From da60a75c5fabda105b941751f6b0115ff734f3f9 Mon Sep 17 00:00:00 2001
From: Rich Megginson
Date: Tue, 2 Dec 2008 15:29:31 +0000
Subject: Resolves: bug 469261
Bug Description: Support server-to-server SASL - console chaining, server cleanup
Reviewed by: nkinder (Thanks!)
Fix Description: There are two sets of diffs here. The first set adds tls, gssapi, and digest to the chaining database (aka database link) panels in the console. I had to add support for revert to some of the code to make the Reset button work without having to retrieve the values from the server each time. We already store the original values locally in the _origModel - I added code to allow the use of that in the Reset button. The second set of diffs is for the server. 1) I had to add support for "SIMPLE" for bindMechanism - this translates to LDAP_SASL_SIMPLE for the actual mechanism. This value is NULL, so I had to add handling for NULL values in the cb config code (slapi_ch_* work fine with NULL values). 2) Added some more debugging/tracing code 3) The server to server SSL code would only work if the server were configured to be an SSL server. But for the server to be an SSL client, it only needs NSS initialized and to have the CA cert. It also needs to configured some of the SSL settings and install the correct policy. I changed the server code to do this.
Platforms tested: RHEL5
Flag Day: no
Doc impact: Yes
---
 ldap/servers/slapd/ssl.c | 128 +++--------------------------------------------
 1 file changed, 8 insertions(+), 120 deletions(-)
(limited to 'ldap/servers/slapd/ssl.c')
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index abb127f9..0b895987 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -459,6 +459,14 @@ slapd_nss_init(int init_ssl, int config_available)
 rv = -1;
 }
+ if(SSLPLCY_Install() != PR_SUCCESS) {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("Security Initialization: Unable to set SSL export policy ("
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+ errorCode, slapd_pr_strerror(errorCode));
+ return -1;
+ }
+
 /****** end of NSS Initialization ******/
 slapi_ch_free_string(&certdir);
@@ -622,15 +630,6 @@ slapd_ssl_init() {
 }
 freeConfigEntry( &entry );
- if(SSLPLCY_Install() != PR_SUCCESS) {
- errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Unable to set SSL export policy ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- errorCode, slapd_pr_strerror(errorCode));
- return -1;
- }
-
-
 /* ugaston- Cipher preferences must be set before any sslSocket is created
 * for such sockets to take preferences into account.
 */
@@ -1040,12 +1039,6 @@ We already do pr_init, we don't need pr_setconcurrency, we already do nss_init a
 */
-int
-slapd_SSL_client_init()
-{
- return 0;
-}
-
 int
 slapd_SSL_client_auth (LDAP* ld)
 {
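Review bot: The new failure branch after SSLPLCY_Install() in slapd_nss_init does `return -1;` directly, which bypasses the `slapi_ch_free_string(&certdir);` that follows the `/****** end of NSS Initialization ******/` marker in the same hunk, so certdir leaks on that path; the preceding failure case visible here sets `rv = -1;` and falls through to that cleanup instead. Either free it before leaving, `slapi_ch_free_string(&certdir); return -1;`, or set `rv = -1;` and fall through if the rest of the function tolerates an uninstalled policy. The warning text says "SSL export policy"; if SSLPLCY_Install can resolve to NSS's export policy on some builds, the newly enabled server-to-server client path inherits that weak cipher set too, so it is worth confirming which policy the macro installs. slapd_nss_init starts before this hunk, so whether errorCode is declared there and what callers do with -1 cannot be checked from here.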
@@ -1205,111 +1198,6 @@ slapd_SSL_client_auth (LDAP* ld)
 return rc;
 }
-int
-slapd_simple_client_bind_s(LDAP* ld, char* DN, char* pw, int LDAPv)
-{
- int rc;
- PRErrorCode errorCode;
-
- ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (void *) &LDAPv);
- rc = ldap_simple_bind_s (ld, DN, pw);
- if (rc != 0) {
- errorCode = PR_GetError();
- slapd_SSL_warn("ldap_simple_bind_s(%s, %s) %i (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- DN, pw, rc, errorCode, slapd_pr_strerror(errorCode));
- }
- LDAPDebug (LDAP_DEBUG_TRACE, "slapd_simple_client_bind_s(%s, %i) %i\n", DN, LDAPv, rc);
- return rc;
-}
-
-int
-slapd_SSL_client_bind_s (LDAP* ld, char* DN, char* pw, int use_SSL, int LDAPv)
-{
- int rc;
- struct berval noCred = {0, 0};
-
- if (!use_SSL || LDAPv == LDAP_VERSION2) {
- rc = slapd_simple_client_bind_s(ld, DN, pw, LDAPv);
- } else {
-
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_SSL_client_bind_s: Trying SSL Client Authentication\n",
- 0, 0, 0);
-
- rc = slapd_SSL_client_auth(ld);
-
- if(rc != 0)
- {
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_SSL_client_bind_s: SSL Client Auth Failed during replication Bind\n",
- 0, 0, 0);
- return rc;
- }
-
- rc = ldap_sasl_bind_s (ld, "", LDAP_SASL_EXTERNAL, &noCred,
- NULL /* LDAPControl **serverctrls */,
- NULL /* LDAPControl **clientctrls */,
- NULL /* struct berval **servercredp */);
-
- }
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_SSL_client_bind_s(%i,%i) %i\n", use_SSL, LDAPv, rc);
- return rc;
-}
-
-int
-slapd_sasl_ext_client_bind (LDAP* ld, int **msgid)
-{
- int rc;
- PRErrorCode errorCode;
- struct berval noCred = {0, 0};
-
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_sasl_ext_client_bind: Trying SSL Client Authentication\n",
- 0, 0, 0);
-
- rc = slapd_SSL_client_auth(ld);
- if(rc != 0)
- {
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_sasl_ext_client_bind: SSL Client Auth Failed during replication Bind\n",
- 0, 0, 0);
- return rc;
- }
-
- rc = ldap_sasl_bind (ld, "", LDAP_SASL_EXTERNAL, &noCred,
- NULL,
- NULL,
- *msgid);
- if (rc != 0) {
- errorCode = PR_GetError();
- slapd_SSL_warn("ldap_sasl_bind(\"\",LDAP_SASL_EXTERNAL) %i (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- rc, errorCode, slapd_pr_strerror(errorCode));
- }
-
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_sasl_ext_client_bind %i\n", rc, 0, 0);
-
- return rc;
-}
-
-
-int slapd_Client_auth(LDAP* ld)
-{
- int rc=0;
-
- rc = slapd_SSL_client_auth (ld);
-
- return rc;
-}
-
-
 /* Function for keeping track of the SSL initialization status:
 * - returns 1: when slapd_ssl_init has been executed
 */
-- cgit