-rw-r--r-- | ldap/servers/slapd/configdse.c | 50 | ||||
-rw-r--r-- | ldap/servers/slapd/libglobs.c | 39 | ||||
-rw-r--r-- | ldap/servers/slapd/proto-slap.h | 2 | ||||
-rw-r--r-- | ldap/servers/slapd/slap.h | 2 |
4 files changed, 84 insertions, 9 deletions
diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c index 91b85800..3b87cb67 100644 --- a/ldap/servers/slapd/configdse.c +++ b/ldap/servers/slapd/configdse.c @@ -123,6 +123,22 @@ ignore_attr_type(const char *attr_type) return 0; } +/* these attr types are allowed to delete */ +static int +allowed_to_delete_attrs(const char *attr_type) +{ + if (attr_type) { + char **ap = config_get_allowed_to_delete_attrs(); + for ( ; ap && *ap; ap++) { + if (strcasecmp (attr_type, *ap) == 0) { + return 1; + } + } + } + + return 0; +} + int read_config_dse (Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, int *returncode, char *returntext, void *arg) { 
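Review bot: The loop in `allowed_to_delete_attrs` walks the array returned by `config_get_allowed_to_delete_attrs()` with no lock held, while `config_set_allowed_to_delete_attrs` (the `@@ -5557` hunk in libglobs.c) frees that same array under the write lock. A concurrent change to nsslapd-allowed-to-delete-attrs can therefore leave this loop reading freed memory. The getter should return a copy made while the read lock is held, e.g. `retVal = charray_dup(slapdFrontendConfig->allowed_to_delete_attrs);`, and this caller should free the copy once the comparison is done, as sketched below. The one-line comment above the function could also say that the match is case-insensitive and that a NULL type is never deletable.

```c
static int
allowed_to_delete_attrs(const char *attr_type)
{
    int found = 0;

    if (attr_type) {
        /* assumes the getter returns a private copy taken under the read lock */
        char **allowed = config_get_allowed_to_delete_attrs();
        char **ap;

        for (ap = allowed; ap && *ap; ap++) {
            if (strcasecmp(attr_type, *ap) == 0) {
                found = 1;
                break;
            }
        }
        slapi_ch_array_free(allowed);
    }

    return found;
}
```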
@@ -395,14 +411,32 @@ modify_config_dse(Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e, in config_attr = (char *)mods[i]->mod_type; if (ignore_attr_type(config_attr)) continue; - - if ((mods[i]->mod_op & LDAP_MOD_DELETE) || - (mods[i]->mod_op & LDAP_MOD_ADD)) { - rc= LDAP_UNWILLING_TO_PERFORM; - PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "%s attributes is not allowed", - (mods[i]->mod_op & LDAP_MOD_DELETE) ? "Deleting" : "Adding"); - } else if (mods[i]->mod_op & LDAP_MOD_REPLACE) { - if ( (checked_all_maxdiskspace_and_mlogsize == 0 ) && + + if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { + if (apply_mods) { /* log warning once */ + slapi_log_error (SLAPI_LOG_FATAL, NULL, + "Warning: Adding configuration attribute \"%s\"\n", + config_attr); + } + rc = config_set(config_attr, mods[i]->mod_bvalues, + returntext, apply_mods); + } else if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) { + /* Need to allow deleting some configuration attrs */ + if (allowed_to_delete_attrs(config_attr)) { + rc = config_set(config_attr, mods[i]->mod_bvalues, + returntext, apply_mods); + if (apply_mods) { /* log warning once */ + slapi_log_error (SLAPI_LOG_FATAL, NULL, + "Warning: Deleting configuration attribute \"%s\"\n", + config_attr); + } + } else { + rc= LDAP_UNWILLING_TO_PERFORM; + PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, + "Deleting attributes is not allowed"); + } + } else if (SLAPI_IS_MOD_REPLACE(mods[i]->mod_op)) { + if (( checked_all_maxdiskspace_and_mlogsize == 0 ) && ((strcasecmp( mods[i]->mod_type, CONFIG_ERRORLOG_MAXLOGDISKSPACE_ATTRIBUTE) == 0) || (strcasecmp( mods[i]->mod_type, CONFIG_ERRORLOG_MAXLOGSIZE_ATTRIBUTE) == 0) || (strcasecmp( mods[i]->mod_type, CONFIG_ACCESSLOG_MAXLOGDISKSPACE_ATTRIBUTE) == 0) || diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c index b88a69a8..a7cc1bc2 100644 --- a/ldap/servers/slapd/libglobs.c +++ b/ldap/servers/slapd/libglobs.c 
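Review bot: The two warnings in the add and delete branches do not reflect the outcome of the change: the add warning is written before `config_set` runs, and the delete warning is written after it regardless of `rc`. A rejected modification is thus logged the same way as an applied one. Logging after the call under `if (apply_mods && rc == LDAP_SUCCESS)` in both branches would make the error log a reliable record of configuration changes. The delete branch also passes `mods[i]->mod_bvalues` straight to `config_set`, and that pointer may be NULL when a whole attribute is deleted; whether `config_set` tolerates this is not visible here. `modify_config_dse` begins and ends outside this hunk.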
@@ -628,7 +628,11 @@ static struct config_get_and_set { {CONFIG_ENTRYUSN_GLOBAL, config_set_entryusn_global, NULL, 0, (void**)&global_slapdFrontendConfig.entryusn_global, CONFIG_ON_OFF, - (ConfigGetFunc)config_get_entryusn_global} + (ConfigGetFunc)config_get_entryusn_global}, + {CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE, config_set_allowed_to_delete_attrs, + NULL, 0, + (void**)&global_slapdFrontendConfig.allowed_to_delete_attrs, + CONFIG_STRING, (ConfigGetFunc)config_get_allowed_to_delete_attrs} #ifdef MEMPOOL_EXPERIMENTAL ,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch, NULL, 0, @@ -1007,6 +1011,10 @@ FrontendConfig_init () { cfg->auditlog_exptimeunit = slapi_ch_strdup("month"); cfg->entryusn_global = LDAP_OFF; + slapi_ch_array_add(&(cfg->allowed_to_delete_attrs), + slapi_ch_strdup("nsslapd-listenhost")); + slapi_ch_array_add(&(cfg->allowed_to_delete_attrs), + slapi_ch_strdup("nsslapd-securelistenhost")); #ifdef MEMPOOL_EXPERIMENTAL cfg->mempool_switch = LDAP_ON; 
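Review bot: The new table entry is typed `CONFIG_STRING`, yet its backing field `allowed_to_delete_attrs` and the getter `config_get_allowed_to_delete_attrs` both use `char **`. If the generic code that reads this table treats `CONFIG_STRING` values as `char *` (that code is not visible in this hunk), a search on cn=config would reinterpret the array pointer as a string. Either keep the setting as a single space-separated `char *` and split it at the point of use, or give the table an array-typed value kind. The table itself starts and ends outside the hunk.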
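Review bot: The default list in `FrontendConfig_init` is built from the string literals `"nsslapd-listenhost"` and `"nsslapd-securelistenhost"`, so a later rename of either attribute would silently drop it from the list. If slap.h already defines names for them (presumably `CONFIG_LISTENHOST_ATTRIBUTE` and `CONFIG_SECURELISTENHOST_ATTRIBUTE`; confirm at this revision), use those here. A comment such as `/* config attrs that may be deleted by default */` above the two calls would also tell the reader that this is the security-relevant default for nsslapd-allowed-to-delete-attrs.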
@@ -5557,6 +5565,35 @@ config_set_entryusn_global( const char *attrname, char *value, return retVal; } +char ** +config_get_allowed_to_delete_attrs(void) +{ + char **retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapdFrontendConfig->allowed_to_delete_attrs; + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; +} + +int +config_set_allowed_to_delete_attrs( const char *attrname, char *value, + char *errorbuf, int apply ) +{ + int retVal = LDAP_SUCCESS; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + if (apply) { + CFG_LOCK_WRITE(slapdFrontendConfig); + slapi_ch_array_free(slapdFrontendConfig->allowed_to_delete_attrs); + slapdFrontendConfig->allowed_to_delete_attrs = + slapi_str2charray_ext(value, " ", 0); + CFG_UNLOCK_WRITE(slapdFrontendConfig); + } + return retVal; +} + /* * This function is intended to be used from the dse code modify callback. It * is "optimized" for that case because it takes a berval** of values, which is diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h index 6f5ae54d..089c1746 100644 --- a/ldap/servers/slapd/proto-slap.h +++ b/ldap/servers/slapd/proto-slap.h @@ -372,6 +372,7 @@ int config_set_accesslogbuffering(const char *attrname, char *value, char *error int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply); int config_set_force_sasl_external(const char *attrname, char *value, char *errorbuf, int apply ); int config_set_entryusn_global( const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_allowed_to_delete_attrs( const char *attrname, char *value, char *errorbuf, int apply ); #if !defined(_WIN32) && !defined(AIX) 
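Review bot: `config_set_allowed_to_delete_attrs` accepts any `value` without checking it: `attrname` and `errorbuf` are unused and the function returns `LDAP_SUCCESS` on every path. A NULL or empty value therefore silently replaces the default list with whatever `slapi_str2charray_ext` produces for it. A guard before the `apply` block, e.g. `if (config_value_is_null(attrname, value, errorbuf, 0)) return LDAP_OPERATIONS_ERROR;` (assuming that helper exists in libglobs.c at this revision), would reject such input and fill `errorbuf`. Because this list decides which cn=config attributes can be removed, a header comment should state the value format (space-separated attribute names) and that setting it replaces the whole list rather than extending it.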
@@ -512,6 +513,7 @@ int config_get_system_page_bits(); #endif int config_get_force_sasl_external(); int config_get_entryusn_global(void); +char **config_get_allowed_to_delete_attrs(void); int is_abspath(const char *); char* rel2abspath( char * ); diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h index 1f4afd91..cac60eb2 100644 --- a/ldap/servers/slapd/slap.h +++ b/ldap/servers/slapd/slap.h @@ -1906,6 +1906,7 @@ typedef struct _slapdEntryPoints { #define CONFIG_OUTBOUND_LDAP_IO_TIMEOUT_ATTRIBUTE "nsslapd-outbound-ldap-io-timeout" #define CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE "nsslapd-force-sasl-external" #define CONFIG_ENTRYUSN_GLOBAL "nsslapd-entryusn-global" +#define CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE "nsslapd-allowed-to-delete-attrs" #ifdef MEMPOOL_EXPERIMENTAL #define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool" @@ -2123,6 +2124,7 @@ typedef struct _slapdFrontendConfig { #endif /* MEMPOOL_EXPERIMENTAL */ int force_sasl_external; /* force SIMPLE bind to be SASL/EXTERNAL if client cert credentials were supplied */ int entryusn_global; /* Entry USN: Use global counter */ + char **allowed_to_delete_attrs;/* charray of config attrs allowed to delete */ } slapdFrontendConfig_t; /* possible values for slapdFrontendConfig_t.schemareplace */ |