2 commits - ldap/servers
by Mark Reynolds
ldap/servers/slapd/backend.c | 34 ++++++++++++++++++----------------
ldap/servers/slapd/backend_manager.c | 30 +++++++++++++++---------------
ldap/servers/slapd/slap.h | 2 +-
3 files changed, 34 insertions(+), 32 deletions(-)
New commits:
commit cd6a6dd804d63bb389c1916c8ea090977bf601a0
Merge: 4e9aab8 06a26b6
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Mon Dec 10 12:10:29 2012 -0500
Merge branch 'ticket509'
commit 06a26b6cdbd7d7afbca8e0060bcd51f4993e7e0d
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Mon Dec 10 12:09:09 2012 -0500
Ticket 509 - lock-free access to be->be_suffixlock
Bug Description: Remove locking around the be_suffixcount
Fix Description: Use atomic counter for the suffix count, and remove
the lock. The "count" is all we need to safely traverse
the array.
https://fedorahosted.org/389/ticket/509
Reviewed by: Ludwig & richm(Thanks!)
diff --git a/ldap/servers/slapd/backend.c b/ldap/servers/slapd/backend.c
index a95c101..e8d71c3 100644
--- a/ldap/servers/slapd/backend.c
+++ b/ldap/servers/slapd/backend.c
@@ -49,8 +49,8 @@ be_init( Slapi_Backend *be, const char *type, const char *name, int isprivate, i
{
slapdFrontendConfig_t *fecfg;
be->be_suffix = NULL;
- be->be_suffixlock= PR_NewLock();
- be->be_suffixcount= 0;
+ be->be_suffixlock = PR_NewLock();
+ be->be_suffixcounter = slapi_counter_new();
/* e.g. dn: cn=config,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config */
be->be_basedn = slapi_create_dn_string("cn=%s,cn=%s,cn=plugins,cn=config",
name, type);
@@ -116,13 +116,13 @@ void
be_done(Slapi_Backend *be)
{
int i;
+ int count = slapi_counter_get_value(be->be_suffixcounter);
- for(i=0;i<be->be_suffixcount;i++)
+ for(i=0; i < count; i++)
{
slapi_sdn_free(&be->be_suffix[i]);
}
slapi_ch_free((void**)&be->be_suffix);
- PR_DestroyLock(be->be_suffixlock);
slapi_ch_free((void **)&be->be_basedn);
slapi_ch_free((void **)&be->be_configdn);
slapi_ch_free((void **)&be->be_monitordn);
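Review bot: `int count = slapi_counter_get_value(be->be_suffixcounter);` stores the counter's value in a plain int; if slapi_counter_get_value returns a 64-bit unsigned, as the other Slapi_Counter call sites in this tree suggest, that is a silent narrowing that -Wconversion will flag, and the same pattern recurs in the slapi_be_issuffix, be_addsuffix, slapi_be_getsuffix and backend_manager.c hunks of this commit. A suffix count cannot realistically exceed int, so an explicit cast, `int count = (int)slapi_counter_get_value(be->be_suffixcounter);`, is enough to record that the narrowing is intended. In slapi_be_getsuffix the comparison `n < slapi_counter_get_value(be->be_suffixcounter)` mixes signed `n` with that value; the `return NULL` just above that hunk presumably rejects negative n, but casting there too keeps the comparison signed. be_done's body continues outside this hunk.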
@@ -133,6 +133,8 @@ be_done(Slapi_Backend *be)
if (!config_get_entryusn_global()) {
slapi_counter_destroy(&be->be_usn_counter);
}
+ slapi_counter_destroy(&be->be_suffixcounter);
+ PR_DestroyLock(be->be_suffixlock);
PR_DestroyLock(be->be_state_lock);
if (be->be_lock != NULL)
{
@@ -170,9 +172,9 @@ slapi_be_issuffix( const Slapi_Backend *be, const Slapi_DN *suffix )
/* this backend is no longer valid */
if (be->be_state != BE_STATE_DELETED)
{
- int i;
- PR_Lock(be->be_suffixlock);
- for ( i = 0; be->be_suffix != NULL && i<be->be_suffixcount; i++ )
+ int i, count;
+ count = slapi_counter_get_value(be->be_suffixcounter);
+ for ( i = 0; be->be_suffix != NULL && i < count; i++ )
{
if ( slapi_sdn_compare( be->be_suffix[i], suffix ) == 0)
{
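Review bot: The loop `for ( i = 0; be->be_suffix != NULL && i < count; i++ )` now dereferences `be->be_suffix[i]` without any lock, while be_addsuffix later in this diff grows the same array with slapi_ch_realloc under be_suffixlock; the counter only bounds the index, it does not keep the old array alive, so a reader racing a realloc can touch freed memory even though its `count` is stale and smaller. This is safe only if every be_addsuffix call completes before the backend is visible to other threads, an assumption the commit message does not state; the slapi_be_getsuffix hunk and the slapi_lookup_instance_name_by_suffix hunk in backend_manager.c rely on the same assumption. Record it where readers will see it, e.g. above this loop: `/* lock-free read: relies on be_addsuffix only running before the backend is published; a concurrent realloc would free the array under us */`. slapi_be_issuffix begins before this hunk.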
@@ -180,7 +182,6 @@ slapi_be_issuffix( const Slapi_Backend *be, const Slapi_DN *suffix )
break;
}
}
- PR_Unlock(be->be_suffixlock);
}
return r;
}
@@ -196,18 +197,21 @@ be_addsuffix(Slapi_Backend *be,const Slapi_DN *suffix)
{
if (be->be_state != BE_STATE_DELETED)
{
- PR_Lock(be->be_suffixlock);
+ int count;
+
+ PR_Lock(be->be_suffixlock);
+ count = slapi_counter_get_value(be->be_suffixcounter);
if(be->be_suffix==NULL)
{
be->be_suffix= (Slapi_DN **)slapi_ch_malloc(sizeof(Slapi_DN *));
}
else
{
- be->be_suffix= (Slapi_DN **)slapi_ch_realloc((char*)be->be_suffix,(be->be_suffixcount+1)*sizeof(Slapi_DN *));
+ be->be_suffix= (Slapi_DN **)slapi_ch_realloc((char*)be->be_suffix,(count+1)*sizeof(Slapi_DN *));
}
- be->be_suffix[be->be_suffixcount]= slapi_sdn_dup(suffix);
- be->be_suffixcount++;
- PR_Unlock(be->be_suffixlock);
+ be->be_suffix[count]= slapi_sdn_dup(suffix);
+ slapi_counter_increment(be->be_suffixcounter);
+ PR_Unlock(be->be_suffixlock);
}
}
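Review bot: `be->be_suffix[count]= slapi_sdn_dup(suffix);` followed by `slapi_counter_increment(be->be_suffixcounter);` is now the only thing that publishes the new slot to lock-free readers, so the increment has to act as a release barrier for the preceding pointer store. That holds if the counter is implemented with a fully ordered atomic, which this hunk cannot show; on a weakly ordered target a reader could observe the new count before the new pointer. A one-line comment on the increment, `/* increment is the publish point: lock-free readers see the slot only after this */`, plus a check of slapi_counter_increment's ordering guarantees, would close that gap. be_addsuffix's prologue is outside the hunk.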
@@ -231,11 +235,9 @@ slapi_be_getsuffix(Slapi_Backend *be,int n)
return NULL;
if(be->be_state != BE_STATE_DELETED) {
- PR_Lock(be->be_suffixlock);
- if (be->be_suffix !=NULL && n<be->be_suffixcount) {
+ if (be->be_suffix !=NULL && n < slapi_counter_get_value(be->be_suffixcounter)) {
sdn = be->be_suffix[n];
}
- PR_Unlock(be->be_suffixlock);
}
return sdn;
}
diff --git a/ldap/servers/slapd/backend_manager.c b/ldap/servers/slapd/backend_manager.c
index 1ce3ae7..f27f713 100644
--- a/ldap/servers/slapd/backend_manager.c
+++ b/ldap/servers/slapd/backend_manager.c
@@ -461,11 +461,12 @@ int
slapi_lookup_instance_name_by_suffix(char *suffix,
char ***suffixes, char ***instances, int isexact)
{
- Slapi_Backend *be = NULL;
- char *cookie = NULL;
+ Slapi_Backend *be = NULL;
+ char *cookie = NULL;
const char *thisdn;
int thisdnlen;
int suffixlen;
+ int count;
int i;
int rval = -1;
@@ -476,17 +477,17 @@ slapi_lookup_instance_name_by_suffix(char *suffix,
rval = 0;
suffixlen = strlen(suffix);
- cookie = NULL;
- be = slapi_get_first_backend (&cookie);
- while (be) {
- if (NULL == be->be_suffix) {
- be = (backend *)slapi_get_next_backend (cookie);
+ cookie = NULL;
+ be = slapi_get_first_backend (&cookie);
+ while (be) {
+ if (NULL == be->be_suffix) {
+ be = (backend *)slapi_get_next_backend (cookie);
continue;
}
- PR_Lock(be->be_suffixlock);
- for (i = 0; be->be_suffix && i < be->be_suffixcount; i++) {
- thisdn = slapi_sdn_get_ndn(be->be_suffix[i]);
- thisdnlen = slapi_sdn_get_ndn_len(be->be_suffix[i]);
+ count = slapi_counter_get_value(be->be_suffixcounter);
+ for (i = 0; be->be_suffix && i < count; i++) {
+ thisdn = slapi_sdn_get_ndn(be->be_suffix[i]);
+ thisdnlen = slapi_sdn_get_ndn_len(be->be_suffix[i]);
if (isexact?suffixlen!=thisdnlen:suffixlen>thisdnlen)
continue;
if (isexact?(!slapi_UTF8CASECMP(suffix, (char *)thisdn)):
@@ -497,10 +498,9 @@ slapi_lookup_instance_name_by_suffix(char *suffix,
charray_add(suffixes, slapi_ch_strdup(thisdn));
}
}
- PR_Unlock(be->be_suffixlock);
- be = (backend *)slapi_get_next_backend (cookie);
- }
- slapi_ch_free((void **)&cookie);
+ be = (backend *)slapi_get_next_backend (cookie);
+ }
+ slapi_ch_free((void **)&cookie);
return rval;
}
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index a510d8a..dee016a 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1165,7 +1165,7 @@ struct slapdplugin {
typedef struct backend {
Slapi_DN **be_suffix; /* the DN suffixes of data in this backend */
PRLock *be_suffixlock;
- int be_suffixcount;
+ Slapi_Counter *be_suffixcounter;
char *be_basedn; /* The base dn for the config & monitor dns */
char *be_configdn; /* The config dn for this backend */
char *be_monitordn; /* The monitor dn for this backend */
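Review bot: `PRLock *be_suffixlock;` keeps no comment although its role has changed: with `Slapi_Counter *be_suffixcounter;` replacing be_suffixcount, the lock now serialises writers in be_addsuffix only and readers never take it. Document that on the fields so the next change neither reintroduces a reader-side PR_Lock nor drops the writer-side one: `PRLock *be_suffixlock; /* serialises be_addsuffix; readers use be_suffixcounter without it */` and `Slapi_Counter *be_suffixcounter; /* number of valid entries in be_suffix; read lock-free */`.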
Branch '389-ds-base-1.2.11' - ldap/servers
by Mark Reynolds
ldap/servers/slapd/log.c | 63 +++++++++++++++++++++++++++++++++++++++--------
1 file changed, 53 insertions(+), 10 deletions(-)
New commits:
commit 85261ef0161df156ea3991a77046aabda6c34cf4
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Dec 6 14:52:40 2012 -0500
Ticket 527 - ns-slapd segfaults if it cannot rename the logs
Bug Description: If we can not rename a log file, triggered by log rotation,
we try and log a message stating this error, but trying to
log this new message triggers log rotation again. This leads
to an infinite loop and a stack overflow.
Fix Description: Created a new logging function that does not do a rotation check.
We use this new function for all emergency error logging.
https://fedorahosted.org/389/ticket/527
Reviewed by: richm(Thanks!)
(cherry picked from commit 4e9aab8a172c8636ea78a9d1230c78c76268efd7)
diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
index e622485..e65b247 100644
--- a/ldap/servers/slapd/log.c
+++ b/ldap/servers/slapd/log.c
@@ -138,6 +138,7 @@ static void log_append_buffer2(time_t tnl, LogBufferInfo *lbi, char *msg1, size_
static void log_flush_buffer(LogBufferInfo *lbi, int type, int sync_now);
static void log_write_title(LOGFD fp);
static void log__error_emergency(const char *errstr, int reopen, int locked);
+static void vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked);
static int
slapd_log_error_proc_internal(
@@ -1834,6 +1835,57 @@ slapd_log_error_proc_internal(
return( rc );
}
+/*
+ * Directly write the already formatted message to the error log
+ */
+static void
+vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked)
+{
+ time_t tnl;
+ long tz;
+ struct tm *tmsp, tms;
+ char tbuf[ TBUFSIZE ];
+ char buffer[SLAPI_LOG_BUFSIZ];
+ char sign;
+ int size;
+
+ tnl = current_time();
+#ifdef _WIN32
+ {
+ struct tm *pt = localtime( &tnl );
+ tmsp = &tms;
+ memcpy(&tms, pt, sizeof(struct tm) );
+ }
+#else
+ (void)localtime_r( &tnl, &tms );
+ tmsp = &tms;
+#endif
+#ifdef BSD_TIME
+ tz = tmsp->tm_gmtoff;
+#else /* BSD_TIME */
+ tz = - timezone;
+ if ( tmsp->tm_isdst ) {
+ tz += 3600;
+ }
+#endif /* BSD_TIME */
+ sign = ( tz >= 0 ? '+' : '-' );
+ if ( tz < 0 ) {
+ tz = -tz;
+ }
+ (void)strftime( tbuf, (size_t)TBUFSIZE, "%d/%b/%Y:%H:%M:%S", tmsp);
+ sprintf( buffer, "[%s %c%02d%02d] - %s", tbuf, sign, (int)( tz / 3600 ), (int)( tz % 3600 ), msg);
+ size = strlen(buffer);
+
+ if(!locked)
+ LOG_ERROR_LOCK_WRITE();
+
+ slapi_write_buffer((fp), (buffer), (size));
+ PR_Sync(fp);
+
+ if(!locked)
+ LOG_ERROR_UNLOCK_WRITE();
+}
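Review bot: `sprintf( buffer, "[%s %c%02d%02d] - %s", ... msg);` writes `msg` into the fixed `buffer[SLAPI_LOG_BUFSIZ]` with no bound, and the callers build their messages with PR_snprintf into a buffer that may already be full, so the added timestamp prefix alone can push the emergency path into a stack overflow; the file already uses PR_snprintf, so `PR_snprintf(buffer, sizeof(buffer), "[%s %c%02d%02d] - %s", tbuf, sign, (int)(tz / 3600), (int)((tz % 3600) / 60), msg);` bounds it. That line also prints `tz % 3600`, the leftover seconds, in the minutes field, which for a half-hour zone yields "1800" instead of "30"; dividing by 60 as above fixes that. `size = strlen(buffer);` then narrows size_t to int, harmless at this buffer size but `size_t size` avoids the warning. The identical function appears again in the original commit's hunk further down this page and needs the same changes. A header comment stating that `locked` means the caller already holds the error write lock would also help, since that is what distinguishes this helper from vslapd_log_error.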
+
static int
vslapd_log_error(
LOGFD fp,
@@ -3102,9 +3154,6 @@ char rootpath[4];
PR_snprintf(buffer, sizeof(buffer),
"log__enough_freespace: Unable to get the free space (errno:%d)\n",
errno);
- /* This function could be called in the ERROR WRITE LOCK,
- * which causes the self deadlock if you call LDAPDebug for logging.
- * Thus, instead of LDAPDebug, call log__error_emergency with locked == 1. */
log__error_emergency(buffer, 0, 1);
return 1;
} else {
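Review bot: The deleted comment above `log__error_emergency(buffer, 0, 1);` was the only explanation of why `locked` is 1 here, and the reason still holds after this change: the caller may be running under the error write lock, and the new vslapd_log_emergency_error skips LOG_ERROR_LOCK_WRITE only because of that argument. Keep a one-liner, e.g. `/* may be called under the error write lock: locked=1 keeps the emergency writer from re-taking it */`. The same comment is removed at the delete_logfile hunk of this commit and in both corresponding hunks of the original commit later on the page. The enclosing function starts before this hunk.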
@@ -3351,9 +3400,6 @@ delete_logfile:
PR_snprintf (buffer, sizeof(buffer), "%s.%s", loginfo.log_error_file, tbuf);
if (PR_Delete(buffer) != PR_SUCCESS) {
PRErrorCode prerr = PR_GetError();
- /* This function could be called in the ERROR WRITE LOCK,
- * which causes the self deadlock if you call LDAPDebug for logging.
- * Thus, instead of LDAPDebug, call log__error_emergency with locked == 1. */
PR_snprintf(buffer, sizeof(buffer),
"LOGINFO:Unable to remove file:%s.%s error %d (%s)\n",
loginfo.log_error_file, tbuf, prerr, slapd_pr_strerror(prerr));
@@ -3713,10 +3759,7 @@ log__error_emergency(const char *errstr, int reopen, int locked)
PRErrorCode prerr = PR_GetError();
syslog(LOG_ERR, "Failed to reopen errors log file, " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", prerr, slapd_pr_strerror(prerr));
} else {
- /* LDAPDebug locks ERROR_LOCK_WRITE internally */
- if (locked) LOG_ERROR_UNLOCK_WRITE();
- LDAPDebug(LDAP_DEBUG_ANY, "%s\n", errstr, 0, 0);
- if (locked) LOG_ERROR_LOCK_WRITE( );
+ vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, locked);
}
return;
}
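Review bot: `vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, locked);` passes the descriptor straight to slapi_write_buffer and PR_Sync without a NULL check, whereas the replaced LDAPDebug call went through the normal logger, which presumably tolerated a closed or disabled error log. If log_error_fdes can be NULL in this branch (error log disabled, or never opened), guard it: `if (loginfo.log_error_fdes) vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, locked); else syslog(LOG_ERR, "%s\n", errstr);`. log__error_emergency starts before this hunk, so whether an earlier check already rules that out cannot be seen here.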
ldap/servers
by Mark Reynolds
ldap/servers/slapd/log.c | 63 +++++++++++++++++++++++++++++++++++++++--------
1 file changed, 53 insertions(+), 10 deletions(-)
New commits:
commit 4e9aab8a172c8636ea78a9d1230c78c76268efd7
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Dec 6 14:52:40 2012 -0500
Ticket 527 - ns-slapd segfaults if it cannot rename the logs
Bug Description: If we can not rename a log file, triggered by log rotation,
we try and log a message stating this error, but trying to
log this new message triggers log rotation again. This leads
to an infinite loop and a stack overflow.
Fix Description: Created a new logging function that does not do a rotation check.
We use this new function for all emergency error logging.
https://fedorahosted.org/389/ticket/527
Reviewed by: richm(Thanks!)
diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
index ecfdb19..d1c63bc 100644
--- a/ldap/servers/slapd/log.c
+++ b/ldap/servers/slapd/log.c
@@ -138,6 +138,7 @@ static void log_append_buffer2(time_t tnl, LogBufferInfo *lbi, char *msg1, size_
static void log_flush_buffer(LogBufferInfo *lbi, int type, int sync_now);
static void log_write_title(LOGFD fp);
static void log__error_emergency(const char *errstr, int reopen, int locked);
+static void vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked);
static int
slapd_log_error_proc_internal(
@@ -1834,6 +1835,57 @@ slapd_log_error_proc_internal(
return( rc );
}
+/*
+ * Directly write the already formatted message to the error log
+ */
+static void
+vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked)
+{
+ time_t tnl;
+ long tz;
+ struct tm *tmsp, tms;
+ char tbuf[ TBUFSIZE ];
+ char buffer[SLAPI_LOG_BUFSIZ];
+ char sign;
+ int size;
+
+ tnl = current_time();
+#ifdef _WIN32
+ {
+ struct tm *pt = localtime( &tnl );
+ tmsp = &tms;
+ memcpy(&tms, pt, sizeof(struct tm) );
+ }
+#else
+ (void)localtime_r( &tnl, &tms );
+ tmsp = &tms;
+#endif
+#ifdef BSD_TIME
+ tz = tmsp->tm_gmtoff;
+#else /* BSD_TIME */
+ tz = - timezone;
+ if ( tmsp->tm_isdst ) {
+ tz += 3600;
+ }
+#endif /* BSD_TIME */
+ sign = ( tz >= 0 ? '+' : '-' );
+ if ( tz < 0 ) {
+ tz = -tz;
+ }
+ (void)strftime( tbuf, (size_t)TBUFSIZE, "%d/%b/%Y:%H:%M:%S", tmsp);
+ sprintf( buffer, "[%s %c%02d%02d] - %s", tbuf, sign, (int)( tz / 3600 ), (int)( tz % 3600 ), msg);
+ size = strlen(buffer);
+
+ if(!locked)
+ LOG_ERROR_LOCK_WRITE();
+
+ slapi_write_buffer((fp), (buffer), (size));
+ PR_Sync(fp);
+
+ if(!locked)
+ LOG_ERROR_UNLOCK_WRITE();
+}
+
static int
vslapd_log_error(
LOGFD fp,
@@ -3102,9 +3154,6 @@ char rootpath[4];
PR_snprintf(buffer, sizeof(buffer),
"log__enough_freespace: Unable to get the free space (errno:%d)\n",
errno);
- /* This function could be called in the ERROR WRITE LOCK,
- * which causes the self deadlock if you call LDAPDebug for logging.
- * Thus, instead of LDAPDebug, call log__error_emergency with locked == 1. */
log__error_emergency(buffer, 0, 1);
return 1;
} else {
@@ -3351,9 +3400,6 @@ delete_logfile:
PR_snprintf (buffer, sizeof(buffer), "%s.%s", loginfo.log_error_file, tbuf);
if (PR_Delete(buffer) != PR_SUCCESS) {
PRErrorCode prerr = PR_GetError();
- /* This function could be called in the ERROR WRITE LOCK,
- * which causes the self deadlock if you call LDAPDebug for logging.
- * Thus, instead of LDAPDebug, call log__error_emergency with locked == 1. */
PR_snprintf(buffer, sizeof(buffer),
"LOGINFO:Unable to remove file:%s.%s error %d (%s)\n",
loginfo.log_error_file, tbuf, prerr, slapd_pr_strerror(prerr));
@@ -3713,10 +3759,7 @@ log__error_emergency(const char *errstr, int reopen, int locked)
PRErrorCode prerr = PR_GetError();
syslog(LOG_ERR, "Failed to reopen errors log file, " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", prerr, slapd_pr_strerror(prerr));
} else {
- /* LDAPDebug locks ERROR_LOCK_WRITE internally */
- if (locked) LOG_ERROR_UNLOCK_WRITE();
- LDAPDebug(LDAP_DEBUG_ANY, "%s\n", errstr, 0, 0);
- if (locked) LOG_ERROR_LOCK_WRITE( );
+ vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, locked);
}
return;
}
Branch '389-ds-base-1.2.11' - ldap/servers lib/libaccess
by Mark Reynolds
ldap/servers/plugins/memberof/memberof.c | 7 +++++++
ldap/servers/slapd/back-ldbm/dblayer.c | 2 ++
lib/libaccess/acltools.cpp | 1 +
3 files changed, 10 insertions(+)
New commits:
commit 39b0938b43a5dbfdc566b343e504585bad7de859
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Dec 6 11:41:29 2012 -0500
Coverity Issues for 1.2.11
Reviewed by: richm(Thanks!)
diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
index 598f4d9..a3f875d 100644
--- a/ldap/servers/plugins/memberof/memberof.c
+++ b/ldap/servers/plugins/memberof/memberof.c
@@ -1105,6 +1105,13 @@ memberof_modop_one_replace_r(Slapi_PBlock *pb, MemberOfConfig *config,
const char *op_this = slapi_sdn_get_ndn(op_this_sdn);
Slapi_Value *to_dn_val = slapi_value_new_string(op_to);
Slapi_Value *this_dn_val = slapi_value_new_string(op_this);
+
+ if(this_dn_val == NULL || to_dn_val == NULL){
+ slapi_log_error( SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM,
+ "memberof_modop_one_replace_r: failed to get DN values (NULL)\n");
+ goto bail;
+ }
+
/* op_this and op_to are both case-normalized */
slapi_value_set_flags(this_dn_val, SLAPI_ATTR_FLAG_NORMALIZED_CIS);
slapi_value_set_flags(to_dn_val, SLAPI_ATTR_FLAG_NORMALIZED_CIS);
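Review bot: `goto bail;` on the new NULL check leaves whichever of `to_dn_val`/`this_dn_val` was allocated unreleased unless the `bail` label, outside this hunk, frees both; that cannot be confirmed from here, so either verify it or release them before the jump with `slapi_value_free(&to_dn_val); slapi_value_free(&this_dn_val);`. Whether slapi_value_new_string can return NULL at all is also unclear — if it allocates through slapi_ch_malloc, which aborts on failure, the check is dead and the Coverity finding is better closed with an annotation than with unreachable code. memberof_modop_one_replace_r continues outside the hunk.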
diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c
index 02cb3fd..804543b 100644
--- a/ldap/servers/slapd/back-ldbm/dblayer.c
+++ b/ldap/servers/slapd/back-ldbm/dblayer.c
@@ -1910,6 +1910,8 @@ dblayer_get_id2entry_size(ldbm_instance *inst)
ID2ENTRY LDBM_FILENAME_SUFFIX);
rc = PR_GetFileInfo(id2entry_file, &info);
slapi_ch_free_string(&id2entry_file);
+ if (inst_dirp != inst_dir)
+ slapi_ch_free_string(&inst_dirp);
if (rc) {
return 0;
}
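Review bot: `if (inst_dirp != inst_dir)` with an unbraced `slapi_ch_free_string(&inst_dirp);` is the only unbraced control body in this hunk, where `if (rc) {` two lines down is braced; brace it for consistency and to avoid the added-statement mistake: `if (inst_dirp != inst_dir) { slapi_ch_free_string(&inst_dirp); }`. Placing the free before the `rc` check looks right, since presumably both return paths leaked the heap copy before; a comment such as `/* inst_dirp is heap-allocated only when it differs from inst_dir */` would make that ownership contract visible to the next reader. dblayer_get_id2entry_size continues beyond the hunk.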
diff --git a/lib/libaccess/acltools.cpp b/lib/libaccess/acltools.cpp
index 69d0c2e..df08658 100644
--- a/lib/libaccess/acltools.cpp
+++ b/lib/libaccess/acltools.cpp
@@ -1415,6 +1415,7 @@ char *errmsg;
eid = ACLERR1500;
errmsg = system_errmsg();
nserrGenerate(errp, rv, eid, ACL_Program, 2, "buffer", errmsg);
+ PERM_FREE(errmsg);
}
}
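Review bot: `PERM_FREE(errmsg);` right after `nserrGenerate(errp, rv, eid, ACL_Program, 2, "buffer", errmsg);` is correct only if nserrGenerate copies its string arguments; if it stores the pointer in `errp`, this turns a leak into a dangling reference read when the error is later reported. The hunk cannot show which, so confirm nserrGenerate's ownership contract and record it here, e.g. `/* nserrGenerate copies errmsg; release the system_errmsg() allocation */`. The enclosing function starts before the hunk.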
ldap/servers
by Mark Reynolds
ldap/servers/slapd/configdse.c | 1 +
ldap/servers/slapd/libglobs.c | 36 ++++++++++++++++++++++++++++++++++++
ldap/servers/slapd/proto-slap.h | 2 ++
ldap/servers/slapd/saslbind.c | 2 ++
ldap/servers/slapd/slap.h | 2 ++
5 files changed, 43 insertions(+)
New commits:
commit e3aac6618a00236b73e44b99d15abed647708187
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Dec 5 17:43:30 2012 -0500
Ticket 395 - RFE: 389-ds shouldn't advertise in the rootDSE that we can handle a sasl mech if we really can't
Bug Description: The root DSE lists all the mechanisms the SASL library can handle (sasl_listmech), but that's
not necessarily what the server/co-products can support (e.g. communicating with IPA).
Fix Description: Added new config setting to specify the SASL mechanisms that are allowed. If none are specified,
then all are allowed. This setting now impacts the SASL callback SASL_CB_GETOPT(ids_sasl_getopt), so
it applies to all SASL operations. So, the root DSE information is correct, and you can now control
what mechanisms the server actually allows.
https://fedorahosted.org/389/ticket/395
Reviewed by: richm(Thanks!)
diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c
index b54062d..bd1566e 100644
--- a/ldap/servers/slapd/configdse.c
+++ b/ldap/servers/slapd/configdse.c
@@ -81,6 +81,7 @@ static const char *requires_restart[] = {
#endif
"cn=config:" CONFIG_RETURN_EXACT_CASE_ATTRIBUTE,
"cn=config:" CONFIG_SCHEMA_IGNORE_TRAILING_SPACES,
+ "cn=config:nsslapd-allowed-sasl-mechanisms",
"cn=config,cn=ldbm:nsslapd-idlistscanlimit",
"cn=config,cn=ldbm:nsslapd-parentcheck",
"cn=config,cn=ldbm:nsslapd-dbcachesize",
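Review bot: `"cn=config:nsslapd-allowed-sasl-mechanisms",` spells the attribute name out while the neighbouring entries and the rest of this commit use a macro, which the slap.h hunk of this same diff defines as CONFIG_ALLOWED_SASL_MECHS; write it as `"cn=config:" CONFIG_ALLOWED_SASL_MECHS,` so a later rename of the attribute cannot silently stop the restart check from matching. The requires_restart table continues outside the hunk.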
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index dee7812..ab366fc 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1006,6 +1006,10 @@ static struct config_get_and_set {
NULL, 0,
(void**)&global_slapdFrontendConfig.ndn_cache_max_size,
CONFIG_INT, (ConfigGetFunc)config_get_ndn_cache_size, DEFAULT_NDN_SIZE},
+ {CONFIG_ALLOWED_SASL_MECHS, config_set_allowed_sasl_mechs,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.allowed_sasl_mechs,
+ CONFIG_STRING, (ConfigGetFunc)config_get_allowed_sasl_mechs, DEFAULT_ALLOWED_TO_DELETE_ATTRS},
#ifdef MEMPOOL_EXPERIMENTAL
,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
NULL, 0,
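Review bot: The new config_get_and_set entry gives `DEFAULT_ALLOWED_TO_DELETE_ATTRS` as the default for `allowed_sasl_mechs`, which looks copied from the preceding attrs-to-delete entry; FrontendConfig_init in the next hunk initialises the field to NULL, meaning "all mechanisms", and a reset through this table would presumably install an attribute list as the mechanism list instead. Use the same default as the init path, `CONFIG_STRING, (ConfigGetFunc)config_get_allowed_sasl_mechs, NULL},`, or a dedicated default macro if the table requires a string. The table continues outside the hunk.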
@@ -1423,6 +1427,7 @@ FrontendConfig_init () {
cfg->entryusn_import_init = slapi_ch_strdup(ENTRYUSN_IMPORT_INIT);
cfg->allowed_to_delete_attrs = slapi_ch_strdup("nsslapd-listenhost nsslapd-securelistenhost nsslapd-defaultnamingcontext");
cfg->default_naming_context = NULL; /* store normalized dn */
+ cfg->allowed_sasl_mechs = NULL;
init_disk_monitoring = cfg->disk_monitoring = LDAP_OFF;
cfg->disk_threshold = 2097152; /* 2 mb */
@@ -6556,6 +6561,37 @@ config_set_allowed_to_delete_attrs( const char *attrname, char *value,
}
char *
+config_get_allowed_sasl_mechs()
+{
+ char *retVal;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->allowed_sasl_mechs;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+/* separated list of sasl mechs to allow */
+int
+config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, int apply )
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ if(!apply || slapdFrontendConfig->allowed_sasl_mechs){
+ /* we only set this at startup, if we try again just return SUCCESS */
+ return LDAP_SUCCESS;
+ }
+
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+
+ return LDAP_SUCCESS;
+}
+
+char *
config_get_default_naming_context(void)
{
char *retVal;
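Review bot: `if(!apply || slapdFrontendConfig->allowed_sasl_mechs){` reads the field before CFG_LOCK_WRITE is taken, so two apply calls racing on the first set can both pass the check and both strdup, leaking one copy; keep the `!apply` early return but move the set-once check under the lock: `CFG_LOCK_WRITE(slapdFrontendConfig); if (!slapdFrontendConfig->allowed_sasl_mechs) slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value); CFG_UNLOCK_WRITE(slapdFrontendConfig);`. The getter hands out the live pointer rather than a copy, which suits the set-once field but, if other CONFIG_STRING getters in this table return copies that the generic config code frees, would be a double free there — a comment `/* returns the live pointer, not a copy: the value is set once and never freed */` makes the contract explicit either way. Both new functions use empty parentheses; `config_get_allowed_sasl_mechs(void)` gives the prototype a real signature. The next function, config_get_default_naming_context, continues outside the hunk.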
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index a17f40d..37b4647 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -549,6 +549,8 @@ int config_get_disk_logging_critical();
int config_get_ndn_cache_count();
size_t config_get_ndn_cache_size();
int config_get_ndn_cache_enabled();
+char *config_get_allowed_sasl_mechs();
+int config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, int apply);
PLHashNumber hashNocaseString(const void *key);
PRIntn hashNocaseCompare(const void *v1, const void *v2);
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index f75e977..f9ddbfc 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -184,6 +184,8 @@ static int ids_sasl_getopt(
}
} else if (strcasecmp(option, "auxprop_plugin") == 0) {
*result = "iDS";
+ } else if (strcasecmp(option, "mech_list") == 0){
+ *result = config_get_allowed_sasl_mechs();
}
if (*result) *len = strlen(*result);
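Review bot: `*result = config_get_allowed_sasl_mechs();` hands SASL a NULL when the new attribute is unset, and the `if (*result) *len = strlen(*result);` line then leaves `*result` NULL, which relies on the SASL library treating a missing mech_list as "use the default list"; that is what the commit message intends, but nothing in the code says so. Add `/* NULL when nsslapd-allowed-sasl-mechanisms is unset: SASL then offers its full list */` on the new branch. Since the pointer is the config's own storage and not a copy, the set-once behaviour of config_set_allowed_sasl_mechs is what keeps it valid for the callback's lifetime, which the same comment should state. ids_sasl_getopt starts before the hunk.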
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 8b43f5a..a510d8a 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2048,6 +2048,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_DISK_LOGGING_CRITICAL "nsslapd-disk-monitoring-logging-critical"
#define CONFIG_NDN_CACHE "nsslapd-ndn-cache-enabled"
#define CONFIG_NDN_CACHE_SIZE "nsslapd-ndn-cache-max-size"
+#define CONFIG_ALLOWED_SASL_MECHS "nsslapd-allowed-sasl-mechanisms"
#ifdef MEMPOOL_EXPERIMENTAL
#define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
@@ -2258,6 +2259,7 @@ typedef struct _slapdFrontendConfig {
char *entryusn_import_init; /* Entry USN: determine the initital value of import */
int pagedsizelimit;
char *default_naming_context; /* Default naming context (normalized) */
+ char *allowed_sasl_mechs; /* comma/space separated list of allowed sasl mechs */
/* disk monitoring */
int disk_monitoring;