ldap/admin
by Nathan Kinder
ldap/admin/src/scripts/50contentsync.ldif | 1 +
1 file changed, 1 insertion(+)
New commits:
commit bf1203a0916cdbee27651644b85aa21e6de1224b
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Oct 22 15:24:36 2013 -0700
Ticket 47565 - Content Sync update file needs extensibleObject
The Content Sync Plug-in update file will cause a schema violation
that causes dse.ldif to fail to load after upgrading an older DS
instance. The problem is that the nsslapd-depends-on-name attribute
is used, but the extensibleObject objectclass is not present for
the config entry. This is required since nsslapd-depends-on-name
is not really defined in the schema like a normal attribute.
diff --git a/ldap/admin/src/scripts/50contentsync.ldif b/ldap/admin/src/scripts/50contentsync.ldif
index 0f15bdb..c48202b 100644
--- a/ldap/admin/src/scripts/50contentsync.ldif
+++ b/ldap/admin/src/scripts/50contentsync.ldif
@@ -1,6 +1,7 @@
dn: cn=Content Synchronization,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
+objectclass: extensibleObject
cn: Content Synchronization
nsslapd-pluginpath: libcontentsync-plugin
nsslapd-plugininitfunc: sync_init
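Review bot: Adding extensibleObject switches off attribute-type schema checking for the whole plugin entry, not only for nsslapd-depends-on-name: a misspelt nsslapd-* attribute in this entry will from now on be accepted silently instead of failing the load that this commit is fixing. That is an acceptable trade-off for an upgrade fix, but the description itself concedes the attribute is "not really defined in the schema", and the cleaner long-term fix is to declare nsslapd-depends-on-name in the config schema so the objectclass can be dropped again. A one-line comment above the dn, `# extensibleObject: required while nsslapd-depends-on-name is not in the schema`, would stop a later cleanup from removing it and reintroducing the load failure.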
Branch '389-ds-base-1.3.2' - ldap/admin
by thierry bordaz
ldap/admin/src/scripts/fixup-memberof.pl.in | 1 +
1 file changed, 1 insertion(+)
New commits:
commit 9b0e6a3c3add3a4e8f4493f9317d52fa84374c91
Author: Thierry bordaz (tbordaz) <tbordaz(a)redhat.com>
Date: Mon Oct 21 16:55:11 2013 +0200
Ticket 47560: fixup memberof task does not work: task entry not added
Bug Description:
The fixup memberof task is triggered by the ADD of an entry like:
cn=memberOf_fixup_YYYY_MM_DD_HH_MM_SS, cn=memberOf task, cn=tasks, cn=config
the script fixup-memberof.pl does not add this entry
Fix Description:
Initialize the $entry variable
https://fedorahosted.org/389/ticket/47560
Reviewed by: Noriko Hosoi
Platforms tested: F17
Flag Day: no
Doc impact: no
diff --git a/ldap/admin/src/scripts/fixup-memberof.pl.in b/ldap/admin/src/scripts/fixup-memberof.pl.in
index c7038f6..2355455 100644
--- a/ldap/admin/src/scripts/fixup-memberof.pl.in
+++ b/ldap/admin/src/scripts/fixup-memberof.pl.in
@@ -135,6 +135,7 @@ if ( $filter_arg ne "" )
$filter = "filter: $filter_arg\n";
}
+$entry = "${dn}${misc}${cn}${basedn}${filter}";
$rc = DSUtil::ldapmod($entry, %info);
$dn =~ s/^dn: //;
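Review bot: The new line assembles the task entry by plain string interpolation, and `$filter` (built from `$filter_arg` two lines above) is the part that comes from the command line: a value containing a newline would continue as additional attribute lines of the task entry rather than staying inside the filter value. The script runs with the administrator's own arguments, so this is a robustness rather than a privilege concern, but it is cheap to reject up front: `die "filter must not contain newlines\n" if $filter_arg =~ /[\r\n]/;` before the entry is built. I cannot see whether the file uses `use strict`; if it does, `$entry` needs a `my` declaration somewhere above the hunk. The identical line is added by the 1.3.2 and 1.3.1 cherry-picks of this commit further down the page.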
Branch '389-ds-base-1.3.1' - ldap/admin
by thierry bordaz
ldap/admin/src/scripts/fixup-memberof.pl.in | 1 +
1 file changed, 1 insertion(+)
New commits:
commit 05950d062b866fb7f590b19734b2eedccd1a2a2a
Author: Thierry bordaz (tbordaz) <tbordaz(a)redhat.com>
Date: Mon Oct 21 16:55:11 2013 +0200
Ticket 47560: fixup memberof task does not work: task entry not added
Bug Description:
The fixup memberof task is triggered by the ADD of an entry like:
cn=memberOf_fixup_YYYY_MM_DD_HH_MM_SS, cn=memberOf task, cn=tasks, cn=config
the script fixup-memberof.pl does not add this entry
Fix Description:
Initialize the $entry variable
https://fedorahosted.org/389/ticket/47560
Reviewed by: Noriko Hosoi
Platforms tested: F17
Flag Day: no
Doc impact: no
diff --git a/ldap/admin/src/scripts/fixup-memberof.pl.in b/ldap/admin/src/scripts/fixup-memberof.pl.in
index c7038f6..2355455 100644
--- a/ldap/admin/src/scripts/fixup-memberof.pl.in
+++ b/ldap/admin/src/scripts/fixup-memberof.pl.in
@@ -135,6 +135,7 @@ if ( $filter_arg ne "" )
$filter = "filter: $filter_arg\n";
}
+$entry = "${dn}${misc}${cn}${basedn}${filter}";
$rc = DSUtil::ldapmod($entry, %info);
$dn =~ s/^dn: //;
ldap/admin
by thierry bordaz
ldap/admin/src/scripts/fixup-memberof.pl.in | 1 +
1 file changed, 1 insertion(+)
New commits:
commit 3902f691d88823a9f2f8b839120e9365f6643f2d
Author: Thierry bordaz (tbordaz) <tbordaz(a)redhat.com>
Date: Mon Oct 21 16:55:11 2013 +0200
Ticket 47560: fixup memberof task does not work: task entry not added
Bug Description:
The fixup memberof task is triggered by the ADD of an entry like:
cn=memberOf_fixup_YYYY_MM_DD_HH_MM_SS, cn=memberOf task, cn=tasks, cn=config
the script fixup-memberof.pl does not add this entry
Fix Description:
Initialize the $entry variable
https://fedorahosted.org/389/ticket/47560
Reviewed by: Noriko Hosoi
Platforms tested: F17
Flag Day: no
Doc impact: no
diff --git a/ldap/admin/src/scripts/fixup-memberof.pl.in b/ldap/admin/src/scripts/fixup-memberof.pl.in
index c7038f6..2355455 100644
--- a/ldap/admin/src/scripts/fixup-memberof.pl.in
+++ b/ldap/admin/src/scripts/fixup-memberof.pl.in
@@ -135,6 +135,7 @@ if ( $filter_arg ne "" )
$filter = "filter: $filter_arg\n";
}
+$entry = "${dn}${misc}${cn}${basedn}${filter}";
$rc = DSUtil::ldapmod($entry, %info);
$dn =~ s/^dn: //;
src/com
by Ludwig Krispenz
src/com/netscape/management/admserv/admserv.properties | 2 ++
src/com/netscape/management/admserv/task/Restart.java | 11 +++++++----
2 files changed, 9 insertions(+), 4 deletions(-)
New commits:
commit ac0e0b55498cee065b338a2dded995e85af99570
Author: Ludwig <lkrispen(a)elkris2.redhat.com>
Date: Thu Oct 17 14:07:00 2013 +0200
Ticket 47477 - Cannot restart SSL-admin server from console
Bug Description: If SSL is enabled for the admin server, the console refuses to restart the admin server
Fix Description: Behaviour like DS, warn about required password file and ask confirmation to restart
https://fedorahosted.org/389/ticket/47477
Reviewed by: RichM
diff --git a/src/com/netscape/management/admserv/admserv.properties b/src/com/netscape/management/admserv/admserv.properties
index 5c69620..82c3c91 100644
--- a/src/com/netscape/management/admserv/admserv.properties
+++ b/src/com/netscape/management/admserv/admserv.properties
@@ -107,6 +107,8 @@ taskDescription-SNMPRestart=Restart SNMP Master Agent
taskDescription-SNMPStop=Stop SNMP Master Agent
restart-canNotRestart=The Administration Server cannot be restarted remotely from the Console.\nThe server can be restarted only locally from the command shell\nby running the "restart-admin" command.
+restart-confirmSSLRestart=Warning: Starting SSL-Enabled Admin Server \n\nYou cannot start an SSL-enabled Admin Server remotely unless\nyou have configured a password file for the server. If a password\nfile does not exist, you must log on to the machine where the\nserver is installed and start the server from the command line.\nThe restart-ds-admin script will prompt you for the certificate database\npassword when it starts the server.\n\nContinue to restart the server?
+
#
# information panel
diff --git a/src/com/netscape/management/admserv/task/Restart.java b/src/com/netscape/management/admserv/task/Restart.java
index c7e502f..c5c1eff 100644
--- a/src/com/netscape/management/admserv/task/Restart.java
+++ b/src/com/netscape/management/admserv/task/Restart.java
@@ -66,10 +66,13 @@ public class Restart extends AdminTaskObject {
if (restartControl != null) {
if (!restartControl.canRestartFromConsole()) {
String msg =
- AdminServer._resource.getString("restart","canNotRestart");
- SuiOptionPane.showMessageDialog(parent, msg, getName(),
- SuiOptionPane.ERROR_MESSAGE);
- return false;
+ AdminServer._resource.getString("restart","confirmSSLRestart");
+ int userSelection = SuiOptionPane.showConfirmDialog(parent, msg,
+ "Restart SSL-Enabled Server", SuiOptionPane.YES_NO_OPTION);
+
+ if (userSelection != SuiOptionPane.YES_OPTION) {
+ return false;
+ }
}
} else {
Debug.println("RestartOperation: restart activator not in ConsoleInfo");
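Review bot: The dialog title `"Restart SSL-Enabled Server"` is a hard-coded English literal while the message body comes from admserv.properties; put the title in the bundle as well (for example a `restart-confirmSSLRestartTitle` key next to the new message) so it localizes with the rest of the task. With the hard block removed, `canRestartFromConsole()` returning false is now only advisory, and nothing on this path verifies that a password file actually exists before the restart is issued; if restartControl can report that, checking it here would avoid a remote restart that leaves the server down waiting for a PIN prompt, which is exactly what the new message warns about. The `restart-canNotRestart` string appears to have lost its only caller in this file; confirm there is no other use before leaving it in the bundle. The enclosing method begins and ends outside the hunk.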
lib/libdsa
by Ludwig Krispenz
lib/libdsa/dsalib_location.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
New commits:
commit 7aaec2d20d9dbed528244a68bfff89dd4c45e241
Author: Ludwig <lkrispen(a)elkris2.redhat.com>
Date: Thu Oct 17 14:17:10 2013 +0200
Ticket 47563 - cannot restart directory server from console
Bug Description: code does not handle the sysconfig file in systemd format
Fix Description: when parsing the run dir string, handle lines with and without ";"
https://fedorahosted.org/389/ticket/47563
Reviewed by: RichM
diff --git a/lib/libdsa/dsalib_location.c b/lib/libdsa/dsalib_location.c
index e4104da..83d8682 100644
--- a/lib/libdsa/dsalib_location.c
+++ b/lib/libdsa/dsalib_location.c
@@ -149,11 +149,13 @@ ds_get_run_dir()
start++;
if ((p = strrchr(start, ';'))) {
*p = '\0';
- for (--p; isspace(*p); p--) {
- *p = '\0';
- }
- PR_snprintf(rundir, sizeof(rundir), "%s", start);
+ } else {
+ p = start + strlen(start);
+ }
+ for (--p; isspace(*p); p--) {
+ *p = '\0';
}
+ PR_snprintf(rundir, sizeof(rundir), "%s", start);
}
break;
}
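Review bot: The trailing-whitespace loop that now runs on both branches has no lower bound: when the value after `start++` is empty, or begins with `;`, `p` equals `start` and `--p` steps before the value, and an all-blank value walks backwards out of it the same way, writing NULs over whatever precedes it in the buffer. Bound it and avoid the negative-char pitfall of isspace on a plain char: `for (--p; p >= start && isspace((unsigned char)*p); p--) {`. The no-`;` case is otherwise right, since the trailing newline of a systemd-style line is stripped before the copy. ds_get_run_dir starts and ends outside the hunk.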
Branch '389-ds-base-1.3.1' - ldap/servers
by Richard Allen Megginson
ldap/servers/slapd/ldaputil.c | 51 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 47 insertions(+), 4 deletions(-)
New commits:
commit 8a7ee90d6a770f1732bcd03b20471de3a6162b2b
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Mon Oct 14 12:43:51 2013 -0600
Ticket #47559 hung server - related to sasl and initialize
https://fedorahosted.org/389/ticket/47559
Reviewed by: nhosoi (Thanks!)
Branch: 389-ds-base-1.3.1
Fix Description: Use a mutex to protect calls to openldap functions that do
anything with crypto - bind, unbind, start_tls, other calls.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit da3e4aa40b04094d0e77052b894b0f0c335ea1ef)
(cherry picked from commit 7b3b2fe9d4a7f73a12b4f2d499b2e6a2f80e454b)
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index edc8267..aa78d3d 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -99,10 +99,16 @@
#if !defined(USE_OPENLDAP)
#include <ldap_ssl.h>
#include <ldappr.h>
+#define BIND_LOCK (void)0
+#define BIND_UNLOCK (void)0
#else
/* need mutex around ldap_initialize - see https://fedorahosted.org/389/ticket/348 */
static PRCallOnceType ol_init_callOnce = {0,0};
static PRLock *ol_init_lock = NULL;
+/* need mutex around ldap_sasl_bind - see https://fedorahosted.org/389/ticket/47599 */
+static PRLock *ol_bind_lock = NULL;
+#define BIND_LOCK PR_Lock(ol_bind_lock)
+#define BIND_UNLOCK PR_Unlock(ol_bind_lock)
static PRStatus
internal_ol_init_init(void)
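Review bot: The new comment points at ticket 47599, but this commit and its description are for ticket 47559; that reads as a transposed digit and will send the next reader to the wrong ticket, so it should be `/* need mutex around ldap_sasl_bind - see https://fedorahosted.org/389/ticket/47559 */` unless 47599 is a deliberate separate reference. The same comment is carried into the three other copies of this commit below. The hunk ends in the signature of internal_ol_init_init, whose body continues in the next hunk.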
@@ -110,12 +116,20 @@ internal_ol_init_init(void)
PR_ASSERT(NULL == ol_init_lock);
if ((ol_init_lock = PR_NewLock()) == NULL) {
PRErrorCode errorCode = PR_GetError();
- slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock failed %d:%s\n",
+ slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock init_lock failed %d:%s\n",
errorCode, slapd_pr_strerror(errorCode));
return PR_FAILURE;
}
- return PR_SUCCESS;
+ PR_ASSERT(NULL == ol_bind_lock);
+ if ((ol_bind_lock = PR_NewLock()) == NULL) {
+ PRErrorCode errorCode = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock bind_lock failed %d:%s\n",
+ errorCode, slapd_pr_strerror(errorCode));
+ return PR_FAILURE;
+ }
+
+ return PR_SUCCESS;
}
#endif
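Review bot: If `PR_NewLock()` for ol_bind_lock fails, the ol_init_lock created a few lines earlier stays allocated: PR_CallOnce records the failure and the function is never re-entered, so that lock is leaked. Release it on that path with `PR_DestroyLock(ol_init_lock); ol_init_lock = NULL;` before the `return PR_FAILURE;`, which also keeps the `PR_ASSERT(NULL == ol_init_lock)` invariant truthful. The same applies to the three other copies of this commit below.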
@@ -145,7 +159,16 @@ void
slapi_ldap_unbind( LDAP *ld )
{
if ( ld != NULL ) {
+#if defined(USE_OPENLDAP)
+ if (PR_SUCCESS != PR_CallOnce(&ol_init_callOnce, internal_ol_init_init)) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_unbind",
+ "Could not perform internal ol_init init\n");
+ return;
+ }
+#endif
+ BIND_LOCK;
ldap_unbind_ext( ld, NULL, NULL );
+ BIND_UNLOCK;
}
}
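Review bot: On the new early-return path ld is neither unbound nor handed back, so the handle and its connection leak; slapi_ldap_unbind takes ownership of ld and the caller has no way to recover after the return. The process is already in a fatal state when the once-init fails, so leaking may be the right call, but it should be explicit, e.g. `/* lock unavailable: ld is deliberately leaked rather than touched unlocked */` above the return. It is also worth a one-line comment on why the once-init is needed in unbind at all (presumably an ld can reach here without having gone through the init path that normally runs it); the next reader will otherwise ask the same question.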
@@ -1031,11 +1054,22 @@ slapi_ldap_bind(
ldap_controls_free(clientctrls);
ldap_set_option(ld, LDAP_OPT_CLIENT_CONTROLS, NULL);
+#if defined(USE_OPENLDAP)
+ if (PR_SUCCESS != PR_CallOnce(&ol_init_callOnce, internal_ol_init_init)) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
+ "Could not perform internal ol_init init\n");
+ rc = -1;
+ goto done;
+ }
+#endif
+
if ((secure > 0) && mech && !strcmp(mech, LDAP_SASL_EXTERNAL)) {
#if defined(USE_OPENLDAP)
/* we already set up a tls context in slapi_ldap_init_ext() - this will
free those old settings and context and create a new one */
+ PR_Lock(ol_bind_lock);
rc = setup_ol_tls_conn(ld, 1);
+ PR_Unlock(ol_bind_lock);
#else
/* SSL connections will use the server's security context
and cert for client auth */
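Review bot: The lock around setup_ol_tls_conn is taken with bare `PR_Lock(ol_bind_lock)` / `PR_Unlock(ol_bind_lock)` while every other new site uses BIND_LOCK / BIND_UNLOCK; inside this `#if defined(USE_OPENLDAP)` block the macros expand to exactly those calls, so using them here keeps all locking sites greppable under one name. The `rc = -1; goto done;` path jumps to a label outside the hunk, and -1 is not an LDAP result code; if callers pass rc to ldap_err2string or compare it against LDAP_* values, `rc = LDAP_LOCAL_ERROR;` would be more consistent, assuming the rest of the function returns LDAP codes (its return convention is not visible from here). slapi_ldap_bind starts and ends outside the hunk.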
@@ -1060,7 +1094,9 @@ slapi_ldap_bind(
}
if (secure == 2) { /* send start tls */
+ BIND_LOCK;
rc = ldap_start_tls_s(ld, NULL /* serverctrls?? */, NULL);
+ BIND_UNLOCK;
if (LDAP_SUCCESS != rc) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not send startTLS request: "
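Review bot: Every call wrapped in BIND_LOCK in this and the following hunks (`ldap_start_tls_s` here, `ldap_result` with bind_timeout, and `slapd_ldap_sasl_interactive_bind`) performs a blocking network exchange, so ol_bind_lock is now one process-wide mutex held for the full duration of each outbound bind. A single unresponsive peer (a replication supplier, chaining backend or similar) holds it for up to bind_timeout and stalls every other outbound bind and every slapi_ldap_unbind in the server, so the hang from ticket 47559 is traded for a serialization point that one slow remote can drive. If the race is in the OpenLDAP/NSS initialization path rather than in the per-connection I/O, narrowing the lock to the handshake setup (the setup_ol_tls_conn call) or using a per-handle lock would avoid that; at minimum the commit message should state that outbound binds are now serialized so the behaviour change is discoverable. The same hunks appear in the 1.3.2, 1.2.11 and master copies of this commit below.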
@@ -1082,8 +1118,11 @@ slapi_ldap_bind(
"attempting %s bind with id [%s] creds [%s]\n",
mech ? mech : "SIMPLE",
bindid, creds);
- if ((rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
- NULL /* clientctrls */, &mymsgid))) {
+ BIND_LOCK;
+ rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
+ NULL /* clientctrls */, &mymsgid);
+ BIND_UNLOCK;
+ if (rc) {
char *myhostname = NULL;
char *copy = NULL;
char *ptr = NULL;
@@ -1139,7 +1178,9 @@ slapi_ldap_bind(
/* take the one provided by the caller. It should be the one defined in the protocol */
bind_timeout = timeout;
}
+ BIND_LOCK;
rc = ldap_result(ld, mymsgid, LDAP_MSG_ALL, bind_timeout, &result);
+ BIND_UNLOCK;
if (-1 == rc) { /* error */
rc = slapi_ldap_get_lderrno(ld, NULL, NULL);
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
@@ -1203,9 +1244,11 @@ slapi_ldap_bind(
ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);
}
#endif
+ BIND_LOCK;
rc = slapd_ldap_sasl_interactive_bind(ld, bindid, creds, mech,
serverctrls, returnedctrls,
msgidp);
+ BIND_UNLOCK;
if (LDAP_SUCCESS != rc) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not perform interactive bind for id "
Branch '389-ds-base-1.3.2' - ldap/servers
by Richard Allen Megginson
ldap/servers/slapd/ldaputil.c | 51 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 47 insertions(+), 4 deletions(-)
New commits:
commit 7b3b2fe9d4a7f73a12b4f2d499b2e6a2f80e454b
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Mon Oct 14 12:43:51 2013 -0600
Ticket #47559 hung server - related to sasl and initialize
https://fedorahosted.org/389/ticket/47559
Reviewed by: nhosoi (Thanks!)
Branch: 389-ds-base-1.3.2
Fix Description: Use a mutex to protect calls to openldap functions that do
anything with crypto - bind, unbind, start_tls, other calls.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit da3e4aa40b04094d0e77052b894b0f0c335ea1ef)
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index ed3491e..32c05ec 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -99,10 +99,16 @@
#if !defined(USE_OPENLDAP)
#include <ldap_ssl.h>
#include <ldappr.h>
+#define BIND_LOCK (void)0
+#define BIND_UNLOCK (void)0
#else
/* need mutex around ldap_initialize - see https://fedorahosted.org/389/ticket/348 */
static PRCallOnceType ol_init_callOnce = {0,0};
static PRLock *ol_init_lock = NULL;
+/* need mutex around ldap_sasl_bind - see https://fedorahosted.org/389/ticket/47599 */
+static PRLock *ol_bind_lock = NULL;
+#define BIND_LOCK PR_Lock(ol_bind_lock)
+#define BIND_UNLOCK PR_Unlock(ol_bind_lock)
static PRStatus
internal_ol_init_init(void)
@@ -110,12 +116,20 @@ internal_ol_init_init(void)
PR_ASSERT(NULL == ol_init_lock);
if ((ol_init_lock = PR_NewLock()) == NULL) {
PRErrorCode errorCode = PR_GetError();
- slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock failed %d:%s\n",
+ slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock init_lock failed %d:%s\n",
errorCode, slapd_pr_strerror(errorCode));
return PR_FAILURE;
}
- return PR_SUCCESS;
+ PR_ASSERT(NULL == ol_bind_lock);
+ if ((ol_bind_lock = PR_NewLock()) == NULL) {
+ PRErrorCode errorCode = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock bind_lock failed %d:%s\n",
+ errorCode, slapd_pr_strerror(errorCode));
+ return PR_FAILURE;
+ }
+
+ return PR_SUCCESS;
}
#endif
@@ -145,7 +159,16 @@ void
slapi_ldap_unbind( LDAP *ld )
{
if ( ld != NULL ) {
+#if defined(USE_OPENLDAP)
+ if (PR_SUCCESS != PR_CallOnce(&ol_init_callOnce, internal_ol_init_init)) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_unbind",
+ "Could not perform internal ol_init init\n");
+ return;
+ }
+#endif
+ BIND_LOCK;
ldap_unbind_ext( ld, NULL, NULL );
+ BIND_UNLOCK;
}
}
@@ -1034,11 +1057,22 @@ slapi_ldap_bind(
ldap_controls_free(clientctrls);
ldap_set_option(ld, LDAP_OPT_CLIENT_CONTROLS, NULL);
+#if defined(USE_OPENLDAP)
+ if (PR_SUCCESS != PR_CallOnce(&ol_init_callOnce, internal_ol_init_init)) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
+ "Could not perform internal ol_init init\n");
+ rc = -1;
+ goto done;
+ }
+#endif
+
if ((secure > 0) && mech && !strcmp(mech, LDAP_SASL_EXTERNAL)) {
#if defined(USE_OPENLDAP)
/* we already set up a tls context in slapi_ldap_init_ext() - this will
free those old settings and context and create a new one */
+ PR_Lock(ol_bind_lock);
rc = setup_ol_tls_conn(ld, 1);
+ PR_Unlock(ol_bind_lock);
#else
/* SSL connections will use the server's security context
and cert for client auth */
@@ -1063,7 +1097,9 @@ slapi_ldap_bind(
}
if (secure == 2) { /* send start tls */
+ BIND_LOCK;
rc = ldap_start_tls_s(ld, NULL /* serverctrls?? */, NULL);
+ BIND_UNLOCK;
if (LDAP_SUCCESS != rc) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not send startTLS request: "
@@ -1085,8 +1121,11 @@ slapi_ldap_bind(
"attempting %s bind with id [%s] creds [%s]\n",
mech ? mech : "SIMPLE",
bindid, creds);
- if ((rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
- NULL /* clientctrls */, &mymsgid))) {
+ BIND_LOCK;
+ rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
+ NULL /* clientctrls */, &mymsgid);
+ BIND_UNLOCK;
+ if (rc) {
char *myhostname = NULL;
char *copy = NULL;
char *ptr = NULL;
@@ -1142,7 +1181,9 @@ slapi_ldap_bind(
/* take the one provided by the caller. It should be the one defined in the protocol */
bind_timeout = timeout;
}
+ BIND_LOCK;
rc = ldap_result(ld, mymsgid, LDAP_MSG_ALL, bind_timeout, &result);
+ BIND_UNLOCK;
if (-1 == rc) { /* error */
rc = slapi_ldap_get_lderrno(ld, NULL, NULL);
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
@@ -1206,9 +1247,11 @@ slapi_ldap_bind(
ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);
}
#endif
+ BIND_LOCK;
rc = slapd_ldap_sasl_interactive_bind(ld, bindid, creds, mech,
serverctrls, returnedctrls,
msgidp);
+ BIND_UNLOCK;
if (LDAP_SUCCESS != rc) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not perform interactive bind for id "
Branch '389-ds-base-1.2.11' - ldap/servers
by Richard Allen Megginson
ldap/servers/slapd/ldaputil.c | 51 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 47 insertions(+), 4 deletions(-)
New commits:
commit a572cb299d8b31f270c9d7d53ad799e91c4dc212
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Mon Oct 14 12:43:51 2013 -0600
Ticket #47559 hung server - related to sasl and initialize
https://fedorahosted.org/389/ticket/47559
Reviewed by: nhosoi (Thanks!)
Branch: 389-ds-base-1.2.11
Fix Description: Use a mutex to protect calls to openldap functions that do
anything with crypto - bind, unbind, start_tls, other calls.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit da3e4aa40b04094d0e77052b894b0f0c335ea1ef)
(cherry picked from commit 7b3b2fe9d4a7f73a12b4f2d499b2e6a2f80e454b)
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index 331dd71..307a3a5 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -99,10 +99,16 @@
#if !defined(USE_OPENLDAP)
#include <ldap_ssl.h>
#include <ldappr.h>
+#define BIND_LOCK (void)0
+#define BIND_UNLOCK (void)0
#else
/* need mutex around ldap_initialize - see https://fedorahosted.org/389/ticket/348 */
static PRCallOnceType ol_init_callOnce = {0,0};
static PRLock *ol_init_lock = NULL;
+/* need mutex around ldap_sasl_bind - see https://fedorahosted.org/389/ticket/47599 */
+static PRLock *ol_bind_lock = NULL;
+#define BIND_LOCK PR_Lock(ol_bind_lock)
+#define BIND_UNLOCK PR_Unlock(ol_bind_lock)
static PRStatus
internal_ol_init_init(void)
@@ -110,12 +116,20 @@ internal_ol_init_init(void)
PR_ASSERT(NULL == ol_init_lock);
if ((ol_init_lock = PR_NewLock()) == NULL) {
PRErrorCode errorCode = PR_GetError();
- slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock failed %d:%s\n",
+ slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock init_lock failed %d:%s\n",
errorCode, slapd_pr_strerror(errorCode));
return PR_FAILURE;
}
- return PR_SUCCESS;
+ PR_ASSERT(NULL == ol_bind_lock);
+ if ((ol_bind_lock = PR_NewLock()) == NULL) {
+ PRErrorCode errorCode = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock bind_lock failed %d:%s\n",
+ errorCode, slapd_pr_strerror(errorCode));
+ return PR_FAILURE;
+ }
+
+ return PR_SUCCESS;
}
#endif
@@ -145,7 +159,16 @@ void
slapi_ldap_unbind( LDAP *ld )
{
if ( ld != NULL ) {
+#if defined(USE_OPENLDAP)
+ if (PR_SUCCESS != PR_CallOnce(&ol_init_callOnce, internal_ol_init_init)) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_unbind",
+ "Could not perform internal ol_init init\n");
+ return;
+ }
+#endif
+ BIND_LOCK;
ldap_unbind_ext( ld, NULL, NULL );
+ BIND_UNLOCK;
}
}
@@ -1024,11 +1047,22 @@ slapi_ldap_bind(
ldap_controls_free(clientctrls);
ldap_set_option(ld, LDAP_OPT_CLIENT_CONTROLS, NULL);
+#if defined(USE_OPENLDAP)
+ if (PR_SUCCESS != PR_CallOnce(&ol_init_callOnce, internal_ol_init_init)) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
+ "Could not perform internal ol_init init\n");
+ rc = -1;
+ goto done;
+ }
+#endif
+
if ((secure > 0) && mech && !strcmp(mech, LDAP_SASL_EXTERNAL)) {
#if defined(USE_OPENLDAP)
/* we already set up a tls context in slapi_ldap_init_ext() - this will
free those old settings and context and create a new one */
+ PR_Lock(ol_bind_lock);
rc = setup_ol_tls_conn(ld, 1);
+ PR_Unlock(ol_bind_lock);
#else
/* SSL connections will use the server's security context
and cert for client auth */
@@ -1053,7 +1087,9 @@ slapi_ldap_bind(
}
if (secure == 2) { /* send start tls */
+ BIND_LOCK;
rc = ldap_start_tls_s(ld, NULL /* serverctrls?? */, NULL);
+ BIND_UNLOCK;
if (LDAP_SUCCESS != rc) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not send startTLS request: "
@@ -1075,8 +1111,11 @@ slapi_ldap_bind(
"attempting %s bind with id [%s] creds [%s]\n",
mech ? mech : "SIMPLE",
bindid, creds);
- if ((rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
- NULL /* clientctrls */, &mymsgid))) {
+ BIND_LOCK;
+ rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
+ NULL /* clientctrls */, &mymsgid);
+ BIND_UNLOCK;
+ if (rc) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not send bind request for id "
"[%s] mech [%s]: error %d (%s) %d (%s) %d (%s)\n",
@@ -1091,7 +1130,9 @@ slapi_ldap_bind(
if (msgidp) { /* let caller process result */
*msgidp = mymsgid;
} else { /* process results */
+ BIND_LOCK;
rc = ldap_result(ld, mymsgid, LDAP_MSG_ALL, timeout, &result);
+ BIND_UNLOCK;
if (-1 == rc) { /* error */
rc = slapi_ldap_get_lderrno(ld, NULL, NULL);
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
@@ -1156,9 +1197,11 @@ slapi_ldap_bind(
ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);
}
#endif
+ BIND_LOCK;
rc = slapd_ldap_sasl_interactive_bind(ld, bindid, creds, mech,
serverctrls, returnedctrls,
msgidp);
+ BIND_UNLOCK;
if (LDAP_SUCCESS != rc) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not perform interactive bind for id "
ldap/servers
by Richard Allen Megginson
ldap/servers/slapd/ldaputil.c | 51 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 47 insertions(+), 4 deletions(-)
New commits:
commit da3e4aa40b04094d0e77052b894b0f0c335ea1ef
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Mon Oct 14 12:43:51 2013 -0600
Ticket #47559 hung server - related to sasl and initialize
https://fedorahosted.org/389/ticket/47559
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: Use a mutex to protect calls to openldap functions that do
anything with crypto - bind, unbind, start_tls, other calls.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index ed3491e..32c05ec 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -99,10 +99,16 @@
#if !defined(USE_OPENLDAP)
#include <ldap_ssl.h>
#include <ldappr.h>
+#define BIND_LOCK (void)0
+#define BIND_UNLOCK (void)0
#else
/* need mutex around ldap_initialize - see https://fedorahosted.org/389/ticket/348 */
static PRCallOnceType ol_init_callOnce = {0,0};
static PRLock *ol_init_lock = NULL;
+/* need mutex around ldap_sasl_bind - see https://fedorahosted.org/389/ticket/47599 */
+static PRLock *ol_bind_lock = NULL;
+#define BIND_LOCK PR_Lock(ol_bind_lock)
+#define BIND_UNLOCK PR_Unlock(ol_bind_lock)
static PRStatus
internal_ol_init_init(void)
@@ -110,12 +116,20 @@ internal_ol_init_init(void)
PR_ASSERT(NULL == ol_init_lock);
if ((ol_init_lock = PR_NewLock()) == NULL) {
PRErrorCode errorCode = PR_GetError();
- slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock failed %d:%s\n",
+ slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock init_lock failed %d:%s\n",
errorCode, slapd_pr_strerror(errorCode));
return PR_FAILURE;
}
- return PR_SUCCESS;
+ PR_ASSERT(NULL == ol_bind_lock);
+ if ((ol_bind_lock = PR_NewLock()) == NULL) {
+ PRErrorCode errorCode = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock bind_lock failed %d:%s\n",
+ errorCode, slapd_pr_strerror(errorCode));
+ return PR_FAILURE;
+ }
+
+ return PR_SUCCESS;
}
#endif
@@ -145,7 +159,16 @@ void
slapi_ldap_unbind( LDAP *ld )
{
if ( ld != NULL ) {
+#if defined(USE_OPENLDAP)
+ if (PR_SUCCESS != PR_CallOnce(&ol_init_callOnce, internal_ol_init_init)) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_unbind",
+ "Could not perform internal ol_init init\n");
+ return;
+ }
+#endif
+ BIND_LOCK;
ldap_unbind_ext( ld, NULL, NULL );
+ BIND_UNLOCK;
}
}
@@ -1034,11 +1057,22 @@ slapi_ldap_bind(
ldap_controls_free(clientctrls);
ldap_set_option(ld, LDAP_OPT_CLIENT_CONTROLS, NULL);
+#if defined(USE_OPENLDAP)
+ if (PR_SUCCESS != PR_CallOnce(&ol_init_callOnce, internal_ol_init_init)) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
+ "Could not perform internal ol_init init\n");
+ rc = -1;
+ goto done;
+ }
+#endif
+
if ((secure > 0) && mech && !strcmp(mech, LDAP_SASL_EXTERNAL)) {
#if defined(USE_OPENLDAP)
/* we already set up a tls context in slapi_ldap_init_ext() - this will
free those old settings and context and create a new one */
+ PR_Lock(ol_bind_lock);
rc = setup_ol_tls_conn(ld, 1);
+ PR_Unlock(ol_bind_lock);
#else
/* SSL connections will use the server's security context
and cert for client auth */
@@ -1063,7 +1097,9 @@ slapi_ldap_bind(
}
if (secure == 2) { /* send start tls */
+ BIND_LOCK;
rc = ldap_start_tls_s(ld, NULL /* serverctrls?? */, NULL);
+ BIND_UNLOCK;
if (LDAP_SUCCESS != rc) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not send startTLS request: "
@@ -1085,8 +1121,11 @@ slapi_ldap_bind(
"attempting %s bind with id [%s] creds [%s]\n",
mech ? mech : "SIMPLE",
bindid, creds);
- if ((rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
- NULL /* clientctrls */, &mymsgid))) {
+ BIND_LOCK;
+ rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
+ NULL /* clientctrls */, &mymsgid);
+ BIND_UNLOCK;
+ if (rc) {
char *myhostname = NULL;
char *copy = NULL;
char *ptr = NULL;
@@ -1142,7 +1181,9 @@ slapi_ldap_bind(
/* take the one provided by the caller. It should be the one defined in the protocol */
bind_timeout = timeout;
}
+ BIND_LOCK;
rc = ldap_result(ld, mymsgid, LDAP_MSG_ALL, bind_timeout, &result);
+ BIND_UNLOCK;
if (-1 == rc) { /* error */
rc = slapi_ldap_get_lderrno(ld, NULL, NULL);
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
@@ -1206,9 +1247,11 @@ slapi_ldap_bind(
ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);
}
#endif
+ BIND_LOCK;
rc = slapd_ldap_sasl_interactive_bind(ld, bindid, creds, mech,
serverctrls, returnedctrls,
msgidp);
+ BIND_UNLOCK;
if (LDAP_SUCCESS != rc) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not perform interactive bind for id "