389-commits December 2012

389-commits@lists.fedoraproject.org

4 participants
35 discussions

by Mark Reynolds

ldap/servers/slapd/backend.c | 34 ++++++++++++++++++---------------- ldap/servers/slapd/backend_manager.c | 30 +++++++++++++++--------------- ldap/servers/slapd/slap.h | 2 +- 3 files changed, 34 insertions(+), 32 deletions(-) New commits: commit cd6a6dd804d63bb389c1916c8ea090977bf601a0 Merge: 4e9aab8 06a26b6 Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Mon Dec 10 12:10:29 2012 -0500 Merge branch 'ticket509' commit 06a26b6cdbd7d7afbca8e0060bcd51f4993e7e0d Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Mon Dec 10 12:09:09 2012 -0500 Ticket 509 - lock-free access to be->be_suffixlock Bug Description: Remove locking around the be_suffixcount Fix Description: Use atomic counter for the suffix count, and remove the lock. The "count" is all we need to safely transverse the array. https://fedorahosted.org/389/ticket/509 Reviewed by: Ludwig & richm(Thanks!) diff --git a/ldap/servers/slapd/backend.c b/ldap/servers/slapd/backend.c index a95c101..e8d71c3 100644 --- a/ldap/servers/slapd/backend.c +++ b/ldap/servers/slapd/backend.c @@ -49,8 +49,8 @@ be_init( Slapi_Backend *be, const char *type, const char *name, int isprivate, i { slapdFrontendConfig_t *fecfg; be->be_suffix = NULL; - be->be_suffixlock= PR_NewLock(); - be->be_suffixcount= 0; + be->be_suffixlock = PR_NewLock(); + be->be_suffixcounter = slapi_counter_new(); /* e.g. dn: cn=config,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config */ be->be_basedn = slapi_create_dn_string("cn=%s,cn=%s,cn=plugins,cn=config", name, type); @@ -116,13 +116,13 @@ void be_done(Slapi_Backend *be) { int i; + int count = slapi_counter_get_value(be->be_suffixcounter); - for(i=0;i<be->be_suffixcount;i++) + for(i=0; i < count; i++) { slapi_sdn_free(&be->be_suffix[i]); } slapi_ch_free((void**)&be->be_suffix); - PR_DestroyLock(be->be_suffixlock); slapi_ch_free((void **)&be->be_basedn); slapi_ch_free((void **)&be->be_configdn); slapi_ch_free((void **)&be->be_monitordn); @@ -133,6 +133,8 @@ be_done(Slapi_Backend *be) if (!config_get_entryusn_global()) { slapi_counter_destroy(&be->be_usn_counter); } + slapi_counter_destroy(&be->be_suffixcounter); + PR_DestroyLock(be->be_suffixlock); PR_DestroyLock(be->be_state_lock); if (be->be_lock != NULL) { @@ -170,9 +172,9 @@ slapi_be_issuffix( const Slapi_Backend *be, const Slapi_DN *suffix ) /* this backend is no longer valid */ if (be->be_state != BE_STATE_DELETED) { - int i; - PR_Lock(be->be_suffixlock); - for ( i = 0; be->be_suffix != NULL && i<be->be_suffixcount; i++ ) + int i, count; + count = slapi_counter_get_value(be->be_suffixcounter); + for ( i = 0; be->be_suffix != NULL && i < count; i++ ) { if ( slapi_sdn_compare( be->be_suffix[i], suffix ) == 0) { @@ -180,7 +182,6 @@ slapi_be_issuffix( const Slapi_Backend *be, const Slapi_DN *suffix ) break; } } - PR_Unlock(be->be_suffixlock); } return r; } @@ -196,18 +197,21 @@ be_addsuffix(Slapi_Backend *be,const Slapi_DN *suffix) { if (be->be_state != BE_STATE_DELETED) { - PR_Lock(be->be_suffixlock); + int count; + + PR_Lock(be->be_suffixlock); + count = slapi_counter_get_value(be->be_suffixcounter); if(be->be_suffix==NULL) { be->be_suffix= (Slapi_DN **)slapi_ch_malloc(sizeof(Slapi_DN *)); } else { - be->be_suffix= (Slapi_DN **)slapi_ch_realloc((char*)be->be_suffix,(be->be_suffixcount+1)*sizeof(Slapi_DN *)); + be->be_suffix= (Slapi_DN **)slapi_ch_realloc((char*)be->be_suffix,(count+1)*sizeof(Slapi_DN *)); } - be->be_suffix[be->be_suffixcount]= slapi_sdn_dup(suffix); - be->be_suffixcount++; - PR_Unlock(be->be_suffixlock); + be->be_suffix[count]= slapi_sdn_dup(suffix); + slapi_counter_increment(be->be_suffixcounter); + PR_Unlock(be->be_suffixlock); } } @@ -231,11 +235,9 @@ slapi_be_getsuffix(Slapi_Backend *be,int n) return NULL; if(be->be_state != BE_STATE_DELETED) { - PR_Lock(be->be_suffixlock); - if (be->be_suffix !=NULL && n<be->be_suffixcount) { + if (be->be_suffix !=NULL && n < slapi_counter_get_value(be->be_suffixcounter)) { sdn = be->be_suffix[n]; } - PR_Unlock(be->be_suffixlock); } return sdn; } diff --git a/ldap/servers/slapd/backend_manager.c b/ldap/servers/slapd/backend_manager.c index 1ce3ae7..f27f713 100644 --- a/ldap/servers/slapd/backend_manager.c +++ b/ldap/servers/slapd/backend_manager.c @@ -461,11 +461,12 @@ int slapi_lookup_instance_name_by_suffix(char *suffix, char ***suffixes, char ***instances, int isexact) { - Slapi_Backend *be = NULL; - char *cookie = NULL; + Slapi_Backend *be = NULL; + char *cookie = NULL; const char *thisdn; int thisdnlen; int suffixlen; + int count; int i; int rval = -1; @@ -476,17 +477,17 @@ slapi_lookup_instance_name_by_suffix(char *suffix, rval = 0; suffixlen = strlen(suffix); - cookie = NULL; - be = slapi_get_first_backend (&cookie); - while (be) { - if (NULL == be->be_suffix) { - be = (backend *)slapi_get_next_backend (cookie); + cookie = NULL; + be = slapi_get_first_backend (&cookie); + while (be) { + if (NULL == be->be_suffix) { + be = (backend *)slapi_get_next_backend (cookie); continue; } - PR_Lock(be->be_suffixlock); - for (i = 0; be->be_suffix && i < be->be_suffixcount; i++) { - thisdn = slapi_sdn_get_ndn(be->be_suffix[i]); - thisdnlen = slapi_sdn_get_ndn_len(be->be_suffix[i]); + count = slapi_counter_get_value(be->be_suffixcounter); + for (i = 0; be->be_suffix && i < count; i++) { + thisdn = slapi_sdn_get_ndn(be->be_suffix[i]); + thisdnlen = slapi_sdn_get_ndn_len(be->be_suffix[i]); if (isexact?suffixlen!=thisdnlen:suffixlen>thisdnlen) continue; if (isexact?(!slapi_UTF8CASECMP(suffix, (char *)thisdn)): @@ -497,10 +498,9 @@ slapi_lookup_instance_name_by_suffix(char *suffix, charray_add(suffixes, slapi_ch_strdup(thisdn)); } } - PR_Unlock(be->be_suffixlock); - be = (backend *)slapi_get_next_backend (cookie); - } - slapi_ch_free((void **)&cookie); + be = (backend *)slapi_get_next_backend (cookie); + } + slapi_ch_free((void **)&cookie); return rval; } diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h index a510d8a..dee016a 100644 --- a/ldap/servers/slapd/slap.h +++ b/ldap/servers/slapd/slap.h @@ -1165,7 +1165,7 @@ struct slapdplugin { typedef struct backend { Slapi_DN **be_suffix; /* the DN suffixes of data in this backend */ PRLock *be_suffixlock; - int be_suffixcount; + Slapi_Counter *be_suffixcounter; char *be_basedn; /* The base dn for the config & monitor dns */ char *be_configdn; /* The config dn for this backend */ char *be_monitordn; /* The monitor dn for this backend */

