From: Kurt Zeilenga
Date: Sat, 13 May 2006 05:55:00 +0000 (+0000)
Subject: + Updated ldapdelete(1) to stdout bug (ITS#4453)
X-Git-Tag: OPENLDAP_REL_ENG_2_3_22~6
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=bc835b915cccaf12d5c2dfbcbbcf5bbd55d11dd0;p=openldap

+ Updated ldapdelete(1) to stdout bug (ITS#4453)
+ Fixed slapo-ppolicy rebind bug (ITS#4516)
+ Documentation
+ Fixed slapd(8) logging header reference (ITS#4509)
---

diff --git a/CHANGES b/CHANGES
index 80a0bdb220..50ed1cce09 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,7 @@ OpenLDAP 2.3.22 Engineering
 	Fixed libldap_r tpool cleanup
 	Fixed liblutil strtoul(3) usage (ITS#4503)
 	Fixed liblutil time resolution issue (ITS#4514)
+	Updated ldapdelete(1) to stdout bug (ITS#4453)
 	Updated ldapsearch(1) BASE output (ITS#4504)
 	Fixed slapd backglue issue (ITS#4529)
 	Fixed slapd cn=config (ITS#4512)
@@ -29,6 +30,7 @@ OpenLDAP 2.3.22 Engineering
 	Added slapo-accesslog reqOld feature
 	Fixed slapo-auditlog missing return codes
 	Fixed slapo-ppolicy BER tags issue (ITS#4528)
+	Fixed slapo-ppolicy rebind bug (ITS#4516)
 	Fixed slapo-refint delete prohibit issue (ITS#4442)
 	Fixed slapo-syncprov MODs cause DELs (ITS#4423)
 	Fixed slapo-syncprov/syncrepl sessionlog issue (ITS#4534)
@@ -37,6 +39,8 @@ OpenLDAP 2.3.22 Engineering
 Build Environment
 	Fixed test020-proxycache disabled debug issue (ITS#4491)
 	Fixed OSF1 compilation problem (ITS#4537)
+Documentation
+	Fixed slapd(8) logging header reference (ITS#4509)
 
 OpenLDAP 2.3.21 Release
 	Fixed libldap referral chasing issue (ITS#4448)
diff --git a/clients/tools/ldapdelete.c b/clients/tools/ldapdelete.c
index 27d199b13f..08f54f8848 100644
--- a/clients/tools/ldapdelete.c
+++ b/clients/tools/ldapdelete.c
@@ -263,8 +263,10 @@ static int dodelete(
 		return rc;
 	}
 
-	if( verbose || code != LDAP_SUCCESS ||
-		(matcheddn && *matcheddn) || (text && *text) || (refs && *refs) )
+	if( code != LDAP_SUCCESS ) {
+		tool_perror( "ldap_delete", code, NULL, matcheddn, text, refs );
+	} else if ( verbose &&
+		((matcheddn && *matcheddn) || (text && *text) || (refs && *refs) ))
 	{
 		printf( _("Delete Result: %s (%d)\n"),
 			ldap_err2string( code ), code );
diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
index 727530dc93..8fed87f59e 100644
--- a/doc/man/man8/slapd.8
+++ b/doc/man/man8/slapd.8
@@ -85,7 +85,7 @@ If this option is specified, even with a zero argument,
 will not fork or disassociate from the invoking terminal. Some general
 operation and status messages are printed for any value of \fIdebug\-level\fP.
 \fIdebug\-level\fP is taken as a bit string, with each bit corresponding to a
-different kind of debugging information. See for details.
+different kind of debugging information. See for details.
 Remember that if you turn on packet logging, packets containing bind passwords
 will be output, so if you redirect the log to a logfile, that file should
 be read-protected.
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index fb37f669ad..3d2e6227b6 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -55,7 +55,7 @@ typedef struct pp_info {
  * used by all instances */
 typedef struct pw_conn {
-	int restricted;	/* TRUE if connection is restricted */
+	struct berval dn;	/* DN of restricted user */
 } pw_conn;
 
 static pw_conn *pwcons;
@@ -814,7 +814,8 @@ ppolicy_bind_resp( Operation *op, SlapReply *rs )
 			 * that we are disallowed from doing anything
 			 * other than change password.
 			 */
-			pwcons[op->o_conn->c_conn_idx].restricted = 1;
+			ber_dupbv( &pwcons[op->o_conn->c_conn_idx].dn,
+				&op->o_conn->c_ndn );
 			ppb->pErr = PP_changeAfterReset;
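Review bot: Brace placement is inconsistent inside the new condition: `if( code != LDAP_SUCCESS ) {` opens its block on the same line, while the `else if ( verbose && ... )` branch still relies on the pre-existing `{` on the following line; either move that brace up onto the `else if` line or open both branches the same way so the reader does not have to check whether the dangling `{` starts a nested block. The success-with-diagnostics case (matcheddn/text/refs on a successful delete) is now only printed under -v, which follows from the ITS#4453 intent of keeping errors off stdout, so the behavior change itself is fine. dodelete's body continues outside the hunk.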
@@ -972,7 +973,10 @@ ppolicy_bind( Operation *op, SlapReply *rs )
 	slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
 
 	/* Reset lockout status on all Bind requests */
-	pwcons[op->o_conn->c_conn_idx].restricted = 0;
+	if ( !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) {
+		ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
+		BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
+	}
 
 	/* Root bypasses policy */
 	if ( !be_isroot_dn( op->o_bd, &op->o_req_ndn )) {
@@ -1026,11 +1030,14 @@ ppolicy_bind( Operation *op, SlapReply *rs )
 	return SLAP_CB_CONTINUE;
 }
 
-/* Reset the restricted flag for the next session on this connection */
+/* Reset the restricted info for the next session on this connection */
 static int
 ppolicy_connection_destroy( BackendDB *bd, Connection *conn )
 {
-	pwcons[conn->c_conn_idx].restricted = 0;
+	if ( !BER_BVISEMPTY( &pwcons[conn->c_conn_idx].dn )) {
+		ch_free( pwcons[conn->c_conn_idx].dn.bv_val );
+		BER_BVZERO( &pwcons[conn->c_conn_idx].dn );
+	}
 	return SLAP_CB_CONTINUE;
 }
 
@@ -1048,7 +1055,18 @@ ppolicy_restrict(
 		send_ctrl = 1;
 	}
 
-	if ( op->o_conn && pwcons[op->o_conn->c_conn_idx].restricted ) {
+	if ( op->o_conn && !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) {
+		/* if the current authcDN doesn't match the one we recorded,
+		 * then an intervening Bind has succeeded and the restriction
+		 * no longer applies. (ITS#4516)
+		 */
+		if ( !dn_match( &op->o_conn->c_ndn,
+			&pwcons[op->o_conn->c_conn_idx].dn )) {
+			ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
+			BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
+			return SLAP_CB_CONTINUE;
+		}
+
 		Debug( LDAP_DEBUG_TRACE,
 			"connection restricted to password changing only\n", 0, 0, 0);
 		if ( send_ctrl ) {
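Review bot: The `ch_free` + `BER_BVZERO` pair on the recorded DN is now written out four times in this commit — here in ppolicy_bind, in ppolicy_connection_destroy (next hunk), in ppolicy_restrict, and in ppolicy_modify — and every copy must stay in step with the single `ber_dupbv` in ppolicy_bind_resp that allocates it. A `static void pwcons_clear( int idx )` holding those three lines would put the ownership rule (one heap-owned DN per connection slot, released on any Bind, on connection teardown, or once the bound identity no longer matches) in one place, and the struct comment `/* DN of restricted user */` should state that the value is heap-owned and who frees it. The `BER_BVISEMPTY` tests also presume the pwcons array is zero-filled when allocated so untouched slots read as empty; the allocation site is outside this diff, so that is worth confirming.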
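Review bot: The new dn_match check treats a mismatch between `op->o_conn->c_ndn` and the recorded DN as proof that a later Bind succeeded, but it would read the same way if the DN captured in ppolicy_bind_resp (that hunk is cut off in this chunk) came from a `c_ndn` not yet updated to the identity that just bound; in that case the pwdReset restriction would be silently discarded on the first non-Bind operation instead of enforced, which is the opposite of what ITS#4516 aims for. Worth confirming which value c_ndn holds when the bind-response callback fires, and if it is the previous identity, recording the Bind's `op->o_req_ndn` instead. The clearing branch returns without any trace, so a line such as `Debug( LDAP_DEBUG_TRACE, "ppolicy_restrict: restriction cleared after rebind\n", 0, 0, 0 );` before the `return SLAP_CB_CONTINUE;` would make that transition visible in logs. ppolicy_restrict continues outside the hunk.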
@@ -1354,13 +1372,19 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 		}
 	}
 
-	if (pwcons[op->o_conn->c_conn_idx].restricted && !mod_pw_only) {
-		Debug( LDAP_DEBUG_TRACE,
-			"connection restricted to password changing only\n", 0, 0, 0 );
-		rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
-		rs->sr_text = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password";
-		pErr = PP_changeAfterReset;
-		goto return_results;
+	if (!BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn ) && !mod_pw_only ) {
+		if ( dn_match( &op->o_conn->c_ndn,
+			&pwcons[op->o_conn->c_conn_idx].dn )) {
+			Debug( LDAP_DEBUG_TRACE,
+				"connection restricted to password changing only\n", 0, 0, 0 );
+			rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+			rs->sr_text = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password";
+			pErr = PP_changeAfterReset;
+			goto return_results;
+		} else {
+			ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
+			BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
+		}
 	}
 
 	/*
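Review bot: The rewritten condition still indexes `pwcons[op->o_conn->c_conn_idx]` without the `op->o_conn &&` guard that the parallel check in ppolicy_restrict carries, so the two sites now disagree about whether an Operation without a connection can reach this code; either add the same guard, `if ( op->o_conn && !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn ) && !mod_pw_only ) {`, or note in a comment why ppolicy_modify is never reached without one. The `else` branch that discards the stale DN only runs when `!mod_pw_only`, so a password-only modify by a re-bound identity leaves the stale entry in place until a later operation or Bind clears it; that looks harmless, but a one-line comment saying so would save the next reader from tracing it. ppolicy_modify starts and ends outside the hunk.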