authorRich Megginson <rmeggins@redhat.com>2008-11-04 18:23:08 +0000
committerRich Megginson <rmeggins@redhat.com>2008-11-04 18:23:08 +0000
commit42d4235a9cf49b9235f44e2a9965e820b629bd9f (patch)
treeff0a0228b0b1c7d4a196cf9eef139820ecc4aae9 /ldap/servers/slapd/slapi2nspr.c
parent485b3ddd27e4c1ac66b0c5aada1dae793bcc54dc (diff)
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 1 Reviewed by: nkinder, nhosoi, ssorce (Thanks!) Fix Description: I've created two new functions to handle the client side of LDAP in the server - slapi_ldap_init_ext and slapi_ldap_bind. These two functions are designed to work with any connection type (ldap, ldaps, ldap+starttls, and eventually ldapi) and bind type (plain, sasl, client cert). The secure flag has been extended to use a value of 2 to mean use startTLS. One tricky part is that there is no place to store the startTLS flag in init to pass to bind, so we store that in the clientcontrols field which is currently unused. We do that because the semantics of ldap_init are not to do any network traffic, but defer that until the bind operation (or whatever the first actual operation is e.g. start_tls). I plan to replace all of the places in the code that do ldap init and bind with these functions. I started with replication. I extended the transport to add tls for startTLS and the bind method to add sasl/gssapi and sasl/digest-md5. I removed a lot of code from repl5_connection that is now done with just slapi_ldap_init_ext and slapi_ldap_bind. One tricky part of the replication code is that it polls the connection for write available, using some ldap sdk internals. I had to fix that code to work within the public ldap api since nspr and sasl muck with the internals in different incompatible ways. Finally, there is a lot of new kerberos code in the server. The way the server does sasl/gssapi auth with its keytab is similar to the way it does client cert auth with its ssl server cert. One big difference is that the server cannot pass the kerberos identity and credentials through the ldap/sasl/gssapi layers directly. Instead, we have to create a memory credentials cache and set the environment variable to point to it. This allows the sasl/gssapi layer to grab the credentials for use with kerberos. 
The way the code is written, it should also allow "external" kerberos auth e.g. if someone really wants to do some script which does a periodic kinit to refresh the file based cache, that should also work. I added some kerberos configure options. configure tries to first use krb5-config to get the compiler and linker information. If that fails, it just looks for some standard system libraries. Note that Solaris does not allow direct use of the kerberos api until Solaris 11, so most likely Solaris builds will have to use --without-kerberos (--with-kerberos is on by default). Fixed a bug in kerberos.m4 found by nkinder. ssorce has pointed out a few problems with my kerberos usage that will be addressed in the next patch. Changed the log level in ldap_sasl_get_val - pointed out by nkinder Platforms tested: Fedora 9, Fedora 8 Flag Day: yes Doc impact: oh yes
Diffstat (limited to 'ldap/servers/slapd/slapi2nspr.c')
-rw-r--r--ldap/servers/slapd/slapi2nspr.c127
1 files changed, 0 insertions, 127 deletions
diff --git a/ldap/servers/slapd/slapi2nspr.c b/ldap/servers/slapd/slapi2nspr.c
index ebe2e451..18eebfb0 100644
--- a/ldap/servers/slapd/slapi2nspr.c
+++ b/ldap/servers/slapd/slapi2nspr.c
@@ -46,9 +46,6 @@
*/
#include "slap.h"
-#include "snmp_collator.h"
-#include <ldap_ssl.h>
-#include <ldappr.h>
#include <nspr.h>
/*
@@ -213,127 +210,3 @@ slapi_notify_condvar( Slapi_CondVar *cvar, int notify_all )
return( prrc == PR_SUCCESS ? 1 : 0 );
}
-
-#ifdef MEMPOOL_EXPERIMENTAL
-void _free_wrapper(void *ptr)
-{
- slapi_ch_free(&ptr);
-}
-#endif
-
-/*
- * Function: slapi_ldap_init()
- * Description: just like ldap_ssl_init() but also arranges for the LDAP
- * session handle returned to be safely shareable by multiple threads
- * if "shared" is non-zero.
