[any*]" */ "%s*)", @@ -1421,7 +1431,8 @@ simple_vrFilter2bv( Operation *op, ValuesReturnFilter *vrf, struct berval *fstr filter_escape_value_x( &vrf->vrf_sub_final, &tmp, op->o_tmpmemctx ); fstr->bv_len += tmp.bv_len; - fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, op->o_tmpmemctx ); + fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1, + op->o_tmpmemctx ); snprintf( &fstr->bv_val[len-1], tmp.bv_len+3, /* "(attr=[init*][any*]" */ "%s)", @@ -1454,7 +1465,8 @@ simple_vrFilter2bv( Operation *op, ValuesReturnFilter *vrf, struct berval *fstr fstr->bv_len = ad.bv_len + ( vrf->vrf_mr_dnattrs ? sizeof(":dn")-1 : 0 ) + - ( vrf->vrf_mr_rule_text.bv_len ? vrf->vrf_mr_rule_text.bv_len+1 : 0 ) + + ( vrf->vrf_mr_rule_text.bv_len + ? vrf->vrf_mr_rule_text.bv_len+1 : 0 ) + tmp.bv_len + ( sizeof("(:=)") - 1 ); fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx ); @@ -1472,12 +1484,12 @@ simple_vrFilter2bv( Operation *op, ValuesReturnFilter *vrf, struct berval *fstr ber_str2bv_x( vrf->vrf_result == LDAP_COMPARE_FALSE ? "(?=false)" : vrf->vrf_result == LDAP_COMPARE_TRUE ? "(?=true)" : - vrf->vrf_result == SLAPD_COMPARE_UNDEFINED ? "(?=undefined)" : - "(?=error)", + vrf->vrf_result == SLAPD_COMPARE_UNDEFINED + ? "(?=undefined)" : "(?=error)", vrf->vrf_result == LDAP_COMPARE_FALSE ? sizeof("(?=false)")-1 : vrf->vrf_result == LDAP_COMPARE_TRUE ? sizeof("(?=true)")-1 : - vrf->vrf_result == SLAPD_COMPARE_UNDEFINED ? sizeof("(?=undefined)")-1 : - sizeof("(?=error)")-1, + vrf->vrf_result == SLAPD_COMPARE_UNDEFINED + ? sizeof("(?=undefined)")-1 : sizeof("(?=error)")-1, 1, fstr, op->o_tmpmemctx ); break; diff --git a/servers/slapd/filterentry.c b/servers/slapd/filterentry.c index 8527c038d9..01455e8ba5 100644 --- a/servers/slapd/filterentry.c +++ b/servers/slapd/filterentry.c @@ -55,8 +55,7 @@ int test_filter( Operation *op, Entry *e, - Filter *f -) + Filter *f ) { int rc; #ifdef NEW_LOGGING @@ -92,8 +91,7 @@ test_filter( Debug( LDAP_DEBUG_FILTER, " EQUALITY\n", 0, 0, 0 ); #endif - rc = test_ava_filter( op, e, f->f_ava, - LDAP_FILTER_EQUALITY ); + rc = test_ava_filter( op, e, f->f_ava, LDAP_FILTER_EQUALITY ); break; case LDAP_FILTER_SUBSTRINGS: @@ -107,13 +105,11 @@ test_filter( break; case LDAP_FILTER_GE: - rc = test_ava_filter( op, e, f->f_ava, - LDAP_FILTER_GE ); + rc = test_ava_filter( op, e, f->f_ava, LDAP_FILTER_GE ); break; case LDAP_FILTER_LE: - rc = test_ava_filter( op, e, f->f_ava, - LDAP_FILTER_LE ); + rc = test_ava_filter( op, e, f->f_ava, LDAP_FILTER_LE ); break; case LDAP_FILTER_PRESENT: @@ -122,7 +118,6 @@ test_filter( #else Debug( LDAP_DEBUG_FILTER, " PRESENT\n", 0, 0, 0 ); #endif - rc = test_presence_filter( op, e, f->f_desc ); break; @@ -132,8 +127,7 @@ test_filter( #else Debug( LDAP_DEBUG_FILTER, " APPROX\n", 