Kurt Zeilenga [Sun, 18 Jul 1999 00:33:30 +0000 (00:33 +0000)]
Import patches mistakenly applied to OPENLDAP_DEVEL_REFERRALS.
ldap_modify: delete of last attribute value should delete attribute (ITS#229)
thr_nt: use sleep to yield
Look on connection_read() if it returns positive so it has a chance
to exhaust all protocol units received from the transport layer.
I think this is the necessary fix for the TLS-data-ready/
socket-not-ready issue, but I have not experimented that problem
yet, so I am unsure about its effectiveness.
Now, do we need something like that for connection_write? How would
we go about implementing it?
Move calls to ldap_pvt_tls_accept to connection_read instead of
connection_init so that we get into the select() logic.
Make use of new flags in the connection.
BTW, and before I forget, it sort of works. I have connected with
a Netscape client using a secure connection and did a failed
search (my test database is empty), but the trace looked correct.
Make sure you have your CA certificate in your Netscape preinstalled.
Otherwise, the connection fails with error 0xFFFFFFFF that is rather
uninformative.
Two new flags in Connection. One to indicate that it is a raw TLS
section (that is, not SASL). The second to indicate that we need to
do SSL_accept on this connection.
Definitely, 'dn' and 'distinguishedName' are different things. The
former is a pseudo attribute type used internally by slapd to represent
the distinguished name of an entry and its existance should not be
visible. The latter is an "abstract" attribute type that is not meant
to exist in practice except as supertype of other dn-valued types.
So, the definition of attribute type 2.5.4.49 has been changed to be
just distinguishedName. Work on the OPENLDAP_DEVEL_SCHEMA branch will
treat pseudo attributes especially and will not be visible to the
clients.
Kurt Zeilenga [Fri, 16 Jul 1999 02:45:46 +0000 (02:45 +0000)]
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS.
Includes support for update referral for each replicated backend.
Reworked replication test to use update referral.
Includes major rewrite of response encoding codes (result.c).
Includes reworked alias support and eliminates old suffix alias codes
(can be emulated using named alias).
Includes (untested) support for the Manage DSA IT control.
Works in LDAPv2 world. Still testing in LDAPv3 world.
Added default referral (test009) test.
Set ciphers from slapd.conf.
More error checking and reporting.
Slowly getting there, SSL_accept succeeds now, but connection breaks
immediately after that (my glue logic with slapd is broken).
A couple of options for TLS configuration. Still a conflict here,
the default context is initialized before the config file is read,
so the locations are not know at context initialization.
New routine tls_report_error to analyze errors from OpenSSL
Change temporarily the default protocol from TLSv1 to SSLv3 with
fallback to SSLv2. This seems necessary for slapd to accept connections
from Netscape.
Try to set the cipher list in the default context. Does not semm to
work yet.
Parsing of flag -T was falling through to the default case.
Init the TLS environment if necessary. Lots of things needed here,
in particular, preparing properly the default context.
Our check for SSLeay_add_ssl_algorithms fails with modern versions of
OpenSSL since it has been made a preprocessor macro. Please review
this change to do the right thing w.r.t. rsaref.
Kurt Zeilenga [Sun, 4 Jul 1999 18:46:24 +0000 (18:46 +0000)]
HEADS UP: connections are forced to "anonymous" status upon receiving
of a bind request and, upon failure, are left "anonymous."
Rework ACL code to hide access testing within macros to facilate additions
and eventual redesign.
Addition of #ifdef SLAPD_ACLAUTH to conditional include EXPERIMENTAL
"auth" access controls. Adds ACL_AUTH "auth" access level (above none,
below "compare"). bind requires anonymous access at this level or above access
to "entry"/"userPassword"/"krbName". This allows administrators to restrict
which entries can be bound to. (This will likely become default behavior
after testing has completed).
Kurt Zeilenga [Fri, 2 Jul 1999 19:48:07 +0000 (19:48 +0000)]
More bind changes to support SASL/DIGEST.
Added configuration support for "digest-realm <realm>" configure directive.
Added connection state and bind_in_progress fields to cn=monitor connection
attribute.
Removed numerous memory leaks detected by Mark Meredith.
Make sure the token_val argument to get_token is always initialized
to something, either newly allocated memory or NULL.