11 years, 6 months

1
0
0 / 0

Branch '389-ds-base-1.2.11' - ldap/servers

by Mark Reynolds

ldap/servers/slapd/log.c | 63 +++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 53 insertions(+), 10 deletions(-) New commits: commit 85261ef0161df156ea3991a77046aabda6c34cf4 Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Thu Dec 6 14:52:40 2012 -0500 Ticket 527 - ns-slapd segfaults if it cannot rename the logs Bug Description: If we can not rename a log file, triggered by log rotation, we try and log a message stating this error, but trying to log this new message triggers log rotation again. This leads to an infinite loop and a stack overflow. Fix Description: Created a new logging function that does not do a rotation check. We use this new function for all emergency error logging. https://fedorahosted.org/389/ticket/527 Reviewed by: richm(Thanks!) (cherry picked from commit 4e9aab8a172c8636ea78a9d1230c78c76268efd7) diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c index e622485..e65b247 100644 --- a/ldap/servers/slapd/log.c +++ b/ldap/servers/slapd/log.c @@ -138,6 +138,7 @@ static void log_append_buffer2(time_t tnl, LogBufferInfo *lbi, char *msg1, size_ static void log_flush_buffer(LogBufferInfo *lbi, int type, int sync_now); static void log_write_title(LOGFD fp); static void log__error_emergency(const char *errstr, int reopen, int locked); +static void vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked); static int slapd_log_error_proc_internal( @@ -1834,6 +1835,57 @@ slapd_log_error_proc_internal( return( rc ); } +/* + * Directly write the already formatted message to the error log + */ +static void +vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked) +{ + time_t tnl; + long tz; + struct tm *tmsp, tms; + char tbuf[ TBUFSIZE ]; + char buffer[SLAPI_LOG_BUFSIZ]; + char sign; + int size; + + tnl = current_time(); +#ifdef _WIN32 + { + struct tm *pt = localtime( &tnl ); + tmsp = &tms; + memcpy(&tms, pt, sizeof(struct tm) ); + } +#else + (void)localtime_r( &tnl, &tms ); + tmsp = &tms; +#endif +#ifdef BSD_TIME + tz = tmsp->tm_gmtoff; +#else /* BSD_TIME */ + tz = - timezone; + if ( tmsp->tm_isdst ) { + tz += 3600; + } +#endif /* BSD_TIME */ + sign = ( tz >= 0 ? '+' : '-' ); + if ( tz < 0 ) { + tz = -tz; + } + (void)strftime( tbuf, (size_t)TBUFSIZE, "%d/%b/%Y:%H:%M:%S", tmsp); + sprintf( buffer, "[%s %c%02d%02d] - %s", tbuf, sign, (int)( tz / 3600 ), (int)( tz % 3600 ), msg); + size = strlen(buffer); + + if(!locked) + LOG_ERROR_LOCK_WRITE(); + + slapi_write_buffer((fp), (buffer), (size)); + PR_Sync(fp); + + if(!locked) + LOG_ERROR_UNLOCK_WRITE(); +} + static int vslapd_log_error( LOGFD fp, @@ -3102,9 +3154,6 @@ char rootpath[4]; PR_snprintf(buffer, sizeof(buffer), "log__enough_freespace: Unable to get the free space (errno:%d)\n", errno); - /* This function could be called in the ERROR WRITE LOCK, - * which causes the self deadlock if you call LDAPDebug for logging. - * Thus, instead of LDAPDebug, call log__error_emergency with locked == 1. */ log__error_emergency(buffer, 0, 1); return 1; } else { @@ -3351,9 +3400,6 @@ delete_logfile: PR_snprintf (buffer, sizeof(buffer), "%s.%s", loginfo.log_error_file, tbuf); if (PR_Delete(buffer) != PR_SUCCESS) { PRErrorCode prerr = PR_GetError(); - /* This function could be called in the ERROR WRITE LOCK, - * which causes the self deadlock if you call LDAPDebug for logging. - * Thus, instead of LDAPDebug, call log__error_emergency with locked == 1. */ PR_snprintf(buffer, sizeof(buffer), "LOGINFO:Unable to remove file:%s.%s error %d (%s)\n", loginfo.log_error_file, tbuf, prerr, slapd_pr_strerror(prerr)); @@ -3713,10 +3759,7 @@ log__error_emergency(const char *errstr, int reopen, int locked) PRErrorCode prerr = PR_GetError(); syslog(LOG_ERR, "Failed to reopen errors log file, " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", prerr, slapd_pr_strerror(prerr)); } else { - /* LDAPDebug locks ERROR_LOCK_WRITE internally */ - if (locked) LOG_ERROR_UNLOCK_WRITE(); - LDAPDebug(LDAP_DEBUG_ANY, "%s\n", errstr, 0, 0); - if (locked) LOG_ERROR_LOCK_WRITE( ); + vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, locked); } return; }

