Branch '389-ds-base-1.2.11' - ldap/servers
by thierry bordaz
ldap/servers/slapd/back-ldbm/back-ldbm.h | 16 +++++++++-------
ldap/servers/slapd/back-ldbm/import-threads.c | 2 ++
ldap/servers/slapd/back-ldbm/ldbm_config.c | 21 +++++++++++++++++++++
ldap/servers/slapd/back-ldbm/ldbm_config.h | 1 +
4 files changed, 33 insertions(+), 7 deletions(-)
New commits:
commit 856cdf8ac5e3730335332d6a122262ee10abc59a
Author: Thierry bordaz (tbordaz) <tbordaz(a)redhat.com>
Date: Mon Jun 17 14:42:34 2013 +0200
Ticket 47393 - Attribute are not encrypted on a consumer after a full initialization
Bug Description:
During online initialization of a replica encrypted attributes are not encrypted by the import.
This is because the import job flag job->encrypt is not set.
Fix Description:
The fix consist to add the config backend attribute "nsslapd-online-import-encrypt" that is by default set to "on".
During online 'ldbm_back_wire_import' the config attribute is set into the pblock and set into the job->encrypt
https://bugzilla.redhat.com/show_bug.cgi?id=893178
Reviewed by: Rich Meggison (thanks Rich)
Platforms tested: fedora 17
Flag Day: no
Doc impact: no
diff --git a/ldap/servers/slapd/back-ldbm/back-ldbm.h b/ldap/servers/slapd/back-ldbm/back-ldbm.h
index aed57cf..3330449 100644
--- a/ldap/servers/slapd/back-ldbm/back-ldbm.h
+++ b/ldap/servers/slapd/back-ldbm/back-ldbm.h
@@ -644,13 +644,15 @@ struct ldbminfo {
int li_fat_lock; /* 608146 -- make this configurable, first */
int li_legacy_errcode; /* 615428 -- in case legacy err code is expected */
Slapi_Counter *li_global_usn_counter; /* global USN counter */
- int li_reslimit_allids_handle; /* allids aka idlistscan */
- int li_pagedlookthroughlimit;
- int li_pagedallidsthreshold;
- int li_reslimit_pagedlookthrough_handle;
- int li_reslimit_pagedallids_handle; /* allids aka idlistscan */
- int li_rangelookthroughlimit;
- int li_reslimit_rangelookthrough_handle;
+ int li_reslimit_allids_handle; /* allids aka idlistscan */
+ int li_pagedlookthroughlimit;
+ int li_pagedallidsthreshold;
+ int li_reslimit_pagedlookthrough_handle;
+ int li_reslimit_pagedallids_handle; /* allids aka idlistscan */
+ int li_rangelookthroughlimit;
+ int li_reslimit_rangelookthrough_handle;
+ int li_online_import_encrypt; /* toggle attribute encryption during ldbm_back_wire_import */
+
};
/* li_flags could store these bits defined in ../slapi-plugin.h
diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
index 78db060..5667acb 100644
--- a/ldap/servers/slapd/back-ldbm/import-threads.c
+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
@@ -2715,6 +2715,7 @@ static int bulk_import_start(Slapi_PBlock *pb)
}
slapi_pblock_get(pb, SLAPI_BACKEND, &be);
+ slapi_pblock_get(pb, SLAPI_LDIF2DB_ENCRYPT, &job->encrypt);
PR_ASSERT(be != NULL);
li = (struct ldbminfo *)(be->be_database->plg_private);
job->inst = (ldbm_instance *)be->be_instance_info;
@@ -3046,6 +3047,7 @@ int ldbm_back_wire_import(Slapi_PBlock *pb)
PR_ASSERT(be != NULL);
li = (struct ldbminfo *)(be->be_database->plg_private);
slapi_pblock_get(pb, SLAPI_BULK_IMPORT_STATE, &state);
+ slapi_pblock_set(pb, SLAPI_LDIF2DB_ENCRYPT, &li->li_online_import_encrypt);
if (state == SLAPI_BI_STATE_START) {
/* starting a new import */
int rc = bulk_import_start(pb);
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c
index 232af54..eeae22b 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c
