OpenLDAP 2.1.10 Release
Fixed slapd acl/group value_find_ex() bug (ITS#2227)
Fixed slapd empty values return filter control bug (ITS#2219)
- Fixed slapd empty oid control bug
Fixed slapd NameAndOptionalUID bug
Fixed slapd reentant gethostbyname bug
- Fixed slapd SASL/EXTERNAL handling
+ Fixed slapd SASL/EXTERNAL handling (ITS#2234)
+ Fixed ldbm/bdb modrdn replog bug (ITS#2235)
Fixed ldapsearch empty baseObject bug
Fixed libldap_r thread stack size
Fixed libldap SASL/EXTERNAL handling
goto done;
}
- if ( ! access_allowed( be, conn, op, e,
- password, NULL, ACL_AUTH, NULL ) )
- {
+ rc = access_allowed( be, conn, op, e,
+ password, NULL, ACL_AUTH, NULL );
+ if ( ! rc ) {
send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
goto done;
goto done;
}
- if ( ! access_allowed( be, conn, op, e,
- krbattr, NULL, ACL_AUTH, NULL ) )
- {
+ rc = access_allowed( be, conn, op, e,
+ krbattr, NULL, ACL_AUTH, NULL );
+ if ( ! rc ) {
send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
goto done;
goto done;
}
- if ( ! access_allowed( be, conn, op, e,
- ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
- {
+ rc = access_allowed( be, conn, op, e,
+ ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL );
+ if ( ! rc ) {
rc = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
}
rc = LDAP_COMPARE_TRUE;
break;
}
-
}
return_results:
/* LDAP v2 supporting correct attribute handling. */
LDAPRDN *new_rdn = NULL;
LDAPRDN *old_rdn = NULL;
- int rc;
+ int rc;
const char *text;
char textbuf[SLAP_TEXT_BUFLEN];
size_t textlen = sizeof textbuf;
}
/* check write on old entry */
- rc = access_allowed( be, conn, op, e,
- entry, NULL, ACL_WRITE, NULL );
+ rc = access_allowed( be, conn, op, e, entry, NULL, ACL_WRITE, NULL );
switch( opinfo.boi_err ) {
case DB_LOCK_DEADLOCK:
Debug( LDAP_DEBUG_TRACE, "no access to entry\n", 0,
0, 0 );
#endif
+ text = "no write access to old entry";
rc = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
}
0, 0, 0);
#endif
rc = LDAP_OTHER;
+ text = "old entry's parent does not exist";
goto return_results;
}
/* check parent for "children" acl */
- if ( ! access_allowed( be, conn, op, p,
- children, NULL, ACL_WRITE, NULL ) )
- {
+ rc = access_allowed( be, conn, op, p,
+ children, NULL, ACL_WRITE, NULL );
+
+ if ( ! rc ) {
+ rc = LDAP_INSUFFICIENT_ACCESS;
#ifdef NEW_LOGGING
LDAP_LOG ( OPERATION, ERR,
"==>bdb_modrdn: no access to parent\n", 0, 0, 0 );
Debug( LDAP_DEBUG_TRACE, "no access to parent\n", 0,
0, 0 );
#endif
- send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
- NULL, NULL, NULL, NULL );
+ text = "no write access to old parent's children";
goto return_results;
}
p = NULL;
- if ( ! rc )
- {
+ if ( ! rc ) {
+ rc = LDAP_INSUFFICIENT_ACCESS;
#ifdef NEW_LOGGING
LDAP_LOG ( OPERATION, ERR,
"==>bdb_modrdn: no access to parent\n", 0, 0, 0 );