11 years, 6 months

1
0
0 / 0

ldap/servers

by Mark Reynolds

ldap/servers/slapd/log.c | 63 +++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 53 insertions(+), 10 deletions(-) New commits: commit 4e9aab8a172c8636ea78a9d1230c78c76268efd7 Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Thu Dec 6 14:52:40 2012 -0500 Ticket 527 - ns-slapd segfaults if it cannot rename the logs Bug Description: If we can not rename a log file, triggered by log rotation, we try and log a message stating this error, but trying to log this new message triggers log rotation again. This leads to an infinite loop and a stack overflow. Fix Description: Created a new logging function that does not do a rotation check. We use this new function for all emergency error logging. https://fedorahosted.org/389/ticket/527 Reviewed by: richm(Thanks!) diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c index ecfdb19..d1c63bc 100644 --- a/ldap/servers/slapd/log.c +++ b/ldap/servers/slapd/log.c @@ -138,6 +138,7 @@ static void log_append_buffer2(time_t tnl, LogBufferInfo *lbi, char *msg1, size_ static void log_flush_buffer(LogBufferInfo *lbi, int type, int sync_now); static void log_write_title(LOGFD fp); static void log__error_emergency(const char *errstr, int reopen, int locked); +static void vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked); static int slapd_log_error_proc_internal( @@ -1834,6 +1835,57 @@ slapd_log_error_proc_internal( return( rc ); } +/* + * Directly write the already formatted message to the error log + */ +static void +vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked) +{ + time_t tnl; + long tz; + struct tm *tmsp, tms; + char tbuf[ TBUFSIZE ]; + char buffer[SLAPI_LOG_BUFSIZ]; + char sign; + int size; + + tnl = current_time(); +#ifdef _WIN32 + { + struct tm *pt = localtime( &tnl ); + tmsp = &tms; + memcpy(&tms, pt, sizeof(struct tm) ); + } +#else + (void)localtime_r( &tnl, &tms ); + tmsp = &tms; +#endif +#ifdef BSD_TIME + tz = tmsp->tm_gmtoff; +#else /* BSD_TIME */ + tz = - timezone; + if ( tmsp->tm_isdst ) { + tz += 3600; + } +#endif /* BSD_TIME */ + sign = ( tz >= 0 ? '+' : '-' ); + if ( tz < 0 ) { + tz = -tz; + } + (void)strftime( tbuf, (size_t)TBUFSIZE, "%d/%b/%Y:%H:%M:%S", tmsp); + sprintf( buffer, "[%s %c%02d%02d] - %s", tbuf, sign, (int)( tz / 3600 ), (int)( tz % 3600 ), msg); + size = strlen(buffer); + + if(!locked) + LOG_ERROR_LOCK_WRITE(); + + slapi_write_buffer((fp), (buffer), (size)); + PR_Sync(fp); + + if(!locked) + LOG_ERROR_UNLOCK_WRITE(); +} + static int vslapd_log_error( LOGFD fp, @@ -3102,9 +3154,6 @@ char rootpath[4]; PR_snprintf(buffer, sizeof(buffer), "log__enough_freespace: Unable to get the free space (errno:%d)\n", errno); - /* This function could be called in the ERROR WRITE LOCK, - * which causes the self deadlock if you call LDAPDebug for logging. - * Thus, instead of LDAPDebug, call log__error_emergency with locked == 1. */ log__error_emergency(buffer, 0, 1); return 1; } else { @@ -3351,9 +3400,6 @@ delete_logfile: PR_snprintf (buffer, sizeof(buffer), "%s.