From cc84163f302d3642550099c9c884cb2a45dc0d07 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Fri, 4 Aug 2006 19:20:59 +0000
Subject: [PATCH] factor connection code out of syncrepl

---
 servers/slapd/config.c | 149 +++++++++++++++++++++++++++++++++++++
 servers/slapd/proto-slap.h | 1 +
 servers/slapd/syncrepl.c | 111 +-------------------------
 3 files changed, 152 insertions(+), 109 deletions(-)

diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index ae8c5feb65..ce9b2db975 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -43,6 +43,7 @@
 #include "slapi/slapi.h"
 #endif
 #include "lutil.h"
+#include "lutil_ldap.h"
 #include "config.h"
 #ifdef HAVE_TLS
@@ -1397,6 +1398,154 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 }
 #endif
+/*
+ * connect to a client using the bindconf data
+ * note: should move "version" into bindconf...
+ */
+int
+slap_client_connect( LDAP **ldp, slap_bindconf *sb, int version )
+{
+ LDAP *ld = NULL;
+ int rc;
+
+ /* Init connection to master */
+ rc = ldap_initialize( &ld, sb->sb_uri.bv_val );
+ if ( rc != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY,
+ "slap_client_connect: "
+ "ldap_initialize(%s) failed (%d)\n",
+ sb->sb_uri.bv_val, rc, 0 );
+ return rc;
+ }
+
+ if ( version != 0 ) {
+ ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION,
+ (const void *)&version );
+ }
+
+#ifdef HAVE_TLS
+ if ( sb->sb_tls_do_init ) {
+ rc = bindconf_tls_set( sb, ld );
+
+ } else if ( sb->sb_tls_ctx ) {
+ rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX,
+ sb->sb_tls_ctx );
+ }
+
+ if ( rc ) {
+ Debug( LDAP_DEBUG_ANY,
+ "slap_client_connect: "
+ "TLS context initialization failed\n",
+ 0, 0, 0 );
+ return rc;
+ }
+#endif
+
+ /* Bind */
+ if ( sb->sb_tls ) {
+ rc = ldap_start_tls_s( ld, NULL, NULL );
+ if ( rc != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY,
+ "slap_client_connect: "
+ "%s, ldap_start_tls failed (%d)\n",
+ sb->sb_tls == SB_TLS_CRITICAL ?
+ "Error" : "Warning",
+ rc, 0 );
+ if ( sb->sb_tls == SB_TLS_CRITICAL ) {
+ goto done;
+ }
+ }
+ }
+
+ if ( sb->sb_method == LDAP_AUTH_SASL ) {
+#ifdef HAVE_CYRUS_SASL
+ void *defaults;
+
+ if ( sb->sb_secprops != NULL ) {
+ rc = ldap_set_option( ld,
+ LDAP_OPT_X_SASL_SECPROPS, sb->sb_secprops);
+
+ if( rc != LDAP_OPT_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY,
+ "slap_client_connect: "
+ "error, ldap_set_option "
+ "(%s,SECPROPS,\"%s\") failed!\n",
+ sb->sb_uri.bv_val, sb->sb_secprops, 0 );
+ goto done;
+ }
+ }
+
+ defaults = lutil_sasl_defaults( ld,
+ sb->sb_saslmech.bv_val,
+ sb->sb_realm.bv_val,
+ sb->sb_authcId.bv_val,
+ sb->sb_cred.bv_val,
+ sb->sb_authzId.bv_val );
+
+ rc = ldap_sasl_interactive_bind_s( ld,
+ sb->sb_binddn.bv_val,
+ sb->sb_saslmech.bv_val,
+ NULL, NULL,
+ LDAP_SASL_QUIET,
+ lutil_sasl_interact,
+ defaults );
+
+ lutil_sasl_freedefs( defaults );
+
+ /* FIXME: different error behaviors according to
+ * 1) return code
+ * 2) on err policy : exit, retry, backoff ...
+ */
+ if ( rc != LDAP_SUCCESS ) {
+ static struct berval bv_GSSAPI = BER_BVC( "GSSAPI" );
+
+ Debug( LDAP_DEBUG_ANY, "do_syncrep1: "
+ "ldap_sasl_interactive_bind_s failed (%d)\n",
+ rc, 0, 0 );
+
+ /* FIXME (see above comment) */
+ /* if Kerberos credentials cache is not active, retry */
+ if ( ber_bvcmp( &sb->sb_saslmech, &bv_GSSAPI ) == 0 &&
+ rc == LDAP_LOCAL_ERROR )
+ {
+ rc = LDAP_SERVER_DOWN;
+ }
+
+ goto done;
+ }
+#else /* HAVE_CYRUS_SASL */
+ /* Should never get here, we trapped this at config time */
+ assert(0);
+ Debug( LDAP_DEBUG_SYNC, "not compiled with SASL support\n", 0, 0, 0 );
+ rc = LDAP_OTHER;
+ goto done;
+#endif
+
+ } else if ( sb->sb_method == LDAP_AUTH_SIMPLE ) {
+ rc = ldap_sasl_bind_s( ld,
+ sb->sb_binddn.bv_val, LDAP_SASL_SIMPLE,
+ &sb->sb_cred, NULL, NULL, NULL );
+ if ( rc != LDAP_SUCCESS ) {
+ Debug( LDAP_DEBUG_ANY, "do_syncrep1: "
+ "ldap_sasl_bind_s failed (%d)\n", rc, 0, 0 );
+ goto done;
+ }
+ }
+
+done:;
+ if ( rc ) {
+ if ( ld ) {
+ ldap_unbind_ext( ld, NULL, NULL );
+ *ldp = NULL;
+ }
+
+ } else {
+ *ldp = ld;
+ }
+
+ return rc;
+}
+
 /* -------------------------------------- */
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 17c299d37b..7ce5595f48 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -608,6 +608,7 @@ LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
 LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P(( slap_bindconf *bc, LDAP *ld ));
 LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc ));
+LDAP_SLAPD_F (int) slap_client_connect LDAP_P(( LDAP **ldp, slap_bindconf *sb, int version ));
 LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be, const char *fname, int lineno, int argc, char **argv ));
 LDAP_SLAPD_F (char *) anlist_unparse LDAP_P(( AttributeName *, char *, ber_len_t buflen ));
diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c
index 311acd85d0..1d72a08934 100644
--- a/servers/slapd/syncrepl.c
+++ b/servers/slapd/syncrepl.c
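Review bot: The `return rc;` under the `TLS context initialization failed` message in slap_client_connect leaks the handle that `ldap_initialize` has already placed in `ld` and leaves `*ldp` unset; since `done:` already unbinds and NULLs the handle on error, that line should be `goto done;`. The two bind-failure Debug calls still carry the `"do_syncrep1: "` prefix copied from syncrepl.c and should read `"slap_client_connect: "` like the other messages in the new function. When `sb_tls` is set but not `SB_TLS_CRITICAL`, a failed StartTLS only logs a warning and the code falls through to `ldap_sasl_bind_s`, sending `sb_cred` over the cleartext connection; that matches the removed syncrepl code, but now that the helper is shared the branch deserves a comment such as `/* non-critical TLS: fall through and bind on the cleartext connection */`. In that same warning case `rc` is never reset, so if `sb_method` is neither SASL nor SIMPLE the function reaches `done:` still holding the StartTLS error and tears the connection down despite TLS being non-critical — whether bindconf can produce such a method value is not visible in this hunk.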
@@ -423,118 +423,11 @@ do_syncrep1(
 psub = &si->si_be->be_nsuffix[0];
- /* Init connection to master */
- rc = ldap_initialize( &si->si_ld, si->si_bindconf.sb_uri.bv_val );
+ rc = slap_client_connect( &si->si_ld, &si->si_bindconf, LDAP_VERSION3 );
 if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "do_syncrep1: ldap_initialize failed (%s)\n",
- si->si_bindconf.sb_uri.bv_val, 0, 0 );
- return rc;
- }
-
- op->o_protocol = LDAP_VERSION3;
- ldap_set_option( si->si_ld, LDAP_OPT_PROTOCOL_VERSION,
- (const void *)&op->o_protocol );
-
-#ifdef HAVE_TLS
- if ( si->si_bindconf.sb_tls_do_init ) {
- rc = bindconf_tls_set( &si->si_bindconf, si->si_ld );
- } else if ( si->si_bindconf.sb_tls_ctx ) {
- rc = ldap_set_option( si->si_ld, LDAP_OPT_X_TLS_CTX,
- si->si_bindconf.sb_tls_ctx );
- }
- if ( rc ) {
- Debug( LDAP_DEBUG_ANY,
- "do_syncrep1: TLS context initialization failed\n", 0, 0, 0 );
- return rc;
- }
-#endif
-
- /* Bind to master */
-
- if ( si->si_bindconf.sb_tls ) {
- rc = ldap_start_tls_s( si->si_ld, NULL, NULL );
- if( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: ldap_start_tls failed (%d)\n",
- si->si_bindconf.sb_tls == SB_TLS_CRITICAL ? "Error" : "Warning",
- rc, 0 );
- if( si->si_bindconf.sb_tls == SB_TLS_CRITICAL ) goto done;
- }
- }
-
- if ( si->si_bindconf.sb_method == LDAP_AUTH_SASL ) {
-#ifdef HAVE_CYRUS_SASL
- void *defaults;
-
- if ( si->si_bindconf.sb_secprops != NULL ) {
- rc = ldap_set_option( si->si_ld,
- LDAP_OPT_X_SASL_SECPROPS, si->si_bindconf.sb_secprops);
-
- if( rc != LDAP_OPT_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY, "Error: ldap_set_option "
- "(%s,SECPROPS,\"%s\") failed!\n",
- si->si_bindconf.sb_uri.bv_val, si->si_bindconf.sb_secprops, 0 );
- goto done;
- }
- }
-
- defaults = lutil_sasl_defaults( si->si_ld,
- si->si_bindconf.sb_saslmech.bv_val,
- si->si_bindconf.sb_realm.bv_val,
- si->si_bindconf.sb_authcId.bv_val,
- si->si_bindconf.sb_cred.bv_val,
- si->si_bindconf.sb_authzId.bv_val );
-
- rc = ldap_sasl_interactive_bind_s( si->si_ld,
- si->si_bindconf.sb_binddn.bv_val,
- si->si_bindconf.sb_saslmech.bv_val,
- NULL, NULL,
- LDAP_SASL_QUIET,
- lutil_sasl_interact,
- defaults );
-
- lutil_sasl_freedefs( defaults );
-
- /* FIXME: different error behaviors according to
- * 1) return code
- * 2) on err policy : exit, retry, backoff ...
- */
- if ( rc != LDAP_SUCCESS ) {
- static struct berval bv_GSSAPI = BER_BVC( "GSSAPI" );
-
- Debug( LDAP_DEBUG_ANY, "do_syncrep1: "
- "ldap_sasl_interactive_bind_s failed (%d)\n",
- rc, 0, 0 );
-
- /* FIXME (see above comment) */
- /* if Kerberos credentials cache is not active, retry */
- if ( ber_bvcmp( &si->si_bindconf.sb_saslmech, &bv_GSSAPI ) == 0 &&
- rc == LDAP_LOCAL_ERROR )
- {
- rc = LDAP_SERVER_DOWN;
- }
-
- goto done;
- }
-#else /* HAVE_CYRUS_SASL */
- /* Should never get here, we trapped this at config time */
- assert(0);
- Debug( LDAP_DEBUG_SYNC, "not compiled with SASL support\n", 0, 0, 0 );
- rc = LDAP_OTHER;
 goto done;
-#endif
-
- } else if ( si->si_bindconf.sb_method == LDAP_AUTH_SIMPLE ) {
- rc = ldap_sasl_bind_s( si->si_ld,
- si->si_bindconf.sb_binddn.bv_val, LDAP_SASL_SIMPLE,
- &si->si_bindconf.sb_cred, NULL, NULL, NULL );
- if ( rc != LDAP_SUCCESS ) {
- Debug( LDAP_DEBUG_ANY, "do_syncrep1: "
- "ldap_sasl_bind_s failed (%d)\n", rc, 0, 0 );
- goto done;
- }
 }
+ op->o_protocol = LDAP_VERSION3;
 /* Set SSF to strongest of TLS, SASL SSFs */
 op->o_sasl_ssf = 0;
--
2.39.5
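Review bot: After a failed `slap_client_connect` the new code jumps to `done:` with `si->si_ld` already unbound and set to NULL by the helper, whereas the removed inline code reached `done:` with a live handle after a bind failure; the `done:` cleanup lies outside this hunk, so check that it tests `if ( si->si_ld )` before calling `ldap_unbind_ext`, which as far as I recall asserts on an invalid handle rather than failing gracefully. The `ldap_initialize` failure that previously did a bare `return rc;` now also goes through `done:`, which is the more consistent path but means whatever cleanup lives there now runs in a case it did not before. `op->o_protocol = LDAP_VERSION3;` is now assigned only after a successful connect, which is fine provided nothing on the error path between here and `done:` reads it. do_syncrep1 starts and ends outside this hunk.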