"no access to parent\n",
0, 0, 0 );
#endif
- send_ldap_result( conn, op,
- LDAP_INSUFFICIENT_ACCESS,
- NULL, NULL, NULL, NULL );
+ text = "no write access to old parent";
goto return_results;
}
"& \"\" is not suffix\n",
0, 0, 0);
#endif
+ text = "no write access to old parent";
rc = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
}
newSuperior = NULL; /* ignore newSuperior */
}
}
+
if ( newSuperior != NULL ) {
if ( newSuperior->bv_len ) {
np_dn = newSuperior;
"bdb_modrdn: newSup(ndn=%s) not here!\n",
np_ndn->bv_val, 0, 0);
#endif
+ text = "new superior not found";
rc = LDAP_OTHER;
goto return_results;
}
#endif
/* check newSuperior for "children" acl */
- if ( !access_allowed( be, conn, op, np, children, NULL, ACL_WRITE, NULL ) ) {
+ rc = access_allowed( be, conn, op, np, children,
+ NULL, ACL_WRITE, NULL );
+
+ if( ! rc ) {
#ifdef NEW_LOGGING
LDAP_LOG ( OPERATION, DETAIL1,
"==>bdb_modrdn: no wr to newSup children\n", 0, 0, 0 );
"bdb_modrdn: no wr to newSup children\n",
0, 0, 0 );
#endif
+ text = "no write access to new superior's children";
rc = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
}
Debug( LDAP_DEBUG_TRACE, "bdb_modrdn: entry is alias\n",
0, 0, 0 );
#endif
-
+ text = "new superior is an alias";
rc = LDAP_ALIAS_PROBLEM;
goto return_results;
}
Debug( LDAP_DEBUG_TRACE, "bdb_modrdn: entry is referral\n",
0, 0, 0 );
#endif
-
+ text = "new superior is a referral";
rc = LDAP_OTHER;
goto return_results;
}
np = NULL;
- if ( ! rc )
- {
+ if ( ! rc ) {
+ rc = LDAP_INSUFFICIENT_ACCESS;
#ifdef NEW_LOGGING
LDAP_LOG ( OPERATION, ERR,
"==>bdb_modrdn: no access to superior\n", 0, 0, 0 );
"no access to new superior\n",
0, 0, 0 );
#endif
- send_ldap_result( conn, op,
- LDAP_INSUFFICIENT_ACCESS,
- NULL, NULL, NULL, NULL );
+ text = "no write access to new superior's children";
goto return_results;
}
"& \"\" is not suffix\n",
0, 0, 0);
#endif
+ text = "no write access to new superior's children";
rc = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
}
assert( id != NOID );
- if ( (db = ldbm_cache_open( be, "dn2id", LDBM_SUFFIX, LDBM_WRCREAT ))
- == NULL ) {
+ db = ldbm_cache_open( be, "dn2id", LDBM_SUFFIX, LDBM_WRCREAT );
+ if ( db == NULL ) {
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR,
"dn2id_add: couldn't open/create dn2id%s\n", LDBM_SUFFIX, 0, 0 );
buf[0] = DN_BASE_PREFIX;
ptr.bv_val = buf + 1;
ptr.bv_len = dn->bv_len;
- strcpy( ptr.bv_val, dn->bv_val );
+ AC_MEMCPY( ptr.bv_val, dn->bv_val, dn->bv_len );
+ ptr.bv_val[ dn->bv_len ] = '\0';
ldbm_datum_init( data );
data.dptr = (char *) &id;
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
DBCache *db;
Datum key, data;
+ unsigned char *tmp;
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ENTRY, "dn2id: (%s)\n", dn->bv_val, 0, 0 );
assert( idp );
