authorRich Megginson <rmeggins@redhat.com>2008-11-05 18:21:06 +0000
committerRich Megginson <rmeggins@redhat.com>2008-11-05 18:21:06 +0000
commit16c994ace5d2eb635bf3847b5fe4c96c46fdd8a2 (patch)
treee039e7e872d256c18ba0deeb745f32712612b049 /ldap/servers/plugins/chainingdb/cb_instance.c
parent7e35a10850563a5cd61289b4330279b69b087128 (diff)
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 2 Reviewed by: nhosoi (Thanks!) Fix Description: This part focuses on the chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain. I had to add two new config parameters for chaining: nsUseStartTLS - on or off - tells the connection to use startTLS - default is off nsBindMechanism - if absent, will just use simple auth. If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind). The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter. Fixed a bug in the starttls code in slapi_ldap_init_ext. The sasl code uses an internal search to find the entry corresponding to the sasl user id. This search could not be chained due to the way it was coded. So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID. This allows the sasl code to work with a chained backend. In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents. I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out. I fixed a bug in the sasl mapping debug trace code. Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna Platforms tested: Fedora 8, Fedora 9 Flag Day: yes Doc impact: yes
Diffstat (limited to 'ldap/servers/plugins/chainingdb/cb_instance.c')
-rw-r--r--ldap/servers/plugins/chainingdb/cb_instance.c72
1 files changed, 69 insertions, 3 deletions
diff --git a/ldap/servers/plugins/chainingdb/cb_instance.c b/ldap/servers/plugins/chainingdb/cb_instance.c
index 15e266bd..0e79b7e3 100644
--- a/ldap/servers/plugins/chainingdb/cb_instance.c
+++ b/ldap/servers/plugins/chainingdb/cb_instance.c
@@ -53,7 +53,9 @@
/* Get functions */
static void *cb_instance_hosturl_get(void *arg);
+static void *cb_instance_starttls_get(void *arg);
static void *cb_instance_binduser_get(void *arg);
+static void *cb_instance_bindmech_get(void *arg);
static void *cb_instance_userpassword_get(void *arg);
static void *cb_instance_maxbconn_get(void *arg);
static void *cb_instance_maxconn_get(void *arg);
@@ -77,7 +79,9 @@ static void *cb_instance_max_test_get(void *arg);
/* Set functions */
static int cb_instance_hosturl_set(void *arg, void *value, char *errorbuf, int phase, int apply);
+static int cb_instance_starttls_set(void *arg, void *value, char *errorbuf, int phase, int apply);
static int cb_instance_binduser_set(void *arg, void *value, char *errorbuf, int phase, int apply);
+static int cb_instance_bindmech_set(void *arg, void *value, char *errorbuf, int phase, int apply);
static int cb_instance_userpassword_set(void *arg, void *value, char *errorbuf, int phase, int apply);
static int cb_instance_maxbconn_set(void *arg, void *value, char *errorbuf, int phase, int apply);
static int cb_instance_maxconn_set(void *arg, void *value, char *errorbuf, int phase, int apply);
@@ -120,6 +124,8 @@ cb_instance_config_info cb_the_instance_config[] = {
{CB_CONFIG_HOPLIMIT,CB_CONFIG_TYPE_INT,CB_DEF_HOPLIMIT,&cb_instance_hoplimit_get, &cb_instance_hoplimit_set,CB_ALWAYS_SHOW},
{CB_CONFIG_MAX_IDLE_TIME,CB_CONFIG_TYPE_INT,CB_DEF_MAX_IDLE_TIME,&cb_instance_max_idle_get, &cb_instance_max_idle_set,CB_ALWAYS_SHOW},
{CB_CONFIG_MAX_TEST_TIME,CB_CONFIG_TYPE_INT,CB_DEF_MAX_TEST_TIME,&cb_instance_max_test_get, &cb_instance_max_test_set,CB_ALWAYS_SHOW},
+{CB_CONFIG_STARTTLS,CB_CONFIG_TYPE_ONOFF,CB_DEF_STARTTLS,&cb_instance_starttls_get, &cb_instance_starttls_set,CB_ALWAYS_SHOW},
+{CB_CONFIG_BINDMECH,CB_CONFIG_TYPE_STRING,CB_DEF_BINDMECH,&cb_instance_bindmech_get, &cb_instance_bindmech_set,CB_ALWAYS_SHOW},
{NULL, 0, NULL, NULL, NULL, 0}
};
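Review bot: The CB_CONFIG_BINDMECH row added here registers the bind mechanism as a free-form CB_CONFIG_TYPE_STRING, and its setter cb_instance_bindmech_set (added later in this diff) stores whatever string arrives without checking it against the mechanisms the commit message says are the only supported ones (EXTERNAL, GSSAPI, DIGEST-MD5), so a typo or an unsupported value is accepted at configuration time and only surfaces when the pool next tries to bind to the farm server. The ONOFF type on the nsUseStartTLS row presumably gets generic on/off parsing from the config framework, but nothing comparable constrains a STRING value. I would reject unknown values in cb_instance_bindmech_set before the `if (apply)` branch, so the check also runs in any validation-only pass the framework makes, e.g. `if (value && strcasecmp((char *)value, "EXTERNAL") && strcasecmp((char *)value, "GSSAPI") && strcasecmp((char *)value, "DIGEST-MD5")) { /* describe the bad value in errorbuf */ return LDAP_UNWILLING_TO_PERFORM; }`. That way the attribute is refused with a message in errorbuf rather than triggering CB_REOPEN_CONN against a mechanism the bind code cannot use.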
@@ -256,9 +262,9 @@ void cb_instance_free(cb_backend_instance * inst) {
slapi_destroy_mutex(inst->pool->conn.conn_list_mutex);
slapi_destroy_mutex(inst->monitor_availability.cpt_lock);
slapi_destroy_mutex(inst->monitor_availability.lock_timeLimit);
- slapi_ch_free((void **) &inst->configDn);
- slapi_ch_free((void **) &inst->monitorDn);
- slapi_ch_free((void **) &inst->inst_name);
+ slapi_ch_free_string(&inst->configDn);
+ slapi_ch_free_string(&inst->monitorDn);
+ slapi_ch_free_string(&inst->inst_name);
charray_free(inst->every_attribute);
slapi_ch_free((void **) &inst->bind_pool);
@@ -1324,6 +1330,66 @@ static int cb_instance_bindretry_set(void *arg, void *value, char *errorbuf, int
}
+static void *cb_instance_starttls_get(void *arg)
+{
+ cb_backend_instance * inst=(cb_backend_instance *) arg;
+ uintptr_t data;
+
+ PR_RWLock_Rlock(inst->rwl_config_lock);
+ data=inst->pool->starttls;
+ PR_RWLock_Unlock(inst->rwl_config_lock);
+ return (void *) data;
+}
+
+static int cb_instance_starttls_set(void *arg, void *value, char *errorbuf, int phase, int apply)
+{
+ cb_backend_instance * inst=(cb_backend_instance *) arg;
+ int rc = LDAP_SUCCESS;
+
+ if (apply) {
+ PR_RWLock_Wlock(inst->rwl_config_lock);
+ inst->pool->starttls=(int) ((uintptr_t)value);
+ PR_RWLock_Unlock(inst->rwl_config_lock);
+ if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) &&
+ ( phase != CB_CONFIG_PHASE_STARTUP )) {
+ rc=CB_REOPEN_CONN; /* reconnect with the new starttls setting */
+ }
+ }
+ return rc;
+}
+
+static void *cb_instance_bindmech_get(void *arg)
+{
+ cb_backend_instance * inst=(cb_backend_instance *) arg;
+ char * data;
+
+ PR_RWLock_Rlock(inst->rwl_config_lock);
+ data = slapi_ch_strdup(inst->pool->mech);
+ PR_RWLock_Unlock(inst->rwl_config_lock);
+ return data;
+}
+
+static int cb_instance_bindmech_set(void *arg, void *value, char *errorbuf, int phase, int apply)
+{
+ cb_backend_instance * inst=(cb_backend_instance *) arg;
+ int rc=LDAP_SUCCESS;
+
+ if (apply) {
+ PR_RWLock_Wlock(inst->rwl_config_lock);
+ if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) &&
+ ( phase != CB_CONFIG_PHASE_STARTUP )) {
+
+ /* Dynamic modif */
+ charray_add(&inst->pool->waste_basket,inst->pool->mech);
+ rc=CB_REOPEN_CONN;
+ }
+
+ inst->pool->mech=slapi_ch_strdup((char *) value);
+ PR_RWLock_Unlock(inst->rwl_config_lock);
+ }
+ return rc;
+}
+
/* Finds an entry in a config_info array with the given name. Returns