Merge branch 'dnsyntax'

6 files changed, 68 insertions, 1 deletions

diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 232d9f2e..54a9c4f4 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -25,6 +25,7 @@ nsslapd-enquote-sup-oc: off
 nsslapd-localhost: %fqdn%
 nsslapd-schemacheck: on
 nsslapd-syntaxcheck: on
+nsslapd-dn-validate-strict: off
 nsslapd-rewrite-rfc1274: off
 nsslapd-return-exact-case: on
 nsslapd-ssl-check-hostname: on
diff --git a/ldap/servers/plugins/syntaxes/dn.c b/ldap/servers/plugins/syntaxes/dn.c
index a6dcceda..80a3f8bf 100644
--- a/ldap/servers/plugins/syntaxes/dn.c
+++ b/ldap/servers/plugins/syntaxes/dn.c
@@ -141,6 +141,7 @@ dn_assertion2keys_sub( Slapi_PBlock *pb, char *initial, char **any, char *final,
 static int dn_validate( struct berval *val )
 {
 	int rc = 0; /* Assume value is valid */
+	char *val_copy = NULL;
 
 	if (val != NULL) {
 		/* Per RFC 4514:
@@ -154,10 +155,22 @@ static int dn_validate( struct berval *val )
 		 * attributeValue = string / hexstring
 		 */
 		if (val->bv_len > 0) {
+			int strict = 0;
 			char *p = val->bv_val;
 			char *end = &(val->bv_val[val->bv_len - 1]);
 			char *last = NULL;
 
+			/* Check if we should be performing strict validation. */
+			strict = config_get_dn_validate_strict();
+			if (!strict) {
+				/* Create a normalized copy of the value to use
+				 * for validation.  The original value will be
+				 * stored in the backend unmodified. */
+				val_copy = PL_strndup(val->bv_val, val->bv_len);
+				p = val_copy;
+				end = slapi_dn_normalize_to_end(p, NULL) - 1;
+			}
+
 			/* Validate one RDN at a time in a loop. */
 			while (p <= end) {
 				if ((rc = rdn_validate(p, end, &last)) != 0) {
@@ -186,6 +199,9 @@ static int dn_validate( struct berval *val )
 		goto exit;
 	}
 exit:
+	if (val_copy) {
+		slapi_ch_free_string(&val_copy);
+	}
 	return rc;
 }
 
diff --git a/ldap/servers/slapd/config.c b/ldap/servers/slapd/config.c
index 1af1b77b..62757572 100644
--- a/ldap/servers/slapd/config.c
+++ b/ldap/servers/slapd/config.c
@@ -241,11 +241,13 @@ slapd_bootstrap_config(const char *configdir)
 			char schemacheck[BUFSIZ];
 			char syntaxcheck[BUFSIZ];
 			char syntaxlogging[BUFSIZ];
+			char dn_validate_strict[BUFSIZ];
 			Slapi_DN plug_dn;
 
 			workpath[0] = loglevel[0] = maxdescriptors[0] = '\0';
 			val[0] = logenabled[0] = schemacheck[0] = syntaxcheck[0] = '\0';
 			syntaxlogging[0] = _localuser[0] = '\0';
+			dn_validate_strict[0] = '\0';
 
 			/* Convert LDIF to entry structures */
 			slapi_sdn_init_dn_byref(&plug_dn, PLUGIN_BASE_DN);
@@ -490,6 +492,20 @@ slapd_bootstrap_config(const char *configdir)
 					}
 				}
 
