Fixed slapd thread pool init issue (ITS#4513)
Added slapd syncrepl mandatory searchbase check
Fixed slapadd cn=config issue (ITS#4194)
+ Fixed slapd-ldap proxyAuthz of bound identity/override (ITS#4497)
+ Fixed slapd-ldap/meta protocol version propagation (ITS#4488)
Fixed slapd-ldap fd cleanup (ITS#4474)
Fixed slapd-ldif deadlock (ITS#4500)
Fixed slapo-accesslog log purging issue (ITS#4505)
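Review bot: the ITS#4488 entry says only "protocol version propagation", but the rest of this patch also introduces a user-visible knob, the `protocol-version` directive in slapd-ldap and slapd-meta plus the `olcDbProtocolVersion` cn=config attribute; a reader of the release notes has no way to discover it from this line. Suggest naming the directive, e.g. `Added slapd-ldap/meta protocol-version directive (ITS#4488)`, next to or instead of the propagation wording.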
argument, resulting in the underlying library automatically
call the first server of the list that responds, e.g.
-\fBuri "ldap://host/ ldap://backup-host"\fP
+\fBuri "ldap://host/ ldap://backup-host/"\fP
The URI list is space- or comma-separated.
-This statement is mandatory.
+.\"This statement is mandatory.
.\".TP
.\".B server <hostport>
.\"Obsolete option; same as `uri ldap://<hostport>/'.
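Review bot: commenting out `This statement is mandatory.` with `.\"` hides the sentence without saying what replaces it; if `uri` is now optional, the page should state what back-ldap does when it is absent (and whether that is an error at startup), and if the sentence was simply wrong it should be deleted rather than kept as a roff comment that will confuse the next editor. The trailing `/` added to `ldap://backup-host/` is good, since it makes the example match the first URI and the form libldap expects. While here, the sentence above reads "the underlying library automatically call the first server"; it should be "calls".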
.BR acl-passwd .
.RE
+.TP
+.B chase-referrals {YES|no}
+enable/disable automatic referral chasing, which is delegated to the
+underlying libldap, with rebinding eventually performed if the
+\fBrebind-as-user\fP directive is used. The default is to chase referrals.
+
+.TP
+.B conn-ttl <time>
+This directive causes a cached connection to be dropped an recreated
+after a given ttl, regardless of being idle or not.
+
+.TP
+.B idassert-authzFrom <authz-regexp>
+if defined, selects what
+.I local
+identities are authorized to exploit the identity assertion feature.
+The string
+.B <authz-regexp>
+follows the rules defined for the
+.I authzFrom
+attribute.
+See
+.BR slapd.conf (5),
+section related to
+.BR authz-policy ,
+for details on the syntax of this field.
+
.HP
.hy 0
.B idassert-bind
.RE
.TP
-.B idassert-authzFrom <authz-regexp>
-if defined, selects what
-.I local
-identities are authorized to exploit the identity assertion feature.
-The string
-.B <authz-regexp>
-follows the rules defined for the
-.I authzFrom
-attribute.
-See
-.BR slapd.conf (5),
-section related to
-.BR authz-policy ,
-for details on the syntax of this field.
+.B idle-timeout <time>
+This directive causes a cached connection to be dropped an recreated
+after it has been idle for the specified time.
+
+.TP
+.B protocol\-version {0,2,3}
+This directive indicates what protocol version must be used to contact
+the remote server.
+If set to 0 (the default), the proxy uses the same protocol version
+used by the client, otherwise the requested protocol is used.
+The proxy returns \fIunwillingToPerform\fP if an operation that is
+incompatible with the requested protocol is attempted.
.TP
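Review bot: the `conn-ttl` and `idle-timeout` paragraphs are being moved verbatim and carry a pre-existing typo, "dropped an recreated"; since the text is touched anyway, fix it to "dropped and recreated" in both places. The new `protocol-version` paragraph promises `unwillingToPerform` for "an operation that is incompatible with the requested protocol" without naming one; the only case this patch actually enforces is modrdn with `newSuperior`, which needs LDAPv3, so cite it as the example so administrators setting `protocol-version 2` know what will break. It would also help to say that the value is applied when the cached connection to the remote server is created.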
-.B proxy-whoami {NO|yes}
+.B proxy\-whoami {NO|yes}
Turns on proxying of the WhoAmI extended operation. If this option is
given, back-ldap will replace slapd's original WhoAmI routine with its
own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
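Review bot: `proxy\-whoami` and `protocol\-version` now use the roff `\-` escape while every other directive name on this page (`chase-referrals`, `conn-ttl`, `idassert-authzFrom`, `idle-timeout`, `rebind-as-user`, `t-f-support`) keeps a bare `-`; the escape decides whether the rendered glyph is a plain ASCII hyphen that can be copied straight into slapd.conf, so pick one convention for the whole file rather than changing two names.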
for rebinds when chasing referrals. Useful when
\fBchase-referrals\fP is set to \fByes\fP, useless otherwise.
-.TP
-.B chase-referrals {YES|no}
-enable/disable automatic referral chasing, which is delegated to the
-underlying libldap, with rebinding eventually performed if the
-\fBrebind-as-user\fP directive is used. The default is to chase referrals.
-
-.TP
-.B tls {[try-]start|[try-]propagate}
-execute the StartTLS extended operation when the connection is initialized;
-only works if the URI directive protocol scheme is not \fBldaps://\fP.
-\fBpropagate\fP issues the StartTLS operation only if the original
-connection did.
-The \fBtry-\fP prefix instructs the proxy to continue operations
-if the StartTLS operation failed; its use is highly deprecated.
-
.TP
.B t-f-support {NO|yes|discover}
enable if the remote server supports absolute filters
so the client will not know if the operation eventually succeeded or not.
.TP
-.B idle-timeout <time>
-This directive causes a cached connection to be dropped an recreated
-after it has been idle for the specified time.
-
-.TP
-.B conn-ttl <time>
-This directive causes a cached connection to be dropped an recreated
-after a given ttl, regardless of being idle or not.
+.B tls {[try-]start|[try-]propagate}
+execute the StartTLS extended operation when the connection is initialized;
+only works if the URI directive protocol scheme is not \fBldaps://\fP.
+\fBpropagate\fP issues the StartTLS operation only if the original
+connection did.
+The \fBtry-\fP prefix instructs the proxy to continue operations
+if the StartTLS operation failed; its use is highly deprecated.
.SH BACKWARD COMPATIBILITY
The LDAP backend has been heavily reworked between releases 2.2 and 2.3;
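Review bot: the relocated `tls` paragraph still only says the `try-` prefix "is highly deprecated" without saying why. With `try-start` or `try-propagate`, a failed StartTLS lets the proxy continue on the cleartext connection, so the bind credentials it sends (the `acl-passwd`, the `idassert-bind` credentials, or the user's own password under `rebind-as-user`) and every proxied request and result cross the network unencrypted, with no indication to the client. State that consequence explicitly; "deprecated" reads as a style preference rather than a downgrade risk.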
as an error is returned by one target, and the error is immediately
propagated to the client.
+.TP
+.B protocol\-version {0,2,3}
+This directive indicates what protocol version must be used to contact
+the remote server.
+If set to 0 (the default), the proxy uses the same protocol version
+used by the client, otherwise the requested protocol is used.
+The proxy returns \fIunwillingToPerform\fP if an operation that is
+incompatible with the requested protocol is attempted.
+If set before any target specification, it affects all targets, unless
+overridden by any per-target directive.
+
.TP
.B pseudoroot-bind-defer {NO|yes}
This directive, when set to
does not respond.
.RE
-.TP
-.B subtree-exclude "<DN>"
-This directive instructs back-meta to ignore the current target
-for operations whose requestDN is subordinate to
-.BR DN .
-There may be multiple occurrences of the
-.B subtree-exclude
-directive for each of the targets.
-
.TP
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking,
.B rewrite* ...
The rewrite options are described in the "REWRITING" section.
+.TP
+.B subtree-exclude "<DN>"
+This directive instructs back-meta to ignore the current target
+for operations whose requestDN is subordinate to
+.BR DN .
+There may be multiple occurrences of the
+.B subtree-exclude
+directive for each of the targets.
+
.TP
.B suffixmassage "<virtual naming context>" "<real naming context>"
All the directives starting with "rewrite" refer to the rewrite engine
ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex );
}
- assert( lc->lc_refcnt >= 0 );
tmplc = avl_delete( &li->li_conninfo.lai_tree, (caddr_t)lc,
ldap_back_conndnlc_cmp );
assert( LDAP_BACK_CONN_TAINTED( lc ) || tmplc == lc );
}
+#ifdef HAVE_TLS
+done:;
+#endif /* HAVE_TLS */
if ( li->li_idle_timeout && lc ) {
lc->lc_time = op->o_time;
}
-done:;
return lc;
}
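Review bot: moving `done:` inside `#ifdef HAVE_TLS` means any remaining `goto done` in this function that is not itself under `HAVE_TLS` will fail to compile in a non-TLS build; please confirm every jump to the label is guarded the same way. Dropping `assert( lc->lc_refcnt >= 0 )` is right only if `lc_refcnt` is an unsigned type (the assertion is then vacuous); if it is signed, the check still catches a double release and should stay. Note also that the label now lands before the `li_idle_timeout` update, so a connection whose StartTLS failed still gets `lc_time` refreshed; that is harmless only if the caller discards `lc` on that path.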
goto done;
}
- if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+ if ( op->o_tag == LDAP_REQ_BIND ) {
+ ndn = op->o_req_ndn;
+
+ } else if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
ndn = op->o_conn->c_ndn;
} else {
assertedID = slap_empty_bv;
}
+ /* don't idassert the bound DN (ITS#4497) */
+ if ( dn_match( &assertedID, &lc->lc_bound_ndn ) ) {
+ goto done;
+ }
+
if ( op->o_ctrls ) {
for ( i = 0; op->o_ctrls[ i ]; i++ )
/* just count ctrls */ ;
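Review bot: the early `goto done` after the `dn_match` check leaves this function before the control array is built, so whatever output parameter the caller reads for the control list must already be initialized at that point (for instance pointing at `op->o_ctrls`); otherwise a bind whose DN equals `lc_bound_ndn` hands the caller an uninitialized pointer. The `LDAP_REQ_BIND` branch taking the identity from `op->o_req_ndn` is the correct source, since for a bind `o_conn->c_ndn` still holds the previous binding, and the `dn_match` guard then stops the proxy from sending a proxyAuthz control that asserts the very identity the connection is already bound as, which is what ITS#4497 describes. One edge to confirm: when `assertedID` is `slap_empty_bv` (anonymous client) and the cached connection has not been bound yet (`lc_bound_ndn` empty), the two match and identity assertion is skipped; say in the comment whether that is intended.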
LDAP_BACK_CFG_IDLE_TIMEOUT,
LDAP_BACK_CFG_CONN_TTL,
LDAP_BACK_CFG_NETWORK_TIMEOUT,
+ LDAP_BACK_CFG_VERSION,
LDAP_BACK_CFG_REWRITE,
LDAP_BACK_CFG_LAST
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
+ { "protocol-version", "version", 2, 0, 0,
+ ARG_MAGIC|ARG_INT|LDAP_BACK_CFG_VERSION,
+ ldap_back_cf_gen, "( OLcfgDbAt:3.18 "
+ "NAME 'olcDbProtocolVersion' "
+ "DESC 'protocol version' "
+ "SYNTAX OMsInteger "
+ "SINGLE-VALUE )",
+ NULL, NULL },
{ "suffixmassage", "[virtual]> <real", 2, 3, 0,
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
ldap_back_cf_gen, NULL, NULL, NULL },
value_add_one( &c->rvalue_vals, &bv );
} break;
+ case LDAP_BACK_CFG_VERSION:
+ if ( li->li_version == 0 ) {
+ return 1;
+ }
+
+ c->value_int = li->li_version;
+ break;
+
default:
/* FIXME: we need to handle all... */
assert( 0 );
li->li_network_timeout = 0;
break;
+ case LDAP_BACK_CFG_VERSION:
+ li->li_version = 0;
+ break;
+
default:
/* FIXME: we need to handle all... */
assert( 0 );
li->li_network_timeout = (time_t)t;
} break;
+ case LDAP_BACK_CFG_VERSION:
+ switch ( c->value_int ) {
+ case 0:
+ case LDAP_VERSION2:
+ case LDAP_VERSION3:
+ li->li_version = c->value_int;
+ break;
+
+ default:
+ return 1;
+ }
+ break;
+
case LDAP_BACK_CFG_REWRITE:
snprintf( c->msg, sizeof( c->msg ),
"rewrite/remap capabilities have been moved "
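Review bot: the `LDAP_BACK_CFG_VERSION` set case returns 1 for anything other than 0, `LDAP_VERSION2` or `LDAP_VERSION3` without filling `c->msg`, unlike the `LDAP_BACK_CFG_REWRITE` case right below it which uses `snprintf( c->msg, sizeof( c->msg ), ... )`; add a message such as `unsupported protocol version` so a rejected `protocol-version` line or `olcDbProtocolVersion` value is reported with a reason instead of a bare failure. The schema entry's `DESC 'protocol version'` could likewise list the accepted values so cn=config users do not have to discover them by trial.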
}
if ( op->orr_newSup ) {
- int version = LDAP_VERSION3;
+ /* needs LDAPv3 */
+ switch ( li->li_version ) {
+ case LDAP_VERSION3:
+ break;
+
+ case 0:
+ if ( op->o_protocol == 0 || op->o_protocol == LDAP_VERSION3 ) {
+ break;
+ }
+ /* fall thru */
+
+ default:
+ /* op->o_protocol cannot be anything but LDAPv3,
+ * otherwise wouldn't be here */
+ rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ send_ldap_result( op, rs );
+ goto cleanup;
+ }
- ldap_set_option( lc->lc_ld, LDAP_OPT_PROTOCOL_VERSION, &version );
newSup = op->orr_newSup->bv_val;
}
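Review bot: the `default` arm's comment ("op->o_protocol cannot be anything but LDAPv3, otherwise wouldn't be here") contradicts the `case 0` arm directly above it, which deliberately accepts `op->o_protocol == 0`; either the front end can present an unset protocol here, in which case the comment should say which version the cached connection was opened with for that case, or it cannot and the `== 0` test should go. Removing the unconditional `ldap_set_option( lc->lc_ld, LDAP_OPT_PROTOCOL_VERSION, &version )` is the right trade: a v2 target or v2 client is now refused with `unwillingToPerform` instead of being silently upgraded behind the client's back. It does mean the connection's version is fixed when the connection is created, so if connections are cached across operations, a `protocol-version` change through cn=config only affects connections opened afterwards; worth a sentence in the man page.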
mi->mi_targets[ i ].mt_nretries = nretries;
}
+ } else if ( strcasecmp( argv[ 0 ], "protocol-version" ) == 0 ) {
+ int *version = mi->mi_ntargets ?
+ &mi->mi_targets[ mi->mi_ntargets - 1 ].mt_version
+ : &mi->mi_version;
+
+ if ( argc != 2 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: need value in \"protocol-version <version>\"\n",
+ fname, lineno, 0 );
+ return 1;
+ }
+
+ if ( lutil_atoi( version, argv[ 1 ] ) != 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: unable to parse version \"%s\" in \"protocol-version <version>\"\n",
+ fname, lineno, argv[ 1 ] );
+ return 1;
+ }
+
+ if ( *version != 0 && ( *version < LDAP_VERSION_MIN || *version > LDAP_VERSION_MAX ) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: unsupported version \"%s\" in \"protocol-version <version>\"\n",
+ fname, lineno, argv[ 1 ] );
+ return 1;
+ }
+
/* anything else */
} else {
return SLAP_CONF_UNKNOWN;
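Review bot: a `protocol-version` that appears before any `uri` is stored in `mi_version`, but nothing in this hunk copies `mi_version` into a new target's `mt_version`, and the bind path in this patch reads only `mt_version`; unless target creation already initializes `mt_version` from `mi_version`, the global form that slapd-meta(5) now documents ("affects all targets, unless overridden") is a no-op. Also, `lutil_atoi( version, argv[ 1 ] )` writes into the live config slot before the range check runs, so a rejected value such as `protocol-version 7` is left behind in `mt_version`; parse into a local and assign only after validation. Finally, the range test `*version < LDAP_VERSION_MIN || *version > LDAP_VERSION_MAX` accepts whatever libldap defines, while back-ldap's handler in this same patch hard-codes 0, `LDAP_VERSION2` and `LDAP_VERSION3`; use one form in both backends so the two man pages' `{0,2,3}` stay true.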
{
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
metasingleconn_t *msc = &mc->mc_conns[ candidate ];
- int vers;
+ int version;
dncookie dc;
int isauthz = ( candidate == mc->mc_authz_target );
* Set LDAP version. This will always succeed: If the client
* bound with a particular version, then so can we.
*/
- vers = op->o_conn->c_protocol;
- ldap_set_option( msc->msc_ld, LDAP_OPT_PROTOCOL_VERSION, &vers );
+ if ( mt->mt_version != 0 ) {
+ version = mt->mt_version;
+
+ } else if ( op->o_conn->c_protocol != 0 ) {
+ version = op->o_conn->c_protocol;
+
+ } else {
+ version = LDAP_VERSION3;
+ }
+ ldap_set_option( msc->msc_ld, LDAP_OPT_PROTOCOL_VERSION, &version );
/* automatically chase referrals ("chase-referrals [{yes|no}]" statement) */
ldap_set_option( msc->msc_ld, LDAP_OPT_REFERRALS,
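Review bot: the comment just above ("This will always succeed: If the client bound with a particular version, then so can we") is now stale, since the version may come from `mt_version` rather than from the client, and a configured `protocol-version 2` against a v3-only target can fail at bind time; update it. The fallback to `LDAP_VERSION3` when `c_protocol` is 0 is an improvement over the old code, which passed the raw `c_protocol` to `ldap_set_option` and, for 0, left the connection on the library default; please also confirm that `mt` is already bound to `&mi->mi_targets[ candidate ]` in this function, as only `mi` and `msc` are visible in the declarations shown.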
dc.rs = rs;
if ( op->orr_newSup ) {
- int version = LDAP_VERSION3;
/*
* NOTE: the newParent, if defined, must be on the
* feature from back-ldap
*/
- /* newSuperior needs LDAPv3; if we got here, we can safely
- * enforce it */
- ldap_set_option( mc->mc_conns[ candidate ].msc_ld,
- LDAP_OPT_PROTOCOL_VERSION, &version );
+ /* needs LDAPv3 */
+ switch ( mi->mi_targets[ candidate ].mt_version ) {
+ case LDAP_VERSION3:
+ break;
+
+ case 0:
+ if ( op->o_protocol == 0 || op->o_protocol == LDAP_VERSION3 ) {
+ break;
+ }
+ /* fall thru */
+ default:
+ /* op->o_protocol cannot be anything but LDAPv3,
+ * otherwise wouldn't be here */
+ rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ maperr = 0;
+ goto cleanup;
+ }
+
/*
* Rewrite the new superior, if defined and required
*/
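Review bot: this version check is a verbatim copy of the one added to back-ldap's modrdn in the same patch, including the contradiction between the `case 0` arm (which accepts `op->o_protocol == 0`) and the `default` comment (which says it can only be LDAPv3); factor the switch into a shared helper, or at least make the two comments agree. Unlike the back-ldap copy, this path sets `maperr = 0` and jumps to `cleanup` without calling `send_ldap_result`, so it depends on the `cleanup` label sending `rs->sr_err` when `maperr` is 0; confirm that is the existing convention in this function, otherwise the client never receives the `unwillingToPerform`.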