- * Returns:
- * an LDAP session handle (NULL if some local error occurs).
- */
-LDAP *
-slapi_ldap_init( char *ldaphost, int ldapport, int secure, int shared )
-{
- LDAP *ld;
- int io_timeout_ms;
-
-
- if ( secure && slapd_SSL_client_init() != 0 ) {
- return( NULL );
- }
-
- /*
- * Leverage the libprldap layer to take care of all the NSPR integration.
- * Note that ldapssl_init() uses libprldap implicitly.
- */
-
-#ifdef MEMPOOL_EXPERIMENTAL
- {
- /*
- * slapi_ch_malloc functions need to be set to LDAP C SDK
- */
- struct ldap_memalloc_fns memalloc_fns;
- memalloc_fns.ldapmem_malloc = (LDAP_MALLOC_CALLBACK *)slapi_ch_malloc;
- memalloc_fns.ldapmem_calloc = (LDAP_CALLOC_CALLBACK *)slapi_ch_calloc;
- memalloc_fns.ldapmem_realloc = (LDAP_REALLOC_CALLBACK *)slapi_ch_realloc;
- memalloc_fns.ldapmem_free = (LDAP_FREE_CALLBACK *)_free_wrapper;
- }
- /*
- * MEMPOOL_EXPERIMENTAL:
- * These LDAP C SDK init function needs to be revisited.
- * In ldap_init called via ldapssl_init and prldap_init initializes
- * options and set default values including memalloc_fns, then it
- * initializes as sasl client by calling sasl_client_init. In
- * sasl_client_init, it creates mechlist using the malloc function
- * available at the moment which could mismatch the malloc/free functions
- * set later.
- */
-#endif
- if ( secure ) {
- ld = ldapssl_init( ldaphost, ldapport, secure );
- } else {
- ld = prldap_init( ldaphost, ldapport, shared );
- }
-
- /* Update snmp interaction table */
- if ( ld == NULL) {
- set_snmp_interaction_row( ldaphost, ldapport, -1);
- } else {
- set_snmp_interaction_row( ldaphost, ldapport, 0);
- }
-
- if ( ld != NULL ) {
- /*
- * Set the outbound LDAP I/O timeout based on the server config.
- */
- io_timeout_ms = config_get_outbound_ldap_io_timeout();
- if ( io_timeout_ms > 0 ) {
- if ( prldap_set_session_option( ld, NULL, PRLDAP_OPT_IO_MAX_TIMEOUT,
- io_timeout_ms ) != LDAP_SUCCESS ) {
- slapi_log_error( SLAPI_LOG_FATAL, "slapi_ldap_init",
- "failed: unable to set outbound I/O timeout to %dms\n",
- io_timeout_ms );
- slapi_ldap_unbind( ld );
- return( NULL );
- }
- }
-
- /*
- * Set SSL strength (server certificate validity checking).
- */
- if ( secure ) {
- int ssl_strength;
-
- if ( config_get_ssl_check_hostname()) {
- /* check hostname against name in certificate */
- ssl_strength = LDAPSSL_AUTH_CNCHECK;
- } else {
- /* verify certificate only */
- ssl_strength = LDAPSSL_AUTH_CERT;
- }
-
- if ( ldapssl_set_strength( ld, ssl_strength ) != 0 ) {
- int prerr = PR_GetError();
-
- slapi_log_error( SLAPI_LOG_FATAL, "slapi_ldap_init",
- "failed: unable to set SSL strength to %d ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- ssl_strength, prerr, slapd_pr_strerror( prerr ));
-
- }
- }
- }
-
- return( ld );
-}
-
-
-/*
- * Function: slapi_ldap_unbind()
- * Purpose: release an LDAP session obtained from a call to slapi_ldap_init().
- */
-void
-slapi_ldap_unbind( LDAP *ld )
-{
- if ( ld != NULL ) {
- ldap_unbind( ld );
- }
-}