diff options
author | Pete Rowley <prowley@redhat.com> | 2007-02-27 02:57:30 +0000 |
---|---|---|
committer | Pete Rowley <prowley@redhat.com> | 2007-02-27 02:57:30 +0000 |
commit | 1d09ab058e31cdcd26cd009fcc4d5c32cc77fb18 (patch) | |
tree | 5504949e0add034f339005e42d719f3124c4108d /ldap/servers | |
parent | 3dcb55f473152a3c49ed8903855cdab8a08a4bce (diff) | |
download | ds-1d09ab058e31cdcd26cd009fcc4d5c32cc77fb18.tar.gz ds-1d09ab058e31cdcd26cd009fcc4d5c32cc77fb18.tar.xz ds-1d09ab058e31cdcd26cd009fcc4d5c32cc77fb18.zip |
Add LDAPI
Diffstat (limited to 'ldap/servers')
-rw-r--r-- | ldap/servers/slapd/back-ldif/close.c | 8 | ||||
-rw-r--r-- | ldap/servers/slapd/bind.c | 46 | ||||
-rw-r--r-- | ldap/servers/slapd/configdse.c | 2 | ||||
-rw-r--r-- | ldap/servers/slapd/connection.c | 22 | ||||
-rw-r--r-- | ldap/servers/slapd/daemon.c | 463 | ||||
-rw-r--r-- | ldap/servers/slapd/fe.h | 2 | ||||
-rw-r--r-- | ldap/servers/slapd/getsocketpeer.c | 143 | ||||
-rw-r--r-- | ldap/servers/slapd/getsocketpeer.h | 40 | ||||
-rw-r--r-- | ldap/servers/slapd/libglobs.c | 289 | ||||
-rw-r--r-- | ldap/servers/slapd/main.c | 20 | ||||
-rw-r--r-- | ldap/servers/slapd/passwd_extop.c | 2 | ||||
-rw-r--r-- | ldap/servers/slapd/pblock.c | 12 | ||||
-rw-r--r-- | ldap/servers/slapd/proto-slap.h | 23 | ||||
-rw-r--r-- | ldap/servers/slapd/pw_mgmt.c | 24 | ||||
-rw-r--r-- | ldap/servers/slapd/saslbind.c | 2 | ||||
-rw-r--r-- | ldap/servers/slapd/slap.h | 32 | ||||
-rw-r--r-- | ldap/servers/slapd/slapi-plugin.h | 2 | ||||
-rw-r--r-- | ldap/servers/slapd/start_tls_extop.c | 5 |
18 files changed, 1063 insertions, 74 deletions
diff --git a/ldap/servers/slapd/back-ldif/close.c b/ldap/servers/slapd/back-ldif/close.c index 379ea96f..e30e298c 100644 --- a/ldap/servers/slapd/back-ldif/close.c +++ b/ldap/servers/slapd/back-ldif/close.c @@ -92,10 +92,10 @@ ldif_back_close( Slapi_PBlock *pb ) { LDIF *db; - LDAPDebug( LDAP_DEBUG_TRACE, "ldbm backend syncing\n", 0, 0, 0 ); + LDAPDebug( LDAP_DEBUG_TRACE, "ldif backend syncing\n", 0, 0, 0 ); slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &db ); ldif_free_db(db); - LDAPDebug( LDAP_DEBUG_TRACE, "ldbm backend done syncing\n", 0, 0, 0 ); + LDAPDebug( LDAP_DEBUG_TRACE, "ldif backend done syncing\n", 0, 0, 0 ); } /* @@ -108,8 +108,8 @@ ldif_back_close( Slapi_PBlock *pb ) void ldif_back_flush( Slapi_PBlock *pb ) { - LDAPDebug( LDAP_DEBUG_TRACE, "ldbm backend flushing\n", 0, 0, 0 ); - LDAPDebug( LDAP_DEBUG_TRACE, "ldbm backend done flushing\n", 0, 0, 0 ); + LDAPDebug( LDAP_DEBUG_TRACE, "ldif backend flushing\n", 0, 0, 0 ); + LDAPDebug( LDAP_DEBUG_TRACE, "ldif backend done flushing\n", 0, 0, 0 ); return; } diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c index 6c4453cd..29772657 100644 --- a/ldap/servers/slapd/bind.c +++ b/ldap/servers/slapd/bind.c @@ -126,6 +126,7 @@ do_bind( Slapi_PBlock *pb ) char **supported, **pmech; char authtypebuf[256]; /* >26 (strlen(SLAPD_AUTH_SASL)+SASL_MECHNAMEMAX+1) */ Slapi_Entry *bind_target_entry = NULL; + int auto_bind = 0; LDAPDebug( LDAP_DEBUG_TRACE, "do_bind\n", 0, 0, 0 ); @@ -250,14 +251,31 @@ do_bind( Slapi_PBlock *pb ) slapi_pblock_get (pb, SLAPI_PWPOLICY, &pw_response_requested); } - log_bind_access(pb, dn, method, version, saslmech, NULL); + PR_Lock( pb->pb_conn->c_mutex ); /* According to RFC2251, * "if the bind fails, the connection will be treated as anonymous". */ - PR_Lock( pb->pb_conn->c_mutex ); - bind_credentials_clear( pb->pb_conn, PR_FALSE, /* conn is already locked */ + bind_credentials_clear( pb->pb_conn, PR_FALSE, /* do not lock conn */ PR_FALSE /* do not clear external creds. */ ); + + /* LDAPI might have auto bind on, binding as anon should + mean bind as self in this case + */ +#if defined(ENABLE_AUTOBIND) + if((0 == dn || 0 == dn[0]) && pb->pb_conn->c_unix_local) + { + slapd_bind_local_user(pb->pb_conn); + + if(pb->pb_conn->c_dn) + { + auto_bind = 1; /* flag the bind method */ + dn = slapi_ch_strdup(pb->pb_conn->c_dn); + slapi_sdn_init_dn_passin(&sdn,dn); + } + } +#endif /* ENABLE_AUTOBIND */ + /* Clear the password policy flag that forbid operation * other than Bind, Modify, Unbind : * With a new bind, the flag should be reset so that the new @@ -266,6 +284,8 @@ do_bind( Slapi_PBlock *pb ) pb->pb_conn->c_needpw = 0; PR_Unlock( pb->pb_conn->c_mutex ); + log_bind_access(pb, dn, method, version, saslmech, NULL); + switch ( version ) { case LDAP_VERSION2: if (method == LDAP_AUTH_SIMPLE @@ -502,22 +522,31 @@ do_bind( Slapi_PBlock *pb ) /* get the entry now, so that we can give it to check_account_lock and reslimit_update_from_dn */ if (! slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) { bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(&sdn)); - rc = check_account_lock ( pb, bind_target_entry, pw_response_requested); + rc = check_account_lock ( pb, bind_target_entry, pw_response_requested,0); } slapi_pblock_set( pb, SLAPI_PLUGIN, be->be_database ); set_db_default_result_handlers(pb); - if ( (rc != 1) && (((rc = (*be->be_bind)( pb )) + if ( (rc != 1) && (auto_bind || (((rc = (*be->be_bind)( pb )) == SLAPI_BIND_SUCCESS ) || rc - == SLAPI_BIND_ANONYMOUS )) { + == SLAPI_BIND_ANONYMOUS ))) { long t; { char* authtype = NULL; + + if(auto_bind) + rc = SLAPI_BIND_SUCCESS; + switch ( method ) { case LDAP_AUTH_SIMPLE: if (cred.bv_len != 0) { authtype = SLAPD_AUTH_SIMPLE; } +#if defined(ENABLE_AUTOBIND) + else if(auto_bind) { + authtype = SLAPD_AUTH_OS; + } +#endif /* ENABLE_AUTOBIND */ break; case LDAP_AUTH_SASL: /* authtype = SLAPD_AUTH_SASL && saslmech: */ @@ -529,7 +558,8 @@ do_bind( Slapi_PBlock *pb ) } if ( rc == SLAPI_BIND_SUCCESS ) { - bind_credentials_set( pb->pb_conn, + if(!auto_bind) + bind_credentials_set( pb->pb_conn, authtype, slapi_ch_strdup( slapi_sdn_get_ndn(&sdn)), NULL, NULL, NULL, bind_target_entry ); @@ -545,7 +575,7 @@ do_bind( Slapi_PBlock *pb ) } } - if ( rc != SLAPI_BIND_ANONYMOUS && + if ( 0 == auto_bind && rc != SLAPI_BIND_ANONYMOUS && ! slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) { /* check if need new password before sending diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c index ebe9aa6b..f640964a 100644 --- a/ldap/servers/slapd/configdse.c +++ b/ldap/servers/slapd/configdse.c @@ -65,6 +65,8 @@ static void get_log_max_size( LDAPMod *mod, static const char *requires_restart[] = { "cn=config:nsslapd-port", "cn=config:nsslapd-secureport", + "cn=config:" CONFIG_LDAPI_FILENAME_ATTRIBUTE, + "cn=config:" CONFIG_LDAPI_SWITCH_ATTRIBUTE, "cn=config:nsslapd-workingdir", "cn=config:nsslapd-plugin", "cn=config:nsslapd-sslclientauth", diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c index 9d4dfe28..8ac98770 100644 --- a/ldap/servers/slapd/connection.c +++ b/ldap/servers/slapd/connection.c @@ -511,21 +511,27 @@ connection_dispatch_operation(Connection *conn, Operation *op, Slapi_PBlock *pb) { int i = 1; int ret = 0; - /* Set TCP_CORK here */ - ret = setsockopt(conn->c_sd,IPPROTO_TCP,TCP_CORK,&i,sizeof(i)); - if (ret < 0) { - LDAPDebug(LDAP_DEBUG_ANY, "Failed to set TCP_CORK on connection %d\n",conn->c_connid, 0, 0); + /* Set TCP_CORK here but only if this is not LDAPI */ + if(!conn->c_unix_local) + { + ret = setsockopt(conn->c_sd,IPPROTO_TCP,TCP_CORK,&i,sizeof(i)); + if (ret < 0) { + LDAPDebug(LDAP_DEBUG_ANY, "Failed to set TCP_CORK on connection %d\n",conn->c_connid, 0, 0); + } } #endif do_search( pb ); #if defined(LINUX) - /* Clear TCP_CORK to