From 4686de0017884ecd94b188fae4901357c274cfa1 Mon Sep 17 00:00:00 2001
From: William Brown
Date: Tue, 14 Nov 2017 16:52:48 +1000
Subject: [PATCH 7/9] Ticket 49218 - Certmap - build and schema

Bug Description: This adds support for pluggable certificate mapping libraries. To achieve this, this replaces the existing baked in certificate mapping code.

Fix Description: Support building the new types, as well as the schema to make cert types core to the server (rather than requiring admins to manually edit schema).

https://pagure.io/389-ds-base/issue/49218
https://pagure.io/lib389/issue/95
https://pagure.io/lib389/issue/84

Author: wibrown

Review by: ???
---
 Makefile.am | 60 ++++++++++++++++++--------------------
 ldap/schema/01core389.ldif | 1 +
 ldap/schema/30ns-common.ldif | 3 +-
 ldap/servers/slapd/snmp_collator.c | 3 ++
 4 files changed, 35 insertions(+), 32 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index e3b30b6..59ec64d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -98,7 +98,8 @@ AM_CPPFLAGS = $(DEBUG_DEFINES) $(GCCSEC_DEFINES) $(ASAN_DEFINES) $(PROFILING_DEF
 # WARNING: This needs a clean up, because slap.h is a horrible mess and is publically exposed!
 DSPLUGIN_CPPFLAGS = $(DS_DEFINES) $(DS_INCLUDES) $(PATH_DEFINES) $(SYSTEMD_DEFINES) $(NUNCSTANS_INCLUDES) @openldap_inc@ @ldapsdk_inc@ @nss_inc@ $(NSPR_INCLUDES) @systemd_inc@
 # This should give access to internal headers only for tests!!!
-DSINTERNAL_CPPFLAGS = -I$(srcdir)/include/ldaputil
+# DSINTERNAL_CPPFLAGS = -I$(srcdir)/include/ldaputil
+DSINTERNAL_CPPFLAGS =
 # Flags for Datastructure Library
 SDS_CPPFLAGS = $(SDS_INCLUDES) $(NSPR_INCLUDES)
 # Flags for nunc-stans
@@ -312,8 +313,7 @@ server_LTLIBRARIES =
 if RUST_ENABLE
 server_LTLIBRARIES += librsds.la
 endif
-server_LTLIBRARIES += libsds.la libnunc-stans.la libldaputil.la libslapd.la libns-dshttpd.la
-
+server_LTLIBRARIES += libsds.la libnunc-stans.la libslapd.la libns-dshttpd.la
 # this is how to add optional plugins
 if enable_pam_passthru
 
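Review bot: The first hunk keeps `# DSINTERNAL_CPPFLAGS = -I$(srcdir)/include/ldaputil` as a commented-out assignment directly under a comment that still promises "access to internal headers only for tests", while the variable is now empty and the only consumer visible in this patch (`libldaputil_la_CPPFLAGS`, removed further down) is gone. Commented-out recipe text misleads the next reader; either delete the variable together with its stale comment, or keep the empty assignment and explain it, e.g. `# Intentionally empty: libldaputil is gone; the name is kept for test CPPFLAGS that still expand it.` Whether any other target in Makefile.am still expands DSINTERNAL_CPPFLAGS is not visible here, so check before removing it outright.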
@@ -346,6 +346,7 @@ endif
 
 serverplugin_LTLIBRARIES = libacl-plugin.la \
 libaddn-plugin.la \
+ libcertmap-plugin.la \
 libattr-unique-plugin.la \
 libautomember-plugin.la libback-ldbm.la libchainingdb-plugin.la \
 libcollation-plugin.la libcos-plugin.la libderef-plugin.la \
@@ -377,14 +378,6 @@ dist_noinst_HEADERS = \
 include/base/systems.h \
 include/base/systhr.h \
 include/base/util.h \
- include/ldaputil/cert.h \
- include/ldaputil/certmap.h \
- include/ldaputil/dbconf.h \
- include/ldaputil/encode.h \
- include/ldaputil/errors.h \
- include/ldaputil/init.h \
- include/ldaputil/ldapauth.h \
- include/ldaputil/ldaputil.h \
 include/libaccess/aclerror.h \
 include/libaccess/acleval.h \
 include/libaccess/aclglobal.h \
@@ -496,7 +489,10 @@ dist_noinst_HEADERS = \
 ldap/servers/slapd/slapi_pal.h \
 ldap/servers/slapd/slapi-plugin-compat4.h \
 ldap/servers/slapd/slapi-plugin.h \
+ ldap/servers/slapd/slapi-plugin-v4.h \
 ldap/servers/slapd/slapi-private.h \
+ ldap/servers/slapd/slapi-private-v4.h \
+ ldap/servers/slapd/slapi-internal-v4.h \
 ldap/servers/slapd/snmp_collator.h \
 ldap/servers/slapd/sslerrstrs.h \
 ldap/servers/slapd/statechange.h \
@@ -531,7 +527,6 @@ dist_noinst_HEADERS = \
 ldap/systools/pio.h \
 lib/base/lexer_pvt.h \
 lib/base/plist_pvt.h \
- lib/ldaputil/ldaputili.h \
 lib/libaccess/access_plhash.h \
 lib/libaccess/aclcache.h \
 lib/libaccess/aclpriv.h \
@@ -878,6 +873,7 @@ pkgconfig_DATA = src/pkgconfig/dirsrv.pc \
 serverinc_HEADERS = ldap/servers/plugins/replication/repl-session-plugin.h \
 ldap/servers/slapd/slapi_pal.h \
 ldap/servers/slapd/slapi-plugin.h \
+ ldap/servers/slapd/slapi-plugin-v4.h \
 ldap/servers/plugins/replication/winsync-plugin.h \
 src/nunc-stans/include/nunc-stans.h \
 src/libsds/include/sds.h
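Review bot: In the `serverinc_HEADERS` hunk `ldap/servers/slapd/slapi-plugin-v4.h` becomes an installed, public header, while `slapi-private-v4.h` and `slapi-internal-v4.h` are only added to `dist_noinst_HEADERS`; the installed header must therefore not include either of the two private ones, or out-of-tree plugins building against the installed headers will fail to compile. That cannot be verified from the Makefile alone, so it is worth a grep of the new header before merging. Separately, in the `serverplugin_LTLIBRARIES` hunk `libcertmap-plugin.la` is inserted between `libaddn-plugin.la` and `libattr-unique-plugin.la`, breaking the alphabetical order the list otherwise keeps; it belongs after `libback-ldbm.la`.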
@@ -1030,21 +1026,6 @@ endif
 libavl_a_SOURCES = ldap/libraries/libavl/avl.c
 libavl_a_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS)
 
-#------------------------
-# libldaputil
-#------------------------
-libldaputil_la_SOURCES = lib/ldaputil/cert.c \
- lib/ldaputil/certmap.c \
- lib/ldaputil/dbconf.c \
- lib/ldaputil/encode.c \
- lib/ldaputil/errors.c \
- lib/ldaputil/init.c \
- lib/ldaputil/ldapauth.c \
- lib/ldaputil/vtable.c
-
-libldaputil_la_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(DSINTERNAL_CPPFLAGS) -I$(srcdir)/lib/ldaputil
-
-
 #////////////////////////////////////////////////////////////////
 #
 # Dynamic Server Libraries
@@ -1182,8 +1163,8 @@ libns_dshttpd_la_SOURCES = lib/libaccess/access_plhash.cpp \
 lib/libsi18n/reshash.c \
 lib/libsi18n/txtfile.c
 
-libns_dshttpd_la_CPPFLAGS = -I$(srcdir)/include/base $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) -I$(srcdir)/lib/ldaputil
-libns_dshttpd_la_LIBADD = libslapd.la libldaputil.la $(LDAPSDK_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK)
+libns_dshttpd_la_CPPFLAGS = -I$(srcdir)/include/base $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS)
+libns_dshttpd_la_LIBADD = libslapd.la $(LDAPSDK_LINK) $(SASL_LINK) $(NSS_LINK) $(NSPR_LINK)
 # Mark that this is a per version library.
 libns_dshttpd_la_LDFLAGS = -release @PACKAGE_VERSION@
 
@@ -1202,6 +1183,8 @@ libslapd_la_SOURCES = ldap/servers/slapd/add.c \
 ldap/servers/slapd/backend_manager.c \
 ldap/servers/slapd/bitset.c \
 ldap/servers/slapd/bulk_import.c \
+ ldap/servers/slapd/bvarray_v4.c \
+ ldap/servers/slapd/cert_v4.c \
 ldap/servers/slapd/charray.c \
 ldap/servers/slapd/ch_malloc.c \
 ldap/servers/slapd/computed.c \
@@ -1245,7 +1228,9 @@ libslapd_la_SOURCES = ldap/servers/slapd/add.c \
 ldap/servers/slapd/opshared.c \
 ldap/servers/slapd/pagedresults.c \
 ldap/servers/slapd/pblock.c \
+ ldap/servers/slapd/pblock_v4.c \
 ldap/servers/slapd/plugin.c \
+ ldap/servers/slapd/plugin_v4.c \
 ldap/servers/slapd/plugin_acl.c \
 ldap/servers/slapd/plugin_mmr.c \
 ldap/servers/slapd/plugin_internal_op.c \
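Review bot: The libldaputil hunk removes the library from the build, yet the diffstat at the top lists only four files, so `lib/ldaputil/*.c`, `include/ldaputil/*.h` and `lib/ldaputil/ldaputili.h` stay in the tree as dead code unless another patch of this 9-part series deletes them; the commit message should say which. In the next hunk `libns_dshttpd_la_CPPFLAGS` loses `-I$(srcdir)/lib/ldaputil` and the LIBADD drops `libldaputil.la`, but `libns_dshttpd_la_SOURCES` (which starts outside the hunk) still lists the libaccess and libsi18n sources; if any of them still includes an `ldaputil/` header or calls into the old library, this hunk breaks the compile or link of libns-dshttpd, so a full build of that target is the check I would want recorded in the commit.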
@@ -1267,6 +1252,8 @@ libslapd_la_SOURCES = ldap/servers/slapd/add.c \
 ldap/servers/slapd/security_wrappers.c \
 ldap/servers/slapd/slapd_plhash.c \
 ldap/servers/slapd/slapi_counter.c \
+ ldap/servers/slapd/slapi-plugin-v4.c \
+ ldap/servers/slapd/slapi-private-v4.c \
 ldap/servers/slapd/slapi2nspr.c \
 ldap/servers/slapd/snmp_collator.c \
 ldap/servers/slapd/sort.c \
@@ -1281,6 +1268,7 @@ libslapd_la_SOURCES = ldap/servers/slapd/add.c \
 ldap/servers/slapd/utf8.c \
 ldap/servers/slapd/utf8compare.c \
 ldap/servers/slapd/util.c \
+ ldap/servers/slapd/upgrade.c \
 ldap/servers/slapd/uuid.c \
 ldap/servers/slapd/value.c \
 ldap/servers/slapd/valueset.c \
@@ -1288,7 +1276,7 @@ libslapd_la_SOURCES = ldap/servers/slapd/add.c \
 ldap/servers/slapd/slapi_pal.c \
 $(libavl_a_SOURCES)
 
-libslapd_la_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(SASL_INCLUDES) @db_inc@ $(SVRCORE_INCLUDES) @kerberos_inc@ @pcre_inc@ $(SDS_CPPFLAGS)
+libslapd_la_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(SDS_CPPFLAGS) $(SASL_INCLUDES) @db_inc@ $(SVRCORE_INCLUDES) @kerberos_inc@ @pcre_inc@
 libslapd_la_LIBADD = $(LDAPSDK_LINK) $(SASL_LINK) $(SVRCORE_LINK) $(NSS_LINK) $(NSPR_LINK) $(KERBEROS_LINK) $(PCRE_LINK) $(THREADLIB) $(SYSTEMD_LINK) libsds.la
 libslapd_la_LDFLAGS = $(AM_LDFLAGS) $(SLAPD_LDFLAGS)
 
@@ -1423,6 +1411,16 @@ libaddn_plugin_la_DEPENDENCIES = libslapd.la
 libaddn_plugin_la_LDFLAGS = -avoid-version
 
 #------------------------
+# libcertmap-plugin
+#------------------------
+libcertmap_plugin_la_SOURCES = ldap/servers/plugins/certmap/certmap.c
+
+libcertmap_plugin_la_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) @pcre_inc@
+libcertmap_plugin_la_LIBADD = libslapd.la $(NSPR_LINK) $(PCRE_LINK)
+libcertmap_plugin_la_DEPENDENCIES = libslapd.la
+libcertmap_plugin_la_LDFLAGS = -avoid-version
+
+#------------------------
 # librootdn-access-plugin
 #------------------------
 #
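Review bot: The `libslapd_la_CPPFLAGS` hunk moves `$(SDS_CPPFLAGS)` from the end of the line to directly after `$(DSPLUGIN_CPPFLAGS)`, which changes the header search order for every libslapd source (the libsds and NSPR include paths now precede the SASL, db, svrcore, kerberos and pcre ones); the commit message does not mention it, so it reads as accidental. If it is deliberate, a one-line comment above the assignment should state the reason, e.g. `# SDS_CPPFLAGS before the system include paths: <reason>`, otherwise restore the original order. A smaller point in the `@@ -1281` hunk: `upgrade.c` is appended after `util.c` although the list is alphabetical and it belongs before `utf8.c`.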
@@ -1992,7 +1990,7 @@ ns_slapd_SOURCES = ldap/servers/slapd/abandon.c \
 $(GETSOCKETPEER)
 
 ns_slapd_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(SASL_INCLUDES) $(SVRCORE_INCLUDES)
-ns_slapd_LDADD = libnunc-stans.la libslapd.la libldaputil.la $(LDAPSDK_LINK) $(NSS_LINK) $(LIBADD_DL) \
+ns_slapd_LDADD = libnunc-stans.la libslapd.la $(LDAPSDK_LINK) $(NSS_LINK) $(LIBADD_DL) \
 $(NSPR_LINK) $(SASL_LINK) $(SVRCORE_LINK) $(LIBNSL) $(LIBSOCKET) $(THREADLIB) $(SYSTEMD_LINK) $(EVENT_LINK)
 ns_slapd_DEPENDENCIES = libslapd.la libnunc-stans.la
 # We need to link ns-slapd with the C++ compiler on HP-UX since we load
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index ab124c8..83d04ef 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -323,4 +323,5 @@ objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape
 objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation $ ServerKeyExtractFile $ ServerCertExtractFile ) X-ORIGIN 'Netscape' )
 objectClasses: ( 2.16.840.1.113730.3.2.327 NAME 'rootDNPluginConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( rootdn-open-time $ rootdn-close-time $ rootdn-days-allowed $ rootdn-allow-host $ rootdn-deny-host $ rootdn-allow-ip $ rootdn-deny-ip ) X-ORIGIN 'Netscape' )
 objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' )
+objectClasses: ( 2.16.840.1.113730.3.2.330 NAME 'nsDylibPlugin4' DESC 'A version 4 slapi plugin that is loaded from a platform dylib' SUP top MUST ( cn $ nsslapd-pluginpath $ nsslapd-plugininitfunc $ nsslapd-pluginenabled ) X-ORIGIN '389 Directory Server Project' )
 
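Review bot: `nsDylibPlugin4` puts `nsslapd-pluginpath`, `nsslapd-plugininitfunc` and `nsslapd-pluginenabled` in MUST but this hunk defines none of them, so schema load depends on those attribute types already being declared earlier in 01core389.ldif (presumably by the existing plugin attribute definitions, which are outside the hunk); confirm the names match exactly, since a typo here only surfaces as a schema error at startup. The DESC also says nothing about how this class relates to the existing plugin object class, or that an entry of this class makes the server load and execute the shared object named by `nsslapd-pluginpath`, which is what an administrator reviewing ACIs on cn=config needs to know. Something like `DESC 'A version 4 slapi plugin loaded from a shared library; write access to an entry of this class equals code execution in the server'` would carry both points.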
diff --git a/ldap/schema/30ns-common.ldif b/ldap/schema/30ns-common.ldif
index b095909..2b6edc1 100644
--- a/ldap/schema/30ns-common.ldif
+++ b/ldap/schema/30ns-common.ldif
@@ -53,6 +53,7 @@ attributeTypes: ( nsExecRef-oid NAME 'nsExecRef' DESC 'Netscape defined attribut
 attributeTypes: ( nsLogSuppress-oid NAME 'nsLogSuppress' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsJarfilename-oid NAME 'nsJarfilename' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsClassname-oid NAME 'nsClassname' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2337 NAME 'nsCertSubjectDN' DESC 'An x509 DN from a certificate used to map during a TLS bind process' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN '389 Directory Server Project' )
 objectClasses: ( nsAdminDomain-oid NAME 'nsAdminDomain' DESC 'Netscape defined objectclass' SUP organizationalUnit MAY ( nsAdminDomainName ) X-ORIGIN 'Netscape' )
 objectClasses: ( nsHost-oid NAME 'nsHost' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( serverHostName $ description $ l $ nsHostLocation $ nsHardwarePlatform $ nsOsVersion ) X-ORIGIN 'Netscape' )
 objectClasses: ( nsAdminGroup-oid NAME 'nsAdminGroup' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsAdminGroupName $ description $ nsConfigRoot $ nsAdminSIEDN ) X-ORIGIN 'Netscape' )
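Review bot: `nsCertSubjectDN` is given DN syntax (1.3.6.1.4.1.1466.115.121.1.12) but no EQUALITY rule, so how a subject DN taken from a client certificate is compared against stored values is left to the server's per-syntax default; for an attribute whose DESC says it drives mapping during a TLS bind, the matching semantics should be explicit so that two spellings of the same DN (case, spacing, attribute-type aliases) are normalised identically and cannot map to a different entry. Add `EQUALITY distinguishedNameMatch` to the definition. It is also worth confirming that every subject string the mapping code produces parses under DN syntax, since X.509 subjects may carry RDN types that an LDAP DN parser rejects; if they can, a directory-string syntax with a caseIgnoreMatch rule is the safer choice.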
@@ -64,4 +65,4 @@ objectClasses: ( nsAdminObject-oid NAME 'nsAdminObject' DESC 'Netscape defined o
 objectClasses: ( nsConfig-oid NAME 'nsConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( description $ nsServerPort $ nsServerAddress $ nsSuiteSpotUser $ nsErrorLog $ nsPidLog $ nsAccessLog $ nsDefaultAcceptLanguage $ nsServerSecurity ) X-ORIGIN 'Netscape' )
 objectClasses: ( nsDirectoryInfo-oid NAME 'nsDirectoryInfo' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsBindDN $ nsBindPassword $ nsDirectoryURL $ nsDirectoryFailoverList $ nsDirectoryInfoRef ) X-ORIGIN 'Netscape' )
 objectClasses: ( 2.16.840.1.113730.3.2.329 NAME 'nsMemberOf' DESC 'Allow memberOf assignment on groups for nesting and users' SUP top AUXILIARY MAY ( memberOf ) X-ORIGIN '389 Directory Server Project' )
-
+objectClasses: ( 2.16.840.1.113730.3.2.331 NAME 'nsAccount' DESC 'A representation of a user in a directory server' SUP top AUXILIARY MAY ( userCertificate $ nsCertSubjectDN ) X-ORIGIN '389 Directory Server Project' )
diff --git a/ldap/servers/slapd/snmp_collator.c b/ldap/servers/slapd/snmp_collator.c
index 5d25597..87e1625 100644
--- a/ldap/servers/slapd/snmp_collator.c
+++ b/ldap/servers/slapd/snmp_collator.c
@@ -31,6 +31,9 @@
 #include "prcvar.h"
 #include "plstr.h"
 
+#define SLAPI_PRIVATE_V4_ACKNOWLEDGE
+#include
+
 #ifdef HPUX
 /* HP-UX doesn't define SEM_FAILED like other platforms, so
  * we define it ourselves. */
-- 
1.8.3.1
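Review bot: The DESC of `nsAccount`, "A representation of a user in a directory server", does not say what the class is for, and its only MAY attributes are `userCertificate` and `nsCertSubjectDN`, i.e. it exists to let an entry be matched from a TLS client certificate (per the nsCertSubjectDN DESC added in the previous hunk). Say so, since administrators decide from the DESC which entries to attach it to: `DESC 'Auxiliary class for entries that may be bound to with a TLS client certificate; holds the certificate and its mapped subject DN'`. Note also that the hunk replaces the file's trailing blank line rather than appending after it, which is fine but means the file now ends without a newline-only line.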
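Review bot: The added `#include` in snmp_collator.c has no argument on this page (the angle-bracketed header name was most likely stripped in rendering), so the exact header cannot be reviewed here; given the `#define SLAPI_PRIVATE_V4_ACKNOWLEDGE` directly above and the new `ldap/servers/slapd/slapi-private-v4.h` listed in Makefile.am, it is presumably that private header, which should be confirmed against the real patch. Nothing in the hunk says why a statistics collector needs the private v4 API or what the acknowledge macro gates; a comment above the define would save the next reader a search, e.g. `/* snmp_collator needs the private v4 plugin API (<which call>); SLAPI_PRIVATE_V4_ACKNOWLEDGE is presumably required before including it — confirm. */`. If the macro is an opt-in guard, the same comment should also name the consequence of forgetting it.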