/* first check the cache */
- if ( (*idp = cache_find_entry_ndn2id( be, &li->li_cache, dn )) != NOID ) {
+ *idp = cache_find_entry_ndn2id( be, &li->li_cache, dn );
+ if ( *idp != NOID ) {
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, DETAIL1, "dn2id: (%s)%ld in cache.\n", dn, *idp, 0 );
#else
return( 0 );
}
- if ( (db = ldbm_cache_open( be, "dn2id", LDBM_SUFFIX, LDBM_WRCREAT ))
- == NULL ) {
+ db = ldbm_cache_open( be, "dn2id", LDBM_SUFFIX, LDBM_WRCREAT );
+ if ( db == NULL ) {
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR,
"dn2id: couldn't open dn2id%s\n", LDBM_SUFFIX, 0, 0 );
key.dsize = dn->bv_len + 2;
key.dptr = ch_malloc( key.dsize );
- sprintf( key.dptr, "%c%s", DN_BASE_PREFIX, dn->bv_val );
+ tmp = (unsigned char *)key.dptr;
+ tmp[0] = DN_BASE_PREFIX;
+ tmp++;
+ AC_MEMCPY( tmp, dn->bv_val, dn->bv_len );
+ tmp[dn->bv_len] = '\0';
data = ldbm_cache_fetch( db, key );
{
DBCache *db;
Datum key;
+ unsigned char *tmp;
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ENTRY, "dn2idl: \"%c%s\"\n", prefix, dn->bv_val, 0 );
return 0;
}
- if ( (db = ldbm_cache_open( be, "dn2id", LDBM_SUFFIX, LDBM_WRCREAT ))
- == NULL ) {
+ db = ldbm_cache_open( be, "dn2id", LDBM_SUFFIX, LDBM_WRCREAT );
+ if ( db == NULL ) {
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR,
"dn2idl: could not open dn2id%s\n", LDBM_SUFFIX, 0, 0 );
key.dsize = dn->bv_len + 2;
key.dptr = ch_malloc( key.dsize );
- sprintf( key.dptr, "%c%s", prefix, dn->bv_val );
+ tmp = (unsigned char *)key.dptr;
+ tmp[0] = prefix;
+ tmp++;
+ AC_MEMCPY( tmp, dn->bv_val, dn->bv_len );
+ tmp[dn->bv_len] = '\0';
*idlp = idl_fetch( be, db, key );
assert( id != NOID );
- if ( (db = ldbm_cache_open( be, "dn2id", LDBM_SUFFIX, LDBM_WRCREAT ))
- == NULL ) {
+ db = ldbm_cache_open( be, "dn2id", LDBM_SUFFIX, LDBM_WRCREAT );
+ if ( db == NULL ) {
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR,
"dn2id_delete: couldn't open db2id%s\n", LDBM_SUFFIX, 0, 0 );
buf[0] = DN_BASE_PREFIX;
ptr.bv_val = buf + 1;
ptr.bv_len = dn->bv_len;
- strcpy( ptr.bv_val, dn->bv_val );
+ AC_MEMCPY( ptr.bv_val, dn->bv_val, dn->bv_len );
+ ptr.bv_val[dn->bv_len] = '\0';
rc = ldbm_cache_delete( db, key );
/* something bad happened to ldbm cache */
return( NULL );
- } else if ( id != NOID ) {
+ }
+
+ if ( id != NOID ) {
/* try to return the entry */
if ((e = id2entry_rw( be, id, rw )) != NULL ) {
return( e );
Datum data;
ID_BLOCK *idl;
ID_BLOCK **tmp;
- int nids;
- unsigned i;
+ unsigned i, nids, nblocks;
idl = idl_fetch_one( be, db, key );
#ifndef USE_INDIRECT_NIDS
/* count the number of blocks & allocate space for pointers to them */
- for ( i = 0; !ID_BLOCK_NOID(idl, i); i++ )
+ for ( nblocks = 0; !ID_BLOCK_NOID(idl, nblocks); nblocks++ )
; /* NULL */
#else
- i = ID_BLOCK_NIDS(idl);