%s", loginfo.log_error_file, tbuf); if (PR_Delete(buffer) != PR_SUCCESS) { PRErrorCode prerr = PR_GetError(); - /* This function could be called in the ERROR WRITE LOCK, - * which causes the self deadlock if you call LDAPDebug for logging. - * Thus, instead of LDAPDebug, call log__error_emergency with locked == 1. */ PR_snprintf(buffer, sizeof(buffer), "LOGINFO:Unable to remove file:%s.%s error %d (%s)\n", loginfo.log_error_file, tbuf, prerr, slapd_pr_strerror(prerr)); @@ -3713,10 +3759,7 @@ log__error_emergency(const char *errstr, int reopen, int locked) PRErrorCode prerr = PR_GetError(); syslog(LOG_ERR, "Failed to reopen errors log file, " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", prerr, slapd_pr_strerror(prerr)); } else { - /* LDAPDebug locks ERROR_LOCK_WRITE internally */ - if (locked) LOG_ERROR_UNLOCK_WRITE(); - LDAPDebug(LDAP_DEBUG_ANY, "%s\n", errstr, 0, 0); - if (locked) LOG_ERROR_LOCK_WRITE( ); + vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, locked); } return; }

11 years, 6 months

1
0
0 / 0

Branch '389-ds-base-1.2.11' - ldap/servers lib/libaccess

by Mark Reynolds

ldap/servers/plugins/memberof/memberof.c | 7 +++++++ ldap/servers/slapd/back-ldbm/dblayer.c | 2 ++ lib/libaccess/acltools.cpp | 1 + 3 files changed, 10 insertions(+) New commits: commit 39b0938b43a5dbfdc566b343e504585bad7de859 Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Thu Dec 6 11:41:29 2012 -0500 Coverity Issues for 1.2.11 Reviewed by: richm(Thanks!) diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c index 598f4d9..a3f875d 100644 --- a/ldap/servers/plugins/memberof/memberof.c +++ b/ldap/servers/plugins/memberof/memberof.c @@ -1105,6 +1105,13 @@ memberof_modop_one_replace_r(Slapi_PBlock *pb, MemberOfConfig *config, const char *op_this = slapi_sdn_get_ndn(op_this_sdn); Slapi_Value *to_dn_val = slapi_value_new_string(op_to); Slapi_Value *this_dn_val = slapi_value_new_string(op_this); + + if(this_dn_val == NULL || to_dn_val == NULL){ + slapi_log_error( SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, + "memberof_modop_one_replace_r: failed to get DN values (NULL)\n"); + goto bail; + } + /* op_this and op_to are both case-normalized */ slapi_value_set_flags(this_dn_val, SLAPI_ATTR_FLAG_NORMALIZED_CIS); slapi_value_set_flags(to_dn_val, SLAPI_ATTR_FLAG_NORMALIZED_CIS); diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c index 02cb3fd..804543b 100644 --- a/ldap/servers/slapd/back-ldbm/dblayer.c +++ b/ldap/servers/slapd/back-ldbm/dblayer.c @@ -1910,6 +1910,8 @@ dblayer_get_id2entry_size(ldbm_instance *inst) ID2ENTRY LDBM_FILENAME_SUFFIX); rc = PR_GetFileInfo(id2entry_file, &info); slapi_ch_free_string(&id2entry_file); + if (inst_dirp != inst_dir) + slapi_ch_free_string(&inst_dirp); if (rc) { return 0; } diff --git a/lib/libaccess/acltools.cpp b/lib/libaccess/acltools.cpp index 69d0c2e..df08658 100644 --- a/lib/libaccess/acltools.cpp +++ b/lib/libaccess/acltools.cpp @@ -1415,6 +1415,7 @@ char *errmsg; eid = ACLERR1500; errmsg = system_errmsg(); nserrGenerate(errp, rv, eid, ACL_Program, 2, "buffer", errmsg); + PERM_FREE(errmsg); } }