flush any unsent data */ + /* Clear TCP_CORK to flush any unsent data but only if not LDAPI*/ i = 0; - ret = setsockopt(conn->c_sd,IPPROTO_TCP,TCP_CORK,&i,sizeof(i)); - if (ret < 0) { - LDAPDebug(LDAP_DEBUG_ANY, "Failed to clear TCP_CORK on connection %d\n",conn->c_connid, 0, 0); + if(!conn->c_unix_local) + { + ret = setsockopt(conn->c_sd,IPPROTO_TCP,TCP_CORK,&i,sizeof(i)); + if (ret < 0) { + LDAPDebug(LDAP_DEBUG_ANY, "Failed to clear TCP_CORK on connection %d\n",conn->c_connid, 0, 0); + } } } #endif diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c index 61523d7e..d34d801d 100644 --- a/ldap/servers/slapd/daemon.c +++ b/ldap/servers/slapd/daemon.c @@ -92,6 +92,10 @@ #include "fe.h" +#if defined(ENABLE_LDAPI) +#include "getsocketpeer.h" +#endif /* ENABLE_LDAPI */ + /* * Define the backlog number for use in listen() call. * We use the same definition as in ldapserver/include/base/systems.h @@ -125,6 +129,7 @@ static int readsignalpipe = SLAPD_INVALID_SOCKET; #define FDS_SIGNAL_PIPE 0 #define FDS_N_TCPS 1 #define FDS_S_TCPS 2 +#define FDS_I_UNIX 3 static int get_configured_connection_table_size(); #ifdef RESOLVER_NEEDS_LOW_FILE_DESCRIPTORS @@ -135,11 +140,11 @@ static void get_loopback_by_addr( void ); static int createlistensocket(unsigned short port, const PRNetAddr *listenaddr); #endif static PRFileDesc *createprlistensocket(unsigned short port, - const PRNetAddr *listenaddr, int secure); + const PRNetAddr *listenaddr, int secure, int local); static const char *netaddr2string(const PRNetAddr *addr, char *addrbuf, size_t addrbuflen); static void set_shutdown (int); -static void setup_pr_read_pds(Connection_Table *ct, PRFileDesc *n_tcps, PRFileDesc *s_tcps, PRIntn *num_to_read); +static void setup_pr_read_pds(Connection_Table *ct, PRFileDesc *n_tcps, PRFileDesc *s_tcps, PRFileDesc *i_unix, PRIntn *num_to_read); #ifdef HPUX10 static void* catch_signals(); @@ -274,7 +279,7 @@ syn_scan (int sock) static int accept_and_configure(int s, PRFileDesc *pr_acceptfd, PRNetAddr *pr_netaddr, - int addrlen, int secure, PRFileDesc **pr_clonefd) + int addrlen, int secure, int local, PRFileDesc **pr_clonefd) { int ns = 0; @@ -290,7 +295,7 @@ accept_and_configure(int s, PRFileDesc *pr_acceptfd, PRNetAddr *pr_netaddr, return(SLAPD_INVALID_SOCKET); } - ns = configure_pr_socket( pr_clonefd, secure ); + ns = configure_pr_socket( pr_clonefd, secure, local ); #else /* Windows */ if( secure ) { @@ -316,7 +321,7 @@ accept_and_configure(int s, PRFileDesc *pr_acceptfd, PRNetAddr *pr_netaddr, return(SLAPD_INVALID_SOCKET); } - ns = configure_pr_socket( pr_clonefd, secure ); + ns = configure_pr_socket( pr_clonefd, secure, local ); } else { /* !secure */ struct sockaddr *addr; /* NOT IPv6 enabled */ @@ -364,11 +369,11 @@ static void set_timeval_ms(struct timeval *t, int ms); #endif /* GGOODREPL static void handle_timeout( void ); */ static void handle_pr_read_ready(Connection_Table *ct, PRIntn num_poll); -static int handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, int secure ); +static int handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, int secure, int local ); #ifdef _WIN32 static void unfurl_banners(Connection_Table *ct,daemon_ports_t *ports, int n_tcps, PRFileDesc *s_tcps); #else -static void unfurl_banners(Connection_Table *ct,daemon_ports_t *ports, PRFileDesc *n_tcps, PRFileDesc *s_tcps); +static void unfurl_banners(Connection_Table *ct,daemon_ports_t *ports, PRFileDesc *n_tcps, PRFileDesc *s_tcps, PRFileDesc *i_unix); #endif static int write_pid_file(); static int init_shutdown_detect(); @@ -392,13 +397,13 @@ int daemon_pre_setuid_init(daemon_ports_t *ports) &ports->n_listenaddr); #else ports->n_socket = createprlistensocket(ports->n_port, - &ports->n_listenaddr, 0); + &ports->n_listenaddr, 0, 0); #endif } if ( config_get_security() && (0 != ports->s_port) ) { ports->s_socket = createprlistensocket((unsigned short)ports->s_port, - &ports->s_listenaddr, 1); + &ports->s_listenaddr, 1, 0); #ifdef XP_WIN32 ports->s_socket_native = PR_FileDesc2NativeHandle(ports->s_socket); #endif @@ -409,6 +414,15 @@ int daemon_pre_setuid_init(daemon_ports_t *ports) #endif } +#ifndef XP_WIN32 +#if defined(ENABLE_LDAPI) + /* ldapi */ + if(0 != ports->i_port) { + ports->i_socket = createprlistensocket(1, &ports->i_listenaddr, 0, 1); + } +#endif /* ENABLE_LDAPI */ +#endif + return( rc ); } @@ -460,8 +474,8 @@ time_thread(void *nothing) void slapd_daemon( daemon_ports_t *ports ) { - /* We are passed a pair of ports---one for regular connections, the - * other for SSL connections. + /* We are passed some ports---one for regular connections, one + * for SSL connections, one for ldapi connections. */ /* Previously there was a ton of code #defined on NET_SSL. * This looked horrible, so now I'm doing it this way: @@ -475,6 +489,7 @@ void slapd_daemon( daemon_ports_t *ports ) #else PRFileDesc *n_tcps = NULL; PRFileDesc *tcps = 0; + PRFileDesc *i_unix = 0; #endif PRFileDesc *s_tcps = NULL; PRIntn num_poll = 0; @@ -504,16 +519,24 @@ void slapd_daemon( daemon_ports_t *ports ) s_tcps = ports->s_socket; #ifdef XP_WIN32 s_tcps_native = ports->s_socket_native; +#else +#if defined(ENABLE_LDAPI) + i_unix = ports->i_socket; +#endif /* ENABLE_LDAPI */ #endif createsignalpipe(); init_shutdown_detect(); + if ( #if defined( XP_WIN32 ) - if ( (n_tcps == SLAPD_INVALID_SOCKET) && + (n_tcps == SLAPD_INVALID_SOCKET) && #else - if ( (n_tcps == NULL) && + (n_tcps == NULL) && +#if defined(ENABLE_LDAPI) + (i_unix == NULL) && +#endif /* ENABLE_LDAPI */ #endif (s_tcps == NULL) ) { /* nothing to do */ LDAPDebug( LDAP_DEBUG_ANY, @@ -521,7 +544,7 @@ void slapd_daemon( daemon_ports_t *ports ) exit( 1 ); } - unfurl_banners(the_connection_table,ports,n_tcps,s_tcps); + unfurl_banners(the_connection_table,ports,n_tcps,s_tcps,i_unix); init_op_threads (); detect_timeout_support(); @@ -580,6 +603,21 @@ void slapd_daemon( daemon_ports_t *ports ) g_set_shutdown( SLAPI_SHUTDOWN_EXIT ); } +#if !defined( XP_WIN32 ) +#if defined(ENABLE_LDAPI) + if( i_unix != NULL && + PR_Listen(i_unix, DAEMON_LISTEN_SIZE) == PR_FAILURE) { + PRErrorCode prerr = PR_GetError(); + slapi_log_error(SLAPI_LOG_FATAL, "slapd_daemon", + "listen() on %s failed: error %d (%s)\n", + ports->i_listenaddr.local.path, + prerr, + slapd_pr_strerror( prerr )); + g_set_shutdown( SLAPI_SHUTDOWN_EXIT ); + } +#endif /* ENABLE_LDAPI */ +#endif + /* Now we write the pid file, indicating that the server is finally and listening for connections */ write_pid_file(); @@ -593,6 +631,8 @@ void slapd_daemon( daemon_ports_t *ports ) #endif int select_return = 0; int secure = 0; /* is a new connection an SSL one ? */ + int local = 0; /* is new connection an ldapi one? */ + #ifndef _WIN32 PRErrorCode prerr; #endif @@ -603,7 +643,7 @@ void slapd_daemon( daemon_ports_t *ports ) /* This select needs to timeout to give the server a chance to test for shutdown */ select_return = select(connection_table_size, &readfds, NULL, 0, &wakeup_timer); #else - setup_pr_read_pds(the_connection_table,n_tcps,s_tcps,&num_poll); + setup_pr_read_pds(the_connection_table,n_tcps,s_tcps,i_unix,&num_poll); select_return = POLL_FN(the_connection_table->fd, num_poll, pr_timeout); #endif switch (select_return) { @@ -629,11 +669,11 @@ void slapd_daemon( daemon_ports_t *ports ) #ifdef _WIN32 /* If so, then handle a new connection */ if ( n_tcps != SLAPD_INVALID_SOCKET && FD_ISSET( n_tcps,&readfds ) ) { - handle_new_connection(the_connection_table,n_tcps,NULL,0); + handle_new_connection(the_connection_table,n_tcps,NULL,0,0); } /* If so, then handle a new connection */ if ( s_tcps != SLAPD_INVALID_SOCKET && FD_ISSET( s_tcps_native,&readfds ) ) { - handle_new_connection(the_connection_table,SLAPD_INVALID_SOCKET,s_tcps,1); + handle_new_connection(the_connection_table,SLAPD_INVALID_SOCKET,s_tcps,1,0); } /* handle new data ready */ handle_read_ready(the_connection_table,&readfds); @@ -650,9 +690,17 @@ void slapd_daemon( daemon_ports_t *ports ) tcps = s_tcps; secure = 1; } +#if defined(ENABLE_LDAPI) + else if ( i_unix != 0 && + the_connection_table->fd[FDS_I_UNIX].out_flags & SLAPD_POLL_FLAGS ) { + tcps = i_unix; + local = 1; + } +#endif /* ENABLE_LDAPI */ + /* If so, then handle a new connection */ if ( tcps != NULL ) { - handle_new_connection(the_connection_table,SLAPD_INVALID_SOCKET,tcps,secure); + handle_new_connection(the_connection_table,SLAPD_INVALID_SOCKET,tcps,secure,local); } /* handle new data ready */ handle_pr_read_ready(the_connection_table, connection_table_size); @@ -674,11 +722,18 @@ void slapd_daemon( daemon_ports_t *ports ) #ifdef _WIN32 if ( n_tcps != SLAPD_INVALID_SOCKET ) { closesocket( n_tcps ); + } #else if ( n_tcps != NULL ) { PR_Close( n_tcps ); -#endif } + + if ( i_unix != NULL ) { + PR_Close( i_unix ); + } + +#endif + if ( s_tcps != NULL ) { PR_Close( s_tcps ); } @@ -934,7 +989,7 @@ static void setup_read_fds(Connection_Table *ct, fd_set *readfds, int n_tcps, in static int first_time_setup_pr_read_pds = 1; static void -setup_pr_read_pds(Connection_Table *ct, PRFileDesc *n_tcps, PRFileDesc *s_tcps, PRIntn *num_to_read) +setup_pr_read_pds(Connection_Table *ct, PRFileDesc *n_tcps, PRFileDesc *s_tcps, PRFileDesc *i_unix, PRIntn *num_to_read) { Connection *c= NULL; Connection *next= NULL; @@ -999,7 +1054,19 @@ setup_pr_read_pds(Connection_Table *ct, PRFileDesc *n_tcps, PRFileDesc *s_tcps, ct->fd[FDS_S_TCPS].fd = NULL; } -#if !defined(_WIN32) +#if !defined(_WIN32) + /* The fds entry for i_unix is always FDS_I_UNIX */ + if (i_unix != NULL && accept_new_connections) + { + ct->fd[FDS_I_UNIX].fd = i_unix; + ct->fd[FDS_I_UNIX].in_flags = SLAPD_POLL_FLAGS; + ct->fd[FDS_I_UNIX].out_flags = 0; + LDAPDebug( LDAP_DEBUG_HOUSE, + "listening for LDAPI connections on %d\n", socketdesc, 0, 0 ); + } else { + ct->fd[FDS_S_TCPS].fd = NULL; + } + /* The fds entry for the signalpipe is always FDS_SIGNAL_PIPE */ ct->fd[FDS_SIGNAL_PIPE].fd = signalpipe[0]; ct->fd[FDS_SIGNAL_PIPE].in_flags = SLAPD_POLL_FLAGS; @@ -1013,8 +1080,9 @@ setup_pr_read_pds(Connection_Table *ct, PRFileDesc *n_tcps, PRFileDesc *s_tcps, /* count is the number of entries we've place in the fds array. * we always put n_tcps in slot FDS_N_TCPS, s_tcps in slot * FDS_S_TCPS and the signal pipe in slot FDS_SIGNAL_PIPE - * so we now set count to 3 */ - count = 3; + * and i_unix in FDS_I_UNIX + * so we now set count to 4 */ + count = 4; /* Walk down the list of active connections to find * out which connections we should poll over. If a connection @@ -1798,10 +1866,271 @@ daemon_register_connection() connection_type= factory_register_type(SLAPI_EXT_CONNECTION,offsetof(Connection,c_extension)); } } - + +#if defined(ENABLE_LDAPI) +int +slapd_identify_local_user(Connection *conn) +{ + int ret = -1; + uid_t uid = 0; + gid_t gid = 0; + + if(0 == slapd_get_socket_peer(conn->c_prfd, &uid, &gid)) + { + conn->c_local_uid = uid; + conn->c_local_gid = gid; + + ret = 0; + } + + return ret; +} + +#if defined(ENABLE_AUTOBIND) +int +slapd_bind_local_user(Connection *conn) +{ + int ret = -1; + uid_t uid = conn->c_local_uid; + gid_t gid = conn->c_local_gid; + + /* observe configuration for auto binding */ + /* bind at all? */ + if(config_get_ldapi_bind_switch()) + { + /* map users to a dn + root may also map to an entry + */ + + /* require real entry? */ + if(config_get_ldapi_map_entries()) + { + /* get uid type to map to (e.g. uidNumber) */ + char *utype = config_get_ldapi_uidnumber_type(); + /* get gid type to map to (e.g. gidNumber) */ + char *gtype = config_get_ldapi_gidnumber_type(); + /* get base dn for search */ + char *base_dn = config_get_ldapi_search_base_dn(); + + /* search vars */ + Slapi_PBlock *search_pb = 0; + Slapi_Entry **entries = 0; + int result; + + /* filter manipulation vars */ + char *one_type = 0; + char *filter_tpl = 0; + char *filter = 0; + + /* create filter, matching whatever is given */ + if(utype && gtype) + { + filter_tpl = "(&(%s=%u)(%s=%u))"; + } + else + { + if(utype || gtype) + { + filter_tpl = "(%s=%u)"; + if(utype) + one_type = utype; + else + one_type = gtype; + } + else + { + goto entry_map_free; + } + } + + if(one_type) + { + if(one_type == utype) + filter = slapi_ch_smprintf(filter_tpl, + utype, uid); + else + filter = slapi_ch_smprintf(filter_tpl, + gtype, gid); + } + else + { + filter = slapi_ch_smprintf(filter_tpl, + utype, uid, gtype, gid); + } + + /* search for single entry matching types */ + search_pb = slapi_pblock_new(); + + slapi_search_internal_set_pb( + search_pb, + base_dn, + LDAP_SCOPE_SUBTREE, + filter, + NULL, 0, NULL, NULL, + (void*)plugin_get_default_component_id(), + 0); + + slapi_search_internal_pb(search_pb); + slapi_pblock_get( + search_pb, + SLAPI_PLUGIN_INTOP_RESULT, + &result); + if(LDAP_SUCCESS == result) + slapi_pblock_get( + search_pb, + SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, + &entries); + + if(entries) + { + /* zero or multiple entries fail */ + if(entries[0] && 0 == entries[1]) + { + /* observe account locking */ + ret = check_account_lock( + 0, /* pb not req */ + entries[0], + 0, /* no response control */ + 1 /* inactivation only */ + ); + + if(0 == ret) + { + char *auth_dn = slapi_ch_strdup( + slapi_entry_get_ndn( + entries[0])); + + auth_dn = slapi_dn_normalize( + auth_dn); + + bind_credentials_set_nolock( + conn, + SLAPD_AUTH_OS, + auth_dn, + NULL, NULL, + NULL , entries[0]); + + ret = 0; + } + } + } + +entry_map_free: + /* auth_dn consumed by bind creds set */ + slapi_free_search_results_internal(search_pb); + slapi_pblock_destroy(search_pb); + slapi_ch_free_string(&filter); + slapi_ch_free_string(&utype); + slapi_ch_free_string(>ype); + slapi_ch_free_string(&base_dn); + } + + if(ret && 0 == uid) + { + /* map unix root (uidNumber:0)? */ + char *root_dn = config_get_ldapi_root_dn(); + + if(root_dn) + { + Slapi_DN *edn = slapi_sdn_new_dn_byref( + slapi_dn_normalize(root_dn)); + Slapi_Entry *e = 0; + + /* root might be locked too! :) */ + ret = slapi_search_internal_get_entry( + edn, 0, + &e, + (void*)plugin_get_default_component_id() + + ); + + if(0 == ret && e) + { + ret = check_account_lock( + 0, /* pb not req */ + e, + 0, /* no response control */ + 1 /* inactivation only */ + ); + + if(1 == ret) + /* sorry root, + * just not cool enough + */ + goto root_map_free; + } + + /* it's ok not to find the entry, + * dn doesn't have to have an entry + * e.g. cn=Directory Manager + */ + bind_credentials_set_nolock( + conn, SLAPD_AUTH_OS, root_dn, + NULL, NULL, NULL , e); + +root_map_free: + /* root_dn consumed by bind creds set */ + slapi_sdn_free(&edn); + slapi_entry_free(e); + ret = 0; + } + } + + if(ret) + { + /* create phony auth dn? */ + char *base = config_get_ldapi_auto_dn_suffix(); + if(base) + { + char *tpl = "gidNumber=%u+uidNumber=%u,"; + int len = + strlen(tpl) + + strlen(base) + + 51 /* uid,gid,null,w/padding */ + ; + char *dn_str = (char*)slapi_ch_malloc( + len); + char *auth_dn = (char*)slapi_ch_malloc( + len); + + dn_str[0] = 0; + strcpy(dn_str, tpl); + strcat(dn_str, base); + + sprintf(auth_dn, dn_str, gid, uid); + + auth_dn = slapi_dn_normalize(auth_dn); + + bind_credentials_set_nolock( + conn, + SLAPD_AUTH_OS, + auth_dn, + NULL, NULL, NULL , NULL); + + /* auth_dn consumed by bind creds set */ + slapi_ch_free_string(&dn_str); + slapi_ch_free_string(&base); + ret = 0; + } + } + } + +bail: + /* if all fails, the peer is anonymous */ + if(conn->c_dn) + { + /* log the auto bind */ + slapi_log_access(LDAP_DEBUG_STATS, "conn=%d AUTOBIND dn=\"%s\"\n", conn->c_connid, conn->c_dn); + } + + return ret; +} +#endif /* ENABLE_AUTOBIND */ +#endif /* ENABLE_LDAPI */ + /* NOTE: this routine is not reentrant */ static int -handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, int secure) +handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, int secure, int local) { int ns = 0; Connection *conn = NULL; @@ -1810,7 +2139,7 @@ handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, i PRFileDesc *pr_clonefd = NULL; if ( (ns = accept_and_configure( tcps, pr_acceptfd, &from, - sizeof(from), secure, &pr_clonefd)) == SLAPD_INVALID_SOCKET ) { + sizeof(from), secure, local, &pr_clonefd)) == SLAPD_INVALID_SOCKET ) { return -1; } @@ -1935,6 +2264,21 @@ handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, i connection_table_move_connection_on_to_active_list(the_connection_table,conn); } +#if defined(ENABLE_LDAPI) +#if !defined( XP_WIN32 ) + /* ldapi */ + if( local ) + { + conn->c_unix_local = 1; + slapd_identify_local_user(conn); + +#if defined(ENABLE_AUTOBIND) + slapd_bind_local_user(conn); +#endif /* ENABLE_AUTOBIND */ + } +#endif +#endif /* ENABLE_LDAPI */ + PR_Unlock( conn->c_mutex ); connection_new_private(conn); @@ -2019,7 +2363,7 @@ static void unfurl_banners(Connection_Table *ct,daemon_ports_t *ports, int n_tcps, PRFileDesc *s_tcps) #else static void -unfurl_banners(Connection_Table *ct,daemon_ports_t *ports, PRFileDesc *n_tcps, PRFileDesc *s_tcps) +unfurl_banners(Connection_Table *ct,daemon_ports_t *ports, PRFileDesc *n_tcps, PRFileDesc *s_tcps, PRFileDesc *i_unix) #endif { slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); @@ -2079,6 +2423,18 @@ unfurl_banners(Connection_Table *ct,daemon_ports_t *ports, PRFileDesc *n_tcps, P netaddr2string(&ports->s_listenaddr, addrbuf, sizeof(addrbuf)), ports->s_port, 0 ); } + +#if !defined( XP_WIN32 ) +#if defined(ENABLE_LDAPI) + if ( i_unix != NULL ) { /* LDAPI */ + LDAPDebug( LDAP_DEBUG_ANY, + "Listening on %s for LDAPI requests\n", + ports->i_listenaddr.local.path, + 0, 0 ); + } +#endif /* ENABLE_LDAPI */ +#endif + } #if defined( _WIN32 ) @@ -2273,7 +2629,7 @@ suppressed: static PRFileDesc * createprlistensocket(PRUint16 port, const PRNetAddr *listenaddr, - int secure) + int secure, int local) { PRFileDesc *sock; PRNetAddr sa_server; @@ -2281,16 +2637,26 @@ createprlistensocket(PRUint16 port, const PRNetAddr *listenaddr, PRSocketOptionData pr_socketoption; char addrbuf[ 256 ]; char *logname = "createprlistensocket"; + int socktype = PR_AF_INET6; + char *socktype_s = "PR_AF_INET"; if (!port) goto suppressed; PR_ASSERT( listenaddr != NULL ); +#if defined(ENABLE_LDAPI) + if(local) { /* ldapi */ + socktype = PR_AF_LOCAL; + socktype_s = "PR_AF_LOCAL"; + } +#endif /* ENABLE_LDAPI */ + /* create TCP socket */ - if ((sock = PR_OpenTCPSocket(PR_AF_INET6)) == SLAPD_INVALID_SOCKET) { + if ((sock = PR_OpenTCPSocket(socktype)) == SLAPD_INVALID_SOCKET) { prerr = PR_GetError(); slapi_log_error(SLAPI_LOG_FATAL, logname, - "PR_OpenTCPSocket(PR_AF_INET6) failed: %s error %d (%s)\n", + "PR_OpenTCPSocket(%s) failed: %s error %d (%s)\n", + socktype_s, SLAPI_COMPONENT_NAME_NSPR, prerr, slapd_pr_strerror(prerr)); goto failed; } @@ -2307,17 +2673,44 @@ createprlistensocket(PRUint16 port, const PRNetAddr *listenaddr, /* set up listener address, including port */ memcpy(&sa_server, listenaddr, sizeof(sa_server)); - PRLDAP_SET_PORT( &sa_server, port ); + + if(!local) + PRLDAP_SET_PORT( &sa_server, port ); if ( PR_Bind(sock, &sa_server) == PR_FAILURE) { prerr = PR_GetError(); - slapi_log_error(SLAPI_LOG_FATAL, logname, + if(!local) + { + slapi_log_error(SLAPI_LOG_FATAL, logname, "PR_Bind() on %s port %d failed: %s error %d (%s)\n", netaddr2string(&sa_server, addrbuf, sizeof(addrbuf)), port, SLAPI_COMPONENT_NAME_NSPR, prerr, slapd_pr_strerror(prerr)); + } +#if defined(ENABLE_LDAPI) + else + { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "PR_Bind() on %s file %s failed: %s error %d (%s)\n", + netaddr2string(&sa_server, addrbuf, sizeof(addrbuf)), + sa_server.local.path, + SLAPI_COMPONENT_NAME_NSPR, prerr, slapd_pr_strerror(prerr)); + } +#endif /* ENABLE_LDAPI */ + goto failed; } +#if defined(ENABLE_LDAPI) + if(local) + { + if(chmod(listenaddr->local.path, + S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH)) + { + slapi_log_error(SLAPI_LOG_FATAL, logname, "err: %d", errno); + } + } +#endif /* ENABLE_LDAPI */ + return( sock ); failed: @@ -2536,7 +2929,7 @@ PRFileDesc * get_ssl_listener_fd() -int configure_pr_socket( PRFileDesc **pr_socket, int secure ) +int configure_pr_socket( PRFileDesc **pr_socket, int secure, int local ) { int ns = 0; int reservedescriptors = config_get_reservedescriptors(); @@ -2617,7 +3010,7 @@ int configure_pr_socket( PRFileDesc **pr_socket, int secure ) } /* else (secure) */ - if ( !enable_nagle ) { + if ( !enable_nagle && !local ) { pr_socketoption.option = PR_SockOpt_NoDelay; pr_socketoption.value.no_delay = 1; @@ -2628,7 +3021,7 @@ int configure_pr_socket( PRFileDesc **pr_socket, int secure ) SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", prerr, slapd_pr_strerror( prerr ), 0 ); } - } else { + } else if( !local) { pr_socketoption.option = PR_SockOpt_NoDelay; pr_socketoption.value.no_delay = 0; if ( PR_SetSocketOption( *pr_socket, &pr_socketoption ) == PR_FAILURE) { diff --git a/ldap/servers/slapd/fe.h b/ldap/servers/slapd/fe.h index d4773f00..a92327c8 100644 --- a/ldap/servers/slapd/fe.h +++ b/ldap/servers/slapd/fe.h @@ -173,7 +173,7 @@ int secure_write_function( int ignore, const void *buffer, int count, struct lex int read_function(int ignore, void *buffer, int count, struct lextiof_socket_private *handle ); int write_function(int ignore, const void *buffer, int count, struct lextiof_socket_private *handle ); PRFileDesc * get_ssl_listener_fd(); -int configure_pr_socket( PRFileDesc **pr_socket, int secure ); +int configure_pr_socket( PRFileDesc **pr_socket, int secure, int local ); void configure_ns_socket( int * ns ); /* diff --git a/ldap/servers/slapd/getsocketpeer.c b/ldap/servers/slapd/getsocketpeer.c new file mode 100644 index 00000000..9a6cd362 --- /dev/null +++ b/ldap/servers/slapd/getsocketpeer.c @@ -0,0 +1,143 @@ +/** BEGIN COPYRIGHT BLOCK + * This Program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; version 2 of the License. + * + * This Program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with + * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place, Suite 330, Boston, MA 02111-1307 USA. + * + * In addition, as a special exception, Red Hat, Inc. gives You the additional + * right to link the code of this Program with code not covered under the GNU + * General Public License ("Non-GPL Code") and to distribute linked combinations * including the two, subject to the