+ nblocks = ID_BLOCK_NIDS(idl);
#endif
- tmp = (ID_BLOCK **) ch_malloc( (i + 1) * sizeof(ID_BLOCK *) );
+ tmp = (ID_BLOCK **) ch_malloc( nblocks * sizeof(ID_BLOCK *) );
/* read in all the blocks */
cont_alloc( &data, &key );
nids = 0;
-#ifndef USE_INDIRECT_NIDS
- for ( i = 0; !ID_BLOCK_NOID(idl, i); i++ ) {
-#else
- for ( i = 0; i < ID_BLOCK_NIDS(idl); i++ ) {
-#endif
+ for ( i = 0; i < nblocks; i++ ) {
cont_id( &data, ID_BLOCK_ID(idl, i) );
if ( (tmp[i] = idl_fetch_one( be, db, data )) == NULL ) {
nids += ID_BLOCK_NIDS(tmp[i]);
}
- tmp[i] = NULL;
cont_free( &data );
idl_free( idl );
nids = 0;
/* copy in all the ids from the component blocks */
- for ( i = 0; tmp[i] != NULL; i++ ) {
+ for ( i = 0; i < nblocks; i++ ) {
if ( tmp[i] == NULL ) {
continue;
}
int rc = CAN_ROLLBACK;
int rc_id = 0;
ID id = NOID;
- const char *text = NULL;
- char textbuf[SLAP_TEXT_BUFLEN];
- size_t textlen = sizeof textbuf;
+ const char *text = NULL;
+ char textbuf[SLAP_TEXT_BUFLEN];
+ size_t textlen = sizeof textbuf;
/* Added to support newSuperior */
Entry *np = NULL; /* newSuperior Entry */
struct berval *np_ndn = NULL; /* newSuperior ndn */
isroot = be_isroot( be, &op->o_ndn );
if ( ! isroot ) {
if ( be_issuffix( be, (struct berval *)&slap_empty_bv ) || be_isupdate( be, &op->o_ndn ) ) {
+ int can_access;
p = (Entry *)&slap_entry_root;
- rc = access_allowed( be, conn, op, p,
+ can_access = access_allowed( be, conn, op, p,
children, NULL, ACL_WRITE, NULL );
p = NULL;
/* check parent for "children" acl */
- if ( ! rc ) {
+ if ( ! can_access ) {
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR,
"ldbm_back_modrdn: no access to parent \"\"\n", 0,0,0 );
if ( ! isroot ) {
if ( be_issuffix( be, (struct berval *)&slap_empty_bv ) || be_isupdate( be, &op->o_ndn ) ) {
+ int can_access;
np = (Entry *)&slap_entry_root;
- rc = access_allowed( be, conn, op, np,
+ can_access = access_allowed( be, conn, op, np,
children, NULL, ACL_WRITE, NULL );
np = NULL;
/* check parent for "children" acl */
- if ( ! rc ) {
+ if ( ! can_access ) {
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR,
"ldbm_back_modrdn: no access "
"type(s)/values(s) of newrdn\n",
0, 0, 0 );
#endif
- rc = LDAP_INVALID_DN_SYNTAX;
- text = "unknown type(s) used in RDN";
goto return_results;
}
"the old_rdn type(s)/value(s)\n",
0, 0, 0 );
#endif
- rc = LDAP_OTHER;
- text = "cannot parse RDN from old DN";
goto return_results;
}
}
0, 0, 0 );
#endif
- rc = slap_modrdn2mods( be, conn, op, e, old_rdn, new_rdn,
- deleteoldrdn, &mod );
- if ( rc != LDAP_SUCCESS ) {
+ if ( slap_modrdn2mods( be, conn, op, e, old_rdn, new_rdn,
+ deleteoldrdn, &mod ) != LDAP_SUCCESS ) {
goto return_results;
}
new_dn.bv_val = NULL;
new_ndn.bv_val = NULL;
+ /* NOTE: after this you must not free new_dn or new_ndn!
+ * They are used by cache.