0, 0, 0 ); #endif - rc = test_ava_filter( op, e, f->f_ava, - LDAP_FILTER_APPROX ); + rc = test_ava_filter( op, e, f->f_ava, LDAP_FILTER_APPROX ); break; case LDAP_FILTER_AND: @@ -142,7 +136,6 @@ test_filter( #else Debug( LDAP_DEBUG_FILTER, " AND\n", 0, 0, 0 ); #endif - rc = test_filter_and( op, e, f->f_and ); break; @@ -152,7 +145,6 @@ test_filter( #else Debug( LDAP_DEBUG_FILTER, " OR\n", 0, 0, 0 ); #endif - rc = test_filter_or( op, e, f->f_or ); break; @@ -162,7 +154,6 @@ test_filter( #else Debug( LDAP_DEBUG_FILTER, " NOT\n", 0, 0, 0 ); #endif - rc = test_filter( op, e, f->f_not ); /* Flip true to false and false to true @@ -184,7 +175,6 @@ test_filter( #else Debug( LDAP_DEBUG_FILTER, " EXT\n", 0, 0, 0 ); #endif - rc = test_mra_filter( op, e, f->f_mra ); break; @@ -196,7 +186,6 @@ test_filter( Debug( LDAP_DEBUG_ANY, " unknown filter type %lu\n", f->f_choice, 0, 0 ); #endif - rc = LDAP_PROTOCOL_ERROR; } @@ -205,7 +194,6 @@ test_filter( #else Debug( LDAP_DEBUG_FILTER, "<= test_filter %d\n", rc, 0, 0 ); #endif - return( rc ); } @@ -251,17 +239,12 @@ static int test_mra_filter( rc = value_match( &ret, a->a_desc, mra->ma_rule, 0, bv, &mra->ma_value, &text ); - if( rc != LDAP_SUCCESS ) { - return rc; - } - - if ( ret == 0 ) { - return LDAP_COMPARE_TRUE; - } + if( rc != LDAP_SUCCESS ) return rc; + if ( ret == 0 ) return LDAP_COMPARE_TRUE; } } - } else { + } else { /* * No attribute description: test all */ @@ -279,9 +262,7 @@ static int test_mra_filter( rc = asserted_value_validate_normalize( a->a_desc, mra->ma_rule, SLAP_MR_EXT|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, &mra->ma_value, &value, &text, memctx ); - if ( rc != LDAP_SUCCESS ) { - continue; - } + if ( rc != LDAP_SUCCESS ) continue; /* check search access */ if ( !access_allowed( op, e, @@ -291,20 +272,19 @@ static int test_mra_filter( } /* check match */ - if (mra->ma_rule == a->a_desc->ad_type->sat_equality) + if (mra->ma_rule == a->a_desc->ad_type->sat_equality) { bv = a->a_nvals; - else + } else { bv = a->a_vals; - for ( ; bv->bv_val != NULL; bv++ ) - { + } + + for ( ; bv->bv_val != NULL; bv++ ) { int ret; rc = value_match( &ret, a->a_desc, mra->ma_rule, 0, bv, &value, &text ); - if( rc != LDAP_SUCCESS ) { - break; - } + if( rc != LDAP_SUCCESS ) break; if ( ret == 0 ) { rc = LDAP_COMPARE_TRUE; @@ -312,9 +292,7 @@ static int test_mra_filter( } } op->o_tmpfree( value.bv_val, memctx ); - if ( rc != LDAP_SUCCESS ) { - return rc ; - } + if ( rc != LDAP_SUCCESS ) return rc; } } @@ -337,7 +315,8 @@ static int test_mra_filter( for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) { LDAPAVA *ava = rdn[ iAVA ]; struct berval *bv = &ava->la_value, value; - AttributeDescription *ad = (AttributeDescription *)ava->la_private; + AttributeDescription *ad = + (AttributeDescription *)ava->la_private; int ret; const char *text; @@ -363,13 +342,12 @@ static int test_mra_filter( mra->ma_rule, SLAP_MR_EXT|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, &mra->ma_value, &value, &text, memctx ); - if ( rc != LDAP_SUCCESS ) { - continue; - } + if ( rc != LDAP_SUCCESS ) continue; /* check search access */ if ( !access_allowed( op, e, - ad, &value, ACL_SEARCH, NULL ) ) { + ad, &value, ACL_SEARCH, NULL ) ) + { op->o_tmpfree( value.bv_val, memctx ); continue; } @@ -383,9 +361,7 @@ static int test_mra_filter( op->o_tmpfree( value.bv_val, memctx ); } - if ( rc == LDAP_SUCCESS && ret == 0 ) { - rc = LDAP_COMPARE_TRUE; - } + if ( rc == LDAP_SUCCESS && ret == 0 ) rc = LDAP_COMPARE_TRUE; if( rc != LDAP_SUCCESS ) { ldap_dnfree_x( dn, memctx ); @@ -404,8 +380,7 @@ test_ava_filter( Operation *op, Entry *e, AttributeAssertion *ava, - int type -) + int type ) { Attribute *a; @@ -454,35 +429,28 @@ test_ava_filter( rc = value_match( &ret, a->a_desc, mr, 0, bv, &ava->aa_value, &text ); - if( rc != LDAP_SUCCESS ) { - return rc; - } + if( rc != LDAP_SUCCESS ) return rc; switch ( type ) { case LDAP_FILTER_EQUALITY: case LDAP_FILTER_APPROX: - if ( ret == 0 ) { - return LDAP_COMPARE_TRUE; - } + if ( ret == 0 ) return LDAP_COMPARE_TRUE; break; case LDAP_FILTER_GE: - if ( ret >= 0 ) { - return LDAP_COMPARE_TRUE; - } + if ( ret >= 0 ) return LDAP_COMPARE_TRUE; break; case LDAP_FILTER_LE: - if ( ret <= 0 ) { - return LDAP_COMPARE_TRUE; - } + if ( ret <= 0 ) return LDAP_COMPARE_TRUE; break; } } } if ( ava->aa_desc == slap_schema.si_ad_hasSubordinates - && op && op->o_bd && op->o_bd->be_has_subordinates ) { + && op && op->o_bd && op->o_bd->be_has_subordinates ) + { int hasSubordinates; struct berval hs; @@ -491,7 +459,9 @@ test_ava_filter( */ assert( type == LDAP_FILTER_EQUALITY ); - if (op->o_bd->be_has_subordinates( op, e, &hasSubordinates ) != LDAP_SUCCESS) { + if ( op->o_bd->be_has_subordinates( op, e, &hasSubordinates ) != + LDAP_SUCCESS ) + { return LDAP_OTHER; } @@ -505,10 +475,7 @@ test_ava_filter( return LDAP_OTHER; } - if ( bvmatch( &ava->aa_value, &hs ) ) { - return LDAP_COMPARE_TRUE; - } - + if ( bvmatch( &ava->aa_value, &hs ) ) return LDAP_COMPARE_TRUE; return LDAP_COMPARE_FALSE; } @@ -520,18 +487,15 @@ static int test_presence_filter( Operation *op, Entry *e, - AttributeDescription *desc -) + AttributeDescription *desc ) { Attribute *a; - if ( !access_allowed( op, e, desc, NULL, ACL_SEARCH, NULL ) ) - { + if ( !access_allowed( op, e, desc, NULL, ACL_SEARCH, NULL ) ) { return LDAP_INSUFFICIENT_ACCESS; } a = attrs_find( e->e_attrs, desc ); - if ( a == NULL && desc == slap_schema.si_ad_hasSubordinates ) { /* @@ -555,8 +519,7 @@ static int test_filter_and( Operation *op, Entry *e, - Filter *flist -) + Filter *flist ) { Filter *f; int rtn = LDAP_COMPARE_TRUE; /* True if empty */ @@ -608,7 +571,6 @@ test_filter_or( Debug( LDAP_DEBUG_FILTER, "=> test_filter_or\n", 0, 0, 0 ); #endif - for ( f = flist; f != NULL; f = f->f_next ) { int rc = test_filter( op, e, f ); @@ -629,7 +591,6 @@ test_filter_or( #else Debug( LDAP_DEBUG_FILTER, "<= test_filter_or %d\n", rtn, 0, 0 ); #endif - return rtn; } @@ -638,8 +599,7 @@ static int test_substrings_filter( Operation *op, Entry *e, - Filter *f -) + Filter *f ) { Attribute *a; @@ -649,7 +609,6 @@ test_substrings_filter( Debug( LDAP_DEBUG_FILTER, "begin test_substrings_filter\n", 0, 0, 0 ); #endif - if ( !access_allowed( op, e, f->f_sub_desc, NULL, ACL_SEARCH, NULL ) ) { @@ -663,12 +622,9 @@ test_substrings_filter( MatchingRule *mr = a->a_desc->ad_type->sat_substr; struct berval *bv; - if( mr == NULL ) { - continue; - } + if( mr == NULL ) continue; - for ( bv = a->a_nvals; bv->bv_val != NULL; bv++ ) - { + for ( bv = a->a_nvals; bv->bv_val != NULL; bv++ ) { int ret; int rc; const char *text; @@ -676,21 +632,17 @@ test_substrings_filter( rc = value_match( &ret, a->a_desc, mr, 0, bv, f->f_sub, &text ); - if( rc != LDAP_SUCCESS ) { - return rc; - } - - if ( ret == 0 ) { - return LDAP_COMPARE_TRUE; - } + if( rc != LDAP_SUCCESS ) return rc; + if ( ret == 0 ) return LDAP_COMPARE_TRUE; } } #ifdef NEW_LOGGING - LDAP_LOG( FILTER, ENTRY, "test_substrings_filter: return FALSE\n", 0, 0, 0 ); + LDAP_LOG( FILTER, ENTRY, "test_substrings_filter: return FALSE\n", + 0, 0, 0 ); #else - Debug( LDAP_DEBUG_FILTER, "end test_substrings_filter 1\n", 0, 0, 0 ); + Debug( LDAP_DEBUG_FILTER, "end test_substrings_filter 1\n", + 0, 0, 0 ); #endif - return LDAP_COMPARE_FALSE; } diff --git a/servers/slapd/init.c b/servers/slapd/init.c index 1c9e947b75..a8a8e812ea 100644 --- a/servers/slapd/init.c +++ b/servers/slapd/init.c @@ -232,9 +232,6 @@ int slap_shutdown( Backend *be ) slap_name, 0, 0 ); #endif - - slap_sasl_destroy(); - /* let backends do whatever cleanup they need to do */ rc = backend_shutdown( be ); @@ -263,6 +260,8 @@ int slap_destroy(void) rc = backend_destroy(); + slap_sasl_destroy(); + entry_destroy(); ldap_pvt_thread_destroy(); diff --git a/servers/slapd/overlays/pcache.c b/servers/slapd/overlays/pcache.c index 0a7bd86190..60395e62c6 100644 --- a/servers/slapd/overlays/pcache.c +++ b/servers/slapd/overlays/pcache.c @@ -1072,7 +1072,7 @@ cache_entries( cache_manager *cm = on->on_bi.bi_private; query_manager* qm = cm->qm; int i; - int return_val; + int return_val = 0; Entry *e; struct berval crp_uuid; char uuidbuf[ LDAP_LUTIL_UUIDSTR_BUFSIZE ]; @@ -1224,7 +1224,7 @@ proxy_cache_response( si->tail = NULL; } } - } else if ( rs->sr_type == REP_RESULT && !si->over ) { + } else if ( rs->sr_type == REP_RESULT && si->count ) { if ( cache_entries( op, rs, &uuid ) == 0) { qm->addfunc(qm, &si->query, si->template_id, &uuid); /* If the consistency checker suspended itself, @@ -1608,16 +1608,15 @@ consistency_check( } ldap_pvt_thread_mutex_unlock(&cm->remove_mutex); } - /* If there were no queries, defer processing for a while */ - if ( pause ) { - ldap_pvt_thread_mutex_lock( &syncrepl_rq.rq_mutex ); - cm->cc_paused = 1; - if ( ldap_pvt_runqueue_isrunning( &syncrepl_rq, rtask )) { - ldap_pvt_runqueue_stoptask( &syncrepl_rq, rtask ); - } - ldap_pvt_runqueue_resched( &syncrepl_rq, rtask, 1 ); - ldap_pvt_thread_mutex_unlock( &syncrepl_rq.rq_mutex ); + ldap_pvt_thread_mutex_lock( &syncrepl_rq.rq_mutex ); + if ( ldap_pvt_runqueue_isrunning( &syncrepl_rq, rtask )) { + ldap_pvt_runqueue_stoptask( &syncrepl_rq, rtask ); } + /* If there were no queries, defer processing for a while */ + cm->cc_paused = pause; + ldap_pvt_runqueue_resched( &syncrepl_rq, rtask, pause ); + + ldap_pvt_thread_mutex_unlock( &syncrepl_rq.rq_mutex ); return NULL; } diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 8900f31e6a..99e492c472 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -133,7 +133,10 @@ LDAP_BEGIN_DECL || (c) == '(' || (c) == ')' || !ASCII_PRINTABLE(c) ) #define DN_ESCAPE(c) ((c) == SLAP_ESCAPE_CHAR) -#define DN_SEPARATOR(c) ((c) == ',' || (c) == ';') +/* NOTE: for consistency, this macro must only operate + * on normalized/pretty DN, such that ';' is never used + * as RDN separator, and all occurrences of ';' must be escaped */ +#define DN_SEPARATOR(c) ((c) == ',') #define RDN_ATTRTYPEANDVALUE_SEPARATOR(c) ((c) == '+') /* RFC 2253 */ #define RDN_SEPARATOR(c) (DN_SEPARATOR(c) || RDN_ATTRTYPEANDVALUE_SEPARATOR(c)) #define RDN_NEEDSESCAPE(c) ((c) == '\\' || (c) == '"') diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c index b5c76c6de2..9ed5606acc 100644 --- a/servers/slapd/syncrepl.c +++ b/servers/slapd/syncrepl.c @@ -178,6 +178,9 @@ do_syncrep1( struct sync_cookie *sc = NULL; struct sync_cookie syncCookie = { NULL, -1, NULL }; struct berval *psub; +#ifdef HAVE_TLS + void *ssl; +#endif psub = &si->si_be->be_nsuffix[0]; @@ -302,6 +305,19 @@ do_syncrep1( } } + /* Set SSF to strongest of TLS, SASL SSFs */ + op->o_sasl_ssf = 0; + op->o_tls_ssf = 0; +#ifdef HAVE_TLS + if ( ldap_get_option( si->si_ld, LDAP_OPT_X_TLS_SSL_CTX, &ssl ) == LDAP_SUCCESS && + ssl != NULL ) { + op->o_tls_ssf = ldap_pvt_tls_get_strength( ssl ); + } +#endif /* HAVE_TLS */ + ldap_get_option( si->si_ld, LDAP_OPT_X_SASL_SSF, &op->o_sasl_ssf ); + op->o_transport_ssf = op->o_ssf = ( op->o_sasl_ssf > op->o_tls_ssf ) ? + op->o_sasl_ssf : op->o_tls_ssf; + /* get syncrepl cookie of shadow replica from subentry */ assert( si->si_rid < 1000 );