Branch '389-ds-base-1.3.2' - ldap/servers
by Richard Allen Megginson
ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c | 2
ldap/servers/slapd/proto-slap.h | 1
ldap/servers/slapd/ssl.c | 58 ++++++++++++++++++++++++++
3 files changed, 60 insertions(+), 1 deletion(-)
New commits:
commit cf091de4ae70ad8d683ff33c57e75e58ff900502
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Fri Nov 15 10:24:26 2013 -0700
Ticket #47596 attrcrypt fails to find unlocked key
https://fedorahosted.org/389/ticket/47596
Reviewed by: nkinder (Thanks!)
Branch: master
Fix Description: There should always be a pre-authenticated slot/token that
has the server's cert and key. Just loop through all of the slots that the
server's cert is found on, and use the first one that is authenticated.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit b1fad4e35c0f963bf4678a2ed9a068dbe4fb159c)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
index 09cce9b..f4a5d1a 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
@@ -425,7 +425,7 @@ attrcrypt_fetch_private_key(SECKEYPrivateKey **private_key)
LDAPDebug(LDAP_DEBUG_ANY,"Can't find certificate %s in attrcrypt_fetch_private_key: %d - %s\n", cert_name, errorCode, slapd_pr_strerror(errorCode));
}
if( cert != NULL ) {
- key = slapd_pk11_findKeyByAnyCert(cert, NULL);
+ key = slapd_get_unlocked_key_for_cert(cert, NULL);
}
if (key == NULL) {
errorCode = PR_GetError();
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 6539f95..af7b553 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -1026,6 +1026,7 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS);
int slapd_security_library_is_initialized();
int slapd_ssl_listener_is_initialized();
int slapd_SSL_client_auth (LDAP* ld);
+SECKEYPrivateKey *slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg);
/*
* security_wrappers.c
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index f515b8e..8b80acb 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1577,3 +1577,61 @@ char* slapd_get_tmp_dir()
#endif
return ( tmpdir );
}
+
+SECKEYPrivateKey *
+slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg)
+{
+ SECKEYPrivateKey *key = NULL;
+ PK11SlotListElement *sle;
+ PK11SlotList *slotlist = PK11_GetAllSlotsForCert(cert, NULL);
+ const char *certsubject = cert->subjectName ? cert->subjectName : "unknown cert";
+
+ if (!slotlist) {
+ PRErrorCode errcode = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert",
+ "Error: cannot get slot list for certificate [%s] (%d: %s)\n",
+ certsubject, errcode, slapd_pr_strerror(errcode));
+ return key;
+ }
+
+ for (sle = slotlist->head; sle; sle = sle->next) {
+ PK11SlotInfo *slot = sle->slot;
+ const char *slotname = (slot && PK11_GetSlotName(slot)) ? PK11_GetSlotName(slot) : "unknown slot";
+ const char *tokenname = (slot && PK11_GetTokenName(slot)) ? PK11_GetTokenName(slot) : "unknown token";
+ if (!slot) {
+ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
+ "Missing slot for slot list element for certificate [%s]\n",
+ certsubject);
+ } else if (PK11_IsLoggedIn(slot, pin_arg)) {
+ key = PK11_FindKeyByDERCert(slot, cert, pin_arg);
+ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
+ "Found unlocked slot [%s] token [%s] for certificate [%s]\n",
+ slotname, tokenname, certsubject);
+ break;
+ } else {
+ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
+ "Skipping locked slot [%s] token [%s] for certificate [%s]\n",
+ slotname, tokenname, certsubject);
+ }
+ }
+
+ if (!key) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert",
+ "Error: could not find any unlocked slots for certificate [%s]. "
+ "Please review your TLS/SSL configuration. The following slots were found:\n",
+ certsubject);
+ for (sle = slotlist->head; sle; sle = sle->next) {
+ PK11SlotInfo *slot = sle->slot;
+ const char *slotname = (slot && PK11_GetSlotName(slot)) ? PK11_GetSlotName(slot) : "unknown slot";
+ const char *tokenname = (slot && PK11_GetTokenName(slot)) ? PK11_GetTokenName(slot) : "unknown token";
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert",
+ "Slot [%s] token [%s] was locked.\n",
+ slotname, tokenname);
+ }
+
+ }
+
+ PK11_FreeSlotList(slotlist);
+ return key;
+}
+
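Review bot: In the `PK11_IsLoggedIn` branch the loop traces "Found unlocked slot" and reaches `break` even when `PK11_FindKeyByDERCert` returned NULL, so a later authenticated slot that does hold the key is never tried. The `if (!key)` block then reports every slot, including that unlocked one, as "was locked", which sends an operator to check token PINs when the real cause is a missing key. I would break only once a key is actually returned and trace the unlocked-but-keyless case separately, as in the excerpt below, and have the failure dump print each slot's `PK11_IsLoggedIn` state instead of a fixed "was locked". The function also reads `cert->subjectName` with no NULL check on `cert`, and it needs a header comment saying the caller must release the returned key with `SECKEY_DestroyPrivateKey`. The same hunk is repeated in the 389-ds-base-1.3.0 cherry-pick further down the page.

```c
    for (sle = slotlist->head; sle; sle = sle->next) {
        /* … unchanged: slot, slotname, tokenname and the !slot trace … */
        } else if (PK11_IsLoggedIn(slot, pin_arg)) {
            key = PK11_FindKeyByDERCert(slot, cert, pin_arg);
            if (key) {
                slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
                                "Found unlocked slot [%s] token [%s] for certificate [%s]\n",
                                slotname, tokenname, certsubject);
                break;
            }
            /* authenticated slot without the key: keep looking */
            slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
                            "Unlocked slot [%s] token [%s] has no key for certificate [%s]\n",
                            slotname, tokenname, certsubject);
        } else {
            /* … unchanged: "Skipping locked slot" trace … */
```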
Branch '389-ds-base-1.3.0' - ldap/servers
by Richard Allen Megginson
ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c | 2
ldap/servers/slapd/proto-slap.h | 1
ldap/servers/slapd/ssl.c | 58 ++++++++++++++++++++++++++
3 files changed, 60 insertions(+), 1 deletion(-)
New commits:
commit e2d11075405898c84e50e2a98788ac4614efd2c1
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Fri Nov 15 10:24:26 2013 -0700
Ticket #47596 attrcrypt fails to find unlocked key
https://fedorahosted.org/389/ticket/47596
Reviewed by: nkinder (Thanks!)
Branch: 389-ds-base-1.3.0
Fix Description: There should always be a pre-authenticated slot/token that
has the server's cert and key. Just loop through all of the slots that the
server's cert is found on, and use the first one that is authenticated.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit b1fad4e35c0f963bf4678a2ed9a068dbe4fb159c)
(cherry picked from commit cf091de4ae70ad8d683ff33c57e75e58ff900502)
(cherry picked from commit 92b46296c0b4ab9aa436ae09bca95832e2276c6e)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
index f0ef692..e74e951 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
@@ -425,7 +425,7 @@ attrcrypt_fetch_private_key(SECKEYPrivateKey **private_key)
LDAPDebug(LDAP_DEBUG_ANY,"Can't find certificate %s in attrcrypt_fetch_private_key: %d - %s\n", cert_name, errorCode, slapd_pr_strerror(errorCode));
}
if( cert != NULL ) {
- key = slapd_pk11_findKeyByAnyCert(cert, NULL);
+ key = slapd_get_unlocked_key_for_cert(cert, NULL);
}
if (key == NULL) {
errorCode = PR_GetError();
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index fd9724f..550e59c 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -1004,6 +1004,7 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS);
int slapd_security_library_is_initialized();
int slapd_ssl_listener_is_initialized();
int slapd_SSL_client_auth (LDAP* ld);
+SECKEYPrivateKey *slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg);
/*
* security_wrappers.c
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index f515b8e..8b80acb 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1577,3 +1577,61 @@ char* slapd_get_tmp_dir()
#endif
return ( tmpdir );
}
+
+SECKEYPrivateKey *
+slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg)
+{
+ SECKEYPrivateKey *key = NULL;
+ PK11SlotListElement *sle;
+ PK11SlotList *slotlist = PK11_GetAllSlotsForCert(cert, NULL);
+ const char *certsubject = cert->subjectName ? cert->subjectName : "unknown cert";
+
+ if (!slotlist) {
+ PRErrorCode errcode = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert",
+ "Error: cannot get slot list for certificate [%s] (%d: %s)\n",
+ certsubject, errcode, slapd_pr_strerror(errcode));
+ return key;
+ }
+
+ for (sle = slotlist->head; sle; sle = sle->next) {
+ PK11SlotInfo *slot = sle->slot;
+ const char *slotname = (slot && PK11_GetSlotName(slot)) ? PK11_GetSlotName(slot) : "unknown slot";
+ const char *tokenname = (slot && PK11_GetTokenName(slot)) ? PK11_GetTokenName(slot) : "unknown token";
+ if (!slot) {
+ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
+ "Missing slot for slot list element for certificate [%s]\n",
+ certsubject);
+ } else if (PK11_IsLoggedIn(slot, pin_arg)) {
+ key = PK11_FindKeyByDERCert(slot, cert, pin_arg);
+ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
+ "Found unlocked slot [%s] token [%s] for certificate [%s]\n",
+ slotname, tokenname, certsubject);
+ break;
+ } else {
+ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
+ "Skipping locked slot [%s] token [%s] for certificate [%s]\n",
+ slotname, tokenname, certsubject);
+ }
+ }
+
+ if (!key) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert",
+ "Error: could not find any unlocked slots for certificate [%s]. "
+ "Please review your TLS/SSL configuration. The following slots were found:\n",
+ certsubject);
+ for (sle = slotlist->head; sle; sle = sle->next) {
+ PK11SlotInfo *slot = sle->slot;
+ const char *slotname = (slot && PK11_GetSlotName(slot)) ? PK11_GetSlotName(slot) : "unknown slot";
+ const char *tokenname = (slot && PK11_GetTokenName(slot)) ? PK11_GetTokenName(slot) : "unknown token";
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert",
+ "Slot [%s] token [%s] was locked.\n",
+ slotname, tokenname);
+ }
+
+ }
+
+ PK11_FreeSlotList(slotlist);
+ return key;
+}
+
Branch '389-ds-base-1.3.1' - ldap/servers
by Mark Reynolds
ldap/servers/slapd/back-ldbm/seq.c | 61 ++++++++++++++++++++-----------------
1 file changed, 34 insertions(+), 27 deletions(-)
New commits:
commit da9fed74c2a04dc45b4354f436e70020bcbd7cd2
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Tue Nov 19 09:45:03 2013 -0500
Ticket 47598 - Convert ldbm_back_seq code to be transaction aware
Description: Attempt to retrieve the transaction, and pass it to the db
functions, and id2entry. Also did a little code cleanup.
https://fedorahosted.org/389/ticket/47598
Reviewed by: richm(Thanks!)
(cherry picked from commit 50272119bbff52c5d9b6ce5d7302aef763aa96ec)
diff --git a/ldap/servers/slapd/back-ldbm/seq.c b/ldap/servers/slapd/back-ldbm/seq.c
index ab473bd..27da2a4 100644
--- a/ldap/servers/slapd/back-ldbm/seq.c
+++ b/ldap/servers/slapd/back-ldbm/seq.c
@@ -68,20 +68,21 @@
int
ldbm_back_seq( Slapi_PBlock *pb )
{
- backend *be;
- ldbm_instance *inst;
- struct ldbminfo *li;
- IDList *idl = NULL;
- int err = LDAP_SUCCESS;
- DB *db;
- DBC *dbc = NULL;
- int type;
- char *attrname, *val;
- int isroot;
+ backend *be;
+ ldbm_instance *inst;
+ struct ldbminfo *li;
+ IDList *idl = NULL;
+ back_txn txn = {NULL};
struct attrinfo *ai = NULL;
+ DB *db;
+ DBC *dbc = NULL;
+ char *attrname, *val;
+ int err = LDAP_SUCCESS;
int return_value = -1;
- int nentries = 0;
- int retry_count=0;
+ int nentries = 0;
+ int retry_count = 0;
+ int isroot;
+ int type;
/* Decode arguments */
slapi_pblock_get( pb, SLAPI_BACKEND, &be);
@@ -90,9 +91,15 @@ ldbm_back_seq( Slapi_PBlock *pb )
slapi_pblock_get( pb, SLAPI_SEQ_ATTRNAME, &attrname );
slapi_pblock_get( pb, SLAPI_SEQ_VAL, &val );
slapi_pblock_get( pb, SLAPI_REQUESTOR_ISROOT, &isroot );
+ slapi_pblock_get( pb, SLAPI_TXN, &txn.back_txn_txn );
inst = (ldbm_instance *) be->be_instance_info;
+ if ( !txn.back_txn_txn ) {
+ dblayer_txn_init( li, &txn );
+ slapi_pblock_set( pb, SLAPI_TXN, txn.back_txn_txn );
+ }
+
/* Validate arguments */
if ( type != SLAPI_SEQ_FIRST &&
type != SLAPI_SEQ_LAST &&
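Review bot: The added `slapi_pblock_set( pb, SLAPI_TXN, txn.back_txn_txn )` rewrites the caller's pblock as a side effect of a sequential read, and none of the `return -1` paths visible in the later hunks restores the previous value. If `dblayer_txn_init` only picks up a transaction that is already current for the thread this may be harmless, but that is not visible here, and a handle left behind in `pb` would be seen by whatever uses the pblock next. I would state the ownership in a comment, e.g. `/* txn is borrowed from the enclosing operation; seq never begins, commits or aborts it */`, or drop the `slapi_pblock_set` if nothing downstream reads it. `li` must already be assigned at this point; its assignment is outside the hunk.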
@@ -114,7 +121,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
LDAPDebug( LDAP_DEBUG_TRACE,
"seq: caller specified un-indexed attribute %s\n",
attrname ? attrname : "", 0, 0 );
- slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
+ slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"Unindexed seq access type", 0, NULL );
return -1;
}
@@ -123,13 +130,13 @@ ldbm_back_seq( Slapi_PBlock *pb )
LDAPDebug( LDAP_DEBUG_ANY,
"<= ldbm_back_seq NULL (could not open index file for attribute %s)\n",
attrname, 0, 0 );
- slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
+ slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
return -1;
}
/* First, get a database cursor */
- return_value = db->cursor(db,NULL,&dbc,0);
+ return_value = db->cursor(db, txn.back_txn_txn, &dbc, 0);
if (0 == return_value)
{
@@ -160,7 +167,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
big_buffer = slapi_ch_malloc(key_length);
if (NULL == big_buffer) {
/* memory allocation failure */
- dblayer_release_index_file( be, ai, db );
+ dblayer_release_index_file( be, ai, db );
return -1;
}
key.data = big_buffer;
@@ -234,24 +241,24 @@ ldbm_back_seq( Slapi_PBlock *pb )
/* Retrieve the idlist for this key */
key.flags = 0;
for (retry_count = 0; retry_count < IDL_FETCH_RETRY_COUNT; retry_count++) {
- err = NEW_IDL_DEFAULT;
- idl = idl_fetch( be, db, &key, NULL, ai, &err );
- if(err == DB_LOCK_DEADLOCK) {
- ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err);
+ err = NEW_IDL_DEFAULT;
+ idl = idl_fetch( be, db, &key, txn.back_txn_txn, ai, &err );
+ if(err == DB_LOCK_DEADLOCK) {
+ ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err);
#ifdef FIX_TXN_DEADLOCKS
#error if txn != NULL, have to retry the entire transaction
#endif
- continue;
- } else {
- break;
- }
+ continue;
+ } else {
+ break;
+ }
}
}
}
if(retry_count == IDL_FETCH_RETRY_COUNT) {
- ldbm_nasty("ldbm_back_seq retry count exceeded",1645,err);
+ ldbm_nasty("ldbm_back_seq retry count exceeded",1645,err);
} else if ( err != 0 && err != DB_NOTFOUND ) {
- ldbm_nasty("ldbm_back_seq database error", 1650, err);
+ ldbm_nasty("ldbm_back_seq database error", 1650, err);
}
slapi_ch_free( &(data.data) );
if ( key.data != little_buffer && key.data != &keystring ) {
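Review bot: Passing `txn.back_txn_txn` to `idl_fetch` means the `DB_LOCK_DEADLOCK` branch now retries a single read inside a transaction that may be non-NULL, which is the case the retained `#error if txn != NULL, have to retry the entire transaction` guard warns about. Berkeley DB expects a deadlocked transaction to be aborted by its owner, so re-issuing only this fetch with `continue` is unlikely to recover and can burn all `IDL_FETCH_RETRY_COUNT` attempts. I would leave the loop when a transaction is in play, e.g. `if (err == DB_LOCK_DEADLOCK && txn.back_txn_txn) break;`, and let the deadlock propagate to the code that owns the transaction, keeping the retry for the non-transactional case only. The enclosing block of ldbm_back_seq starts and ends outside this hunk; the same hunk appears in the two later postings of this commit on the page.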
@@ -272,7 +279,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
for ( id = idl_firstid( idl ); id != NOID;
id = idl_nextid( idl, id ))
{
- if (( e = id2entry( be, id, NULL, &err )) == NULL )
+ if (( e = id2entry( be, id, &txn, &err )) == NULL )
{
if ( err != LDAP_SUCCESS )
{
Branch '389-ds-base-1.3.2' - ldap/servers
by Mark Reynolds
ldap/servers/slapd/back-ldbm/seq.c | 61 ++++++++++++++++++++-----------------
1 file changed, 34 insertions(+), 27 deletions(-)
New commits:
commit 17e5d8af35ea14ff0f026f129b9a1d6a017cb780
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Tue Nov 19 09:45:03 2013 -0500
Ticket 47598 - Convert ldbm_back_seq code to be transaction aware
Description: Attempt to retrieve the transaction, and pass it to the db
functions, and id2entry. Also did a little code cleanup.
https://fedorahosted.org/389/ticket/47598
Reviewed by: richm(Thanks!)
(cherry picked from commit 50272119bbff52c5d9b6ce5d7302aef763aa96ec)
diff --git a/ldap/servers/slapd/back-ldbm/seq.c b/ldap/servers/slapd/back-ldbm/seq.c
index ab473bd..27da2a4 100644
--- a/ldap/servers/slapd/back-ldbm/seq.c
+++ b/ldap/servers/slapd/back-ldbm/seq.c
@@ -68,20 +68,21 @@
int
ldbm_back_seq( Slapi_PBlock *pb )
{
- backend *be;
- ldbm_instance *inst;
- struct ldbminfo *li;
- IDList *idl = NULL;
- int err = LDAP_SUCCESS;
- DB *db;
- DBC *dbc = NULL;
- int type;
- char *attrname, *val;
- int isroot;
+ backend *be;
+ ldbm_instance *inst;
+ struct ldbminfo *li;
+ IDList *idl = NULL;
+ back_txn txn = {NULL};
struct attrinfo *ai = NULL;
+ DB *db;
+ DBC *dbc = NULL;
+ char *attrname, *val;
+ int err = LDAP_SUCCESS;
int return_value = -1;
- int nentries = 0;
- int retry_count=0;
+ int nentries = 0;
+ int retry_count = 0;
+ int isroot;
+ int type;
/* Decode arguments */
slapi_pblock_get( pb, SLAPI_BACKEND, &be);
@@ -90,9 +91,15 @@ ldbm_back_seq( Slapi_PBlock *pb )
slapi_pblock_get( pb, SLAPI_SEQ_ATTRNAME, &attrname );
slapi_pblock_get( pb, SLAPI_SEQ_VAL, &val );
slapi_pblock_get( pb, SLAPI_REQUESTOR_ISROOT, &isroot );
+ slapi_pblock_get( pb, SLAPI_TXN, &txn.back_txn_txn );
inst = (ldbm_instance *) be->be_instance_info;
+ if ( !txn.back_txn_txn ) {
+ dblayer_txn_init( li, &txn );
+ slapi_pblock_set( pb, SLAPI_TXN, txn.back_txn_txn );
+ }
+
/* Validate arguments */
if ( type != SLAPI_SEQ_FIRST &&
type != SLAPI_SEQ_LAST &&
@@ -114,7 +121,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
LDAPDebug( LDAP_DEBUG_TRACE,
"seq: caller specified un-indexed attribute %s\n",
attrname ? attrname : "", 0, 0 );
- slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
+ slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"Unindexed seq access type", 0, NULL );
return -1;
}
@@ -123,13 +130,13 @@ ldbm_back_seq( Slapi_PBlock *pb )
LDAPDebug( LDAP_DEBUG_ANY,
"<= ldbm_back_seq NULL (could not open index file for attribute %s)\n",
attrname, 0, 0 );
- slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
+ slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
return -1;
}
/* First, get a database cursor */
- return_value = db->cursor(db,NULL,&dbc,0);
+ return_value = db->cursor(db, txn.back_txn_txn, &dbc, 0);
if (0 == return_value)
{
@@ -160,7 +167,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
big_buffer = slapi_ch_malloc(key_length);
if (NULL == big_buffer) {
/* memory allocation failure */
- dblayer_release_index_file( be, ai, db );
+ dblayer_release_index_file( be, ai, db );
return -1;
}
key.data = big_buffer;
@@ -234,24 +241,24 @@ ldbm_back_seq( Slapi_PBlock *pb )
/* Retrieve the idlist for this key */
key.flags = 0;
for (retry_count = 0; retry_count < IDL_FETCH_RETRY_COUNT; retry_count++) {
- err = NEW_IDL_DEFAULT;
- idl = idl_fetch( be, db, &key, NULL, ai, &err );
- if(err == DB_LOCK_DEADLOCK) {
- ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err);
+ err = NEW_IDL_DEFAULT;
+ idl = idl_fetch( be, db, &key, txn.back_txn_txn, ai, &err );
+ if(err == DB_LOCK_DEADLOCK) {
+ ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err);
#ifdef FIX_TXN_DEADLOCKS
#error if txn != NULL, have to retry the entire transaction
#endif
- continue;
- } else {
- break;
- }
+ continue;
+ } else {
+ break;
+ }
}
}
}
if(retry_count == IDL_FETCH_RETRY_COUNT) {
- ldbm_nasty("ldbm_back_seq retry count exceeded",1645,err);
+ ldbm_nasty("ldbm_back_seq retry count exceeded",1645,err);
} else if ( err != 0 && err != DB_NOTFOUND ) {
- ldbm_nasty("ldbm_back_seq database error", 1650, err);
+ ldbm_nasty("ldbm_back_seq database error", 1650, err);
}
slapi_ch_free( &(data.data) );
if ( key.data != little_buffer && key.data != &keystring ) {
@@ -272,7 +279,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
for ( id = idl_firstid( idl ); id != NOID;
id = idl_nextid( idl, id ))
{
- if (( e = id2entry( be, id, NULL, &err )) == NULL )
+ if (( e = id2entry( be, id, &txn, &err )) == NULL )
{
if ( err != LDAP_SUCCESS )
{
ldap/servers
by Mark Reynolds
ldap/servers/slapd/back-ldbm/seq.c | 61 ++++++++++++++++++++-----------------
1 file changed, 34 insertions(+), 27 deletions(-)
New commits:
commit 50272119bbff52c5d9b6ce5d7302aef763aa96ec
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Tue Nov 19 09:45:03 2013 -0500
Ticket 47598 - Convert ldbm_back_seq code to be transaction aware
Description: Attempt to retrieve the transaction, and pass it to the db
functions, and id2entry. Also did a little code cleanup.
https://fedorahosted.org/389/ticket/47598
Reviewed by: richm(Thanks!)
diff --git a/ldap/servers/slapd/back-ldbm/seq.c b/ldap/servers/slapd/back-ldbm/seq.c
index ab473bd..27da2a4 100644
--- a/ldap/servers/slapd/back-ldbm/seq.c
+++ b/ldap/servers/slapd/back-ldbm/seq.c
@@ -68,20 +68,21 @@
int
ldbm_back_seq( Slapi_PBlock *pb )
{
- backend *be;
- ldbm_instance *inst;
- struct ldbminfo *li;
- IDList *idl = NULL;
- int err = LDAP_SUCCESS;
- DB *db;
- DBC *dbc = NULL;
- int type;
- char *attrname, *val;
- int isroot;
+ backend *be;
+ ldbm_instance *inst;
+ struct ldbminfo *li;
+ IDList *idl = NULL;
+ back_txn txn = {NULL};
struct attrinfo *ai = NULL;
+ DB *db;
+ DBC *dbc = NULL;
+ char *attrname, *val;
+ int err = LDAP_SUCCESS;
int return_value = -1;
- int nentries = 0;
- int retry_count=0;
+ int nentries = 0;
+ int retry_count = 0;
+ int isroot;
+ int type;
/* Decode arguments */
slapi_pblock_get( pb, SLAPI_BACKEND, &be);
@@ -90,9 +91,15 @@ ldbm_back_seq( Slapi_PBlock *pb )
slapi_pblock_get( pb, SLAPI_SEQ_ATTRNAME, &attrname );
slapi_pblock_get( pb, SLAPI_SEQ_VAL, &val );
slapi_pblock_get( pb, SLAPI_REQUESTOR_ISROOT, &isroot );
+ slapi_pblock_get( pb, SLAPI_TXN, &txn.back_txn_txn );
inst = (ldbm_instance *) be->be_instance_info;
+ if ( !txn.back_txn_txn ) {
+ dblayer_txn_init( li, &txn );
+ slapi_pblock_set( pb, SLAPI_TXN, txn.back_txn_txn );
+ }
+
/* Validate arguments */
if ( type != SLAPI_SEQ_FIRST &&
type != SLAPI_SEQ_LAST &&
@@ -114,7 +121,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
LDAPDebug( LDAP_DEBUG_TRACE,
"seq: caller specified un-indexed attribute %s\n",
attrname ? attrname : "", 0, 0 );
- slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
+ slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"Unindexed seq access type", 0, NULL );
return -1;
}
@@ -123,13 +130,13 @@ ldbm_back_seq( Slapi_PBlock *pb )
LDAPDebug( LDAP_DEBUG_ANY,
"<= ldbm_back_seq NULL (could not open index file for attribute %s)\n",
attrname, 0, 0 );
- slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
+ slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
return -1;
}
/* First, get a database cursor */
- return_value = db->cursor(db,NULL,&dbc,0);
+ return_value = db->cursor(db, txn.back_txn_txn, &dbc, 0);
if (0 == return_value)
{
@@ -160,7 +167,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
big_buffer = slapi_ch_malloc(key_length);
if (NULL == big_buffer) {
/* memory allocation failure */
- dblayer_release_index_file( be, ai, db );
+ dblayer_release_index_file( be, ai, db );
return -1;
}
key.data = big_buffer;
@@ -234,24 +241,24 @@ ldbm_back_seq( Slapi_PBlock *pb )
/* Retrieve the idlist for this key */
key.flags = 0;
for (retry_count = 0; retry_count < IDL_FETCH_RETRY_COUNT; retry_count++) {
- err = NEW_IDL_DEFAULT;
- idl = idl_fetch( be, db, &key, NULL, ai, &err );
- if(err == DB_LOCK_DEADLOCK) {
- ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err);
+ err = NEW_IDL_DEFAULT;
+ idl = idl_fetch( be, db, &key, txn.back_txn_txn, ai, &err );
+ if(err == DB_LOCK_DEADLOCK) {
+ ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err);
#ifdef FIX_TXN_DEADLOCKS
#error if txn != NULL, have to retry the entire transaction
#endif
- continue;
- } else {
- break;
- }
+ continue;
+ } else {
+ break;
+ }
}
}
}
if(retry_count == IDL_FETCH_RETRY_COUNT) {
- ldbm_nasty("ldbm_back_seq retry count exceeded",1645,err);
+ ldbm_nasty("ldbm_back_seq retry count exceeded",1645,err);
} else if ( err != 0 && err != DB_NOTFOUND ) {
- ldbm_nasty("ldbm_back_seq database error", 1650, err);
+ ldbm_nasty("ldbm_back_seq database error", 1650, err);
}
slapi_ch_free( &(data.data) );
if ( key.data != little_buffer && key.data != &keystring ) {
@@ -272,7 +279,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
for ( id = idl_firstid( idl ); id != NOID;
id = idl_nextid( idl, id ))
{
- if (( e = id2entry( be, id, NULL, &err )) == NULL )
+ if (( e = id2entry( be, id, &txn, &err )) == NULL )
{
if ( err != LDAP_SUCCESS )
{
Branch '389-ds-base-1.3.1' - ldap/admin ldap/ldif
by Mark Reynolds
ldap/admin/src/scripts/20betxn.pl | 4 +++-
ldap/ldif/template-dse.ldif.in | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
New commits:
commit 229d270428dc4cfabd7d367444f1c0b10a60ef87
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Mon Nov 18 12:49:48 2013 -0500
Ticket 47597 - Convert retro changelog plug-in to betxn
Retro cl plugin is already betxn aware. The template and 20betxn.pl script
needed to be updated to reflect the new default.
https://fedorahosted.org/389/ticket/47597
Reviewed by: richm(Thanks!)
(cherry picked from commit 3dca85ec629be641f07ae2ecfef59609d4dc88e2)
diff --git a/ldap/admin/src/scripts/20betxn.pl b/ldap/admin/src/scripts/20betxn.pl
index 2c56707..6f9b5e1 100644
--- a/ldap/admin/src/scripts/20betxn.pl
+++ b/ldap/admin/src/scripts/20betxn.pl
@@ -12,10 +12,12 @@ sub runinst {
# cn=Multimaster Replication Plugin
# cn=Roles Plugin,cn=plugins,cn=config
# cn=USN,cn=plugins,cn=config
+ # cn=Retro Changelog Plugin,cn=plugins,cn=config
my @objplugins = (
"cn=Multimaster Replication Plugin,cn=plugins,cn=config",
"cn=Roles Plugin,cn=plugins,cn=config",
- "cn=USN,cn=plugins,cn=config"
+ "cn=USN,cn=plugins,cn=config",
+ "cn=Retro Changelog Plugin,cn=plugins,cn=config"
);
foreach my $plugin (@objplugins) {
my $ent = $conn->search($plugin, "base", "(cn=*)");
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 95ed60c..12df7b6 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -557,6 +557,7 @@ cn: Retro Changelog Plugin
nsslapd-pluginpath: libretrocl-plugin
nsslapd-plugininitfunc: retrocl_plugin_init
nsslapd-plugintype: object
+nsslapd-pluginbetxn: on
nsslapd-pluginenabled: off
nsslapd-pluginprecedence: 25
nsslapd-plugin-depends-on-type: database
Branch '389-ds-base-1.3.2' - ldap/admin ldap/ldif
by Mark Reynolds
ldap/admin/src/scripts/20betxn.pl | 4 +++-
ldap/ldif/template-dse.ldif.in | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
New commits:
commit 1d869d8f942e28e4e615226b5e6377c221cedb83
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Mon Nov 18 12:49:48 2013 -0500
Ticket 47597 - Convert retro changelog plug-in to betxn
Retro cl plugin is already betxn aware. The template and 20betxn.pl script
needed to be updated to reflect the new default.
https://fedorahosted.org/389/ticket/47597
Reviewed by: richm(Thanks!)
(cherry picked from commit 3dca85ec629be641f07ae2ecfef59609d4dc88e2)
diff --git a/ldap/admin/src/scripts/20betxn.pl b/ldap/admin/src/scripts/20betxn.pl
index 2c56707..6f9b5e1 100644
--- a/ldap/admin/src/scripts/20betxn.pl
+++ b/ldap/admin/src/scripts/20betxn.pl
@@ -12,10 +12,12 @@ sub runinst {
# cn=Multimaster Replication Plugin
# cn=Roles Plugin,cn=plugins,cn=config
# cn=USN,cn=plugins,cn=config
+ # cn=Retro Changelog Plugin,cn=plugins,cn=config
my @objplugins = (
"cn=Multimaster Replication Plugin,cn=plugins,cn=config",
"cn=Roles Plugin,cn=plugins,cn=config",
- "cn=USN,cn=plugins,cn=config"
+ "cn=USN,cn=plugins,cn=config",
+ "cn=Retro Changelog Plugin,cn=plugins,cn=config"
);
foreach my $plugin (@objplugins) {
my $ent = $conn->search($plugin, "base", "(cn=*)");
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 084aacb..9a52bc5 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -565,6 +565,7 @@ cn: Retro Changelog Plugin
nsslapd-pluginpath: libretrocl-plugin
nsslapd-plugininitfunc: retrocl_plugin_init
nsslapd-plugintype: object
+nsslapd-pluginbetxn: on
nsslapd-pluginenabled: off
nsslapd-pluginprecedence: 25
nsslapd-plugin-depends-on-type: database
ldap/admin ldap/ldif
by Mark Reynolds
ldap/admin/src/scripts/20betxn.pl | 4 +++-
ldap/ldif/template-dse.ldif.in | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
New commits:
commit 3dca85ec629be641f07ae2ecfef59609d4dc88e2
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Mon Nov 18 12:49:48 2013 -0500
Ticket 47597 - Convert retro changelog plug-in to betxn
Retro cl plugin is already betxn aware. The template and 20betxn.pl script
needed to be updated to reflect the new default.
https://fedorahosted.org/389/ticket/47597
Reviewed by: richm(Thanks!)
diff --git a/ldap/admin/src/scripts/20betxn.pl b/ldap/admin/src/scripts/20betxn.pl
index 2c56707..6f9b5e1 100644
--- a/ldap/admin/src/scripts/20betxn.pl
+++ b/ldap/admin/src/scripts/20betxn.pl
@@ -12,10 +12,12 @@ sub runinst {
# cn=Multimaster Replication Plugin
# cn=Roles Plugin,cn=plugins,cn=config
# cn=USN,cn=plugins,cn=config
+ # cn=Retro Changelog Plugin,cn=plugins,cn=config
my @objplugins = (
"cn=Multimaster Replication Plugin,cn=plugins,cn=config",
"cn=Roles Plugin,cn=plugins,cn=config",
- "cn=USN,cn=plugins,cn=config"
+ "cn=USN,cn=plugins,cn=config",
+ "cn=Retro Changelog Plugin,cn=plugins,cn=config"
);
foreach my $plugin (@objplugins) {
my $ent = $conn->search($plugin, "base", "(cn=*)");
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 084aacb..9a52bc5 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -565,6 +565,7 @@ cn: Retro Changelog Plugin
nsslapd-pluginpath: libretrocl-plugin
nsslapd-plugininitfunc: retrocl_plugin_init
nsslapd-plugintype: object
+nsslapd-pluginbetxn: on
nsslapd-pluginenabled: off
nsslapd-pluginprecedence: 25
nsslapd-plugin-depends-on-type: database
Branch '389-ds-base-1.3.1' - ldap/servers
by Richard Allen Megginson
ldap/servers/slapd/ldaputil.c | 51 +++---------------------------------------
1 file changed, 4 insertions(+), 47 deletions(-)
New commits:
commit 084698e0af1c7562a4e1d8c787b967ea7fbbcd31
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Tue Nov 12 12:55:35 2013 -0700
Revert "Ticket #47559 hung server - related to sasl and initialize"
This reverts commit 8a7ee90d6a770f1732bcd03b20471de3a6162b2b.
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index aa78d3d..edc8267 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -99,16 +99,10 @@
#if !defined(USE_OPENLDAP)
#include <ldap_ssl.h>
#include <ldappr.h>
-#define BIND_LOCK (void)0
-#define BIND_UNLOCK (void)0
#else
/* need mutex around ldap_initialize - see https://fedorahosted.org/389/ticket/348 */
static PRCallOnceType ol_init_callOnce = {0,0};
static PRLock *ol_init_lock = NULL;
-/* need mutex around ldap_sasl_bind - see https://fedorahosted.org/389/ticket/47599 */
-static PRLock *ol_bind_lock = NULL;
-#define BIND_LOCK PR_Lock(ol_bind_lock)
-#define BIND_UNLOCK PR_Unlock(ol_bind_lock)
static PRStatus
internal_ol_init_init(void)
@@ -116,20 +110,12 @@ internal_ol_init_init(void)
PR_ASSERT(NULL == ol_init_lock);
if ((ol_init_lock = PR_NewLock()) == NULL) {
PRErrorCode errorCode = PR_GetError();
- slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock init_lock failed %d:%s\n",
+ slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock failed %d:%s\n",
errorCode, slapd_pr_strerror(errorCode));
return PR_FAILURE;
}
- PR_ASSERT(NULL == ol_bind_lock);
- if ((ol_bind_lock = PR_NewLock()) == NULL) {
- PRErrorCode errorCode = PR_GetError();
- slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock bind_lock failed %d:%s\n",
- errorCode, slapd_pr_strerror(errorCode));
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
+ return PR_SUCCESS;
}
#endif
@@ -159,16 +145,7 @@ void
slapi_ldap_unbind( LDAP *ld )
{
if ( ld != NULL ) {
-#if defined(USE_OPENLDAP)
- if (PR_SUCCESS != PR_CallOnce(&ol_init_callOnce, internal_ol_init_init)) {
- slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_unbind",
- "Could not perform internal ol_init init\n");
- return;
- }
-#endif
- BIND_LOCK;
ldap_unbind_ext( ld, NULL, NULL );
- BIND_UNLOCK;
}
}
@@ -1054,22 +1031,11 @@ slapi_ldap_bind(
ldap_controls_free(clientctrls);
ldap_set_option(ld, LDAP_OPT_CLIENT_CONTROLS, NULL);
-#if defined(USE_OPENLDAP)
- if (PR_SUCCESS != PR_CallOnce(&ol_init_callOnce, internal_ol_init_init)) {
- slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
- "Could not perform internal ol_init init\n");
- rc = -1;
- goto done;
- }
-#endif
-
if ((secure > 0) && mech && !strcmp(mech, LDAP_SASL_EXTERNAL)) {
#if defined(USE_OPENLDAP)
/* we already set up a tls context in slapi_ldap_init_ext() - this will
free those old settings and context and create a new one */
- PR_Lock(ol_bind_lock);
rc = setup_ol_tls_conn(ld, 1);
- PR_Unlock(ol_bind_lock);
#else
/* SSL connections will use the server's security context
and cert for client auth */
@@ -1094,9 +1060,7 @@ slapi_ldap_bind(
}
if (secure == 2) { /* send start tls */
- BIND_LOCK;
rc = ldap_start_tls_s(ld, NULL /* serverctrls?? */, NULL);
- BIND_UNLOCK;
if (LDAP_SUCCESS != rc) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not send startTLS request: "
@@ -1118,11 +1082,8 @@ slapi_ldap_bind(
"attempting %s bind with id [%s] creds [%s]\n",
mech ? mech : "SIMPLE",
bindid, creds);
- BIND_LOCK;
- rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
- NULL /* clientctrls */, &mymsgid);
- BIND_UNLOCK;
- if (rc) {
+ if ((rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
+ NULL /* clientctrls */, &mymsgid))) {
char *myhostname = NULL;
char *copy = NULL;
char *ptr = NULL;
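Review bot: The log call at the top of this hunk still passes `creds` to the format string `"attempting %s bind with id [%s] creds [%s]\n"`, so the bind secret is written to the log whenever that message is emitted. The start of the call, including its log level, is above the hunk, so how often it fires cannot be told from here; for a simple bind `creds` is presumably the password. I would log only the mechanism and identity: `"attempting %s bind with id [%s]\n", mech ? mech : "SIMPLE", bindid);`. The same line is carried unchanged in the 389-ds-base-1.2.11 hunk `@@ -1111,11 +1075,8 @@`, and slapi_ldap_bind itself starts and ends outside both hunks.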
@@ -1178,9 +1139,7 @@ slapi_ldap_bind(
/* take the one provided by the caller. It should be the one defined in the protocol */
bind_timeout = timeout;
}
- BIND_LOCK;
rc = ldap_result(ld, mymsgid, LDAP_MSG_ALL, bind_timeout, &result);
- BIND_UNLOCK;
if (-1 == rc) { /* error */
rc = slapi_ldap_get_lderrno(ld, NULL, NULL);
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
@@ -1244,11 +1203,9 @@ slapi_ldap_bind(
ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);
}
#endif
- BIND_LOCK;
rc = slapd_ldap_sasl_interactive_bind(ld, bindid, creds, mech,
serverctrls, returnedctrls,
msgidp);
- BIND_UNLOCK;
if (LDAP_SUCCESS != rc) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not perform interactive bind for id "
Branch '389-ds-base-1.2.11' - ldap/servers
by Richard Allen Megginson
ldap/servers/slapd/ldaputil.c | 51 +++---------------------------------------
1 file changed, 4 insertions(+), 47 deletions(-)
New commits:
commit bd0efbd0dc2e201c9e88e57fe9cce3456e35432c
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Tue Nov 12 12:56:26 2013 -0700
Revert "Ticket #47559 hung server - related to sasl and initialize"
This reverts commit a572cb299d8b31f270c9d7d53ad799e91c4dc212.
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index 307a3a5..331dd71 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -99,16 +99,10 @@
#if !defined(USE_OPENLDAP)
#include <ldap_ssl.h>
#include <ldappr.h>
-#define BIND_LOCK (void)0
-#define BIND_UNLOCK (void)0
#else
/* need mutex around ldap_initialize - see https://fedorahosted.org/389/ticket/348 */
static PRCallOnceType ol_init_callOnce = {0,0};
static PRLock *ol_init_lock = NULL;
-/* need mutex around ldap_sasl_bind - see https://fedorahosted.org/389/ticket/47599 */
-static PRLock *ol_bind_lock = NULL;
-#define BIND_LOCK PR_Lock(ol_bind_lock)
-#define BIND_UNLOCK PR_Unlock(ol_bind_lock)
static PRStatus
internal_ol_init_init(void)
@@ -116,20 +110,12 @@ internal_ol_init_init(void)
PR_ASSERT(NULL == ol_init_lock);
if ((ol_init_lock = PR_NewLock()) == NULL) {
PRErrorCode errorCode = PR_GetError();
- slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock init_lock failed %d:%s\n",
+ slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock failed %d:%s\n",
errorCode, slapd_pr_strerror(errorCode));
return PR_FAILURE;
}
- PR_ASSERT(NULL == ol_bind_lock);
- if ((ol_bind_lock = PR_NewLock()) == NULL) {
- PRErrorCode errorCode = PR_GetError();
- slapi_log_error(SLAPI_LOG_FATAL, "internal_ol_init_init", "PR_NewLock bind_lock failed %d:%s\n",
- errorCode, slapd_pr_strerror(errorCode));
- return PR_FAILURE;
- }
-
- return PR_SUCCESS;
+ return PR_SUCCESS;
}
#endif
@@ -159,16 +145,7 @@ void
slapi_ldap_unbind( LDAP *ld )
{
if ( ld != NULL ) {
-#if defined(USE_OPENLDAP)
- if (PR_SUCCESS != PR_CallOnce(&ol_init_callOnce, internal_ol_init_init)) {
- slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_unbind",
- "Could not perform internal ol_init init\n");
- return;
- }
-#endif
- BIND_LOCK;
ldap_unbind_ext( ld, NULL, NULL );
- BIND_UNLOCK;
}
}
@@ -1047,22 +1024,11 @@ slapi_ldap_bind(
ldap_controls_free(clientctrls);
ldap_set_option(ld, LDAP_OPT_CLIENT_CONTROLS, NULL);
-#if defined(USE_OPENLDAP)
- if (PR_SUCCESS != PR_CallOnce(&ol_init_callOnce, internal_ol_init_init)) {
- slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
- "Could not perform internal ol_init init\n");
- rc = -1;
- goto done;
- }
-#endif
-
if ((secure > 0) && mech && !strcmp(mech, LDAP_SASL_EXTERNAL)) {
#if defined(USE_OPENLDAP)
/* we already set up a tls context in slapi_ldap_init_ext() - this will
free those old settings and context and create a new one */
- PR_Lock(ol_bind_lock);
rc = setup_ol_tls_conn(ld, 1);
- PR_Unlock(ol_bind_lock);
#else
/* SSL connections will use the server's security context
and cert for client auth */
@@ -1087,9 +1053,7 @@ slapi_ldap_bind(
}
if (secure == 2) { /* send start tls */
- BIND_LOCK;
rc = ldap_start_tls_s(ld, NULL /* serverctrls?? */, NULL);
- BIND_UNLOCK;
if (LDAP_SUCCESS != rc) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not send startTLS request: "
@@ -1111,11 +1075,8 @@ slapi_ldap_bind(
"attempting %s bind with id [%s] creds [%s]\n",
mech ? mech : "SIMPLE",
bindid, creds);
- BIND_LOCK;
- rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
- NULL /* clientctrls */, &mymsgid);
- BIND_UNLOCK;
- if (rc) {
+ if ((rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
+ NULL /* clientctrls */, &mymsgid))) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not send bind request for id "
"[%s] mech [%s]: error %d (%s) %d (%s) %d (%s)\n",
@@ -1130,9 +1091,7 @@ slapi_ldap_bind(
if (msgidp) { /* let caller process result */
*msgidp = mymsgid;
} else { /* process results */
- BIND_LOCK;
rc = ldap_result(ld, mymsgid, LDAP_MSG_ALL, timeout, &result);
- BIND_UNLOCK;
if (-1 == rc) { /* error */
rc = slapi_ldap_get_lderrno(ld, NULL, NULL);
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
@@ -1197,11 +1156,9 @@ slapi_ldap_bind(
ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);
}
#endif
- BIND_LOCK;
rc = slapd_ldap_sasl_interactive_bind(ld, bindid, creds, mech,
serverctrls, returnedctrls,
msgidp);
- BIND_UNLOCK;
if (LDAP_SUCCESS != rc) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not perform interactive bind for id "