diff options
| author | Rich Megginson <rmeggins@redhat.com> | 2008-11-05 18:21:06 +0000 |
|---|---|---|
| committer | Rich Megginson <rmeggins@redhat.com> | 2008-11-05 18:21:06 +0000 |
| commit | 16c994ace5d2eb635bf3847b5fe4c96c46fdd8a2 (patch) | |
| tree | e039e7e872d256c18ba0deeb745f32712612b049 /ldap/servers/plugins/chainingdb | |
| parent | 7e35a10850563a5cd61289b4330279b69b087128 (diff) | |
| download | ds-16c994ace5d2eb635bf3847b5fe4c96c46fdd8a2.tar.gz ds-16c994ace5d2eb635bf3847b5fe4c96c46fdd8a2.tar.xz ds-16c994ace5d2eb635bf3847b5fe4c96c46fdd8a2.zip | |
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 2
Reviewed by: nhosoi (Thanks!)
Fix Description: This part focuses on chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain. I had to add two new config parameters for chaining:
nsUseStartTLS - on or off - tell connection to use startTLS - default is off
nsBindMechanism - if absent, will just use simple auth. If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind)
The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter.
Fixed a bug in the starttls code in slapi_ldap_init_ext.
The sasl code uses an internal search to find the entry corresponding to the sasl user id. This search could not be chained due to the way it was coded. So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID. This allows the sasl code to work with a chained backend. In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents. I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out.
I fixed a bug in the sasl mapping debug trace code.
Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna
Platforms tested: Fedora 8, Fedora 9
Flag Day: yes
Doc impact: yes
Diffstat (limited to 'ldap/servers/plugins/chainingdb')
| -rw-r--r-- | ldap/servers/plugins/chainingdb/cb.h | 6 | ||||
| -rw-r--r-- | ldap/servers/plugins/chainingdb/cb_conn_stateless.c | 109 | ||||
| -rw-r--r-- | ldap/servers/plugins/chainingdb/cb_instance.c | 72 |
3 files changed, 107 insertions, 80 deletions
diff --git a/ldap/servers/plugins/chainingdb/cb.h b/ldap/servers/plugins/chainingdb/cb.h index ef39ab26..a8e44985 100644 --- a/ldap/servers/plugins/chainingdb/cb.h +++ b/ldap/servers/plugins/chainingdb/cb.h @@ -114,8 +114,10 @@ #define CB_CONFIG_SIZELIMIT "nsslapd-sizelimit" #define CB_CONFIG_TIMELIMIT "nsslapd-timelimit" #define CB_CONFIG_HOSTURL "nsFarmServerURL" +#define CB_CONFIG_STARTTLS "nsUseStartTLS" #define CB_CONFIG_BINDUSER "nsMultiplexorBindDn" +#define CB_CONFIG_BINDMECH "nsBindMechanism" #define CB_CONFIG_USERPASSWORD "nsMultiplexorCredentials" #define CB_CONFIG_MAXBINDCONNECTIONS "nsBindConnectionsLimit" #define CB_CONFIG_MAXCONNECTIONS "nsOperationConnectionsLimit" @@ -163,6 +165,8 @@ #define CB_DEF_HOPLIMIT "10" /* CB_CONFIG_HOPLIMIT */ #define CB_DEF_MAX_IDLE_TIME "60" /* CB_CONFIG_MAX_IDLE_TIME */ #define CB_DEF_MAX_TEST_TIME "15" /* CB_CONFIG_MAX_TEST_TIME */ +#define CB_DEF_STARTTLS "off" /* CB_CONFIG_STARTTLS */ +#define CB_DEF_BINDMECH LDAP_SASL_SIMPLE /* CB_CONFIG_BINDMECH */ typedef void *cb_config_get_fn_t(void *arg); typedef int cb_config_set_fn_t(void *arg, void *value, char *errorbuf, int phase, int apply); @@ -290,6 +294,8 @@ typedef struct { /* To protect the config set by LDAP */ PRRWLock * rwl_config_lock; + int starttls; /* use starttls with connection */ + char *mech; /* plain, external, or a sasl mech */ } cb_conn_pool; diff --git