+				/* see if we need to enable strict dn validation */
+				if (!dn_validate_strict[0] &&
+				    entry_has_attr_and_value(e, CONFIG_DN_VALIDATE_STRICT_ATTRIBUTE,
+				    dn_validate_strict, sizeof(dn_validate_strict)))
+				{
+					if (config_set_dn_validate_strict(CONFIG_DN_VALIDATE_STRICT_ATTRIBUTE,
+					                           dn_validate_strict, errorbuf, CONFIG_APPLY)
+					                           != LDAP_SUCCESS)
+					{
+						LDAPDebug(LDAP_DEBUG_ANY, "%s: %s: %s\n", configfile,
+						          CONFIG_DN_VALIDATE_STRICT_ATTRIBUTE, errorbuf);
+					}
+				}
+
 				/* see if we need to expect quoted schema values */
 				if (entry_has_attr_and_value(e, CONFIG_ENQUOTE_SUP_OC_ATTRIBUTE,
 											 val, sizeof(val)))
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 30ad5f3a..8c13a9b6 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -327,6 +327,9 @@ static struct config_get_and_set {
 	{CONFIG_SYNTAXLOGGING_ATTRIBUTE, config_set_syntaxlogging,
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.syntaxlogging, CONFIG_ON_OFF, NULL},
+	{CONFIG_DN_VALIDATE_STRICT_ATTRIBUTE, config_set_dn_validate_strict,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.dn_validate_strict, CONFIG_ON_OFF, NULL},
 	{CONFIG_DS4_COMPATIBLE_SCHEMA_ATTRIBUTE, config_set_ds4_compatible_schema,
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.ds4_compatible_schema,
@@ -899,6 +902,7 @@ FrontendConfig_init () {
   cfg->schemacheck = LDAP_ON;
   cfg->syntaxcheck = LDAP_OFF;
   cfg->syntaxlogging = LDAP_OFF;
+  cfg->dn_validate_strict = LDAP_OFF;
   cfg->ds4_compatible_schema = LDAP_OFF;
   cfg->enquote_sup_oc = LDAP_OFF;
   cfg->lastmod = LDAP_ON;
@@ -2459,6 +2463,20 @@ config_set_syntaxlogging( const char *attrname, char *value, char *errorbuf, int
 }
 
 int
+config_set_dn_validate_strict( const char *attrname, char *value, char *errorbuf, int apply ) {
+  int retVal = LDAP_SUCCESS;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+  retVal = config_set_onoff ( attrname,
+                              value,
+                              &(slapdFrontendConfig->dn_validate_strict),
+                              errorbuf,
+                              apply);
+
+  return retVal;
+}
+
+int
 config_set_ds4_compatible_schema( const char *attrname, char *value, char *errorbuf, int apply ) {
   int retVal = LDAP_SUCCESS;
   slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
@@ -4093,6 +4111,18 @@ config_get_syntaxlogging() {
 }
 
 int
+config_get_dn_validate_strict() {
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+  int retVal;
+
+  CFG_LOCK_READ(slapdFrontendConfig);
+  retVal = slapdFrontendConfig->dn_validate_strict;
+  CFG_UNLOCK_READ(slapdFrontendConfig);
+
+  return retVal;
+}
+
+int
 config_get_ds4_compatible_schema() {
   slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
   int retVal;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index c561196d..2041a997 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -266,6 +266,7 @@ int config_set_readonly( const char *attrname, char *value, 	char *errorbuf, int
 int config_set_schemacheck( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_syntaxcheck( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_syntaxlogging( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_dn_validate_strict( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_ds4_compatible_schema( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_schema_ignore_trailing_spaces( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_rootdn( const char *attrname, char *value, char *errorbuf, int apply );
@@ -410,6 +411,7 @@ int config_get_security();
 int config_get_schemacheck();
 int config_get_syntaxcheck();
 int config_get_syntaxlogging();
+int config_get_dn_validate_strict();
 int config_get_ds4_compatible_schema();
 int config_get_schema_ignore_trailing_spaces();
 char *config_get_rootdn();
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index cec186f9..724bef93 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1639,7 +1639,8 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_SCHEMACHECK_ATTRIBUTE    "nsslapd-schemacheck"
 #define CONFIG_SYNTAXCHECK_ATTRIBUTE	"nsslapd-syntaxcheck"
 #define CONFIG_SYNTAXLOGGING_ATTRIBUTE	"nsslapd-syntaxlogging"
-#define CONFIG_DS4_COMPATIBLE_SCHEMA_ATTRIBUTE    "nsslapd-ds4-compatible-schema"
+#define CONFIG_DN_VALIDATE_STRICT_ATTRIBUTE     "nsslapd-dn-validate-strict"
+#define CONFIG_DS4_COMPATIBLE_SCHEMA_ATTRIBUTE  "nsslapd-ds4-compatible-schema"
 #define CONFIG_SCHEMA_IGNORE_TRAILING_SPACES    "nsslapd-schema-ignore-trailing-spaces"
 #define CONFIG_SCHEMAREPLACE_ATTRIBUTE	"nsslapd-schemareplace"
 #define CONFIG_LOGLEVEL_ATTRIBUTE       "nsslapd-errorlog-level"
@@ -1856,6 +1857,7 @@ typedef struct _slapdFrontendConfig {
   int schemacheck;
   int syntaxcheck;
   int syntaxlogging;
+  int dn_validate_strict;
   int ds4_compatible_schema;
   int schema_ignore_trailing_spaces;
   int secureport;