11 years, 6 months

1
0
0 / 0

ldap/servers

by Mark Reynolds

ldap/servers/slapd/configdse.c | 1 + ldap/servers/slapd/libglobs.c | 36 ++++++++++++++++++++++++++++++++++++ ldap/servers/slapd/proto-slap.h | 2 ++ ldap/servers/slapd/saslbind.c | 2 ++ ldap/servers/slapd/slap.h | 2 ++ 5 files changed, 43 insertions(+) New commits: commit e3aac6618a00236b73e44b99d15abed647708187 Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Wed Dec 5 17:43:30 2012 -0500 Ticket 395 - RFE: 389-ds shouldn't advertise in the rootDSE that we can handle a sasl mech if we really can't Bug Description: The root DSE lists all the mechanisms the SASL library can handle (sasl_listmech), but that's not necessarily what the server/co-products can support (e.g. communicating with IPA). Fix Description: Added new config setting to specifiy the SASL mechanisms that are allowed. If none are specified, than all are allowed. This setting now impacts the SASL callback SASL_CB_GETOPT(ids_sasl_getopt), so it applies to all SASL operations. So, the root DSE information is correct, and you can now control what mechanisms the server actually allows. https://fedorahosted.org/389/ticket/395 Reviewed by: richm(Thanks!) diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c index b54062d..bd1566e 100644 --- a/ldap/servers/slapd/configdse.c +++ b/ldap/servers/slapd/configdse.c @@ -81,6 +81,7 @@ static const char *requires_restart[] = { #endif "cn=config:" CONFIG_RETURN_EXACT_CASE_ATTRIBUTE, "cn=config:" CONFIG_SCHEMA_IGNORE_TRAILING_SPACES, + "cn=config:nsslapd-allowed-sasl-mechanisms", "cn=config,cn=ldbm:nsslapd-idlistscanlimit", "cn=config,cn=ldbm:nsslapd-parentcheck", "cn=config,cn=ldbm:nsslapd-dbcachesize", diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c index dee7812..ab366fc 100644 --- a/ldap/servers/slapd/libglobs.c +++ b/ldap/servers/slapd/libglobs.c @@ -1006,6 +1006,10 @@ static struct config_get_and_set { NULL, 0, (void**)&global_slapdFrontendConfig.ndn_cache_max_size, CONFIG_INT, (ConfigGetFunc)config_get_ndn_cache_size, DEFAULT_NDN_SIZE}, + {CONFIG_ALLOWED_SASL_MECHS, config_set_allowed_sasl_mechs, + NULL, 0, + (void**)&global_slapdFrontendConfig.allowed_sasl_mechs, + CONFIG_STRING, (ConfigGetFunc)config_get_allowed_sasl_mechs, DEFAULT_ALLOWED_TO_DELETE_ATTRS}, #ifdef MEMPOOL_EXPERIMENTAL ,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch, NULL, 0, @@ -1423,6 +1427,7 @@ FrontendConfig_init () { cfg->entryusn_import_init = slapi_ch_strdup(ENTRYUSN_IMPORT_INIT); cfg->allowed_to_delete_attrs = slapi_ch_strdup("nsslapd-listenhost nsslapd-securelistenhost nsslapd-defaultnamingcontext"); cfg->default_naming_context = NULL; /* store normalized dn */ + cfg->allowed_sasl_mechs = NULL; init_disk_monitoring = cfg->disk_monitoring = LDAP_OFF; cfg->disk_threshold = 2097152; /* 2 mb */ @@ -6556,6 +6561,37 @@ config_set_allowed_to_delete_attrs( const