a/ldap/servers/plugins/chainingdb/cb_conn_stateless.c b/ldap/servers/plugins/chainingdb/cb_conn_stateless.c index adc87ff0..41d7f243 100644 --- a/ldap/servers/plugins/chainingdb/cb_conn_stateless.c +++ b/ldap/servers/plugins/chainingdb/cb_conn_stateless.c @@ -164,6 +164,7 @@ int cb_get_connection(cb_conn_pool * pool, LDAP ** lld, cb_outgoing_conn ** cc,s char *password,*binddn,*hostname; unsigned int port; int secure; + char *mech = NULL;; static char *error1="Can't contact remote server : %s"; static char *error2="Can't bind to remote server : %s"; int isMultiThread = ENABLE_MULTITHREAD_PER_CONN ; /* by default, we enable multiple operations per connection */ @@ -199,6 +200,10 @@ int cb_get_connection(cb_conn_pool * pool, LDAP ** lld, cb_outgoing_conn ** cc,s hostname=pool->hostname; port=pool->port; secure=pool->secure; + if (pool->starttls) { + secure = 2; + } + mech=pool->mech; PR_RWLock_Unlock(pool->rwl_config_lock); @@ -348,12 +353,8 @@ int cb_get_connection(cb_conn_pool * pool, LDAP ** lld, cb_outgoing_conn ** cc,s /* For now, bind even if no user to detect error */ /* earlier */ if (pool->bindit) { - int msgid; - LDAPMessage *res=NULL; - int parse_rc; PRErrorCode prerr = 0; LDAPControl **serverctrls=NULL; - char **referrals=NULL; char *plain = NULL; int ret = -1; @@ -381,14 +382,21 @@ int cb_get_connection(cb_conn_pool * pool, LDAP ** lld, cb_outgoing_conn ** cc,s } /* Password-based client authentication */ + rc = slapi_ldap_bind(ld, binddn, plain, mech, NULL, &serverctrls, + &bind_to, NULL); - if (( msgid = ldap_simple_bind( ld, binddn, plain)) <0) { - rc=ldap_get_lderrno( ld, NULL, NULL ); - prerr=PR_GetError(); - } if ( ret == 0 ) slapi_ch_free_string(&plain); /* free plain only if it has been duplicated */ - if ( rc != LDAP_SUCCESS ) { + if ( rc == LDAP_TIMEOUT ) { + if (cb_debug_on()) { + slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM, + "Can't bind to server <%s> port <%d>. (%s)\n", + hostname, port, "time-out expired"); + } + rc = LDAP_CONNECT_ERROR; + goto unlock_and_return; + } else if ( rc != LDAP_SUCCESS ) { + prerr=PR_GetError(); if (cb_debug_on()) { slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM, "Can't bind to server <%s> port <%d>. " @@ -405,67 +413,11 @@ int cb_get_connection(cb_conn_pool * pool, LDAP ** lld, cb_outgoing_conn ** cc,s goto unlock_and_return; } - rc = ldap_result( ld, msgid, 0, &bind_to, &res ); - switch (rc) { - case -1: - rc = ldap_get_lderrno( ld, NULL, NULL ); - if (cb_debug_on()) { - slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM, - "Can't bind to server <%s> port <%d>. " - "(LDAP error %d - %s; " - SLAPI_COMPONENT_NAME_NSPR " error %d - %s)\n", - hostname, port, rc, - ldap_err2string(rc), - prerr, slapd_pr_strerror(prerr)); - } - if ( errmsg ) { - *errmsg = PR_smprintf(error2,ldap_err2string(rc)); - } - rc = LDAP_CONNECT_ERROR; - goto unlock_and_return; - case 0: - if (cb_debug_on()) { - slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM, - "Can't bind to server <%s> port <%d>. (%s)\n", - hostname, port, "time-out expired"); - } - rc = LDAP_CONNECT_ERROR; - goto unlock_and_return; - default: - - parse_rc = ldap_parse_result( ld, res, &rc, NULL, - NULL, &referrals, &serverctrls, 1 ); - - if ( parse_rc != LDAP_SUCCESS ) { - if (cb_debug_on()) { - slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM, - "Can't bind to server <%s> port <%d>. (%s)\n", - hostname, port, ldap_err2string(parse_rc)); - } - if ( errmsg ) { - *errmsg = PR_smprintf(error2,ldap_err2string(parse_rc)); - } - rc = parse_rc; - goto unlock_and_return; - } - - if ( rc != LDAP_SUCCESS ) { - if (cb_debug_on()) { - slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM, - "Can't bind to server <%s> port <%d>. (%s)\n", - hostname, port, ldap_err2string(rc)); - } - if ( errmsg ) { - *errmsg = PR_smprintf(error2, ldap_err2string(rc)); - } - goto unlock_and_return; - } - - if ( serverctrls ) + if ( serverctrls ) + { + int i; + for( i = 0; serverctrls[ i ] != NULL; ++i ) { - int i; - for( i = 0; serverctrls[ i ] != NULL; ++i ) - { if ( !(strcmp( serverctrls[ i ]->ldctl_oid, LDAP_CONTROL_PWEXPIRED)) ) { /* Bind is successful but password has expired */ @@ -487,12 +439,8 @@ int cb_get_connection(cb_conn_pool * pool, LDAP ** lld, cb_outgoing_conn ** cc,s binddn, hostname, port, password_expiring); } } - } - ldap_controls_free(serverctrls); - } - - if (referrals) - charray_free(referrals); + } + ldap_controls_free(serverctrls); } } @@ -896,6 +844,7 @@ int cb_ping_farm(cb_backend_instance *cb, cb_outgoing_conn * cnx,time_t end_time LDAP *ld; LDAPMessage *result; time_t now; + int secure; if (cb->max_idle_time <=0) /* Heart-beat disabled */ return LDAP_SUCCESS; @@ -904,8 +853,12 @@ int cb_ping_farm(cb_backend_instance *cb, cb_outgoing_conn * cnx,time_t end_time now = current_time(); if (end_time && ((now <= end_time) || (end_time <0))) return LDAP_SUCCESS; - - ld=slapi_ldap_init(cb->pool->hostname,cb->pool->port,cb->pool->secure,0); + + secure = cb->pool->secure; + if (cb->pool->starttls) { + secure = 2; + } + ld=slapi_ldap_init(cb->pool->hostname,cb->pool->port,secure,0); if (NULL == ld) { cb_update_failed_conn_cpt( cb ); return LDAP_SERVER_DOWN; @@ -914,6 +867,8 @@ int cb_ping_farm(cb_backend_instance *cb, cb_outgoing_conn * cnx,time_t end_time timeout.tv_sec=cb->max_test_time; timeout.tv_usec=0; + /* NOTE: This will fail if we implement the ability to disable + anonymous bind */ rc=ldap_search_ext_s(ld ,NULL,LDAP_SCOPE_BASE,"objectclass=*",attrs,1,NULL, NULL, &timeout, 1,&result); if ( LDAP_SUCCESS != rc ) { diff --git a/ldap/servers/plugins/chainingdb/cb_instance.c b/ldap/servers/plugins/chainingdb/cb_instance.c index 15e266bd..0e79b7e3 100644 --- a/ldap/servers/plugins/chainingdb/cb_instance.c +++ b/ldap/servers/plugins/chainingdb/cb_instance.c @@ -53,7 +53,9 @@ /* Get functions */ static void *cb_instance_hosturl_get(void *arg); +static void *cb_instance_starttls_get(void *arg); static void *cb_instance_binduser_get(void *arg); +static void *cb_instance_bindmech_get(void *arg); static void *cb_instance_userpassword_get(void *arg); static void *cb_instance_maxbconn_get(void *arg); static void *cb_instance_maxconn_get(void *arg); @@ -77,7 +79,9 @@ static void *cb_instance_max_test_get(void *arg); /* Set functions */ static int cb_instance_hosturl_set(void *arg, void *value, char *errorbuf, int phase, int apply); +static int cb_instance_starttls_set(void *arg, void *value, char *errorbuf, int phase, int apply); static int cb_instance_binduser_set(void *arg, void *value, char *errorbuf, int phase, int apply); +static int cb_instance_bindmech_set(void *arg, void *value, char *errorbuf, int phase, int apply); static int cb_instance_userpassword_set(void *arg, void *value, char *errorbuf, int phase, int