@@ -865,6 +865,26 @@ static int ldbm_config_db_private_mem_set(void *arg, void *value, char *errorbuf
return retval;
}
+static void *ldbm_config_db_online_import_encrypt_get(void *arg)
+{
+ struct ldbminfo *li = (struct ldbminfo *) arg;
+
+ return (void *) ((uintptr_t)li->li_online_import_encrypt);
+}
+
+static int ldbm_config_db_online_import_encrypt_set(void *arg, void *value, char *errorbuf, int phase, int apply)
+{
+ struct ldbminfo *li = (struct ldbminfo *) arg;
+ int retval = LDAP_SUCCESS;
+ int val = (int) ((uintptr_t)value);
+
+ if (apply) {
+ li->li_online_import_encrypt = val;
+ }
+
+ return retval;
+}
+
static void *ldbm_config_db_private_import_mem_get(void *arg)
{
struct ldbminfo *li = (struct ldbminfo *) arg;
@@ -1339,6 +1359,7 @@ static config_info ldbm_config[] = {
{CONFIG_DB_LOCK, CONFIG_TYPE_INT, "10000", &ldbm_config_db_lock_get, &ldbm_config_db_lock_set, 0},
{CONFIG_DB_PRIVATE_MEM, CONFIG_TYPE_ONOFF, "off", &ldbm_config_db_private_mem_get, &ldbm_config_db_private_mem_set, 0},
{CONFIG_DB_PRIVATE_IMPORT_MEM, CONFIG_TYPE_ONOFF, "on", &ldbm_config_db_private_import_mem_get, &ldbm_config_db_private_import_mem_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
+ {CONDIF_DB_ONLINE_IMPORT_ENCRYPT, CONFIG_TYPE_ONOFF, "on", &ldbm_config_db_online_import_encrypt_get, &ldbm_config_db_online_import_encrypt_set, 0},
{CONFIG_DB_SHM_KEY, CONFIG_TYPE_LONG, "389389", &ldbm_config_db_shm_key_get, &ldbm_config_db_shm_key_set, 0},
{CONFIG_DB_CACHE, CONFIG_TYPE_INT, "0", &ldbm_config_db_cache_get, &ldbm_config_db_cache_set, 0},
{CONFIG_DB_DEBUG_CHECKPOINTING, CONFIG_TYPE_ONOFF, "off", &ldbm_config_db_debug_checkpointing_get, &ldbm_config_db_debug_checkpointing_set, 0},
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.h b/ldap/servers/slapd/back-ldbm/ldbm_config.h
index a5830e3..33eb078 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_config.h
+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.h
@@ -136,6 +136,7 @@ struct config_info {
#define CONFIG_DB_HOME_DIRECTORY "nsslapd-db-home-directory"
#define CONFIG_DB_LOCKDOWN "nsslapd-db-lockdown"
#define CONFIG_DB_TX_MAX "nsslapd-db-tx-max"
+#define CONDIF_DB_ONLINE_IMPORT_ENCRYPT "nsslapd-online-import-encrypt"
#define CONFIG_IDL_SWITCH "nsslapd-idl-switch"
#define CONFIG_BYPASS_FILTER_TEST "nsslapd-search-bypass-filter-test"
10 years, 9 months
Branch '389-ds-base-1.2.11' - 2 commits - ldap/servers
by Ludwig Krispenz
ldap/servers/plugins/acctpolicy/acct_config.c | 13 ++++++++++++-
ldap/servers/plugins/acctpolicy/acct_init.c | 2 +-
ldap/servers/plugins/acctpolicy/acct_plugin.c | 18 +++++++++++++-----
ldap/servers/plugins/acctpolicy/acct_util.c | 13 +++++++++++++
ldap/servers/plugins/acctpolicy/acctpolicy.h | 5 +++++
ldap/servers/slapd/back-ldbm/ldbm_modify.c | 7 +++++++
ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 7 +++++++
7 files changed, 58 insertions(+), 7 deletions(-)
New commits:
commit d1d6245d6ab894cf56e2529cb5c5dc941f4843cd
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Mon Jun 24 10:19:53 2013 +0200
Ticket 47396 - crash on modrdn of tombstone
Bug Description: a client modrdn operation on a tombstone entry can crash the server
Fix Description: client modrdns and modifies on tombstone entries should not be
accepted. Tombstones aer internally kept for eventual conflict resolution, normal
clients should not touch them.
