[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication windows_protocol_util.c, 1.45, 1.46
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4170/ldap/servers/plugins/replication
Modified Files:
windows_protocol_util.c
Log Message:
Resolves: 381361
Summary: Add support for synchronizing the cn attribute between DS and AD.
Index: windows_protocol_util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_protocol_util.c,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -r1.45 -r1.46
--- windows_protocol_util.c 7 Jan 2009 21:45:55 -0000 1.45
+++ windows_protocol_util.c 9 Jan 2009 17:24:29 -0000 1.46
@@ -81,6 +81,8 @@
static int windows_update_remote_entry(Private_Repl_Protocol *prp,Slapi_Entry *remote_entry,Slapi_Entry *local_entry);
static int is_guid_dn(Slapi_DN *remote_dn);
static int map_windows_tombstone_dn(Slapi_Entry *e, Slapi_DN **dn, Private_Repl_Protocol *prp, int *exists);
+static int windows_check_mods_for_rdn_change(Private_Repl_Protocol *prp, LDAPMod **original_mods,
+ Slapi_Entry *local_entry, Slapi_DN *remote_dn, char **newrdn);
/* Controls the direction of flow for mapped attributes */
@@ -207,13 +209,13 @@
{ FAKE_STREET_ATTR_NAME, "street", fromwindowsonly, always, normal},
{ "userParameters", "ntUserParms", bidirectional, always, normal},
{ "userWorkstations", "ntUserWorkstations", bidirectional, always, normal},
- { "sAMAccountName", "ntUserDomainId", bidirectional, always, normal},
- /* cn is a naming attribute in AD, so we don't want to change it after entry creation */
- { "cn", "cn", towindowsonly, createonly, normal},
+ { "sAMAccountName", "ntUserDomainId", bidirectional, always, normal},
+ /* AD uses cn as it's naming attribute. We handle it as a special case */
+ { "cn", "cn", towindowsonly, createonly, normal},
/* However, it isn't a naming attribute in DS (we use uid) so it's safe to accept changes inbound */
- { "name", "cn", fromwindowsonly, always, normal},
- { "manager", "manager", bidirectional, always, dnmap},
- { "seealso", "seealso", bidirectional, always, dnmap},
+ { "name", "cn", fromwindowsonly, always, normal},
+ { "manager", "manager", bidirectional, always, dnmap},
+ { "seealso", "seealso", bidirectional, always, dnmap},
{NULL, NULL, -1}
};
@@ -224,7 +226,7 @@
/* IETF schema has 'street' and 'streetaddress' as aliases, but Microsoft does not */
{ "streetAddress", "street", towindowsonly, always, normal},
{ FAKE_STREET_ATTR_NAME, "street", fromwindowsonly, always, normal},
- { "member", "uniquemember", bidirectional, always, dnmap},
+ { "member", "uniquemember", bidirectional, always, dnmap},
{NULL, NULL, -1}
};
@@ -1229,6 +1231,7 @@
case SLAPI_OPERATION_MODIFY:
{
LDAPMod **mapped_mods = NULL;
+ char *newrdn = NULL;
windows_map_mods_for_replay(prp,op->p.p_modify.modify_mods, &mapped_mods, is_user, &password);
if (is_user) {
@@ -1249,6 +1252,17 @@
&mapped_mods);
}
+ /* Check if a naming attribute is being modified. */
+ if (windows_check_mods_for_rdn_change(prp, op->p.p_modify.modify_mods, local_entry, remote_dn, &newrdn)) {
+ /* Issue MODRDN */
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "%s: renaming remote entry \"%s\" with new RDN of \"%s\"\n",
+ agmt_get_long_name(prp->agmt), slapi_sdn_get_dn(remote_dn), newrdn);
+ return_value = windows_conn_send_rename(prp->conn, slapi_sdn_get_dn(remote_dn),
+ newrdn, NULL, 1 /* delete old RDN */,
+ NULL, NULL /* returned controls */);
+ slapi_ch_free_string(&newrdn);
+ }
+
/* It's possible that the mapping process results in an empty mod list, in which case we don't bother with the replay */
if ( mapped_mods == NULL || *(mapped_mods)== NULL )
{
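Review bot: The result of `windows_conn_send_rename` assigned to `return_value` is not checked before the code falls through to the replay of `mapped_mods`, and after a successful rename with delete-old-RDN the entry no longer lives at `remote_dn`, so a non-empty modify replayed against that DN (the code after this hunk, not visible here) would presumably target a DN that no longer exists in AD. Skip or fail the replay when the rename fails, and when it succeeds rebuild the target DN from `newrdn` plus the old parent before replaying; `newrdn` is freed immediately after the rename, so that rebuild has to happen before `slapi_ch_free_string(&newrdn);`. The enclosing SLAPI_OPERATION_MODIFY case starts before this hunk and continues past it.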
@@ -1550,11 +1564,12 @@
{
Slapi_Attr *new_attr = NULL;
- /* AD treats streetAddress as a single-valued attribute, while we define it
- * as a multi-valued attribute as it's defined in rfc 4519. We only
+ /* AD treats cn and streetAddress as a single-valued attributes, while we define
+ * them as multi-valued attribute as it's defined in rfc 4519. We only
* sync the first value to AD to avoid a constraint violation.
*/
- if (0 == slapi_attr_type_cmp(new_type, "streetAddress", SLAPI_TYPE_CMP_SUBTYPE)) {
+ if ((0 == slapi_attr_type_cmp(new_type, "streetAddress", SLAPI_TYPE_CMP_SUBTYPE)) ||
+ (0 == slapi_attr_type_cmp(new_type, "cn", SLAPI_TYPE_CMP_SUBTYPE))) {
if (slapi_valueset_count(vs) > 1) {
int i = 0;
Slapi_Value *value = NULL;
@@ -1570,7 +1585,7 @@
slapi_valueset_add_value_ext(vs, new_value, SLAPI_VALUE_FLAG_PASSIN);
}
}
- }
+ }
slapi_entry_add_valueset(new_entry,type,vs);
@@ -1716,6 +1731,166 @@
return return_value;
}
+
+static int
+windows_check_mods_for_rdn_change(Private_Repl_Protocol *prp, LDAPMod **original_mods,
+ Slapi_Entry *local_entry, Slapi_DN *remote_dn, char **newrdn)
+{
+ int ret = 0;
+ int need_rename = 0;
+ int got_entry = 0;
+ Slapi_Entry *remote_entry = NULL;
+ Slapi_Attr *remote_rdn_attr = NULL;
+ Slapi_Value *remote_rdn_val = NULL;
+ Slapi_Mods smods = {0};
+ Slapi_Mod *smod = slapi_mod_new();
+ Slapi_Mod *last_smod = smod;
+
+ LDAPDebug( LDAP_DEBUG_TRACE, "=> windows_check_mods_for_rdn_change\n", 0, 0, 0 );
+
+ /* Iterate through the original mods, looking for a modification to the RDN attribute */
+ slapi_mods_init_byref(&smods, original_mods);
+ smod = slapi_mods_get_first_smod(&smods, last_smod);
+ while(smod) {
+ /* Check if this is modifying the naming attribute (cn) */
+ if (slapi_attr_types_equivalent(slapi_mod_get_type(smod), "cn")) {
+ /* Fetch the remote entry so we can compare the new values
+ * against the existing remote value. We only need to do
+ * this once for all mods. */
+ if (!got_entry) {
+ windows_get_remote_entry(prp, remote_dn, &remote_entry);
+ if (remote_entry) {
+ /* Fetch and duplicate the cn attribute so we can perform comparisions */
+ slapi_entry_attr_find(remote_entry, "cn", &remote_rdn_attr);
+ if (remote_rdn_attr) {
+ remote_rdn_attr = slapi_attr_dup(remote_rdn_attr);
+ slapi_attr_first_value(remote_rdn_attr, &remote_rdn_val);
+ }
+ slapi_entry_free(remote_entry);
+ }
+ got_entry = 1;
+
+ /* If we didn't get the remote value for some odd reason, just bail out. */
+ if (!remote_rdn_val) {
+ slapi_mod_done(smod);
+ goto done;
+ }
+ }
+
+ if (SLAPI_IS_MOD_REPLACE(slapi_mod_get_operation(smod))) {
+ /* For a replace, we just need to check if the old value that AD
+ * has is still present after the operation. If not, we rename
+ * the entry in AD using the first new value as the RDN. */
+ Slapi_Value *new_val = NULL;
+ struct berval *bval = NULL;
+
+ /* Assume that we're going to need to do a rename. */
+ ret = 1;
+
+ /* Get the first new value, which is to be used as the RDN if we decide
+ * that a rename is necessary. */
+ bval = slapi_mod_get_first_value(smod);
+ if (bval && bval->bv_val) {
+ /* Fill in new RDN to return to caller. */
+ slapi_ch_free_string(newrdn);
+ *newrdn = slapi_ch_smprintf("cn=%s", bval->bv_val);
+
+ /* Loop through all new values to check if they match
+ * the value present in AD. */
+ do {
+ new_val = slapi_value_new_berval(bval);
+ if (slapi_value_compare(remote_rdn_attr, remote_rdn_val, new_val) == 0) {
+ /* We have a match. This means we don't want to rename the entry in AD. */
+ slapi_ch_free_string(newrdn);
+ slapi_value_free(&new_val);
+ ret = 0;
+ break;
+ }
+ slapi_value_free(&new_val);
+ bval = slapi_mod_get_next_value(smod);
+ } while (bval && bval->bv_val);
+ }
+ } else if (SLAPI_IS_MOD_DELETE(slapi_mod_get_operation(smod))) {
+ /* We need to check if the cn in AD is the value being deleted. If
+ * so, set a flag saying that we will need to do a rename. We will either
+ * get a new value added from another mod in this op, or we will need to
+ * use an old value that is left over after the delete operation. */
+ if (slapi_mod_get_num_values(smod) == 0) {
+ /* All values are being deleted, so a rename will be needed. One
+ * of the other mods will be adding the new values(s). */
+ need_rename = 1;
+ } else {
+ Slapi_Value *del_val = NULL;
+ struct berval *bval = NULL;
+
+ bval = slapi_mod_get_first_value(smod);
+ while (bval && bval->bv_val) {
+ /* Is this value the same one that is used as the RDN in AD? */
+ del_val = slapi_value_new_berval(bval);
+ if (slapi_value_compare(remote_rdn_attr, remote_rdn_val, del_val) == 0) {
+ /* We have a match. This means we need to rename the entry in AD. */
+ need_rename = 1;
+ slapi_value_free(&del_val);
+ break;
+ }
+ slapi_value_free(&del_val);
+ bval = slapi_mod_get_next_value(smod);
+ }
+ }
+ } else if (SLAPI_IS_MOD_ADD(slapi_mod_get_operation(smod))) {
+ /* We only need to care about an add if the old value was deleted. */
+ if (need_rename) {
+ /* Just grab the first new value and use it to create the new RDN. */
+ struct berval *bval = slapi_mod_get_first_value(smod);
+
+ if (bval && bval->bv_val) {
+ /* Fill in new RDN to return to caller. */
+ slapi_ch_free_string(newrdn);
+ *newrdn = slapi_ch_smprintf("cn=%s", bval->bv_val);
+ need_rename = 0;
+ ret = 1;
+ }
+ }
+ }
+ }
+
+ /* Get the next mod from this op. */
+ slapi_mod_done(smod);
+
+ /* Need to prevent overwriting old smod with NULL return value and causing a leak. */
+ smod = slapi_mods_get_next_smod(&smods, last_smod);
+ }
+
+done:
+ /* We're done with the mods and the copied cn attr from the remote entry. */
+ slapi_attr_free(&remote_rdn_attr);
+ if (last_smod) {
+ slapi_mod_free(&last_smod);
+ }
+ slapi_mods_done (&smods);
+
+ if (need_rename) {
+ /* We need to perform a rename, but we didn't get the value for the
+ * new RDN from this operation. We fetch the first value from the local
+ * entry to create the new RDN. */
+ if (local_entry) {
+ char *newval = slapi_entry_attr_get_charptr(local_entry, "cn");
+ if (newval) {
+ /* Fill in new RDN to return to caller. */
+ slapi_ch_free_string(newrdn);
+ *newrdn = slapi_ch_smprintf("cn=%s", newval);
+ slapi_ch_free_string(&newval);
+ ret = 1;
+ }
+ }
+ }
+
+ LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_check_mods_for_rdn_change: %d\n", ret, 0, 0 );
+
+ return ret;
+}
+
+
static void
windows_map_mods_for_replay(Private_Repl_Protocol *prp,LDAPMod **original_mods, LDAPMod ***returned_mods, int is_user, char** password)
{
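Review bot: The new RDN is built with `slapi_ch_smprintf("cn=%s", ...)` in three places (the replace branch, the add branch and the `need_rename` fallback after `done:`) without escaping the value, so a cn containing DN-special characters (`,`, `+`, `"`, `\`, `;`, `<`, `>`, a leading `#`, leading or trailing spaces) yields an RDN that AD parses differently from the value intended, or rejects outright; escape the value per RFC 4514 before formatting it. Separately, in the replace branch `ret = 1;` is set before `bval` is examined, so a replace that carries no values returns 1 with `*newrdn` still NULL and the caller then hands a NULL RDN to the rename; move `ret = 1;` inside `if (bval && bval->bv_val)` and treat the empty replace like the empty delete (`need_rename = 1;`) so the fallback after `done:` supplies the RDN from the local entry. The trace message at the top would also be more useful if it logged the remote DN being checked.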
@@ -3247,9 +3422,16 @@
if (!mapdn)
{
int values_equal = 0;
- /* AD has a legth contraint on the initials attribute,
- * so treat is as a special case. */
- if (0 == slapi_attr_type_cmp(type, "initials", SLAPI_TYPE_CMP_SUBTYPE)) {
+ /* We only have to deal with processing the cn here for
+ * operations coming from AD since the mapping for the
+ * to_windows case has the create only flag set. We
+ * just need to check if the value from the AD entry
+ * is already present in the DS entry. */
+ if (0 == slapi_attr_type_cmp(type, "name", SLAPI_TYPE_CMP_SUBTYPE) && !to_windows) {
+ values_equal = attr_compare_present(attr, local_attr);
+ /* AD has a legth contraint on the initials attribute,
+ * so treat is as a special case. */
+ } else if (0 == slapi_attr_type_cmp(type, "initials", SLAPI_TYPE_CMP_SUBTYPE)) {
values_equal = attr_compare_equal(attr, local_attr, AD_INITIALS_LENGTH);
/* If we're getting a streetAddress (a fake attr name is used) from AD, then
* we just check if the value in AD is present in our entry in DS. In this
@@ -3320,6 +3502,7 @@
i = slapi_valueset_next_value(vs, i, &value);
}
}
+
slapi_mods_add_mod_values(smods,LDAP_MOD_REPLACE,
local_type,valueset_get_valuearray(vs));
*do_modify = 1;
[Fedora-directory-commits] ldapserver/ldap/servers/slapd main.c, 1.30, 1.31
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4170/ldap/servers/slapd
Modified Files:
main.c
Log Message:
Resolves: 381361
Summary: Add support for synchronizing the cn attribute between DS and AD.
Index: main.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/main.c,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- main.c 7 Jan 2009 00:15:44 -0000 1.30
+++ main.c 9 Jan 2009 17:24:30 -0000 1.31
@@ -977,17 +977,23 @@
slapd_print_version(1);
exit(1);
default:
+ {
+ char *rundir = config_get_rundir();
+
/* Ensure that we can read from and write to our rundir */
- if (access(config_get_rundir(), R_OK | W_OK)) {
+ if (access(rundir, R_OK | W_OK)) {
LDAPDebug(LDAP_DEBUG_ANY, "Unable to access nsslapd-rundir: %s\n",
slapd_system_strerror(errno), 0, 0);
LDAPDebug(LDAP_DEBUG_ANY, "Ensure that user \"%s\" has read and write "
"permissions on %s\n",
- slapdFrontendConfig->localuser, config_get_rundir(), 0);
+ slapdFrontendConfig->localuser, rundir, 0);
LDAPDebug(LDAP_DEBUG_ANY, "Shutting down.\n", 0, 0, 0);
+ slapi_ch_free_string(&rundir);
exit(1);
}
+ slapi_ch_free_string(&rundir);
break;
+ }
}
/*
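Review bot: `rundir` is handed to `access()` and then to the `%s` argument of the second message without a NULL check; if `config_get_rundir()` can return NULL when nsslapd-rundir is unset (its body is not visible here), `access` fails with EFAULT and the message formats a NULL string. A guard such as `if (!rundir || access(rundir, R_OK | W_OK)) {` keeps that failure on the explicit shutdown path rather than in undefined formatting; the release of `rundir` on both the exit and break paths in this hunk is otherwise correct. The enclosing switch starts before this hunk.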
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/cos cos_cache.c, 1.9, 1.10
by Noriko Hosoi
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/cos
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12555
Modified Files:
cos_cache.c
Log Message:
Resolves: #436830
Summary: Memory leak in ns-slapd's Class Of Service
Fix Description: When all the necessary values for the template cache are not
available, the allocated memory should be discarded. One of them, pCosPriority,
was not being released.
Index: cos_cache.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/cos/cos_cache.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- cos_cache.c 18 Oct 2007 00:08:28 -0000 1.9
+++ cos_cache.c 8 Jan 2009 23:11:43 -0000 1.10
@@ -1190,7 +1190,7 @@
{
while(dnVals[valIndex])
{
- if(dnVals[valIndex]->bv_val)
+ if(dnVals[valIndex]->bv_val)
cos_cache_add_attrval(pSneakyVal,
dnVals[valIndex]->bv_val);
@@ -1269,6 +1269,8 @@
cos_cache_del_attrval_list(&pDn);
if(pAttributes)
cos_cache_del_attr_list(&pAttributes);
+ if(pCosPriority)
+ cos_cache_del_attrval_list(&pCosPriority);
}
}
/*
[Fedora-directory-commits] adminserver configure.ac, 1.27, 1.28 aclocal.m4, 1.42, 1.43 configure, 1.46, 1.47 missing, 1.32, 1.33 install-sh, 1.32, 1.33 Makefile.in, 1.49, 1.50 depcomp, 1.32, 1.33 config.sub, 1.32, 1.33 config.guess, 1.32, 1.33 compile, 1.31, 1.32
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/adminserver
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7919
Modified Files:
configure.ac aclocal.m4 configure missing install-sh
Makefile.in depcomp config.sub config.guess compile
Log Message:
initial version 1.1.7 commit
Index: configure.ac
===================================================================
RCS file: /cvs/dirsec/adminserver/configure.ac,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- configure.ac 14 Jul 2008 23:51:43 -0000 1.27
+++ configure.ac 8 Jan 2009 22:29:38 -0000 1.28
@@ -2,7 +2,7 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59)
-AC_INIT([dirsrv-admin], [1.1.6], [http://bugzilla.redhat.com/])
+AC_INIT([dirsrv-admin], [1.1.7], [http://bugzilla.redhat.com/])
AC_CONFIG_SRCDIR([admserv/cgi-src40/viewlog.c])
AM_INIT_AUTOMAKE([1.9 foreign subdir-objects])
AM_MAINTAINER_MODE
Index: configure
===================================================================
RCS file: /cvs/dirsec/adminserver/configure,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- configure 3 Sep 2008 21:42:57 -0000 1.46
+++ configure 8 Jan 2009 22:29:38 -0000 1.47
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.59 for dirsrv-admin 1.1.6.
+# Generated by GNU Autoconf 2.59 for dirsrv-admin 1.1.7.
#
# Report bugs to <http://bugzilla.redhat.com/>.
#
@@ -423,8 +423,8 @@
# Identity of this package.
PACKAGE_NAME='dirsrv-admin'
PACKAGE_TARNAME='dirsrv-admin'
-PACKAGE_VERSION='1.1.6'
-PACKAGE_STRING='dirsrv-admin 1.1.6'
+PACKAGE_VERSION='1.1.7'
+PACKAGE_STRING='dirsrv-admin 1.1.7'
PACKAGE_BUGREPORT='http://bugzilla.redhat.com/'
ac_unique_file="admserv/cgi-src40/viewlog.c"
@@ -957,7 +957,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures dirsrv-admin 1.1.6 to adapt to many kinds of systems.
+\`configure' configures dirsrv-admin 1.1.7 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1023,7 +1023,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of dirsrv-admin 1.1.6:";;
+ short | recursive ) echo "Configuration of dirsrv-admin 1.1.7:";;
esac
cat <<\_ACEOF
@@ -1202,7 +1202,7 @@
test -n "$ac_init_help" && exit 0
if $ac_init_version; then
cat <<\_ACEOF
-dirsrv-admin configure 1.1.6
+dirsrv-admin configure 1.1.7
generated by GNU Autoconf 2.59
Copyright (C) 2003 Free Software Foundation, Inc.
@@ -1216,7 +1216,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by dirsrv-admin $as_me 1.1.6, which was
+It was created by dirsrv-admin $as_me 1.1.7, which was
generated by GNU Autoconf 2.59. Invocation command line was
$ $0 $@
@@ -1860,7 +1860,7 @@
# Define the identity of the package.
PACKAGE='dirsrv-admin'
- VERSION='1.1.6'
+ VERSION='1.1.7'
cat >>confdefs.h <<_ACEOF
@@ -25613,7 +25613,7 @@
} >&5
cat >&5 <<_CSEOF
-This file was extended by dirsrv-admin $as_me 1.1.6, which was
+This file was extended by dirsrv-admin $as_me 1.1.7, which was
generated by GNU Autoconf 2.59. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -25676,7 +25676,7 @@
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-dirsrv-admin config.status 1.1.6
+dirsrv-admin config.status 1.1.7
configured by $0, generated by GNU Autoconf 2.59,
with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication windows_protocol_util.c, 1.44, 1.45
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23969/ldapserver/ldap/servers/plugins/replication
Modified Files:
windows_protocol_util.c
Log Message:
Resolves: bug 478656
Bug Description: rhds accounts are disabled in ad after full sync
Reviewed by: nkinder (Thanks!)
Fix Description: The incremental sync code calls send_accountcontrol_modify after adding an entry, but the total update code does not. I modified the code to do that. I also changed the send_accountcontrol_modify to force the account to be enabled if adding it. I tried just adding userAccountContro:512 to the default user add template, but AD does not like this - gives operations error. So you have to modify userAccountControl after adding the entry. I also cleaned up a couple of minor memory leaks.
Platforms tested: RHEL5
Flag Day: no
Doc impact: Yes - we need to document the fact that new accounts will now be created in AD enabled
Index: windows_protocol_util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_protocol_util.c,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- windows_protocol_util.c 15 Dec 2008 15:59:41 -0000 1.44
+++ windows_protocol_util.c 7 Jan 2009 21:45:55 -0000 1.45
@@ -806,7 +806,7 @@
}
static int
-send_accountcontrol_modify(Slapi_DN *sdn, Private_Repl_Protocol *prp)
+send_accountcontrol_modify(Slapi_DN *sdn, Private_Repl_Protocol *prp, int missing_entry)
{
ConnResult mod_return = 0;
Slapi_Mods smods = {0};
@@ -823,9 +823,18 @@
acctval = slapi_entry_attr_get_ulong(remote_entry, "userAccountControl");
}
slapi_entry_free(remote_entry);
+ /* if we are adding a new entry, we need to set the entry to be
+ enabled to allow AD login */
+ if (missing_entry) {
+ slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name,
+ "%s: New Windows entry %s will be enabled.\n",
+ agmt_get_long_name(prp->agmt), slapi_sdn_get_dn(sdn));
+ acctval &= ~0x2; /* unset the disabled bit, if set */
+ }
+ /* set the account to be a normal account */
acctval |= 0x0200; /* normal account == 512 */
- slapi_mods_init (&smods, 0);
+ slapi_mods_init (&smods, 0);
PR_snprintf(acctvalstr, sizeof(acctvalstr), "%lu", acctval);
slapi_mods_add_string(&smods, LDAP_MOD_REPLACE, "userAccountControl", acctvalstr);
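Review bot: The userAccountControl bits are manipulated as bare literals (`acctval &= ~0x2;` and `acctval |= 0x0200;`); naming them after the Windows ADS_UF_ACCOUNTDISABLE and ADS_UF_NORMAL_ACCOUNT flags, e.g. `#define AD_UF_ACCOUNTDISABLE 0x0002` and `#define AD_UF_NORMAL_ACCOUNT 0x0200` at file scope, makes the intent reviewable without the trailing comments. The new branch also clears the disabled bit for every newly added entry unconditionally, so a DS entry that is itself locked or inactive would still be created enabled in AD unless the caller already filters that case (not visible in this hunk); that is worth confirming and stating in the comment, since the commit's doc-impact line acknowledges the behavior change. `send_accountcontrol_modify` continues past the end of the hunk.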
@@ -1320,7 +1329,7 @@
* userAccountControl: 512 */
if (op->operation_type == SLAPI_OPERATION_ADD && missing_entry)
{
- return_value = send_accountcontrol_modify(remote_dn, prp);
+ return_value = send_accountcontrol_modify(remote_dn, prp, missing_entry);
}
}
}
@@ -1340,6 +1349,7 @@
{
slapi_sdn_free(&remote_dn);
}
+ slapi_ch_free_string(&password);
return return_value;
}
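Review bot: `password` is released with `slapi_ch_free_string(&password)` here and again at the end of the total-update function later in this diff; if it carries the cleartext password being pushed to AD (the 1.46 diff above passes it as `&password` into `windows_map_mods_for_replay`), the buffer should be cleared before it is freed so the value does not linger in released heap memory, e.g. `if (password) memset(password, 0, strlen(password));` ahead of the free. A plain `memset` before `free` can be optimized away, so an explicit-zeroing helper (`explicit_bzero` where available, or a volatile-pointer loop) is preferable if the project has one. The enclosing function starts before this hunk.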
@@ -3631,6 +3641,10 @@
}
ldap_mods_free(entryattrs, 1);
entryattrs = NULL;
+
+ if (retval == 0) { /* set the account control bits */
+ retval = send_accountcontrol_modify(remote_dn, prp, missing_entry);
+ }
}
} else
{
@@ -3659,6 +3673,7 @@
slapi_entry_free(remote_entry);
}
}
+ slapi_ch_free_string(&password);
return retval;
}
[Fedora-directory-commits] ldapserver/ldap/servers/slapd util.c, 1.24, 1.25
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29276/ldapserver/ldap/servers/slapd
Modified Files:
util.c
Log Message:
Resolves: bug 479077
Bug Description: Server to Server SASL/DIGEST-MD5 not Supported over SSL/TLS
Reviewed by: nkinder (Thanks!)
Fix Description: If using TLS/SSL, we don't need to use a sasl security layer, so just set the maxssf to 0.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Index: util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/util.c,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- util.c 6 Jan 2009 22:50:30 -0000 1.24
+++ util.c 7 Jan 2009 02:33:37 -0000 1.25
@@ -1257,6 +1257,10 @@
}
}
} else {
+ /* a SASL mech - set the sasl ssf to 0 if using TLS/SSL */
+ if (secure) {
+ ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, "maxssf=0");
+ }
rc = slapd_ldap_sasl_interactive_bind(ld, bindid, creds, mech,
serverctrls, returnedctrls,
msgidp);
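Review bot: The return value of `ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, "maxssf=0")` is ignored; if the option is rejected the bind proceeds with the default secprops and the DIGEST-MD5-over-TLS failure the commit fixes silently reappears, so check it and log the failure at LDAP_DEBUG_ANY before continuing. The comment should also record why dropping the SASL security layer is acceptable here, because the same line on a cleartext connection would remove integrity and confidentiality protection: `/* TLS already protects this session, so no SASL security layer is needed (maxssf=0); never set this on a cleartext connection */`. Whether `secure` is set only once the TLS handshake has completed, rather than when StartTLS is merely requested, is not visible in this hunk and is the condition the safety of this change rests on. The enclosing function starts before and ends after the hunk.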
[Fedora-directory-commits] ldapserver/ldap/servers/slapd main.c, 1.29, 1.30
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv26341/ldap/servers/slapd
Modified Files:
main.c
Log Message:
Resolves:479065
Summary: Only check permissions on nsslapd-rundir in normal execution mode.
Index: main.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/main.c,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- main.c 15 Dec 2008 17:42:25 -0000 1.29
+++ main.c 7 Jan 2009 00:15:44 -0000 1.30
@@ -976,17 +976,18 @@
case SLAPD_EXEMODE_PRINTVERSION:
slapd_print_version(1);
exit(1);
- }
-
- /* Ensure that we can read from and write to our rundir */
- if (access(config_get_rundir(), R_OK | W_OK)) {
- LDAPDebug(LDAP_DEBUG_ANY, "Unable to access nsslapd-rundir: %s\n",
- slapd_system_strerror(errno), 0, 0);
- LDAPDebug(LDAP_DEBUG_ANY, "Ensure that user \"%s\" has read and write "
- "permissions on %s\n",
- slapdFrontendConfig->localuser, config_get_rundir(), 0);
- LDAPDebug(LDAP_DEBUG_ANY, "Shutting down.\n", 0, 0, 0);
- exit(1);
+ default:
+ /* Ensure that we can read from and write to our rundir */
+ if (access(config_get_rundir(), R_OK | W_OK)) {
+ LDAPDebug(LDAP_DEBUG_ANY, "Unable to access nsslapd-rundir: %s\n",
+ slapd_system_strerror(errno), 0, 0);
+ LDAPDebug(LDAP_DEBUG_ANY, "Ensure that user \"%s\" has read and write "
+ "permissions on %s\n",
+ slapdFrontendConfig->localuser, config_get_rundir(), 0);
+ LDAPDebug(LDAP_DEBUG_ANY, "Shutting down.\n", 0, 0, 0);
+ exit(1);
+ }
+ break;
}
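Review bot: `config_get_rundir()` is called twice inside the new `default:` branch and its result is never released; if it returns an allocated copy (the 1.31 revision of this file on this page frees it with `slapi_ch_free_string`), both calls leak. Fetch it once into a local, use that for both `access()` and the message, and free it on both the exit and break paths. The surrounding switch starts before this hunk.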
/*
[Fedora-directory-commits] ldapserver/ldap/servers/slapd slapi-private.h, 1.31, 1.32 ava.c, 1.8, 1.9 dn.c, 1.10, 1.11 util.c, 1.23, 1.24
by Noriko Hosoi
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2079
Modified Files:
slapi-private.h ava.c dn.c util.c
Log Message:
Resolves: #438139
Summary: DN with backslash ('\') rename (modrdn) problem
Problem description:
Unescape codes in the DS (strcpy_special_undo in ava.c and
strcpy_unescape_dnvalue in dn.c) were "unescaping" more than the escape code
(e.g., escape_dn_value in NET LDAP) does escaping. The test string
'BeforeSlash\AfterSlash' fortunately/unfortunately contains '\Af', which is
considered '\##' (where # is hex number) by the DS unescape functions even
though it was not meant to be escaped. As long as using UTF-8, there is no
chance for the server to receive "\af".
Change description:
1) There were identical static functions: strcpy_special_undo (ava.c) and
strcpy_special_undo (dn.c). Merged them to strcpy_unescape_value and put it in
util.c.
2) In the unescape/normalize functions for dn (strcpy_unescape_value in util.c
and substr_dn_normalize in dn.c), added a check for the first hex number in
'\##'. If the 8th bit is on, we don't do unescaping but store it as is since
the unescaped character is not UTF-8.
3) If 2 consecutive '\'s are passed to the unescape/normalize functions, keep
one of them.
Index: slapi-private.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-private.h,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- slapi-private.h 2 Dec 2008 15:29:30 -0000 1.31
+++ slapi-private.h 6 Jan 2009 22:50:29 -0000 1.32
@@ -1111,11 +1111,12 @@
int slapd_security_library_is_initialized( void );
char* slapd_get_tmp_dir( void );
-/* Misc crrrrrrap */
+/* util.c */
#include <stdio.h> /* GGOODREPL - For BUFSIZ, below, gak */
const char* escape_string (const char* str, char buf[BUFSIZ]);
const char* escape_string_with_punctuation(const char* str, char buf[BUFSIZ]);
const char* escape_filter_value(const char* str, int len, char buf[BUFSIZ]);
+void strcpy_unescape_value( char *d, const char *s );
char *slapi_berval_get_string_copy(const struct berval *bval);
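Review bot: The new `strcpy_unescape_value( char *d, const char *s )` declaration carries no contract, and both call sites in this diff (ava.c and dn.c) pass the same buffer for `d` and `s`, so the in-place aliasing guarantee is the most important thing to state; add above it `/* Unescape s into d, which must hold at least strlen(s)+1 bytes; d may equal s (in-place), and d is always NUL-terminated. */`. Whether partial overlap with `d != s` is supported is not visible from the declaration and should be stated either way, since the function writes through `d` while reading `s`.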
Index: ava.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/ava.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- ava.c 15 Oct 2008 06:30:03 -0000 1.8
+++ ava.c 6 Jan 2009 22:50:30 -0000 1.9
@@ -96,73 +96,9 @@
*s++ = '\0';
ava->ava_type = rdn;
- strcpy_special_undo( s, s );
+ strcpy_unescape_value( s, s );
ava->ava_value.bv_val = s;
ava->ava_value.bv_len = strlen( s );
return( 0 );
}
-
-/*
-** This function takes a quoted attribute value of the form "abc",
-** and strips off the enclosing quotes. It also deals with quoted
-** characters by removing the preceeding '\' character.
-**
-*/
-static void
-strcpy_special_undo( char *d, const char *s )
-{
- const char *end = s + strlen(s);
- for ( ; s < end && *s; s++ )
- {
- switch ( *s )
- {
- case '"':
- break;
- case '\\':
- {
- /*
- * The '\' could be escaping a single character, ie \"
- * or could be escaping a hex byte, ie \01
- */
- int singlecharacter= 1;
- if ( s+2 < end )
- {
- int n = hexchar2int( s[1] );
- if ( n >= 0 )
- {
- int n2 = hexchar2int( s[2] );
- if ( n2 >= 0 )
- {
- singlecharacter= 0;
- n = (n << 4) + n2;
- if (n == 0)
- {
- /* don't change \00 */
- *d++ = *++s;
- *d++ = *++s;
- }
- else
- {
- /* change \xx to a single char */
- ++s;
- *(unsigned char*)(s+1) = n;
- }
- }
- }
- }
- if(singlecharacter)
- {
- s++;
- *d++ = *s;
- }
- break;
- }
- default:
- *d++ = *s;
- break;
- }
- }
- *d = '\0';
-}
-
Index: dn.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/dn.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- dn.c 4 Oct 2007 16:27:47 -0000 1.10
+++ dn.c 6 Jan 2009 22:50:30 -0000 1.11
@@ -138,11 +138,11 @@
char *
substr_dn_normalize( char *dn, char *end )
{
- /* \xx is changed to \c.
- * \c is changed to c, unless this would change its meaning.
- * All values that contain 2 or more separators are "enquoted";
- * all other values are not enquoted.
- */
+ /* \xx is changed to \c.
+ * \c is changed to c, unless this would change its meaning.
+ * All values that contain 2 or more separators are "enquoted";
+ * all other values are not enquoted.
+ */
char *value = NULL;
char *value_separator = NULL;
char *d = NULL;
@@ -192,22 +192,22 @@
break;
case INVALUE:
if ( gotesc ) {
- if ( SEPARATOR( *s ) ) {
- value_separator = d;
- } else if ( ! NEEDSESCAPE( *s ) ) {
- --d; /* eliminate the \ */
- }
+ if ( SEPARATOR( *s ) ) {
+ value_separator = d;
+ } else if ( ! NEEDSESCAPE( *s ) ) {
+ --d; /* eliminate the \ */
+ }
} else if ( SEPARATOR( *s ) ) {
- while ( SPACE( *(d - 1) ) )
- d--;
- if ( value_separator == dn ) { /* 2 or more separators */
+ while ( SPACE( *(d - 1) ) )
+ d--;
+ if ( value_separator == dn ) { /* 2 or more separators */
/* convert to quoted value: */
char *L = NULL; /* char after last seperator */
char *R; /* value character iterator */
int escape_skips = 0; /* number of escapes we have seen after the first */
for ( R = value; (R = strchr( R, '\\' )) && (R < d); L = ++R ) {
- if ( SEPARATOR( R[1] )) {
+ if ( SEPARATOR( R[1] )) {
if ( L == NULL ) {
/* executes once, at first escape, adds opening quote */
const size_t len = R - value;
@@ -229,113 +229,120 @@
--d;
++escape_skips;
}
- }
+ }
}
memmove( value, L, d - L + escape_skips );
*d++ = '"'; /* closing quote */
- }
- state = B4TYPE;
+ }
+ state = B4TYPE;
- /*
- * Track and sort attribute values within
- * multivalued RDNs.
- */
- if ( *s == '+' || rdn_av_count > 0 ) {
+ /*
+ * Track and sort attribute values within
+ * multivalued RDNs.
+ */
+ if ( *s == '+' || rdn_av_count > 0 ) {
add_rdn_av( typestart, d, &rdn_av_count,
&rdn_avs, initial_rdn_av_stack );
- }
- if ( *s != '+' ) { /* at end of this RDN */
+ }
+ if ( *s != '+' ) { /* at end of this RDN */
if ( rdn_av_count > 1 ) {
- sort_rdn_avs( rdn_avs, rdn_av_count );
+ sort_rdn_avs( rdn_avs, rdn_av_count );
}
if ( rdn_av_count > 0 ) {
- reset_rdn_avs( &rdn_avs, &rdn_av_count );
+ reset_rdn_avs( &rdn_avs, &rdn_av_count );
}
- }
+ }
- *d++ = (*s == '+') ? '+' : ',';
- break;
+ *d++ = (*s == '+') ? '+' : ',';
+ break;
}
*d++ = *s;
break;
case INQUOTEDVALUE:
if ( gotesc ) {
- if ( ! NEEDSESCAPE( *s ) ) {
- --d; /* eliminate the \ */
- }
+ if ( ! NEEDSESCAPE( *s ) ) {
+ --d; /* eliminate the \ */
+ }
} else if ( *s == '"' ) {
- state = B4SEPARATOR;
- if ( value_separator == dn /* 2 or more separators */
- || SPACE( value[1] ) || SPACE( d[-1] ) ) {
- *d++ = *s;
- } else {
- /* convert to non-quoted value: */
- if ( value_separator == NULL ) { /* no separators */
- memmove ( value, value+1, (d-value)-1 );
- --d;
- } else { /* 1 separator */
- memmove ( value, value+1, (value_separator-value)-1 );
- *(value_separator - 1) = '\\';
+ state = B4SEPARATOR;
+ if ( value_separator == dn /* 2 or more separators */
+ || SPACE( value[1] ) || SPACE( d[-1] ) ) {
+ *d++ = *s;
+ } else {
+ /* convert to non-quoted value: */
+ if ( value_separator == NULL ) { /* no separators */
+ memmove ( value, value+1, (d-value)-1 );
+ --d;
+ } else { /* 1 separator */
+ memmove ( value, value+1, (value_separator-value)-1 );
+ *(value_separator - 1) = '\\';
+ }
}
- }
- break;
+ break;
}
if ( SEPARATOR( *s )) {
- if ( value_separator ) value_separator = dn;
- else value_separator = d;
+ if ( value_separator ) value_separator = dn;
+ else value_separator = d;
}
*d++ = *s;
break;
case B4SEPARATOR:
if ( SEPARATOR( *s ) ) {
- state = B4TYPE;
+ state = B4TYPE;
- /*
- * Track and sort attribute values within
- * multivalued RDNs.
- */
- if ( *s == '+' || rdn_av_count > 0 ) {
- add_rdn_av( typestart, d, &rdn_av_count,
- &rdn_avs, initial_rdn_av_stack );
- }
- if ( *s != '+' ) { /* at end of this RDN */
- if ( rdn_av_count > 1 ) {
- sort_rdn_avs( rdn_avs, rdn_av_count );
+ /*
+ * Track and sort attribute values within
+ * multivalued RDNs.
+ */
+ if ( *s == '+' || rdn_av_count > 0 ) {
+ add_rdn_av( typestart, d, &rdn_av_count,
+ &rdn_avs, initial_rdn_av_stack );
}
- if ( rdn_av_count > 0 ) {
- reset_rdn_avs( &rdn_avs, &rdn_av_count );
+ if ( *s != '+' ) { /* at end of this RDN */
+ if ( rdn_av_count > 1 ) {
+ sort_rdn_avs( rdn_avs, rdn_av_count );
+ }
+ if ( rdn_av_count > 0 ) {
+ reset_rdn_avs( &rdn_avs, &rdn_av_count );
+ }
}
- }
- *d++ = (*s == '+') ? '+' : ',';
+ *d++ = (*s == '+') ? '+' : ',';
}
break;
default:
LDAPDebug( LDAP_DEBUG_ANY,
- "slapi_dn_normalize - unknown state %d\n", state, 0, 0 );
+ "slapi_dn_normalize - unknown state %d\n", state, 0, 0 );
break;
}
- if ( *s != '\\' ) {
- gotesc = 0;
- } else {
- gotesc = 1;
- if ( s+2 < end ) {
- int n = hexchar2int( s[1] );
- if ( n >= 0 ) {
- int n2 = hexchar2int( s[2] );
- if ( n2 >= 0 ) {
- n = (n << 4) + n2;
- if (n == 0) { /* don't change \00 */
- *d++ = *++s;
- *d++ = *++s;
- gotesc = 0;
- } else { /* change \xx to a single char */
- ++s;
- *(unsigned char*)(s+1) = n;
- }
+ if ( *s == '\\' ) {
+ if ( gotesc ) { /* '\\', again */
+ /* <type>=XXX\\\\7AYYY; we should keep \\\\. */
+ gotesc = 0;
+ } else {
+ gotesc = 1;
+ if ( s+2 < end ) {
+ int n = hexchar2int( s[1] );
+ /* If 8th bit is on, the char is not ASCII (not UTF-8).
+ * Thus, not UTF-8 */
+ if ( n >= 0 && n < 8 ) {
+ int n2 = hexchar2int( s[2] );
+ if ( n2 >= 0 ) {
+ n = (n << 4) + n2;
+ if (n == 0) { /* don't change \00 */
+ *d++ = *++s;
+ *d++ = *++s;
+ gotesc = 0;
+ } else { /* change \xx to a single char */
+ ++s;
+ *(unsigned char*)(s+1) = n;
+ }
+ }
+ }
}
- }
}
+ } else {
+ gotesc = 0;
}
}
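Review bot: The new `n >= 0 && n < 8` test at the hex-escape check stops converting any `\xx` whose byte has the high bit set, but a client may legitimately hex-escape the individual bytes of a UTF-8 character (`\c3\a9` for a two-byte sequence), and such a DN will now normalize differently from the same DN sent as raw UTF-8, which matters wherever normalized DNs are compared (ACI subjects, entry lookup, replication conflict handling). Consider converting a high-bit `\xx` when it starts a well-formed UTF-8 sequence of further `\xx` bytes and leaving only lone high-bit escapes untouched. Note also that when the check fails the loop continues with `gotesc` set and the INVALUE branch eliminates the backslash for a character that does not need escaping (`--d; /* eliminate the \ */`, NEEDSESCAPE's definition not in view), so `\af` comes out as `af` rather than stored as-is as the log message describes; confirm that is the intended result. substr_dn_normalize starts before this hunk and ends after it.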
@@ -349,14 +356,14 @@
* or B4SEPARATOR state if we have a valid rdn component to
* be added. */
if ((rdn_av_count > 0) && ((state == INVALUE) || (state == B4SEPARATOR))) {
- add_rdn_av( typestart, d, &rdn_av_count,
- &rdn_avs, initial_rdn_av_stack );
+ add_rdn_av( typestart, d, &rdn_av_count,
+ &rdn_avs, initial_rdn_av_stack );
}
if ( rdn_av_count > 1 ) {
- sort_rdn_avs( rdn_avs, rdn_av_count );
+ sort_rdn_avs( rdn_avs, rdn_av_count );
}
if ( rdn_av_count > 0 ) {
- reset_rdn_avs( &rdn_avs, &rdn_av_count );
+ reset_rdn_avs( &rdn_avs, &rdn_av_count );
}
/* Trim trailing spaces */
while ( d != dn && *(d - 1) == ' ' ) d--; /* XXX 518524 */
@@ -793,73 +800,6 @@
return 0;
}
-
-
-/*
-** This function takes a quoted attribute value of the form "abc",
-** and strips off the enclosing quotes. It also deals with quoted
-** characters by removing the preceeding '\' character.
-**
-*/
-static void
-strcpy_unescape_dnvalue( char *d, const char *s )
-{
- const char *end = s + strlen(s);
- for ( ; *s; s++ )
- {
- switch ( *s )
- {
- case '"':
- break;
- case '\\':
- {
- /*
- * The '\' could be escaping a single character, ie \"
- * or could be escaping a hex byte, ie \01
- */
- int singlecharacter= 1;
- if ( s+2 < end )
- {
- int n = hexchar2int( s[1] );
- if ( n >= 0 )
- {
- int n2 = hexchar2int( s[2] );
- if ( n2 >= 0 )
- {
- singlecharacter= 0;
- n = (n << 4) + n2;
- if (n == 0)
- {
- /* don't change \00 */
- *d++ = *++s;
- *d++ = *++s;
- }
- else
- {
- /* change \xx to a single char */
- ++s;
- *(unsigned char*)(s+1) = n;
- }
- }
- }
- }
- if(singlecharacter)
- {
- s++;
- *d++ = *s;
- }
- break;
- }
- default:
- *d++ = *s;
- break;
- }
- }
- *d = '\0';
-}
-
-
-
int
slapi_rdn2typeval(
char *rdn,
@@ -881,7 +821,7 @@
When adding the rdn attribute in the entry, we need to remove
all special escaped characters included in the value itself,
i.e., strings like "\;" must be converted to ";" and so on... */
- strcpy_unescape_dnvalue(s,s);
+ strcpy_unescape_value(s,s);
bv->bv_val = s;
bv->bv_len = strlen( s );
Index: util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/util.c,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- util.c 19 Dec 2008 19:26:01 -0000 1.23
+++ util.c 6 Jan 2009 22:50:30 -0000 1.24
@@ -198,6 +198,64 @@
return do_escape_string(str,len,buf,special_filter);
}
+/*
+** This function takes a quoted attribute value of the form "abc",
+** and strips off the enclosing quotes. It also deals with quoted
+** characters by removing the preceeding '\' character.
+**
+*/
+void
+strcpy_unescape_value( char *d, const char *s )
+{
+ char *head = d;
+ int gotesc = 0;
+ const char *end = s + strlen(s);
+ for ( ; *s; s++ )
+ {
+ switch ( *s )
+ {
+ case '\\':
+ if ( gotesc ) {
+ gotesc = 0;
+ } else {
+ gotesc = 1;
+ if ( s+2 < end ) {
+ int n = hexchar2int( s[1] );
+ /* If 8th bit is on, the char is not ASCII (not UTF-8).
+ * Thus, not UTF-8 */
+ if ( n >= 0 && n < 8 ) {
+ int n2 = hexchar2int( s[2] );
+ if ( n2 >= 0 ) {
+ n = (n << 4) + n2;
+ if (n == 0) { /* don't change \00 */
+ *d++ = *s++;
+ *d++ = *s++;
+ *d++ = *s;
+ } else { /* change \xx to a single char */
+ *d++ = (char)n;
+ s += 2;
+ }
+ gotesc = 0;
+ }
+ }
+ }
+ if (gotesc) {
+ *d++ = *s;
+ }
+ }
+ break;
+ default:
+ if (gotesc) {
+ d--;
+ }
+ *d++ = *s;
+ gotesc = 0;
+ break;
+ }
+ }
+ *d = '\0';
+}
+
/* functions to convert between an entry and a set of mods */
int slapi_mods2entry (Slapi_Entry **e, const char *idn, LDAPMod **iattrs)
{
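Review bot: An escaped hex pair whose first digit is 8–F comes out as bare hex digits: for `\C3` the `n < 8` test in the `'\\'` case leaves gotesc set, so the backslash is copied, and the next iteration's default branch does `d--` and copies `C`, yielding `C3`; whichever of verbatim `\C3` or the decoded byte was intended, dropping only the backslash cannot be. Keeping such pairs as written, the way the `\00` branch already does, needs only `if ( n >= 0 ) {` in place of the `n < 8` test and `if (n == 0 || n >= 0x80) { /* keep \00 and non-ASCII pairs as written */` on the inner branch. The header comment still says the function strips enclosing quotes, but unlike the `strcpy_unescape_dnvalue` it replaces there is no `'"'` case, so quotes are now copied through; the comment should say so. `head` is assigned and never read.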
[Fedora-directory-commits] ldapserver/ldap/servers/slapd add.c, 1.17, 1.18 modrdn.c, 1.12, 1.13
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20204/ldap/servers/slapd
Modified Files:
add.c modrdn.c
Log Message:
Resolves: 474621
Summary: Don't allow auto-generated attributes to be used in RDN.
Index: add.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/add.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- add.c 19 Dec 2008 17:07:26 -0000 1.17
+++ add.c 5 Jan 2009 16:57:03 -0000 1.18
@@ -68,6 +68,7 @@
static int add_internal_pb (Slapi_PBlock *pb);
static void op_shared_add (Slapi_PBlock *pb);
static void add_created_attrs(Operation *op, Slapi_Entry *e);
+static int check_rdn_for_created_attrs(Slapi_Entry *e);
static void handle_fast_add(Slapi_PBlock *pb, Slapi_Entry *entry);
static void add_uniqueid (Slapi_Entry *e);
static PRBool check_oc_subentry(Slapi_Entry *e, struct berval **vals, char *normtype);
@@ -176,17 +177,25 @@
goto free_and_return;
}
- /* if this is uniqueid attribute, set uniqueid field of the entry */
- if (strcasecmp (normtype, SLAPI_ATTR_UNIQUEID) == 0)
- {
- e->e_uniqueid = slapi_ch_strdup (vals[0]->bv_val);
- }
- if(searchsubentry) searchsubentry=check_oc_subentry(e,vals,normtype);
+ /* if this is uniqueid attribute, set uniqueid field of the entry */
+ if (strcasecmp (normtype, SLAPI_ATTR_UNIQUEID) == 0)
+ {
+ e->e_uniqueid = slapi_ch_strdup (vals[0]->bv_val);
+ }
+ if(searchsubentry) searchsubentry=check_oc_subentry(e,vals,normtype);
}
+
slapi_ch_free( (void**)&normtype );
ber_bvecfree( vals );
}
+ /* Ensure that created attributes are not used in the RDN. */
+ if (check_rdn_for_created_attrs(e)) {
+ op_shared_log_error_access (pb, "ADD", slapi_sdn_get_dn(slapi_entry_get_sdn_const(e)), "invalid DN");
+ send_ldap_result( pb, LDAP_INVALID_DN_SYNTAX, NULL, "illegal attribute in RDN", 0, NULL );
+ goto free_and_return;
+ }
+
if ( tag == LBER_DEFAULT ) {
op_shared_log_error_access (pb, "ADD", slapi_sdn_get_dn (slapi_entry_get_sdn_const(e)), "decoding error");
send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL,
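Review bot: The -1 error return that check_rdn_for_created_attrs documents is indistinguishable from a match at `if (check_rdn_for_created_attrs(e))`, so an allocation failure inside the helper is reported to the client as LDAP_INVALID_DN_SYNTAX "illegal attribute in RDN" instead of an operations error. Testing `> 0` here and handling `< 0` on its own, e.g. `send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, "RDN check failed", 0, NULL );`, keeps the two cases apart. The call site in modrdn.c (the `@@ -386,6 +388,12 @@` hunk) has the same shape. The enclosing function starts and ends outside this hunk.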
@@ -723,6 +732,40 @@
}
+/* Checks if created attributes are used in the RDN.
+ * Returns 1 if created attrs are in the RDN, and
+ * 0 if created attrs are not in the RDN. Returns
+ * -1 if an error occurred.
+ */
+static int check_rdn_for_created_attrs(Slapi_Entry *e)
+{
+ int i, rc = 0;
+ Slapi_RDN *rdn = NULL;
+ char *value = NULL;
+ char *type[] = {SLAPI_ATTR_UNIQUEID, "modifytimestamp", "createtimestamp",
+ "creatorsname", "modifiersname", 0};
+
+ if (rdn = slapi_rdn_new()) {
+ slapi_rdn_init_dn(rdn, slapi_entry_get_dn_const(e));
+
+ for (i = 0; type[i] != NULL; i++) {
+ if (slapi_rdn_contains_attr(rdn, type[i], &value)) {
+ LDAPDebug(LDAP_DEBUG_TRACE, "Invalid DN. RDN contains %s attribute\n", type[i], 0, 0);
+ rc = 1;
+ break;
+ }
+ }
+
+ slapi_rdn_free(&rdn);
+ } else {
+ LDAPDebug(LDAP_DEBUG_TRACE, "check_rdn_for_created_attrs: Error allocating RDN\n", 0, 0, 0);
+ rc = -1;
+ }
+
+ return rc;
+}
+
+
static void handle_fast_add(Slapi_PBlock *pb, Slapi_Entry *entry)
{
Slapi_Backend *be;
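Review bot: `if (rdn = slapi_rdn_new())` uses an assignment as the condition without the extra parentheses; `if ((rdn = slapi_rdn_new())) {` or a separate statement makes the intent explicit and satisfies -Wparentheses. The `type` table is rebuilt on the stack on every call where `static const char *const type[]` would do, and it is duplicated, with a different member list, in modrdn.c; one shared helper would stop the two lists drifting. I cannot tell from here whether `value` is an out-parameter that slapi_rdn_contains_attr allocates; if it is, it is never released on the matching path — confirm. Attribute types compare case-insensitively in LDAP, so also confirm that slapi_rdn_contains_attr matches the names that way rather than with strcmp.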
Index: modrdn.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/modrdn.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- modrdn.c 5 Dec 2008 22:41:52 -0000 1.12
+++ modrdn.c 5 Jan 2009 16:57:03 -0000 1.13
@@ -64,6 +64,7 @@
/* Forward declarations */
static int rename_internal_pb (Slapi_PBlock *pb);
static void op_shared_rename (Slapi_PBlock *pb, int passin_args );
+static int check_rdn_for_created_attrs(const char *newrdn);
/* This function is called to process operation that come over external connections */
void
@@ -151,10 +152,11 @@
op_shared_rename(pb, 1 /* pass in ownership of string arguments */ );
return;
-free_and_return:;
+free_and_return:
slapi_ch_free((void **) &dn );
slapi_ch_free((void **) &newrdn );
slapi_ch_free((void **) &newsuperior );
+ return;
}
/* This function is used to issue internal modrdn operation
@@ -386,6 +388,12 @@
ldap_value_free(rdns);
}
+ /* check if created attributes are used in the new RDN */
+ if (check_rdn_for_created_attrs((const char *)newrdn)) {
+ send_ldap_result(pb, LDAP_INVALID_DN_SYNTAX, NULL, "invalid attribute in RDN", 0, NULL);
+ goto free_and_return_nolock;
+ }
+
/* check that the dn is formatted correctly */
if ((rdns = ldap_explode_dn(newsuperior, 0)) == NULL)
{
@@ -536,3 +544,35 @@
slapi_ch_free((void **)&s);
}
}
+
+
+/* Checks if created attributes are used in the RDN.
+ * Returns 1 if created attrs are in the RDN, and
+ * 0 if created attrs are not in the RDN. Returns
+ * -1 if an error occurs.
+ */
+static int check_rdn_for_created_attrs(const char *newrdn)
+{
+ int i, rc = 0;
+ Slapi_RDN *rdn = NULL;
+ char *value = NULL;
+ char *type[] = {"modifytimestamp", "createtimestamp",
+ "creatorsname", "modifiersname", 0};
+
+ if (newrdn && *newrdn && (rdn = slapi_rdn_new())) {
+ slapi_rdn_init_dn(rdn, newrdn);
+ for (i = 0; type[i] != NULL; i++) {
+ if (slapi_rdn_contains_attr(rdn, type[i], &value)) {
+ LDAPDebug(LDAP_DEBUG_TRACE, "Invalid DN. RDN contains %s attribute\n", type[i], 0, 0);
+ rc = 1;
+ break;
+ }
+ }
+ slapi_rdn_free(&rdn);
+ } else {
+ LDAPDebug(LDAP_DEBUG_TRACE, "check_rdn_for_created_attrs: Error allocating RDN\n", 0, 0, 0);
+ rc = -1;
+ }
+
+ return rc;
+}
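Review bot: This copy omits SLAPI_ATTR_UNIQUEID from the `type` list that the add.c version checks, so, if I read the two correctly, an RDN naming nsuniqueid is refused on ADD but can still be produced by a MODRDN; the lists should agree, or be a single shared table. A NULL or empty `newrdn` also falls into the else branch, is logged as "Error allocating RDN" and returned as -1, which the caller turns into an invalid-DN-syntax result; a separate early `return 0;` (or -1 with its own message) before the allocation would say what actually happened. `if (newrdn && *newrdn && (rdn = slapi_rdn_new()))` is fine as written, and the `type` table could be `static const char *const`.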