+ */
+
/* add new one */
if ( dn2id_add( be, &e->e_nname, e->e_id ) != 0 ) {
send_ldap_result( conn, op, LDAP_OTHER,
}
/* modify memory copy of entry */
- rc = ldbm_modify_internal( be, conn, op, dn->bv_val, &mod[0], e,
+ rc_id = ldbm_modify_internal( be, conn, op, dn->bv_val, &mod[0], e,
&text, textbuf, textlen );
+ switch ( rc_id ) {
+ case LDAP_SUCCESS:
+ break;
- if( rc != LDAP_SUCCESS ) {
- if( rc != SLAPD_ABANDON ) {
- send_ldap_result( conn, op, rc,
- NULL, text, NULL, NULL );
- }
-
+ case SLAPD_ABANDON:
+ /* too late ... */
+ send_ldap_result( conn, op, rc_id, NULL, text, NULL, NULL );
+ goto return_results;
+
+ default:
/* here we may try to delete the newly added dn */
if ( dn2id_delete( be, &e->e_nname, e->e_id ) != 0 ) {
/* we already are in trouble ... */
;
}
-
goto return_results;
}
(void) cache_update_entry( &li->li_cache, e );
- /* NOTE: after this you must not free new_dn or new_ndn!
- * They are used by cache.
- */
-
/* id2entry index */
if ( id2entry_add( be, e ) != 0 ) {
send_ldap_result( conn, op, LDAP_OTHER,
ok:
if (conn->c_sasl_bindop) {
Statslog( LDAP_DEBUG_STATS,
- "conn=%lu op=%lu BIND authcid=\"%s\"\n",
- conn->c_connid, conn->c_sasl_bindop->o_opid,
+ "conn=%lu op=%lu BIND authcid=\"%s\"\n",
+ conn->c_connid, conn->c_sasl_bindop->o_opid,
auth_identity, 0, 0);
}
for (p=begin; p<=end && *p != '$'; p++) /* empty */ ;
if ( p > end ) return LDAP_INVALID_SYNTAX;
- /* p now points at the $ sign, now use begin and end to delimit the
- serial number */
+ /* p now points at the $ sign, now use
+ * begin and end to delimit the serial number
+ */
while (ASCII_SPACE(*begin)) begin++;
end = p-1;
while (ASCII_SPACE(*end)) end--;
+ if( end <= begin ) return LDAP_INVALID_SYNTAX;
+
bv.bv_len = end-begin+1;
bv.bv_val = begin;
ber_dupbv(serial, &bv);
/* now extract the issuer, remember p was at the dollar sign */
- if ( issuer_dn ) {
- begin = p+1;
- end = assertion->bv_val+assertion->bv_len-1;
- while (ASCII_SPACE(*begin)) begin++;
- /* should we trim spaces at the end too? is it safe always? */
+ begin = p+1;
+ end = assertion->bv_val+assertion->bv_len-1;
+ while (ASCII_SPACE(*begin)) begin++;
+ /* should we trim spaces at the end too? is it safe always? no, no */
+
+ if( end <= begin ) return LDAP_INVALID_SYNTAX;
+ if ( issuer_dn ) {
bv.bv_len = end-begin+1;
bv.bv_val = begin;
+
dnNormalize2( NULL, &bv, issuer_dn );
}
{
BerVarray keys;
struct berval asserted_serial;
+ int ret;
- serial_and_issuer_parse(assertedValue,
- &asserted_serial, NULL);
+ ret = serial_and_issuer_parse( assertedValue, &asserted_serial, NULL );
+ if( ret != LDAP_SUCCESS ) return ret;
keys = ch_malloc( sizeof( struct berval ) * 2 );
integerNormalize( syntax, &asserted_serial, &keys[0] );
* Chadwick in private mail.
*/
{"( 1.2.826.0.1.3344810.7.1 DESC 'Serial Number and Issuer' )",
- 0, NULL, NULL, NULL},
+ 0, UTF8StringValidate, NULL, NULL},
#endif
/* OpenLDAP Experimental Syntaxes */
long
slap_set_size (BerVarray set)
{
- int i;
+ long i;
i = 0;
if (set != NULL) {
while (set[i].bv_val)
i++;
}
- return(i);
+ return i;
}
void
SF_ERROR(syntax);
}
- rc = slap_set_size(set);
+ rc = slap_set_size(set) > 0 ? 1 : 0;
if (results) {
*results = set;
set = NULL;