char *attrname, char *value, } char * +config_get_allowed_sasl_mechs() +{ + char *retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapdFrontendConfig->allowed_sasl_mechs; + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; +} + +/* separated list of sasl mechs to allow */ +int +config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, int apply ) +{ + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + if(!apply || slapdFrontendConfig->allowed_sasl_mechs){ + /* we only set this at startup, if we try again just return SUCCESS */ + return LDAP_SUCCESS; + } + + CFG_LOCK_WRITE(slapdFrontendConfig); + slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value); + CFG_UNLOCK_WRITE(slapdFrontendConfig); + + return LDAP_SUCCESS; +} + +char * config_get_default_naming_context(void) { char *retVal; diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h index a17f40d..37b4647 100644 --- a/ldap/servers/slapd/proto-slap.h +++ b/ldap/servers/slapd/proto-slap.h @@ -549,6 +549,8 @@ int config_get_disk_logging_critical(); int config_get_ndn_cache_count(); size_t config_get_ndn_cache_size(); int config_get_ndn_cache_enabled(); +char *config_get_allowed_sasl_mechs(); +int config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, int apply); PLHashNumber hashNocaseString(const void *key); PRIntn hashNocaseCompare(const void *v1, const void *v2); diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c index f75e977..f9ddbfc 100644 --- a/ldap/servers/slapd/saslbind.c +++ b/ldap/servers/slapd/saslbind.c @@ -184,6 +184,8 @@ static int ids_sasl_getopt( } } else if (strcasecmp(option, "auxprop_plugin") == 0) { *result = "iDS"; + } else if (strcasecmp(option, "mech_list") == 0){ + *result = config_get_allowed_sasl_mechs(); } if (*result) *len = strlen(*result); diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h index 8b43f5a..a510d8a 100644 --- a/ldap/servers/slapd/slap.h +++ b/ldap/servers/slapd/slap.h @@ -2048,6 +2048,7 @@ typedef struct _slapdEntryPoints { #define CONFIG_DISK_LOGGING_CRITICAL "nsslapd-disk-monitoring-logging-critical" #define CONFIG_NDN_CACHE "nsslapd-ndn-cache-enabled" #define CONFIG_NDN_CACHE_SIZE "nsslapd-ndn-cache-max-size" +#define CONFIG_ALLOWED_SASL_MECHS "nsslapd-allowed-sasl-mechanisms" #ifdef MEMPOOL_EXPERIMENTAL #define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool" @@ -2258,6 +2259,7 @@ typedef struct _slapdFrontendConfig { char *entryusn_import_init; /* Entry USN: determine the initital value of import */ int pagedsizelimit; char *default_naming_context; /* Default naming context (normalized) */ + char *allowed_sasl_mechs; /* comma/space separated list of allowed sasl mechs */ /* disk monitoring */ int disk_monitoring;

11 years, 6 months

1
0
0 / 0

← Newer
1
2
3
4
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-commits December 2012