[Fedora-directory-commits] mod_restartd mod_restartd-2.2.c,1.2,1.3
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/mod_restartd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28940
Modified Files:
mod_restartd-2.2.c
Log Message:
Resolves: bug 480869
Description: DS console: Can not delete DS instance
Fix Description: needed to add remove to the mod_restartd uri pattern.
Index: mod_restartd-2.2.c
===================================================================
RCS file: /cvs/dirsec/mod_restartd/mod_restartd-2.2.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- mod_restartd-2.2.c 12 Jan 2009 16:47:33 -0000 1.2
+++ mod_restartd-2.2.c 26 Jan 2009 22:27:13 -0000 1.3
@@ -921,7 +921,7 @@
}
}
- ap_regcomp(&uriPat, "/.*/tasks/operation/(start|restart|stop|startconfigds|create)$",
+ ap_regcomp(&uriPat, "/.*/tasks/operation/(start|restart|stop|startconfigds|create|remove)$",
AP_REG_ICASE);
return ret;
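Review bot: The return value of ap_regcomp() on the `+` line is still discarded, so a pattern that fails to compile leaves uriPat unusable while the function still returns `ret` as if setup had succeeded; the call should be checked, e.g. `if (ap_regcomp(&uriPat, "/.*/tasks/operation/(start|restart|stop|startconfigds|create|remove)$", AP_REG_ICASE) != 0) { /* log and fail the module init */ }`. The same task list now lives in three places on this page (this regex and the two LocationMatch patterns in admserv.conf.in) with nothing recording that they must agree, so a comment above the call such as `/* keep in sync with the LocationMatch task lists in admserv.conf.in */` would help the next person who adds a task. The enclosing function starts outside the hunk, so what `ret` carries at this point is not visible here.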
[Fedora-directory-commits] ldapserver/ldap/servers/slapd modutil.c, 1.8, 1.9
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9715/ldapserver/ldap/servers/slapd
Modified Files:
modutil.c
Log Message:
Resolves: bug 481223
Bug Description: Removing Group Member in ADS and Send and Receive Updates Crashes the Directory Server
Reviewed by: nkinder (Thanks!)
Fix Description: I broke this with my earlier fix about sending mods to AD. There are calls which reset the raw entry from AD before the call to mod_already_made. The fix is to only retrieve the raw entry just before we use it, after it may have been reset. I also found a memory leak in the mod init with valueset function I added for the prior fix.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Index: modutil.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/modutil.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- modutil.c 9 Jan 2009 21:30:56 -0000 1.8
+++ modutil.c 26 Jan 2009 17:35:15 -0000 1.9
@@ -603,6 +603,8 @@
slapi_mod_set_type (smod, type);
if (svs!=NULL) {
Slapi_Value **svary = valueset_get_valuearray(svs);
+ ber_bvecfree(smod->mod->mod_bvalues);
+ smod->mod->mod_bvalues = NULL;
valuearray_get_bervalarray(svary, &smod->mod->mod_bvalues);
smod->num_values = slapi_valueset_count(svs);
smod->num_elements = smod->num_values + 1;
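Review bot: The added `smod->mod->mod_bvalues = NULL;` is overwritten by the `valuearray_get_bervalarray()` call immediately after it, so it only matters if that helper can return without touching its out-parameter; that is not visible here and deserves a comment so the line is not removed as dead code later, e.g. `/* release any array a previous init left here; the NULL keeps an empty or failed fill from dangling */`. The leak fix covers only the `svs != NULL` branch, and whether the other branch can inherit a stale mod_bvalues depends on code outside the hunk. The enclosing function starts and ends outside the hunk.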
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication windows_protocol_util.c, 1.49, 1.50
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9715/ldapserver/ldap/servers/plugins/replication
Modified Files:
windows_protocol_util.c
Log Message:
Resolves: bug 481223
Bug Description: Removing Group Member in ADS and Send and Receive Updates Crashes the Directory Server
Reviewed by: nkinder (Thanks!)
Fix Description: I broke this with my earlier fix about sending mods to AD. There are calls which reset the raw entry from AD before the call to mod_already_made. The fix is to only retrieve the raw entry just before we use it, after it may have been reset. I also found a memory leak in the mod init with valueset function I added for the prior fix.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Index: windows_protocol_util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_protocol_util.c,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -r1.49 -r1.50
--- windows_protocol_util.c 13 Jan 2009 18:28:34 -0000 1.49
+++ windows_protocol_util.c 26 Jan 2009 17:35:14 -0000 1.50
@@ -62,7 +62,7 @@
static Slapi_Entry* windows_entry_already_exists(Slapi_Entry *e);
static void extract_guid_from_entry_bv(Slapi_Entry *e, const struct berval **bv);
#endif
-static void windows_map_mods_for_replay(Private_Repl_Protocol *prp,LDAPMod **original_mods, LDAPMod ***returned_mods, int is_user, char** password, const Slapi_Entry *ad_entry);
+static void windows_map_mods_for_replay(Private_Repl_Protocol *prp,LDAPMod **original_mods, LDAPMod ***returned_mods, int is_user, char** password);
static int is_subject_of_agreement_local(const Slapi_Entry *local_entry,const Repl_Agmt *ra);
static int windows_create_remote_entry(Private_Repl_Protocol *prp,Slapi_Entry *original_entry, Slapi_DN *remote_sdn, Slapi_Entry **remote_entry, char** password);
static int windows_get_local_entry(const Slapi_DN* local_dn,Slapi_Entry **local_entry);
@@ -1290,8 +1290,7 @@
}
- windows_map_mods_for_replay(prp,op->p.p_modify.modify_mods, &mapped_mods, is_user, &password,
- windows_private_get_raw_entry(prp->agmt));
+ windows_map_mods_for_replay(prp,op->p.p_modify.modify_mods, &mapped_mods, is_user, &password);
if (is_user) {
winsync_plugin_call_pre_ad_mod_user_mods_cb(prp->agmt,
windows_private_get_raw_entry(prp->agmt),
@@ -1803,11 +1802,12 @@
error message to that effect.
*/
static int
-mod_already_made(Private_Repl_Protocol *prp, Slapi_Mod *smod, const Slapi_Entry *ad_entry)
+mod_already_made(Private_Repl_Protocol *prp, Slapi_Mod *smod)
{
int retval = 0;
int op = 0;
const char *type = NULL;
+ const Slapi_Entry *ad_entry = windows_private_get_raw_entry(prp->agmt);
if (!slapi_mod_isvalid(smod)) { /* bogus */
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
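Review bot: `ad_entry` is now fetched from `windows_private_get_raw_entry(prp->agmt)` at the top of mod_already_made, but nothing in the hunk shows a NULL check before it is used and the rest of the function lies outside the hunk; if the raw entry can be unset at this point the body needs an explicit `if (ad_entry == NULL)` path, or the existing checks should be confirmed. The reason for fetching here instead of taking a parameter is the whole point of the fix and belongs next to the declaration: `/* fetch late: callers may reset the raw entry between building the mod list and this check (bug 481223) */`. The prototype and call-site hunks in this file are consistent with the new signature.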
@@ -2062,7 +2062,7 @@
static void
-windows_map_mods_for_replay(Private_Repl_Protocol *prp,LDAPMod **original_mods, LDAPMod ***returned_mods, int is_user, char** password, const Slapi_Entry *ad_entry)
+windows_map_mods_for_replay(Private_Repl_Protocol *prp,LDAPMod **original_mods, LDAPMod ***returned_mods, int is_user, char** password)
{
Slapi_Mods smods = {0};
Slapi_Mods mapped_smods = {0};
@@ -2216,7 +2216,7 @@
}
}
/* Otherwise we do not copy this mod at all */
- if (mysmod && !mod_already_made(prp, mysmod, ad_entry)) { /* make sure this mod is still valid to send */
+ if (mysmod && !mod_already_made(prp, mysmod)) { /* make sure this mod is still valid to send */
slapi_mods_add_ldapmod(&mapped_smods, slapi_mod_get_ldapmod_passout(mysmod));
}
if (mysmod) {
[Fedora-directory-commits] coolkey/applet/src/com/redhat/ckey/applet CardEdge.java, 1.4, 1.4.2.1
by Jack Magne
Author: jmagne
Update of /cvs/dirsec/coolkey/applet/src/com/redhat/ckey/applet
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1416
Modified Files:
Tag: COOLKEY_330J_BRANCH
CardEdge.java
Log Message:
Fix to allow tokens with small amounts of volatile memory to run. Bug#480111.
Index: CardEdge.java
===================================================================
RCS file: /cvs/dirsec/coolkey/applet/src/com/redhat/ckey/applet/CardEdge.java,v
retrieving revision 1.4
retrieving revision 1.4.2.1
diff -u -r1.4 -r1.4.2.1
--- CardEdge.java 12 Nov 2007 19:24:51 -0000 1.4
+++ CardEdge.java 24 Jan 2009 00:54:20 -0000 1.4.2.1
@@ -122,9 +122,9 @@
private static final byte VERSION_PROTOCOL_MAJOR = 1;
private static final byte VERSION_PROTOCOL_MINOR = 1;
private static final byte VERSION_APPLET_MAJOR = 1;
- private static final byte VERSION_APPLET_MINOR = 3;
- private static final short BUILDID_MAJOR = (short) 0x4734;
- private static final short BUILDID_MINOR = (short) 0xb002;
+ private static final byte VERSION_APPLET_MINOR = 4;
+ private static final short BUILDID_MAJOR = (short) 0x4979;
+ private static final short BUILDID_MINOR = (short) 0x178d;
private static final short ZEROS = 0;
// * Enable pin size check
@@ -484,6 +484,7 @@
private byte[] keyTries; // persistent
private byte[] issuerInfo; // persistent
+
/**
* Instance variable array declarations - TRANSIENT
* Allocated by JCSystem.makeTransientXxxxxArray calls below.
@@ -524,6 +525,7 @@
signatures = new Signature [MAX_NUM_KEYS];
default_nonce = new byte [NONCE_SIZE];
issuerInfo = new byte [ISSUER_INFO_SIZE];
+ iobuf = new byte [IOBUF_ALLOC];
for (byte i = 0; i < MAX_NUM_KEYS; i++) {
keyTries[i] = MAX_KEY_TRIES;
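Review bot: `iobuf = new byte [IOBUF_ALLOC];` moves the I/O buffer from a CLEAR_ON_DESELECT transient array (the allocation commented out in the initTransient hunk below) into persistent memory, so whatever the last command left in it now survives deselect and power loss and is no longer wiped by the runtime; if the applet stages PIN or key material there, which is not visible in this hunk, that data is now retained on the card between sessions. If the trade-off is required for low-RAM tokens, the applet should wipe the buffer itself at the end of command processing, for example with `Util.arrayFillNonAtomic(iobuf, (short) 0, IOBUF_ALLOC, (byte) 0)` on the APDU handler's exit path, and the field should be documented alongside the other persistent declarations as `// persistent: was transient; cleared explicitly, not by the JCRE`. Persistent allocation also turns every write to iobuf into an EEPROM write, which is worth a note for wear.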
@@ -2792,8 +2794,8 @@
private void initTransient()
{
- iobuf = JCSystem.makeTransientByteArray(IOBUF_ALLOC,
- JCSystem.CLEAR_ON_DESELECT);
+ //iobuf = JCSystem.makeTransientByteArray(IOBUF_ALLOC,
+ // JCSystem.CLEAR_ON_DESELECT);
ciph_dirs = JCSystem.makeTransientByteArray(MAX_NUM_KEYS,
JCSystem.CLEAR_ON_DESELECT);
//
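Review bot: The two `//iobuf = JCSystem.makeTransientByteArray(...)` lines leave the old allocation as commented-out code; version control already keeps that history, so they should be deleted and replaced by a one-line reason such as `// iobuf is allocated persistently in the constructor: transient RAM is too small on some tokens (bug 480111)`. initTransient continues past the end of the hunk.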
[Fedora-directory-commits] coolkey/src/libckyapplet cky_card.c, 1.1, 1.2
by Jack Magne
Author: jmagne
Update of /cvs/dirsec/coolkey/src/libckyapplet
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27302
Modified Files:
cky_card.c
Log Message:
Fix to allow protocol T1 cards to work. Bug# 479880.
Index: cky_card.c
===================================================================
RCS file: /cvs/dirsec/coolkey/src/libckyapplet/cky_card.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- cky_card.c 9 Jun 2006 18:44:17 -0000 1.1
+++ cky_card.c 24 Jan 2009 00:08:01 -0000 1.2
@@ -129,6 +129,7 @@
SCardGetStatusChangeFn SCardGetStatusChange;
SCardCancelFn SCardCancel;
SCARD_IO_REQUEST *SCARD_PCI_T0_;
+ SCARD_IO_REQUEST *SCARD_PCI_T1_;
} SCard;
#define GET_ADDRESS(library, scard, name) \
@@ -195,6 +196,12 @@
if( status != CKYSUCCESS ) {
goto fail;
}
+
+ status = ckyShLibrary_getAddress( library,
+ (void**) &scard->SCARD_PCI_T1_, MAKE_DLL_SYMBOL(g_rgSCardT1Pci));
+ if( status != CKYSUCCESS ) {
+ goto fail;
+ }
return scard;
fail:
@@ -884,6 +891,7 @@
SCARDHANDLE cardHandle;
unsigned long lastError;
CKYBool inTransaction;
+ unsigned long protocol;
};
static void
@@ -894,6 +902,7 @@
conn->cardHandle = 0;
conn->lastError = 0;
conn->inTransaction = 0;
+ conn->protocol = SCARD_PROTOCOL_T0;
}
CKYCardConnection *
@@ -934,14 +943,13 @@
{
CKYStatus ret;
unsigned long rv;
- unsigned long protocol;
ret = CKYCardConnection_Disconnect(conn);
if (ret != CKYSUCCESS) {
return ret;
}
rv = conn->scard->SCardConnect( conn->ctx->context, readerName,
- SCARD_SHARE_SHARED, SCARD_PROTOCOL_T0, &conn->cardHandle, &protocol);
+ SCARD_SHARE_SHARED, SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, &conn->cardHandle, &conn->protocol);
if (rv != SCARD_S_SUCCESS) {
conn->lastError = rv;
return CKYSCARDERR;
@@ -978,7 +986,7 @@
unsigned long protocol;
rv = conn->scard->SCardReconnect(conn->cardHandle,
- SCARD_SHARE_SHARED, SCARD_PROTOCOL_T0, init, &protocol);
+ SCARD_SHARE_SHARED, SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1 , init, &protocol);
if (rv != SCARD_S_SUCCESS) {
conn->lastError = rv;
return CKYSCARDERR;
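Review bot: SCardReconnect now negotiates `SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1` but writes the chosen protocol into the local `protocol` declared at the top of the hunk instead of `conn->protocol`, so a reconnect that lands on a different protocol than the original connect leaves the T0/T1 dispatch in the transmit hunk below using the wrong PCI structure. Change the call to `SCARD_SHARE_SHARED, SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, init, &conn->protocol);` and drop the local, mirroring what the SCardConnect hunk does. The enclosing function starts and ends outside the hunk.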
@@ -1039,10 +1047,17 @@
return ret;
}
- rv = conn->scard->SCardTransmit(conn->cardHandle,
- conn->scard->SCARD_PCI_T0_,
- CKYBuffer_Data(&apdu->apduBuf), CKYBuffer_Size(&apdu->apduBuf),
- NULL, response->data, &response->len);
+ if( conn->protocol == SCARD_PROTOCOL_T0 ) {
+ rv = conn->scard->SCardTransmit(conn->cardHandle,
+ conn->scard->SCARD_PCI_T0_,
+ CKYBuffer_Data(&apdu->apduBuf), CKYBuffer_Size(&apdu->apduBuf),
+ NULL, response->data, &response->len);
+ } else {
+ rv = conn->scard->SCardTransmit(conn->cardHandle,
+ conn->scard->SCARD_PCI_T1_,
+ CKYBuffer_Data(&apdu->apduBuf), CKYBuffer_Size(&apdu->apduBuf),
+ NULL, response->data, &response->len);
+ }
if (rv != SCARD_S_SUCCESS) {
conn->lastError =rv;
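Review bot: The two SCardTransmit calls in the new if/else differ only in the PCI argument, so selecting the pointer first keeps the argument list in one place: `const SCARD_IO_REQUEST *pci = (conn->protocol == SCARD_PROTOCOL_T0) ? conn->scard->SCARD_PCI_T0_ : conn->scard->SCARD_PCI_T1_;` followed by the single original call with `pci` in place of `conn->scard->SCARD_PCI_T0_`. The else branch also assumes anything other than T0 is T1; that holds because the connect mask only requests those two, but a comment saying so would prevent surprise if the mask is ever widened. The enclosing function starts and ends outside the hunk.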
[Fedora-directory-commits] console/src/com/netscape/management/client/security CertInstallCertNamePage.java, 1.1.1.1, 1.2
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/console/src/com/netscape/management/client/security
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30150/console/src/com/netscape/management/client/security
Modified Files:
CertInstallCertNamePage.java
Log Message:
Resolves: bug 481176
Bug Description: Null Pointer Exception Attempting to Install CA Certificate
Reviewed by: nhosoi (Thanks!)
Fix Description: The problem is that the certificate is not recognized by NSS as a CA certificate because it is missing some flags and the basic constraint extension for CAs. The wizard code wrongly assumed that any certificate being installed in this context is a CA cert. I changed the code to handle other types of certs. However, this doesn't fix the problem where the CA cert shows up under Server Certs instead of CA Certs, because only "real" CA certs with the proper settings will show up under the CA Certs list.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Index: CertInstallCertNamePage.java
===================================================================
RCS file: /cvs/dirsec/console/src/com/netscape/management/client/security/CertInstallCertNamePage.java,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- CertInstallCertNamePage.java 18 Jul 2005 00:34:15 -0000 1.1.1.1
+++ CertInstallCertNamePage.java 23 Jan 2009 20:45:06 -0000 1.2
@@ -41,8 +41,15 @@
if (dataModel.getValue("certtype").equals(Integer.toString(CertInstallWizard.CA))) {
CertificateList certList = (CertificateList)(dataModel.getValue("certlist"));
Vector cert = (Vector)(certList.getCACerts());
- certName.setText(KeyCertUtility.getCertName((Hashtable)(cert.elementAt(0)), _tokenName, _consoleInfo, _sie));
-
+ if ((cert == null) || cert.isEmpty()) {
+ cert = (Vector)(certList.getServerCerts());
+ }
+ if ((cert == null) || cert.isEmpty()) {
+ cert = (Vector)(certList.getCerts());
+ }
+ if ((cert != null) && !cert.isEmpty()) {
+ certName.setText(KeyCertUtility.getCertName((Hashtable)(cert.elementAt(0)), _tokenName, _consoleInfo, _sie));
+ }
certName.setEnabled(false);
certType.setText(resource.getString("CertInstallCertNamePage", "caCert"));
} else {
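Review bot: The fallback chain takes `cert.elementAt(0)` from the server-cert list and then from the full list, while the label set two lines later is still the "caCert" resource string, so a non-CA certificate installed through this page is shown with a CA-cert label; the commit message acknowledges the mislabelling, but the page could at least reflect which list the certificate was found in. When every list is empty, `certName` is left untouched with no message to the user, so a log line or a resource-string fallback in that case would make the failure visible instead of an empty field. A short comment such as `// NSS only classifies certs carrying the CA basic constraint as CA certs; fall back to the other lists so a cert without it can still be named` would record why the chain exists.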
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/acl acllas.c, 1.15, 1.16
by Noriko Hosoi
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/acl
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29803
Modified Files:
acllas.c
Log Message:
Resolves: #208076
Summary: userattr="parent[1].<attribute>#LDAPURL" does not work
Description: It turned out userattr="parent[1].<attribute>#LDAPURL" was not
implemented. The functionality has been implemented with this change.
Index: acllas.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/acl/acllas.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- acllas.c 5 Dec 2008 22:41:50 -0000 1.15
+++ acllas.c 23 Jan 2009 20:44:14 -0000 1.16
@@ -248,6 +248,7 @@
char *n_clientdn,
struct acl_pblock *aclpb);
static int acllas__verify_client (Slapi_Entry* e, void *callback_data);
+static int acllas__verify_ldapurl (Slapi_Entry* e, void *callback_data);
static char* acllas__dn_parent( char *dn, int level);
static int acllas__get_members (Slapi_Entry* e, void *callback_data);
static int acllas__client_match_URL (struct acl_pblock *aclpb,
@@ -1129,6 +1130,7 @@
char *attr;
int result;
char *clientdn;
+ Acl_PBlock *aclpb
};
#define ACLLAS_MAX_LEVELS 10
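Review bot: The added member `Acl_PBlock *aclpb` has no terminating semicolon before the closing `};`, which does not compile as shown; if the archive rendering dropped it this is moot, otherwise the line must read `Acl_PBlock *aclpb;`. The struct is named userdnattr_info but is now shared with the new LDAPURL evaluator through this field, so a comment on the member, `/* needed by acllas__verify_ldapurl for URL matching */`, would explain why an ACL pblock lives here.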
int
@@ -1360,6 +1362,237 @@
return rc;
}
+
+/***************************************************************************
+*
+* DS_LASLdapUrlAttrEval
+*
+*
+* Input:
+* attr_name The string "ldapurl" - in lower case.
+* comparator CMP_OP_EQ or CMP_OP_NE only
+* attr_pattern A comma-separated list of users
+* cachable Always set to FALSE.
+* subject Subject property list
+* resource Resource property list
+* auth_info Authentication info, if any
+* las_info LAS info to pass the resource entry
+*
+* Returns:
+* retcode The usual LAS return codes.
+*
+* Error Handling:
+* None.
+*
+**************************************************************************/
+int
+DS_LASLdapUrlAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
+ char *attr_pattern, int *cachable, void **LAS_cookie,
+ PList_t subject, PList_t resource, PList_t auth_info,
+ PList_t global_auth, lasInfo lasinfo)
+{
+
+ char *n_currEntryDn = NULL;
+ char *s_attrName = NULL, *attrName = NULL;
+ char *ptr;
+ int matched;
+ int rc, len, i;
+ int levels[ACLLAS_MAX_LEVELS];
+ int numOflevels =0;
+ struct userdnattr_info info;
+ char *attrs[2] = { LDAP_ALL_USER_ATTRS, NULL };
+ int got_undefined = 0;
+
+ /*
+ ** The ldapurlAttr syntax is
+ ** userdnattr = <attribute> or
+ ** userdnattr = parent[0,2,4].attribute"
+ ** Ex:
+ ** userdnattr = manager; or
+ ** userdnattr = "parent[0,2,4].manager";
+ **
+ ** Here 0 means current level, 2 means grandfather and
+ ** 4 (great great grandfather)
+ **
+ ** The function of this LAS is to compare the value of the
+ ** attribute in the Slapi_Entry with the "ldapurl".
+ **
+ ** Ex: ldapurl: ldap:///dc=example,dc=com??sub?(l=Mountain View)
+ ** and in the Slapi_Entry of the bind user has
+ ** l = Mountain View. Compare the bind user's 'l' and the value to
+ ** determine the result.
+ **
+ */
+ s_attrName = attrName = slapi_ch_strdup(attr_pattern);
+
+ /* ignore leading/trailing whitespace */
+ while (ldap_utf8isspace(attrName)) LDAP_UTF8INC(attrName);
+ len = strlen(attrName);
+ ptr = attrName+len-1;
+ while (ptr >= attrName && ldap_utf8isspace(ptr)) {
+ *ptr = '\0';
+ LDAP_UTF8DEC(ptr);
+ }
+
+ /* See if we have a parent[2].attr" rule */
+ if ( (ptr = strstr(attrName, "parent[")) != NULL) {
+ char *word, *str, *next;
+
+ numOflevels = 0;
+ n_currEntryDn = slapi_entry_get_ndn ( lasinfo.resourceEntry );
+ str = attrName;
+
+ word = ldap_utf8strtok_r(str, "[],. ",&next);
+ /* The first word is "parent[" and so it's not important */
+
+ while ((word= ldap_utf8strtok_r(NULL, "[],.", &next)) != NULL) {
+ if (ldap_utf8isdigit(word)) {
+ while (word && ldap_utf8isspace(word)) LDAP_UTF8INC(word);
+ if (numOflevels < ACLLAS_MAX_LEVELS)
+ levels[numOflevels++] = atoi (word);
+ else {
+ /*
+ * Here, ignore the extra levels..it's really
+ * a syntax error which should have been ruled out at parse time
+ */
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "DS_LASLdapUrlattr: Exceeded the ATTR LIMIT:%d: Ignoring extra levels\n",
+ ACLLAS_MAX_LEVELS);
+ }
+ } else {
+ /* Must be the attr name. We can goof of by
+ ** having parent[1,2,a] but then you have to be
+ ** stupid to do that.
+ */
+ char *p = word;
+ if (*--p == '.') {
+ attrName = word;
+ break;
+ }
+ }
+ }
+ info.attr = attrName;
+ info.clientdn = lasinfo.clientDn;
+ info.aclpb = lasinfo.aclpb;
+ info.result = 0;
+ } else {
+ levels[0] = 0;
+ numOflevels = 1;
+
+ }
+
+ /* No attribute name specified--it's a syntax error and so undefined */
+ if (attrName == NULL ) {
+ slapi_ch_free ( (void**) &s_attrName);
+ return LAS_EVAL_FAIL;
+ }
+
+ slapi_log_error( SLAPI_LOG_ACL, plugin_name,"Attr:%s\n" , attrName);
+ matched = ACL_FALSE;
+ for (i = 0; i < numOflevels; i++) {
+ if ( levels[i] == 0 ) { /* parent[0] or the target itself */
+ Slapi_Value *sval = NULL;
+ const struct berval *attrVal;
+ Slapi_Attr *attrs;
+ int i;
+
+ /* Get the attr from the resouce entry */
+ if ( 0 == slapi_entry_attr_find (lasinfo.resourceEntry,
+ attrName, &attrs) ) {
+ i = slapi_attr_first_value ( attrs, &sval );
+ if ( i == -1 ) {
+ /* Attr val not there
+ * so it's value cannot equal other one */
+ matched = ACL_FALSE;
+ continue; /* try next level */
+ }
+ } else {
+ /* Not there so it cannot equal another one */
+ matched = ACL_FALSE;
+ continue; /* try next level */
+ }
+
+ while ( matched != ACL_TRUE && (sval != NULL)) {
+ attrVal = slapi_value_get_berval ( sval );
+ matched = acllas__client_match_URL ( lasinfo.aclpb,
+ lasinfo.clientDn,
+ attrVal->bv_val);
+ if ( matched != ACL_TRUE )
+ i = slapi_attr_next_value ( attrs, i, &sval );
+ if ( matched == ACL_DONT_KNOW ) {
+ got_undefined = 1;
+ }
+ }
+ } else {
+ char *p_dn; /* parent dn */
+ Slapi_PBlock *aPb = NULL;
+
+ p_dn = acllas__dn_parent (n_currEntryDn, levels[i]);
+ if (p_dn == NULL) continue;
+
+ /* use new search internal API */
+ aPb = slapi_pblock_new ();
+
+ /*
+ * This search may be chained if chaining for ACL is
+ * is enabled in the backend and the entry is in
+ * a chained backend.
+ */
+ slapi_search_internal_set_pb ( aPb,
+ p_dn,
+ LDAP_SCOPE_BASE,
+ "objectclass=*",
+ &attrs[0],
+ 0,
+ NULL /* controls */,
+ NULL /* uniqueid */,
+ aclplugin_get_identity (ACL_PLUGIN_IDENTITY),
+ 0 /* actions */);
+
+ slapi_search_internal_callback_pb(aPb,
+ &info /* callback_data */,
+ NULL/* result_callback */,
+ acllas__verify_ldapurl,
+ NULL /* referral_callback */);
+ slapi_pblock_destroy(aPb);
+
+ /*
+ * Currently info.result is boolean so
+ * we do not need to check for ACL_DONT_KNOW
+ */
+ if (info.result) {
+ matched = ACL_TRUE;
+ slapi_log_error( SLAPI_LOG_ACL, plugin_name,
+ "userdnAttr matches at level (%d)\n", levels[i]);
+ }
+ }
+ if (matched == ACL_TRUE) {
+ break;
+ }
+ }
+ slapi_ch_free ( (void **) &s_attrName);
+
+ /*
+ * If no terms were undefined, then evaluate as normal.
+ * If there was an undefined term, but another one was TRUE,
+ * then we also evaluate as normal.
+ * Otherwise, the whole expression is UNDEFINED.
+ */
+ if ( matched == ACL_TRUE || !got_undefined ) {
+ if (comparator == CMP_OP_EQ) {
+ rc = (matched == ACL_TRUE ? LAS_EVAL_TRUE : LAS_EVAL_FALSE);
+ } else {
+ rc = (matched == ACL_TRUE ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
+ }
+ } else {
+ rc = LAS_EVAL_FAIL;
+ slapi_log_error( SLAPI_LOG_ACL, plugin_name,
+ "Returning UNDEFINED for userdnattr evaluation.\n");
+ }
+
+ return rc;
+}
+
/***************************************************************************
*
* DS_LASAuthMethodEval
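Review bot: In the parent-level branch of DS_LASLdapUrlAttrEval, `if (info.result)` treats any nonzero value as a match, but acllas__verify_ldapurl (added later in this diff) stores the raw return of acllas__client_match_URL there, which can be ACL_DONT_KNOW — a value the level-0 branch of this same function already tests for separately and which is distinct from ACL_FALSE, so presumably nonzero — and the copied comment claiming the result is boolean no longer holds, so an undefined URL comparison at a parent level would be evaluated as a grant. Change the test to `if (info.result == ACL_TRUE) { matched = ACL_TRUE; ... } else if (info.result == ACL_DONT_KNOW) { got_undefined = 1; }`. Separately, `attrName` is only reassigned when a word preceded by `.` is found, so for a pattern like `parent[1]` with no attribute it still points at the strtok-truncated buffer and the `attrName == NULL` check can never fire. The inner `Slapi_Attr *attrs` and `int i` shadow the outer `char *attrs[2]` and the loop index, and the log strings still say `userdnAttr` / `userdnattr` for what is the ldapurl rule; the leading syntax comment likewise still describes `userdnattr`.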
@@ -2764,9 +2997,8 @@
i = slapi_attr_first_value ( attr,&sval );
while ( i != -1 ) {
- attrVal = slapi_value_get_berval ( sval );
- val = slapi_dn_normalize (
- slapi_ch_strdup(attrVal->bv_val));
+ attrVal = slapi_value_get_berval ( sval );
+ val = slapi_dn_normalize(slapi_ch_strdup(attrVal->bv_val));
if (slapi_utf8casecmp((ACLUCHP)val, (ACLUCHP)info->clientdn ) == 0) {
info->result = 1;
@@ -2778,6 +3010,56 @@
}
return 0;
}
+
+/*
+ * acllas__verify_ldapurl
+ *
+ * returns 1 if the attribute exists in the entry and
+ * it's value is equal to the client Dn.
+ * If the attribute is not in the entry, or it is and the
+ * value differs from the clientDn then returns FALSE.
+ *
+ * Verify if client's entry includes the attribute value that
+ * matches the filter in LDAPURL
+ * This is a handler from a search being done at DS_LASLdapUrlAttrEval().
+ *
+ */
+static int
+acllas__verify_ldapurl(Slapi_Entry* e, void *callback_data)
+{
+
+ Slapi_Attr *attr;
+ struct userdnattr_info *info;
+ Slapi_Value *sval;
+ const struct berval *attrVal;
+ int rc;
+
+ info = (struct userdnattr_info *) callback_data;
+ info->result = ACL_FALSE;
+
+ rc = slapi_entry_attr_find( e, info->attr, &attr);
+ if (rc != 0 || attr == NULL) {
+ return 0;
+ }
+
+ rc = slapi_attr_first_value ( attr, &sval );
+ if ( rc == -1 ) {
+ return 0;
+ }
+
+ while (rc != -1 && sval != NULL) {
+ attrVal = slapi_value_get_berval ( sval );
+ info->result = acllas__client_match_URL ( info->aclpb,
+ info->clientdn,
+ attrVal->bv_val);
+ if ( info->result == ACL_TRUE ) {
+ return 0;
+ }
+ rc = slapi_attr_next_value ( attr, rc, &sval );
+ }
+ return 0;
+}
+
/*
*
* acllas__get_members
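Review bot: acllas__verify_ldapurl overwrites `info->result` with the raw match value on every iteration, so a value that returned ACL_DONT_KNOW followed by one that returned ACL_FALSE leaves ACL_FALSE behind and the undefined result is lost, while a trailing ACL_DONT_KNOW is handed to the caller as a nonzero result. The header comment also describes a 1/FALSE contract that the body does not implement: it stores ACL_* values and only the ACL_TRUE early return pins the value. Making ACL_TRUE the only early exit, keeping ACL_DONT_KNOW sticky across the loop, and saying so in the comment gives DS_LASLdapUrlAttrEval something it can test for explicitly.
```c
static int
acllas__verify_ldapurl(Slapi_Entry* e, void *callback_data)
{
    /* … unchanged: locals, attribute lookup, first-value fetch … */
    while (rc != -1 && sval != NULL) {
        int m;
        attrVal = slapi_value_get_berval ( sval );
        m = acllas__client_match_URL ( info->aclpb, info->clientdn, attrVal->bv_val );
        if ( m == ACL_TRUE ) {
            info->result = ACL_TRUE;
            return 0;
        }
        if ( m == ACL_DONT_KNOW ) {
            /* sticky: a later ACL_FALSE must not hide an undefined term */
            info->result = ACL_DONT_KNOW;
        }
        rc = slapi_attr_next_value ( attr, rc, &sval );
    }
    return 0;
}
```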
@@ -2847,7 +3129,6 @@
int rc;
int matched = ACL_FALSE;
char *p;
- int URLAttrRule = 0;
lasInfo lasinfo;
int got_undefined = 0;
@@ -2882,7 +3163,10 @@
subject, resource, auth_info, global_auth);
goto done_las;
} else if ( 0 == strncasecmp ( attrValue, "LDAPURL", 7) ) {
- URLAttrRule = 1;
+ matched = DS_LASLdapUrlAttrEval(errp, DS_LAS_USERATTR, comparator,
+ attrName, cachable, LAS_cookie,
+ subject, resource, auth_info, global_auth, lasinfo);
+ goto done_las;
} else if ( 0 == strncasecmp ( attrValue, "ROLEDN", 6)) {
matched = DS_LASRoleDnAttrEval (errp,DS_LAS_ROLEDN, comparator,
attrName, cachable, LAS_cookie,
@@ -2894,7 +3178,6 @@
/* SD 00/16/03 pass NULL in case the req is chained */
char **attrs=NULL;
-
/* Use new search internal API */
Slapi_PBlock *aPb = slapi_pblock_new ();
/*
@@ -2924,54 +3207,23 @@
slapi_log_error ( SLAPI_LOG_ACL, plugin_name,
"DS_LASUserAttrEval: AttrName:%s, attrVal:%s\n", attrName, attrValue );
- if ( URLAttrRule ) {
- Slapi_Value *sval=NULL;
- const struct berval *attrVal;
- Slapi_Attr *attrs;
- int i;
-
- /* Get the attr from the resouce entry */
- if ( 0 == slapi_entry_attr_find (lasinfo.resourceEntry, attrName, &attrs) ) {
- i= slapi_attr_first_value ( attrs, &sval );
- if ( i==-1 ) {
- matched = ACL_FALSE; /* Attr val not there so it's value cannot equal other one */
- goto done_acl;
- }
- } else {
- matched = ACL_FALSE; /* Not there so it cannot equal another one */
- goto done_acl;
- }
-
- while( matched != ACL_TRUE && (sval != NULL)) {
- attrVal = slapi_value_get_berval ( sval );
- matched = acllas__client_match_URL ( lasinfo.aclpb,
- lasinfo.clientDn,
- attrVal->bv_val);
- if ( matched != ACL_TRUE )
- i = slapi_attr_next_value ( attrs, i, &sval );
- if ( matched == ACL_DONT_KNOW ) {
- got_undefined = 1;
- }
- }/* while */
- } else {
- /*
- * Here it's the userAttr = "OU#Directory Server" case.
- * Allocate the Slapi_Value on the stack and init it by reference
- * to avoid having to malloc and free memory.
- */
- Slapi_Value v;
-
- slapi_value_init_string_passin(&v, attrValue);
- rc = slapi_entry_attr_has_syntax_value ( lasinfo.resourceEntry, attrName,
- &v );
- if (rc) {
- rc = slapi_entry_attr_has_syntax_value (
- lasinfo.aclpb->aclpb_client_entry,
- attrName, &v );
- if (rc) matched = ACL_TRUE;
- }
- /* Nothing to free--cool */
+ /*
+ * Here it's the userAttr = "OU#Directory Server" case.
+ * Allocate the Slapi_Value on the stack and init it by reference
+ * to avoid having to malloc and free memory.
+ */
+ Slapi_Value v;
+
+ slapi_value_init_string_passin(&v, attrValue);
+ rc = slapi_entry_attr_has_syntax_value ( lasinfo.resourceEntry, attrName,
+ &v );
+ if (rc) {
+ rc = slapi_entry_attr_has_syntax_value (
+ lasinfo.aclpb->aclpb_client_entry,
+ attrName, &v );
+ if (rc) matched = ACL_TRUE;
}
+ /* Nothing to free--cool */
/*
* Find out what the result is, in
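Review bot: With the URLAttrRule branch removed, `Slapi_Value v;` is now a declaration that follows the slapi_log_error() statement in the same block, whereas before it opened the else block; compilers held to C89 reject a declaration after a statement, so either keep the braces around this stretch as a plain block or hoist `Slapi_Value v;` to the declarations at the top of DS_LASUserAttrEval. The `/* Nothing to free--cool */` comment now sits after the closing brace of `if (rc)` and reads as a comment on nothing; it belongs beside `slapi_value_init_string_passin`, the call that makes freeing unnecessary. The enclosing function starts and ends outside the hunk.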
@@ -2979,7 +3231,6 @@
* and got_undefined says whether a logical term evaluated to ACL_DONT_KNOW.
*
*/
-done_acl:
if ( matched == ACL_TRUE || !got_undefined) {
if (comparator == CMP_OP_EQ) {
rc = (matched == ACL_TRUE ? LAS_EVAL_TRUE : LAS_EVAL_FALSE);
[Fedora-directory-commits] adminserver/admserv/cfgstuff admserv.conf.in, 1.12, 1.13
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/adminserver/admserv/cfgstuff
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv11725
Modified Files:
admserv.conf.in
Log Message:
Resolves: bug 480869
Bug Description: DS console: Can not delete DS instance
Reviewed by: nkinder (Thanks!)
Fix Description: Enabling the password pipe breaks the other tasks - so the real solution is to enable the password pipe only for the remove task, and leave it disabled for the other tasks.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Index: admserv.conf.in
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/cfgstuff/admserv.conf.in,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- admserv.conf.in 21 Jan 2009 21:27:04 -0000 1.12
+++ admserv.conf.in 22 Jan 2009 22:03:01 -0000 1.13
@@ -119,7 +119,22 @@
# Handle Stop, Start, Restart, Instance Creation - invoke mod_restartd
# need to add instance creation because you may want to create an instance
# of DS on a low port, and instance creation starts the instance as well
-<LocationMatch /*/[tT]asks/[Oo]peration/(?i:stop|start|restart|startconfigds|create|remove)$>
+<LocationMatch /*/[tT]asks/[Oo]peration/(?i:stop|start|restart|startconfigds|create)$>
+ AuthUserFile @configdir@/admpw
+ AuthType basic
+ AuthName "Admin Server"
+ Require valid-user
+## turn off the password pipe when using mod_restartd
+ AdminSDK off
+ ADMCgiBinDir @cgibindir@
+ Options +ExecCGI
+ RetainPerms on
+ Order allow,deny
+ Allow from all
+</LocationMatch>
+
+# special case for the remove task - it needs to use the password pipe
+<LocationMatch /*/[tT]asks/[Oo]peration/(?i:remove)$>
AuthUserFile @configdir@/admpw
AuthType basic
AuthName "Admin Server"
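Review bot: The task list is now maintained in three places — this LocationMatch, the remove-only LocationMatch below it, and the `ap_regcomp` pattern in mod_restartd-2.2.c (also on this page) — with nothing recording that they must agree; a comment above the first block such as `# task names here must match the uriPat regex in mod_restartd-2.2.c` would help the next person who adds a task. The comment block above the match still lists only stop/start/restart/create, so a line noting that remove is handled in its own block because it needs the password pipe would keep the two blocks from drifting apart. The body of the remove block continues past the end of the hunk, so whether it actually sets `AdminSDK on` is not visible here.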
[Fedora-directory-commits] fedora-idm-console fedora-idm-console, 1.2, 1.3
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/fedora-idm-console
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22627
Modified Files:
fedora-idm-console
Log Message:
Resolves: bug 480631
Description: Error in shell script "fedora-idm-console" causes problems with arguments containing spaces
Fix Description: use "$@" for Console arguments
Index: fedora-idm-console
===================================================================
RCS file: /cvs/dirsec/fedora-idm-console/fedora-idm-console,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- fedora-idm-console 17 Oct 2007 22:19:44 -0000 1.2
+++ fedora-idm-console 21 Jan 2009 21:30:53 -0000 1.3
@@ -31,4 +31,4 @@
#
# Launch the Console
#
-java -cp @jssjar@:@ldapjdkjar@:$CLASSDEST/@basejar@:$CLASSDEST/@mccjar@:$CLASSDEST/@mcclangjar@:$CLASSDEST/@nmclfjar@:$CLASSDEST/@nmclflangjar@:$CLASSDEST/@themejar@ -Djava.library.path=@libdir@ -Djava.util.prefs.systemRoot="$HOME/.@prefsdir@" -Djava.util.prefs.userRoot="$HOME/.@prefsdir@" com.netscape.management.client.console.Console $*
+java -cp @jssjar@:@ldapjdkjar@:$CLASSDEST/@basejar@:$CLASSDEST/@mccjar@:$CLASSDEST/@mcclangjar@:$CLASSDEST/@nmclfjar@:$CLASSDEST/@nmclflangjar@:$CLASSDEST/@themejar@ -Djava.library.path=@libdir@ -Djava.util.prefs.systemRoot="$HOME/.@prefsdir@" -Djava.util.prefs.userRoot="$HOME/.@prefsdir@" com.netscape.management.client.console.Console "$@"
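Review bot: `"$@"` fixes the Console arguments, but the `-cp` value on the same line still expands `$CLASSDEST` unquoted, so a class directory containing whitespace splits the classpath argument in exactly the way bug 480631 describes for the arguments; quote the whole value, `-cp "@jssjar@:@ldapjdkjar@:$CLASSDEST/@basejar@:$CLASSDEST/@mccjar@:$CLASSDEST/@mcclangjar@:$CLASSDEST/@nmclfjar@:$CLASSDEST/@nmclflangjar@:$CLASSDEST/@themejar@"`. The two `-Djava.util.prefs...` values are already quoted, so this makes the line consistent.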
[Fedora-directory-commits] adminserver/admserv/cfgstuff admserv.conf.in, 1.11, 1.12
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/adminserver/admserv/cfgstuff
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21429/adminserver/admserv/cfgstuff
Modified Files:
admserv.conf.in
Log Message:
Resolves: bug 480869
Bug Description: DS console: Can not delete DS instance
Reviewed by: nhosoi (Thanks!)
Fix Description: The problem is that ds_remove does not get the admin bind dn and password, and attempts to make an anonymous bind. This fails with err=53 because DS 8.1 will not allow anonymous bind by default. The solution is to allow the admin server to pass the dn and password to the ds_remove process.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Index: admserv.conf.in
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/cfgstuff/admserv.conf.in,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- admserv.conf.in 9 Jun 2008 15:42:46 -0000 1.11
+++ admserv.conf.in 21 Jan 2009 21:27:04 -0000 1.12
@@ -124,8 +124,7 @@
AuthType basic
AuthName "Admin Server"
Require valid-user
-## turn off the password pipe when using mod_restartd
- AdminSDK off
+ AdminSDK on
ADMCgiBinDir @cgibindir@
Options +ExecCGI
RetainPerms on