limitations in this paragraph. Non-GPL Code * permitted under this exception must only link to the code of this Program + * through those well defined interfaces identified in the file named EXCEPTION + * found in the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline functions from * the Approved Interfaces without causing the resulting work to be covered by + * the GNU General Public License. Only Red Hat, Inc. may make changes or + * additions to the list of Approved Interfaces. You must obey the GNU General + * Public License in all respects for all of the Program code and other code used + * in conjunction with the Program except the Non-GPL Code covered by this + * exception. If you modify this file, you may extend this exception to your + * version of the file, but you are not obligated to do so. If you do not wish to + * provide this exception without modification, you must delete this exception + * statement from your version and license this file solely under the GPL without + * exception. + * + * + * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission. + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * END COPYRIGHT BLOCK **/ +#ifdef HAVE_CONFIG_H +# include <config.h> +#endif + +#if defined(ENABLE_LDAPI) + +#if defined(HAVE_GETPEERUCRED) +#include <ucred.h> +#endif + +#include <sys/types.h> +#include <unistd.h> +#include <sys/socket.h> + +/* nspr secrets - we need to do an end run around nspr + in order to do things it does not support + */ +#include <private/pprio.h> + +int slapd_get_socket_peer(PRFileDesc *nspr_fd, uid_t *uid, gid_t *gid) +{ + int ret = -1; + int fd = PR_FileDesc2NativeHandle(nspr_fd); /* naughty private func */ + +#if defined(SO_PEERCRED) /* linux */ + + struct ucred creds; + socklen_t len = sizeof(creds); + + if(0 == getsockopt(fd, SOL_SOCKET, SO_PEERCRED, (void*)&creds, &len )) + { + if(sizeof(creds) == len) + { + if(uid) + *uid = creds.uid; + if(gid) + *gid = creds.gid; + + ret = 0; + } + } + +#elif 0 /*defined(HAVE_GETPEERUCRED)*/ /* solaris */ + + ucred_t *creds = 0; + + if(0 == getpeerucred(fd, &creds)) + { + if(uid) + { + uid = ucred_getruid(creds); + if(-1 != uid) + ret = 0; + } + + if(gid) + { + gid = ucred_getrgid(creds); + if(-1 == gid) + ret = -1; + else + ret = 0; + } + + ucred_free(creds); + } + +#elif 0 /* defined(HAVE_GETPEEREID) */ /* osx / some BSDs */ + + if(0 == getpeereid(fd, &uid, &gid)) + ret = 0; + +#else 0 /* hpux / some BSDs - file descriptor cooperative auth */ + + struct msghdr msg; + struct iovec iov; + char dummy[8]; + int fd[2]; + + memset(msg, 0, sizeof(msg)); + + iov.iov_base = dummy; + iov.iov_len = sizeof(dummy); + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_accrights = (char*)fd; + msg.msg_accrightslen = sizeof(fd); + + if(recvmsg(fd, &msg, MSG_PEEK) >= 0 && msg.msg_accrightslen == sizeof(int)) + { + struct stat st; + + ret = fstat(fd[0], &st); + close(fd[0]); + + if(0 == ret && S_ISFIFO(st.st_mode) && + 0 == st.st_mode & (S_IRWXG|S_IRWXO)) + { + if(uid) + uid = st.st_uid; + + if(gid) + gid = st.st_gid; + } + } + +#endif + + return ret; +} + +#endif /* ENABLE_LDAPI */ diff --git a/ldap/servers/slapd/getsocketpeer.h b/ldap/servers/slapd/getsocketpeer.h new file mode 100644 index 00000000..50879e10 --- /dev/null +++ b/ldap/servers/slapd/getsocketpeer.h @@ -0,0 +1,40 @@ +/** BEGIN COPYRIGHT BLOCK + * This Program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; version 2 of the License. + * + * This Program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with + * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place, Suite 330, Boston, MA 02111-1307 USA. + * + * In addition, as a special exception, Red Hat, Inc. gives You the additional + * right to link the code of this Program with code not covered under the GNU + * General Public License ("Non-GPL Code") and to distribute linked combinations * including the two, subject to the limitations in this paragraph. Non-GPL Code * permitted under this exception must only link to the code of this Program + * through those well defined interfaces identified in the file named EXCEPTION + * found in the source code files (the "Approved Interfaces"). The files of + * Non-GPL Code may instantiate templates or use macros or inline functions from * the Approved Interfaces without causing the resulting work to be covered by + * the GNU General Public License. Only Red Hat, Inc. may make changes or + * additions to the list of Approved Interfaces. You must obey the GNU General + * Public License in all respects for all of the Program code and other code used + * in conjunction with the Program except the Non-GPL Code covered by this + * exception. If you modify this file, you may extend this exception to your + * version of the file, but you are not obligated to do so. If you do not wish to + * provide this exception without modification, you must delete this exception + * statement from your version and license this file solely under the GPL without + * exception. + * + * + * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission. + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * END COPYRIGHT BLOCK **/ +#ifdef HAVE_CONFIG_H +# include <config.h> +#endif +#if defined(ENABLE_LDAPI) +#if !defined(GETSOCKETPEER_H) +#define GETSOCKETPEER_H +int slapd_get_socket_peer(PRFileDesc *nspr_fd, uid_t *uid, gid_t *gid); +#endif +#endif /* ENABLE_LDAPI */ diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c index 0c9338fc..313f3ae9 100644 --- a/ldap/servers/slapd/libglobs.c +++ b/ldap/servers/slapd/libglobs.c @@ -459,6 +459,33 @@ static struct config_get_and_set { {CONFIG_LISTENHOST_ATTRIBUTE, config_set_listenhost, NULL, 0, (void**)&global_slapdFrontendConfig.listenhost, CONFIG_STRING, NULL}, + {CONFIG_LDAPI_FILENAME_ATTRIBUTE, config_set_ldapi_filename, + NULL, 0, + (void**)&global_slapdFrontendConfig.ldapi_filename, CONFIG_STRING, NULL}, + {CONFIG_LDAPI_SWITCH_ATTRIBUTE, config_set_ldapi_switch, + NULL, 0, + (void**)&global_slapdFrontendConfig.ldapi_switch, CONFIG_ON_OFF, NULL}, + {CONFIG_LDAPI_BIND_SWITCH_ATTRIBUTE, config_set_ldapi_bind_switch, + NULL, 0, + (void**)&global_slapdFrontendConfig.ldapi_bind_switch, CONFIG_ON_OFF, NULL}, + {CONFIG_LDAPI_ROOT_DN_ATTRIBUTE, config_set_ldapi_root_dn, + NULL, 0, + (void**)&global_slapdFrontendConfig.ldapi_root_dn, CONFIG_STRING, NULL}, + {CONFIG_LDAPI_MAP_ENTRIES_ATTRIBUTE, config_set_ldapi_map_entries, + NULL, 0, + (void**)&global_slapdFrontendConfig.ldapi_map_entries, CONFIG_ON_OFF, NULL}, + {CONFIG_LDAPI_UIDNUMBER_TYPE_ATTRIBUTE, config_set_ldapi_uidnumber_type, + NULL, 0, + (void**)&global_slapdFrontendConfig.ldapi_uidnumber_type, CONFIG_STRING, NULL}, + {CONFIG_LDAPI_GIDNUMBER_TYPE_ATTRIBUTE, config_set_ldapi_gidnumber_type, + NULL, 0, + (void**)&global_slapdFrontendConfig.ldapi_gidnumber_type, CONFIG_STRING, NULL}, + {CONFIG_LDAPI_SEARCH_BASE_DN_ATTRIBUTE, config_set_ldapi_search_base_dn, + NULL, 0, + (void**)&global_slapdFrontendConfig.ldapi_search_base_dn, CONFIG_STRING, NULL}, + {CONFIG_LDAPI_AUTO_DN_SUFFIX_ATTRIBUTE, config_set_ldapi_auto_dn_suffix, + NULL, 0, + (void**)&global_slapdFrontendConfig.ldapi_auto_dn_suffix, CONFIG_STRING, NULL}, {CONFIG_ACCESSLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL, log_set_mindiskspace, SLAPD_ACCESS_LOG, (void**)&global_slapdFrontendConfig.accesslog_minfreespace, CONFIG_INT, NULL}, @@ -750,6 +777,15 @@ FrontendConfig_init () { cfg->port = LDAP_PORT; cfg->secureport = LDAPS_PORT; + cfg->ldapi_filename = slapi_ch_strdup(SLAPD_LDAPI_DEFAULT_FILENAME); + cfg->ldapi_switch = LDAP_ON; + cfg->ldapi_bind_switch = LDAP_OFF; + cfg->ldapi_root_dn = slapi_ch_strdup("cn=Directory Manager"); + cfg->ldapi_map_entries = LDAP_OFF; + cfg->ldapi_uidnumber_type = slapi_ch_strdup("uidNumber"); + cfg->ldapi_gidnumber_type = slapi_ch_strdup("gidNumber"); + cfg->ldapi_search_base_dn = slapi_ch_strdup("dc=example, dc=com"); + cfg->ldapi_auto_dn_suffix = slapi_ch_strdup("cn=peercred,cn=external,cn=auth"); cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS; cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN; cfg->reservedescriptors = SLAPD_DEFAULT_RESERVE_FDS; @@ -991,7 +1027,7 @@ config_set_port( const char *attrname, char *port, char *errorbuf, int apply ) { if ( nPort == 0 ) { LDAPDebug( LDAP_DEBUG_ANY, - "Information: Non-Secure Port Disabled, server only contactable via secure port\n", 0, 0, 0 ); + "Information: Non-Secure Port Disabled\n", 0, 0, 0 ); } if ( apply ) { @@ -1142,6 +1178,163 @@ config_set_listenhost( const char *attrname, char *value, char *errorbuf, int ap } int +config_set_ldapi_filename( const char *attrname, char *value, char *errorbuf, int apply ) { + int retVal = LDAP_SUCCESS; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + if ( config_value_is_null( attrname, value, errorbuf, 0 )) { + return LDAP_OPERATIONS_ERROR; + } + + if ( apply) { + CFG_LOCK_WRITE(slapdFrontendConfig); + + slapi_ch_free ( (void **) &(slapdFrontendConfig->ldapi_filename) ); + slapdFrontendConfig->ldapi_filename = slapi_ch_strdup ( value ); + CFG_UNLOCK_WRITE(slapdFrontendConfig); + } + return retVal; +} + +int +config_set_ldapi_switch( const char *attrname, char *value, char *errorbuf, int apply ) { + int retVal = LDAP_SUCCESS; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + retVal = config_set_onoff(attrname, + value, + &(slapdFrontendConfig->ldapi_switch), + errorbuf, + apply); + + return retVal; +} + +int config_set_ldapi_bind_switch( const char *attrname, char *value, char *errorbuf, int apply ) +{ + int retVal = LDAP_SUCCESS; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + retVal = config_set_onoff(attrname, + value, + &(slapdFrontendConfig->ldapi_bind_switch), + errorbuf, + apply); + + return retVal; +} + +int config_set_ldapi_root_dn( const char *attrname, char *value, char *errorbuf, int apply ) +{ + int retVal = LDAP_SUCCESS; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + if ( config_value_is_null( attrname, value, errorbuf, 0 )) { + return LDAP_OPERATIONS_ERROR; + } + + if ( apply) { + CFG_LOCK_WRITE(slapdFrontendConfig); + + slapi_ch_free ( (void **) &(slapdFrontendConfig->ldapi_root_dn) ); + slapdFrontendConfig->ldapi_root_dn = slapi_ch_strdup ( value ); + CFG_UNLOCK_WRITE(slapdFrontendConfig); + } + return retVal; +} + +int config_set_ldapi_map_entries( const char *attrname, char *value, char *errorbuf, int apply ) +{ + int retVal = LDAP_SUCCESS; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + retVal = config_set_onoff(attrname, + value, + &(slapdFrontendConfig->ldapi_map_entries), + errorbuf, + apply); + + return retVal; +} + +int config_set_ldapi_uidnumber_type( const char *attrname, char *value, char *errorbuf, int apply ) +{ + int retVal = LDAP_SUCCESS; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + if ( config_value_is_null( attrname, value, errorbuf, 0 )) { + return LDAP_OPERATIONS_ERROR; + } + + if ( apply) { + CFG_LOCK_WRITE(slapdFrontendConfig); + + slapi_ch_free ( (void **) &(slapdFrontendConfig->ldapi_uidnumber_type) ); + slapdFrontendConfig->ldapi_uidnumber_type = slapi_ch_strdup ( value ); + CFG_UNLOCK_WRITE(slapdFrontendConfig); + } + return retVal; +} + +int config_set_ldapi_gidnumber_type( const char *attrname, char *value, char *errorbuf, int apply ) +{ + int retVal = LDAP_SUCCESS; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + if ( config_value_is_null( attrname, value, errorbuf, 0 )) { + return LDAP_OPERATIONS_ERROR; + } + + if ( apply) { + CFG_LOCK_WRITE(slapdFrontendConfig); + + slapi_ch_free ( (void **) &(slapdFrontendConfig->ldapi_gidnumber_type) ); + slapdFrontendConfig->ldapi_gidnumber_type = slapi_ch_strdup ( value ); + CFG_UNLOCK_WRITE(slapdFrontendConfig); + } + return retVal; +} + +int config_set_ldapi_search_base_dn( const char *attrname, char *value, char *errorbuf, int apply ) +{ + int retVal = LDAP_SUCCESS; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + if ( config_value_is_null( attrname, value, errorbuf, 0 )) { + return LDAP_OPERATIONS_ERROR; + } + + if ( apply) { + CFG_LOCK_WRITE(slapdFrontendConfig); + + slapi_ch_free ( (void **) &(slapdFrontendConfig->ldapi_search_base_dn) ); + slapdFrontendConfig->ldapi_search_base_dn = slapi_ch_strdup ( value ); + CFG_UNLOCK_WRITE(slapdFrontendConfig); + } + return retVal; +} + +int config_set_ldapi_auto_dn_suffix( const char *attrname, char *value, char *errorbuf, int apply ) +{ + int retVal = LDAP_SUCCESS; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + if ( config_value_is_null( attrname, value, errorbuf, 0 )) { + return LDAP_OPERATIONS_ERROR; + } + + if ( apply) { + CFG_LOCK_WRITE(slapdFrontendConfig); + + slapi_ch_free ( (void **) &(slapdFrontendConfig->ldapi_auto_dn_suffix) ); + slapdFrontendConfig->ldapi_auto_dn_suffix = slapi_ch_strdup ( value ); + CFG_UNLOCK_WRITE(slapdFrontendConfig); + } + return retVal; +} + + +int config_set_securelistenhost( const char *attrname, char *value, char *errorbuf, int apply ) { int retVal = LDAP_SUCCESS; slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); @@ -3066,6 +3259,100 @@ config_get_port(){ } char * +config_get_ldapi_filename(){ + char *retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapi_ch_strdup(slapdFrontendConfig->ldapi_filename); + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; +} + + +int config_get_ldapi_switch(){ + int retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapdFrontendConfig->ldapi_switch; + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; +} + +int config_get_ldapi_bind_switch(){ + int retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapdFrontendConfig->ldapi_bind_switch; + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; +} + +char *config_get_ldapi_root_dn(){ + char *retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapi_ch_strdup(slapdFrontendConfig->ldapi_root_dn); + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; +} + +int config_get_ldapi_map_entries(){ + int retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapdFrontendConfig->ldapi_map_entries; + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; +} + +char *config_get_ldapi_uidnumber_type(){ + char *retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapi_ch_strdup(slapdFrontendConfig->ldapi_uidnumber_type); + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; +} + +char *config_get_ldapi_gidnumber_type(){ + char *retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapi_ch_strdup(slapdFrontendConfig->ldapi_gidnumber_type); + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; +} + +char *config_get_ldapi_search_base_dn(){ + char *retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapi_ch_strdup(slapdFrontendConfig->ldapi_search_base_dn); + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; +} + +char *config_get_ldapi_auto_dn_suffix(){ + char *retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapi_ch_strdup(slapdFrontendConfig->ldapi_auto_dn_suffix); + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; +} + + +char * config_get_workingdir() { slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); char *retVal; diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c index e0f0203d..d735261e 100644 --- a/ldap/servers/slapd/main.c +++ b/ldap/servers/slapd/main.c @@ -453,6 +453,7 @@ usage( char *name, char *extraname ) static char *extraname; static char *myname; static int n_port = 0; +static int i_port = 0; static int s_port = 0; static char **ldif_file = NULL; static int ldif_files = 0; @@ -612,6 +613,7 @@ write_start_pid_file() } #endif /* WIN32 */ + int main( int argc, char **argv) { @@ -854,6 +856,19 @@ main( int argc, char **argv) return(1); } +#if defined(ENABLE_LDAPI) + if( config_get_ldapi_switch() && + config_get_ldapi_filename() != 0) + { + i_port = ports_info.i_port = 1; /* flag ldapi as on */ + ports_info.i_listenaddr.local.family = PR_AF_LOCAL; + PL_strncpyz(ports_info.i_listenaddr.local.path, + config_get_ldapi_filename(), + sizeof(ports_info.i_listenaddr.local.path)); + unlink(ports_info.i_listenaddr.local.path); + } +#endif /* ENABLE_LDAPI */ + return_value = daemon_pre_setuid_init(&ports_info); if (0 != return_value) { LDAPDebug( LDAP_DEBUG_ANY, "Failed to init daemon\n", @@ -1081,6 +1096,7 @@ main( int argc, char **argv) normalize_oc(); if (n_port) { + } else if (i_port) { } else if ( config_get_security()) { } else { #ifdef _WIN32 @@ -1105,6 +1121,10 @@ main( int argc, char **argv) MessageBox(GetDesktopWindow(), szMessage, " ", MB_ICONEXCLAMATION | MB_OK); } #endif + LDAPDebug( LDAP_DEBUG_ANY, + "Fatal Error---No ports specified. " + "Exiting now.\n", 0, 0, 0 ); + exit(1); } } diff --git a/ldap/servers/slapd/passwd_extop.c b/ldap/servers/slapd/passwd_extop.c index 55d81c8a..feff7241 100644 --- a/ldap/servers/slapd/passwd_extop.c +++ b/ldap/servers/slapd/passwd_extop.c @@ -592,7 +592,7 @@ parse_req_done: if (oldPasswd == NULL || *oldPasswd == '\0') { /* If user is authenticated, they already gave their password during - the bind operation (or used sasl or client cert auth) */ + the bind operation (or used sasl or client cert auth or OS creds) */ slapi_pblock_get(pb, SLAPI_CONN_AUTHMETHOD, &authmethod); if (!authmethod || !strcmp(authmethod, SLAPD_AUTH_NONE)) { errMesg = "User must be authenticated to the directory server.\n"; diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c index be59e274..2ca642a1 100644 --- a/ldap/servers/slapd/pblock.c +++ b/ldap/servers/slapd/pblock.c @@ -212,6 +212,8 @@ slapi_pblock_get( Slapi_PBlock *pblock, int arg, void *value ) (*(char **)value) = SLAPD_AUTH_SIMPLE; } else if (strcasecmp(authtype, SLAPD_AUTH_SSL) == 0) { (*(char **)value) = SLAPD_AUTH_SSL; + } else if (strcasecmp(authtype, SLAPD_AUTH_OS) == 0) { + (*(char **)value) = SLAPD_AUTH_OS; } else if (strncasecmp(authtype, SLAPD_AUTH_SASL, strlen(SLAPD_AUTH_SASL)) == 0) { (*(char **)value) = SLAPD_AUTH_SASL; @@ -2932,7 +2934,15 @@ bind_credentials_set( Connection *conn, char *authtype, char *normdn, char *extauthtype, char *externaldn, CERTCertificate *clientcert, Slapi_Entry * bind_target_entry ) { PR_Lock( conn->c_mutex ); + bind_credentials_set_nolock(conn, authtype, normdn, + extauthtype, externaldn, clientcert, bind_target_entry); + PR_Unlock( conn->c_mutex ); +} +void +bind_credentials_set_nolock( Connection *conn, char *authtype, char *normdn, + char *extauthtype, char *externaldn, CERTCertificate *clientcert, Slapi_Entry * bind_target_entry ) +{ /* clear credentials */ bind_credentials_clear( conn, PR_FALSE /* conn is already locked */, ( extauthtype != NULL ) /* clear external creds. if requested */ ); @@ -2968,6 +2978,4 @@ bind_credentials_set( Connection *conn, char *authtype, char *normdn, reslimit_update_from_entry( conn, bind_target_entry ); } } - - PR_Unlock( conn->c_mutex ); } diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h index c7c09a23..6a68d049 100644 --- a/ldap/servers/slapd/proto-slap.h +++ b/ldap/servers/slapd/proto-slap.h @@ -239,6 +239,15 @@ int config_set_SSL3ciphers( const char *attrname, char *value, char *errorbuf, i int config_set_localhost( const char *attrname, char *value, char *errorbuf, int apply ); int config_set_listenhost( const char *attrname, char *value, char *errorbuf, int apply ); int config_set_securelistenhost( const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_ldapi_filename( const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_ldapi_switch( const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_ldapi_bind_switch( const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_ldapi_root_dn( const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_ldapi_map_entries( const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_ldapi_uidnumber_type( const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_ldapi_gidnumber_type( const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_ldapi_search_base_dn( const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_ldapi_auto_dn_suffix( const char *attrname, char *value, char *errorbuf, int apply ); int config_set_srvtab( const char *attrname, char *value, char *errorbuf, int apply ); int config_set_sizelimit( const char *attrname, char *value, char *errorbuf, int apply ); int config_set_lastmod( const char *attrname, char *value, char *errorbuf, int apply ); @@ -334,6 +343,15 @@ char *config_get_SSL3ciphers(); char *config_get_localhost(); char *config_get_listenhost(); char *config_get_securelistenhost(); +char *config_get_ldapi_filename(); +int config_get_ldapi_switch(); +int config_get_ldapi_bind_switch(); +char *config_get_ldapi_root_dn(); +int config_get_ldapi_map_entries(); +char *config_get_ldapi_uidnumber_type(); +char *config_get_ldapi_gidnumber_type(); +char *config_get_ldapi_search_base_dn(); +char *config_get_ldapi_auto_dn_suffix(); char *config_get_srvtab(); int config_get_sizelimit(); char *config_get_pw_storagescheme(); @@ -738,7 +756,7 @@ int check_pw_syntax( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, char **old_pw, Slapi_Entry *e, int mod_op ); int check_pw_syntax_ext( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, char **old_pw, Slapi_Entry *e, int mod_op, Slapi_Mods *smods ); -int check_account_lock( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req); +int check_account_lock( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req, int account_inactivation_only /*no wire/no pw policy*/); int check_pw_minage( Slapi_PBlock *pb, const Slapi_DN *sdn, struct berval **vals) ; void add_password_attrs( Slapi_PBlock *pb, Operation *op, Slapi_Entry *e ); void mod_allowchange_aci(char *val); @@ -961,6 +979,9 @@ void pblock_init( Slapi_PBlock *pb ); void pblock_init_common( Slapi_PBlock *pb, Slapi_Backend *be, Connection *conn, Operation *op ); void pblock_done( Slapi_PBlock *pb ); void bind_credentials_set( Connection *conn, + char *authtype, char *normdn, + char *extauthtype, char *externaldn, CERTCertificate *clientcert , Slapi_Entry * binded); +void bind_credentials_set_nolock( Connection *conn, char *authtype, char *normdn, char *extauthtype, char *externaldn, CERTCertificate *clientcert , Slapi_Entry * binded); void bind_credentials_clear( Connection *conn, PRBool lock_conn, diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c