From 80fb1c7aada872dd984964b87035d5850f223f01 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi
Date: Thu, 14 Jan 2010 10:58:12 -0800
Subject: ldclt: -e randombinddnfromfile fails with LDAP_UNWILLING_TO_PERFORM (53)
https://bugzilla.redhat.com/show_bug.cgi?id=555189
Resolves: bug 555189
Bug Description: ldclt code is not passing the password correctly to ldap_sasl_bind_s. The server receives NULL credential. Due to the default configuration: nsslapd-allow-unauthenticated-binds: off the unauthenticated bind fails with LDAP_UNWILLING_TO_PERFORM.
Reviewed by: rmeggins@redhat.com
Files: see diff
Branch: HEAD
Fix Description: When "-e randombinddnfromfile=file" is given, bind dn and password pair is retrieved from the file and is supposed to pass to ldap_sasl_bind_s. Although the password was read from the file, but it was not set to the berval "cred" which was passed to ldap_sasl_bind_s. Therefore, the bind operation tried to bind with bind dn and NULL password, which now fails since it's considered as an unauthenticated bind. This change fixes the problem. Also, a usage typo is being fixed.
Platforms tested: Fedora 11
Flag Day: no
Doc impact: no
---
 ldap/servers/slapd/tools/ldclt/ldapfct.c | 53 +++++++++++++++++++++-----------
 ldap/servers/slapd/tools/ldclt/ldclt.use | 2 +-
 ldap/servers/slapd/tools/ldclt/ldcltU.c | 4 +--
 3 files changed, 38 insertions(+), 21 deletions(-)
diff --git a/ldap/servers/slapd/tools/ldclt/ldapfct.c b/ldap/servers/slapd/tools/ldclt/ldapfct.c
index ac8250aa..359b5fe1 100644
--- a/ldap/servers/slapd/tools/ldclt/ldapfct.c
+++ b/ldap/servers/slapd/tools/ldclt/ldapfct.c
@@ -770,10 +770,12 @@ connectToServer (
 binddn = "";
 passwd = NULL;
 } else {
- binddn = tttctx->bufBindDN;
- passwd = tttctx->bufPasswd;
- cred.bv_val = (char *)passwd;
- cred.bv_len = strlen(passwd);
+ binddn = tttctx->bufBindDN?tttctx->bufBindDN:mctx.bindDN;
+ passwd = tttctx->bufPasswd?tttctx->bufPasswd:mctx.passwd;
+ if (passwd) {
+ cred.bv_val = (char *)passwd;
+ cred.bv_len = strlen(passwd);
+ }
 }
 if (mctx.mode & LDAP_V2)
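Review bot: When both `tttctx->bufPasswd` and `mctx.passwd` are NULL the new `if (passwd)` guard leaves `cred` untouched, so `cred.bv_val`/`cred.bv_len` keep whatever they held before this block — `cred` is declared outside the hunk, and unless it is zero-initialised there (or the bind call further down checks `passwd` before using it) the simple bind would be issued with an indeterminate credential. An explicit else keeps the berval well-defined on every path: `} else { cred.bv_val = NULL; cred.bv_len = 0; }`. The same pattern, and the same remark, applies to the createMissingNodes hunk at `@@ -2048`. Note also that the DN and the password are now chosen independently, so a per-thread `bufBindDN` can be paired with the global `mctx.passwd`; if that is the intended semantics for a random DN used with `-w`, a one-line comment saying so would help, because the bind block at `@@ -931` in the same file pairs them the other way. connectToServer continues outside the hunk.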
@@ -931,22 +933,35 @@ connectToServer (
 ((!(tttctx->binded)) || (mctx.mode & BIND_EACH_OPER))) {
 struct berval *servercredp = NULL;
+ char *binddn = NULL;
+ char *passwd = NULL;
 if (buildNewBindDN (tttctx) < 0) /*JLS 05-01-01*/
- return (-1); /*JLS 05-01-01*/
+ return (-1); /*JLS 05-01-01*/
+ if (tttctx->bufPasswd) {
+ binddn = tttctx->bufBindDN;
+ passwd = tttctx->bufPasswd;
+ } else if (mctx.passwd) {
+ binddn = mctx.bindDN;
+ passwd = mctx.passwd;
+ }
+ if (passwd) {
+ cred.bv_val = passwd;
+ cred.bv_len = strlen(passwd);
+ }
 if (mctx.mode & VERY_VERBOSE)
- printf ("ldclt[%d]: T%03d: Before ldap_simple_bind_s (%s, %s)\n",
- mctx.pid, tttctx->thrdNum, tttctx->bufBindDN,
- mctx.passwd?tttctx->bufPasswd:"NO PASSWORD PROVIDED");
- ret = ldap_sasl_bind_s (tttctx->ldapCtx, tttctx->bufBindDN, LDAP_SASL_SIMPLE,
- &cred, NULL, NULL, &servercredp); /*JLS 05-01-01*/
+ printf ("ldclt[%d]: T%03d: Before ldap_simple_bind_s (%s, %s)\n",
+ mctx.pid, tttctx->thrdNum, binddn,
+ passwd?passwd:"NO PASSWORD PROVIDED");
+ ret = ldap_sasl_bind_s (tttctx->ldapCtx, binddn,
+ LDAP_SASL_SIMPLE, &cred, NULL, NULL, &servercredp); /*JLS 05-01-01*/
 ber_bvfree(servercredp);
 if (mctx.mode & VERY_VERBOSE)
- printf ("ldclt[%d]: T%03d: After ldap_simple_bind_s (%s, %s)\n",
- mctx.pid, tttctx->thrdNum, tttctx->bufBindDN,
- mctx.passwd?tttctx->bufPasswd:"NO PASSWORD PROVIDED");
+ printf ("ldclt[%d]: T%03d: After ldap_simple_bind_s (%s, %s)\n",
+ mctx.pid, tttctx->thrdNum, binddn,
+ passwd?passwd:"NO PASSWORD PROVIDED");
 if (ret == LDAP_SUCCESS) /*JLS 18-12-00*/
- tttctx->binded = 1; /*JLS 18-12-00*/
+ tttctx->binded = 1; /*JLS 18-12-00*/
 else /*JLS 18-12-00*/
 { /*JLS 18-12-00*/
 tttctx->binded = 0; /*JLS 18-12-00*/
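Review bot: The source selection here differs from the one at `@@ -770` and `@@ -2048`: `tttctx->bufBindDN` is used only when `tttctx->bufPasswd` is also set, so a DN that buildNewBindDN has just produced without a per-thread password is dropped in favour of `mctx.bindDN`, and when neither password exists `binddn` stays NULL and the bind goes out anonymous with whatever `cred` (declared outside the hunk) already holds. If the `@@ -770` behaviour is the intended one, the same two lines would make the paths agree: `binddn = tttctx->bufBindDN ? tttctx->bufBindDN : mctx.bindDN;` and `passwd = tttctx->bufPasswd ? tttctx->bufPasswd : mctx.passwd;`, with `cred` reset to `NULL`/`0` when `passwd` is NULL. The new `char *binddn`/`char *passwd` declarations sit in a nested block of connectToServer; if the `binddn`/`passwd` assigned around line 770 are function-scope, these shadow them and `-Wshadow` will complain, so renaming them (e.g. `bindDn`, `bindPw`) avoids the confusion. The VERY_VERBOSE trace on both new printf lines still writes the bind password in clear text to stdout; a fixed marker such as `passwd ? "(password set)" : "NO PASSWORD PROVIDED"` keeps the trace useful without copying credentials into logs. The enclosing block starts and ends outside the hunk.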
@@ -2048,10 +2063,12 @@ createMissingNodes (
 binddn = "";
 passwd = NULL;
 } else {
- binddn = tttctx->bufBindDN;
- passwd = tttctx->bufPasswd;
- cred.bv_val = (char *)passwd;
- cred.bv_len = strlen(passwd);
+ binddn = tttctx->bufBindDN?tttctx->bufBindDN:mctx.bindDN;
+ passwd = tttctx->bufPasswd?tttctx->bufPasswd:mctx.passwd;
+ if (passwd) {
+ cred.bv_val = (char *)passwd;
+ cred.bv_len = strlen(passwd);
+ }
 }
 if (mctx.mode & LDAP_V2)
diff --git a/ldap/servers/slapd/tools/ldclt/ldclt.use b/ldap/servers/slapd/tools/ldclt/ldclt.use
index 4f388e64..96136909 100644
--- a/ldap/servers/slapd/tools/ldclt/ldclt.use
+++ b/ldap/servers/slapd/tools/ldclt/ldclt.use
@@ -50,7 +50,7 @@ usage: ldclt [-qQvV] [-E ]
 randombaselow=value : low value for random generator.
 randombasehigh=value : high value for random generator.
 randombinddn : random bind DN.
- randombinddnfromfile=fine : retrieve bind DN & passwd from file
+ randombinddnfromfile=file : retrieve bind DN & passwd from file
 randombinddnlow=value : low value for random generator.
 randombinddnhigh=value : high value for random generator.
 rdn=attrname:value : alternate for -f.
diff --git a/ldap/servers/slapd/tools/ldclt/ldcltU.c b/ldap/servers/slapd/tools/ldclt/ldcltU.c
index 7540c5f4..1233a558 100644
--- a/ldap/servers/slapd/tools/ldclt/ldcltU.c
+++ b/ldap/servers/slapd/tools/ldclt/ldcltU.c
@@ -100,7 +100,7 @@
 * randombaselow=value : low value for random generator.
 * randombasehigh=value : high value for random generator.
 * randombinddn : random bind DN.
- * randombinddnfromfile=fine : retrieve bind DN & passwd from file
+ * randombinddnfromfile=file : retrieve bind DN & passwd from file
 * randombinddnlow=value : low value for random generator.
 * randombinddnhigh=value : high value for random generator.
 * rdn=attrname:value : alternate for -f.
@@ -195,7 +195,7 @@ void usage ()
 (void) printf (" randombaselow=value : low value for random generator.\n");
 (void) printf (" randombasehigh=value : high value for random generator.\n");
 (void) printf (" randombinddn : random bind DN.\n");
- (void) printf (" randombinddnfromfile=fine : retrieve bind DN & passwd from file\n");
+ (void) printf (" randombinddnfromfile=file : retrieve bind DN & passwd from file\n");
 (void) printf (" randombinddnlow=value : low value for random generator.\n");
 (void) printf (" randombinddnhigh=value : high value for random generator.\n");
 (void) printf (" rdn=attrname:value : alternate for -f.\n");
-- cgit