| -rw-r--r-- | ldap/servers/plugins/chainingdb/cb_instance.c | 39 | ||||
| -rw-r--r-- | ldap/servers/plugins/replication/repl5_agmtlist.c | 33 |
2 files changed, 66 insertions, 6 deletions
diff --git a/ldap/servers/plugins/chainingdb/cb_instance.c b/ldap/servers/plugins/chainingdb/cb_instance.c
index 0e5dda25..19c05bab 100644
--- a/ldap/servers/plugins/chainingdb/cb_instance.c
+++ b/ldap/servers/plugins/chainingdb/cb_instance.c
@@ -722,7 +722,18 @@ static int cb_instance_hosturl_set(void *arg, void *value, char *errorbuf, int p
 return(LDAP_INVALID_SYNTAX);
 }
- if (apply) {
+ if (ludp && (ludp->lud_options & LDAP_URL_OPT_SECURE) && inst && inst->rwl_config_lock) {
+ int isgss = 0;
+ PR_RWLock_Rlock(inst->rwl_config_lock);
+ isgss = inst->pool->mech && !PL_strcasecmp(inst->pool->mech, "GSSAPI");
+ PR_RWLock_Unlock(inst->rwl_config_lock);
+ if (isgss) {
+ PR_snprintf (errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use LDAPS if using GSSAPI - please change the %s to use something other than GSSAPI before changing connection to use LDAPS", CB_CONFIG_BINDMECH);
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ }
+ }
+
+ if ((LDAP_SUCCESS == rc) && apply) {
 PR_RWLock_Wlock(inst->rwl_config_lock);
@@ -1346,7 +1357,18 @@ static int cb_instance_starttls_set(void *arg, void *value, char *errorbuf, int
 cb_backend_instance * inst=(cb_backend_instance *) arg;
 int rc = LDAP_SUCCESS;
- if (apply) {
+ if (value && inst && inst->rwl_config_lock) {
+ int isgss = 0;
+ PR_RWLock_Rlock(inst->rwl_config_lock);
+ isgss = inst->pool->mech && !PL_strcasecmp(inst->pool->mech, "GSSAPI");
+ PR_RWLock_Unlock(inst->rwl_config_lock);
+ if (isgss) {
+ PR_snprintf (errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use startTLS if using GSSAPI - please change the %s to use something other than GSSAPI before changing connection to use startTLS", CB_CONFIG_BINDMECH);
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ }
+ }
+
+ if ((LDAP_SUCCESS == rc) && apply) {
 PR_RWLock_Wlock(inst->rwl_config_lock);
 inst->pool->starttls=(int) ((uintptr_t)value);
 PR_RWLock_Unlock(inst->rwl_config_lock);
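Review bot: The new LDAPS/GSSAPI consistency check in cb_instance_hosturl_set is guarded by `inst && inst->rwl_config_lock`, so if either were ever NULL the policy check would be skipped silently while the apply branch two lines later still dereferences both — the guard can only fail open, never protect; the same shape is in the cb_instance_starttls_set hunk below and the cb_instance_bindmech_set hunk on the next line. Either drop those two operands, `if (ludp && (ludp->lud_options & LDAP_URL_OPT_SECURE)) {`, or return an error when they are NULL, so the validation and the apply stand on the same footing; note that `inst->pool` is dereferenced without the check given to `inst`. Separately, each setter reads the pool state under a read lock that is released before the write lock of the apply branch is taken, so two concurrent config writes (one selecting GSSAPI, one enabling LDAPS or startTLS) could each pass their check and leave the pool in the combination the messages forbid — unless DSE modify callbacks are already serialized above this level, which the hunks do not show. The bodies of all three setters continue outside their hunks.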
@@ -1374,7 +1396,18 @@ static int cb_instance_bindmech_set(void *arg, void *value, char *errorbuf, int
 cb_backend_instance * inst=(cb_backend_instance *) arg;
 int rc=LDAP_SUCCESS;
- if (apply) {
+ if (value && !PL_strcasecmp((char *) value, "GSSAPI") && inst && inst->rwl_config_lock) {
+ int secure = 0;
+ PR_RWLock_Rlock(inst->rwl_config_lock);
+ secure = inst->pool->secure || inst->pool->starttls;
+ PR_RWLock_Unlock(inst->rwl_config_lock);
+ if (secure) {
+ PR_snprintf (errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if using SSL or TLS - please change the connection to use no security before changing %s to use GSSAPI", CB_CONFIG_BINDMECH);
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ }
+ }
+
+ if ((LDAP_SUCCESS == rc) && apply) {
 PR_RWLock_Wlock(inst->rwl_config_lock);
 if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) && ( phase != CB_CONFIG_PHASE_STARTUP )) {
diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
index 6793903c..510757b6 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -48,6 +48,7 @@
 */
 #include "repl5.h"
+#include <plstr.h>
 #define AGMT_CONFIG_BASE "cn=mapping tree, cn=config"
 #define CONFIG_FILTER "(objectclass=nsds5replicationagreement)"
@@ -373,8 +374,22 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
 else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5TransportInfo)) {
+ /* do not allow GSSAPI if using TLS/SSL */
+ char *tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5TransportInfo);
+ /* if some value was set, and the value was not set to LDAP (i.e. was set to use security),
+ and we're already using gssapi, deny the change */
+ if (tmpstr && PL_strcasecmp(tmpstr, "LDAP") && (BINDMETHOD_SASL_GSSAPI == agmt_get_bindmethod(agmt)))
+ {
+ /* Report the error to the client */
+ PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if using SSL or TLS - please change %s to a value other than SASL/GSSAPI before changing %s to use security", type_nsds5ReplicaBindMethod, type_nsds5TransportInfo);
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback: "
+ "%s", errortext);
+
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ rc = SLAPI_DSE_CALLBACK_ERROR;
+ }
 /* New Transport info */
- if (agmt_set_transportinfo_from_entry(agmt, e) != 0)
+ else if (agmt_set_transportinfo_from_entry(agmt, e) != 0)
 {
 slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: " "failed to update transport info for agreement %s\n",
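Review bot: The `tmpstr` obtained from `slapi_entry_attr_get_charptr(e, type_nsds5TransportInfo)` is never released in the TransportInfo branch — this hunk adds no `slapi_ch_free_string(&tmpstr);`, whereas the ReplicaBindMethod branch in the following hunks frees its copy at the end of the block, which indicates the call hands back an allocated string — so every modification of the transport attribute leaks one allocation. Add `slapi_ch_free_string(&tmpstr);` after the `else if (agmt_set_transportinfo_from_entry(agmt, e) != 0)` block, mirroring the placement used for the bind-method branch. The end of that block, and the rest of agmtlist_modify_callback, lie outside the hunk.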
@@ -386,8 +401,19 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
 else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaBindMethod)) {
- /* New replica bind method */
- if (agmt_set_bind_method_from_entry(agmt, e) != 0)
+ /* do not allow GSSAPI if using TLS/SSL */
+ char *tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaBindMethod);
+ if (tmpstr && !PL_strcasecmp(tmpstr, "SASL/GSSAPI") && agmt_get_transport_flags(agmt))
+ {
+ /* Report the error to the client */
+ PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if using SSL or TLS - please change %s to LDAP before changing %s to use SASL/GSSAPI", type_nsds5TransportInfo, type_nsds5ReplicaBindMethod);
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback: "
+ "%s", errortext);
+
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ rc = SLAPI_DSE_CALLBACK_ERROR;
+ }
+ else if (agmt_set_bind_method_from_entry(agmt, e) != 0)
 {
 slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: " "failed to update bind method for agreement %s\n",
@@ -395,6 +421,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
 *returncode = LDAP_OPERATIONS_ERROR;
 rc = SLAPI_DSE_CALLBACK_ERROR;
 }
+ slapi_ch_free_string(&tmpstr);
 }
 else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicatedAttributeList)) |
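Review bot: The bind-method check compares the new value read from `e` against the live agreement's `agmt_get_transport_flags(agmt)`, while the transport check in the previous hunk does the converse, so the outcome for a single modify that touches both attributes depends on the order of `mods[i]`: the transport branch runs first and applies the new transport to the in-memory agreement, after which this branch rejects the GSSAPI value and returns SLAPI_DSE_CALLBACK_ERROR, leaving the live agreement changed while the entry modification is refused — if the framework does not roll back on that code, which this hunk does not show. Evaluating both attributes from `e` (the post-modify entry) in each branch, e.g. `tmpstr && !PL_strcasecmp(tmpstr, "SASL/GSSAPI")` together with the `type_nsds5TransportInfo` value of `e`, would make the decision independent of mod order and of partially applied state. A short comment on the `if` stating that `agmt_get_transport_flags(agmt)` reflects the already-applied transport, not the entry, would help the next reader. The enclosing loop and function continue outside the hunk.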