index a383032c..20303f29 100644 --- a/ldap/servers/slapd/pw_mgmt.c +++ b/ldap/servers/slapd/pw_mgmt.c @@ -291,7 +291,7 @@ skip: /* check_account_lock is called before bind opeation; this could be a pre-op. */ int -check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req) { +check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req, int account_inactivation_only) { time_t unlock_time; time_t cur_time; @@ -312,8 +312,11 @@ check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwre if ( bind_target_entry == NULL ) return -1; - dn = slapi_entry_get_ndn(bind_target_entry); - pwpolicy = new_passwdPolicy(pb, dn); + if(!account_inactivation_only) + { + dn = slapi_entry_get_ndn(bind_target_entry); + pwpolicy = new_passwdPolicy(pb, dn); + } /* kexcoff: account inactivation */ /* check if the entry is locked by nsAccountLock attribute - account inactivation feature */ @@ -334,11 +337,12 @@ check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwre if ( (bvp != NULL) && (strcasecmp(bvp->bv_val, "true") == 0) ) { /* account inactivated */ - if (pwresponse_req) { + if (!account_inactivation_only && pwresponse_req) { slapi_pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_ACCTLOCKED ); } - send_ldap_result ( pb, LDAP_UNWILLING_TO_PERFORM, NULL, + if(!account_inactivation_only) + send_ldap_result ( pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Account inactivated. Contact system administrator.", 0, NULL ); slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags); @@ -354,7 +358,7 @@ check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwre /* * Check if the password policy has to be checked or not */ - if ( pwpolicy->pw_lockout == 0 ) { + if ( account_inactivation_only || pwpolicy->pw_lockout == 0 ) { goto notlocked; } @@ -412,11 +416,13 @@ check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwre } notlocked: - /* account is not locked. */ - delete_passwdPolicy(&pwpolicy); + /* account is not locked. */ + if(!account_inactivation_only) + delete_passwdPolicy(&pwpolicy); return ( 0 ); locked: - delete_passwdPolicy(&pwpolicy); + if(!account_inactivation_only) + delete_passwdPolicy(&pwpolicy); return (1); } diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c index 53375292..d91cd69b 100644 --- a/ldap/servers/slapd/saslbind.c +++ b/ldap/servers/slapd/saslbind.c @@ -917,7 +917,7 @@ void ids_sasl_check_bind(Slapi_PBlock *pb) { break; } - if ( check_account_lock(pb, bind_target_entry, pwresponse_requested) == 1) { + if ( check_account_lock(pb, bind_target_entry, pwresponse_requested, 0) == 1) { slapi_entry_free(bind_target_entry); break; } diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h index acc4a3cb..da7da7b9 100644 --- a/ldap/servers/slapd/slap.h +++ b/ldap/servers/slapd/slap.h @@ -304,6 +304,10 @@ typedef void (*VFP0)(); /* the default schema sub directory of the config sub directory */ #define SCHEMA_SUBDIR_NAME "schema" +/* LDAPI default configuration */ +#define SLAPD_LDAPI_DEFAULT_FILENAME "/var/run/ldapi" +#define SLAPD_LDAPI_DEFAULT_STATUS "off" + struct subfilt { char *sf_type; char *sf_initial; @@ -1249,6 +1253,9 @@ typedef struct conn { int c_enable_sasl_io; /* Flag to tell us to enable SASL I/O on the next read */ int c_sasl_io; /* Flag to tell us to enable SASL I/O on the next read */ int c_sasl_ssf; /* flag to tell us the SASL SSF */ + int c_unix_local; /* flag true for LDAPI */ + uid_t c_local_uid; /* uid of connecting process */ + gid_t c_local_gid; /* gid of connecting process */ } Connection; #define CONN_FLAG_SSL 1 /* Is this connection an SSL connection or not ? * Used to direct I/O code when SSL is handled differently @@ -1456,6 +1463,11 @@ typedef struct daemon_ports_s { int s_socket_native; #else PRFileDesc *n_socket; + /* ldapi */ + PRNetAddr i_listenaddr; + int i_port; /* used as a flag only */ + PRFileDesc *i_socket; + #endif PRFileDesc *s_socket; } daemon_ports_t; @@ -1640,6 +1652,15 @@ typedef struct _slapdEntryPoints { #define CONFIG_PORT_ATTRIBUTE "nsslapd-port" #define CONFIG_WORKINGDIR_ATTRIBUTE "nsslapd-workingdir" #define CONFIG_LISTENHOST_ATTRIBUTE "nsslapd-listenhost" +#define CONFIG_LDAPI_FILENAME_ATTRIBUTE "nsslapd-ldapifilepath" +#define CONFIG_LDAPI_SWITCH_ATTRIBUTE "nsslapd-ldapilisten" +#define CONFIG_LDAPI_BIND_SWITCH_ATTRIBUTE "nsslapd-ldapiautobind" +#define CONFIG_LDAPI_ROOT_DN_ATTRIBUTE "nsslapd-ldapimaprootdn" +#define CONFIG_LDAPI_MAP_ENTRIES_ATTRIBUTE "nsslapd-ldapimaptoentries" +#define CONFIG_LDAPI_UIDNUMBER_TYPE_ATTRIBUTE "nsslapd-ldapiuidnumbertype" +#define CONFIG_LDAPI_GIDNUMBER_TYPE_ATTRIBUTE "nsslapd-ldapigidnumbertype" +#define CONFIG_LDAPI_SEARCH_BASE_DN_ATTRIBUTE "nsslapd-ldapientrysearchbase" +#define CONFIG_LDAPI_AUTO_DN_SUFFIX_ATTRIBUTE "nsslapd-ldapiautodnsuffix" #define CONFIG_SECURITY_ATTRIBUTE "nsslapd-security" #define CONFIG_SSL3CIPHERS_ATTRIBUTE "nsslapd-SSL3ciphers" #define CONFIG_ACCESSLOG_ATTRIBUTE "nsslapd-accesslog" @@ -1889,6 +1910,15 @@ typedef struct _slapdFrontendConfig { int attrname_exceptions; /* if true, allow questionable attribute names */ int rewrite_rfc1274; /* return attrs for both v2 and v3 names */ char *schemareplace; /* see CONFIG_SCHEMAREPLACE_* #defines below */ + char *ldapi_filename; /* filename for ldapi socket */ + int ldapi_switch; /* switch to turn ldapi on/off */ + int ldapi_bind_switch; /* switch to turn ldapi auto binding on/off */ + char *ldapi_root_dn; /* DN to map root to over LDAPI */ + int ldapi_map_entries; /* turns ldapi entry bind mapping on/off */ + char *ldapi_uidnumber_type; /* type that contains uid number */ + char *ldapi_gidnumber_type; /* type that contains gid number */ + char *ldapi_search_base_dn; /* base dn to search for mapped entries */ + char *ldapi_auto_dn_suffix; /* suffix to be appended to auto gen DNs */ } slapdFrontendConfig_t; #define SLAPD_FULL 0 @@ -1902,6 +1932,8 @@ typedef struct _slapdFrontendConfig { slapdFrontendConfig_t *getFrontendConfig(); +int slapd_bind_local_user(Connection *conn); + /* LP: NO_TIME cannot be -1, it generates wrong GeneralizedTime * And causes some errors on AIX also */ diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h index 0149556a..c624b38c 100644 --- a/ldap/servers/slapd/slapi-plugin.h +++ b/ldap/servers/slapd/slapi-plugin.h @@ -1367,7 +1367,7 @@ int slapi_reslimit_get_integer_limit( Slapi_Connection *conn, int handle, #define SLAPD_AUTH_SIMPLE "simple" #define SLAPD_AUTH_SSL "SSL" #define SLAPD_AUTH_SASL "SASL " /* followed by the mechanism name */ - +#define SLAPD_AUTH_OS "OS" /* Command Line Arguments */ #define SLAPI_ARGC 147 diff --git a/ldap/servers/slapd/start_tls_extop.c b/ldap/servers/slapd/start_tls_extop.c index 93c12775..3b4fadcb 100644 --- a/ldap/servers/slapd/start_tls_extop.c +++ b/ldap/servers/slapd/start_tls_extop.c @@ -275,7 +275,8 @@ start_tls( Slapi_PBlock *pb ) * connection ready. */ secure = 1; - ns = configure_pr_socket( &newsocket, secure ); + ns = configure_pr_socket( &newsocket, secure, 0 /*never local*/ ); + /* ber_sockbuf_set_option( conn->c_sb, LBER_SOCKBUF_OPT_DESC, &newsocket ); @@ -417,7 +418,7 @@ start_tls_graceful_closure( Connection *c, Slapi_PBlock * pb, int is_initiator ) #ifndef _WIN32 secure = 0; - ns = configure_pr_socket( &(c->c_prfd), secure ); + ns = configure_pr_socket( &(c->c_prfd), secure, 0 /*never local*/ ); ber_sockbuf_set_option( c->c_sb, LBER_SOCKBUF_OPT_DESC, &(c->c_prfd) ); |