apply); static int cb_instance_maxbconn_set(void *arg, void *value, char *errorbuf, int phase, int apply); static int cb_instance_maxconn_set(void *arg, void *value, char *errorbuf, int phase, int apply); @@ -120,6 +124,8 @@ cb_instance_config_info cb_the_instance_config[] = { {CB_CONFIG_HOPLIMIT,CB_CONFIG_TYPE_INT,CB_DEF_HOPLIMIT,&cb_instance_hoplimit_get, &cb_instance_hoplimit_set,CB_ALWAYS_SHOW}, {CB_CONFIG_MAX_IDLE_TIME,CB_CONFIG_TYPE_INT,CB_DEF_MAX_IDLE_TIME,&cb_instance_max_idle_get, &cb_instance_max_idle_set,CB_ALWAYS_SHOW}, {CB_CONFIG_MAX_TEST_TIME,CB_CONFIG_TYPE_INT,CB_DEF_MAX_TEST_TIME,&cb_instance_max_test_get, &cb_instance_max_test_set,CB_ALWAYS_SHOW}, +{CB_CONFIG_STARTTLS,CB_CONFIG_TYPE_ONOFF,CB_DEF_STARTTLS,&cb_instance_starttls_get, &cb_instance_starttls_set,CB_ALWAYS_SHOW}, +{CB_CONFIG_BINDMECH,CB_CONFIG_TYPE_STRING,CB_DEF_BINDMECH,&cb_instance_bindmech_get, &cb_instance_bindmech_set,CB_ALWAYS_SHOW}, {NULL, 0, NULL, NULL, NULL, 0} }; @@ -256,9 +262,9 @@ void cb_instance_free(cb_backend_instance * inst) { slapi_destroy_mutex(inst->pool->conn.conn_list_mutex); slapi_destroy_mutex(inst->monitor_availability.cpt_lock); slapi_destroy_mutex(inst->monitor_availability.lock_timeLimit); - slapi_ch_free((void **) &inst->configDn); - slapi_ch_free((void **) &inst->monitorDn); - slapi_ch_free((void **) &inst->inst_name); + slapi_ch_free_string(&inst->configDn); + slapi_ch_free_string(&inst->monitorDn); + slapi_ch_free_string(&inst->inst_name); charray_free(inst->every_attribute); slapi_ch_free((void **) &inst->bind_pool); @@ -1324,6 +1330,66 @@ static int cb_instance_bindretry_set(void *arg, void *value, char *errorbuf, int } +static void *cb_instance_starttls_get(void *arg) +{ + cb_backend_instance * inst=(cb_backend_instance *) arg; + uintptr_t data; + + PR_RWLock_Rlock(inst->rwl_config_lock); + data=inst->pool->starttls; + PR_RWLock_Unlock(inst->rwl_config_lock); + return (void *) data; +} + +static int cb_instance_starttls_set(void *arg, void *value, char *errorbuf, int phase, int apply) +{ + cb_backend_instance * inst=(cb_backend_instance *) arg; + int rc = LDAP_SUCCESS; + + if (apply) { + PR_RWLock_Wlock(inst->rwl_config_lock); + inst->pool->starttls=(int) ((uintptr_t)value); + PR_RWLock_Unlock(inst->rwl_config_lock); + if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) && + ( phase != CB_CONFIG_PHASE_STARTUP )) { + rc=CB_REOPEN_CONN; /* reconnect with the new starttls setting */ + } + } + return rc; +} + +static void *cb_instance_bindmech_get(void *arg) +{ + cb_backend_instance * inst=(cb_backend_instance *) arg; + char * data; + + PR_RWLock_Rlock(inst->rwl_config_lock); + data = slapi_ch_strdup(inst->pool->mech); + PR_RWLock_Unlock(inst->rwl_config_lock); + return data; +} + +static int cb_instance_bindmech_set(void *arg, void *value, char *errorbuf, int phase, int apply) +{ + cb_backend_instance * inst=(cb_backend_instance *) arg; + int rc=LDAP_SUCCESS; + + if (apply) { + PR_RWLock_Wlock(inst->rwl_config_lock); + if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) && + ( phase != CB_CONFIG_PHASE_STARTUP )) { + + /* Dynamic modif */ + charray_add(&inst->pool->waste_basket,inst->pool->mech); + rc=CB_REOPEN_CONN; + } + + inst->pool->mech=slapi_ch_strdup((char *) value); + PR_RWLock_Unlock(inst->rwl_config_lock); + } + return rc; +} + /* Finds an entry in a config_info array with the given name. Returns |