an exception would be to force purging of tombstones or a kind of "undo" for
a delete, which could resurrect a tombstone, but this is not in the scope of this ticket
https://fedorahosted.org/389/ticket/47396
Reviewed by: Rich, thanks
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index 5c9585f..ca66b71 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -407,6 +407,13 @@ ldbm_back_modify( Slapi_PBlock *pb )
if ( !is_fixup_operation )
{
+ if (slapi_entry_flag_is_set(e->ep_entry, SLAPI_ENTRY_FLAG_TOMBSTONE) ) {
+ ldap_result_code = LDAP_UNWILLING_TO_PERFORM;
+ ldap_result_message = "Operation not allowed on tombstone entry.";
+ slapi_log_error(SLAPI_LOG_FATAL, "ldbm_back_modify",
+ "Attempt to modify a tombstone entry %s\n", slapi_sdn_get_dn(slapi_entry_get_sdn_const( e->ep_entry )));
+ goto error_return;
+ }
opcsn = operation_get_csn (operation);
if (NULL == opcsn && operation->o_csngen_handler)
{
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
index 69fc053..13514fb 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
@@ -352,6 +352,13 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
goto error_return; /* error result sent by find_entry2modify() */
}
e_in_cache = 1; /* e is in the cache and locked */
+ if (slapi_entry_flag_is_set(e->ep_entry, SLAPI_ENTRY_FLAG_TOMBSTONE) ) {
+ ldap_result_code = LDAP_UNWILLING_TO_PERFORM;
+ ldap_result_message = "Operation not allowed on tombstone entry.";
+ slapi_log_error(SLAPI_LOG_FATAL, "ldbm_back_modrdn",
+ "Attempt to rename a tombstone entry %s\n", slapi_sdn_get_dn(slapi_entry_get_sdn_const( e->ep_entry )));
+ goto error_return;
+ }
/* Check that an entry with the same DN doesn't already exist. */
{
Slapi_Entry *entry;
commit b4cc0f6b31d8221677950a703a78b02e0cbc7e30
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Thu Jun 20 17:59:09 2013 +0200
Ticket 47395 47397 v2 correct behaviour of account policy if only stateattr
is configured or no alternate attr is configured
Bug Description: The tickets relate to two specific configurations of
the account policy plugin
1] if createtimestamp is configured as stateattr it is treated like a
normal timstamp attribute and is updated, which should not happen.
As a side effect the account is not locked out based on the original
createtimestamp
2] if no altstateattr is configured, always createtimestamp is used, but
the intention was to base account inactivation only on lastlogintime
Fix Description: 1] prevent update of createtimestamp, even if used as stateattr
2] if no altstateattr is configured still use the default, but
accept "1.1" as null value and check only stateattr
https://fedorahosted.org/389/ticket/47395
https://fedorahosted.org/389/ticket/47397
Reviewed by: ?
diff --git a/ldap/servers/plugins/acctpolicy/acct_config.c b/ldap/servers/plugins/acctpolicy/acct_config.c
index 3da338a..8dfde0b 100644
--- a/ldap/servers/plugins/acctpolicy/acct_config.c
+++ b/ldap/servers/plugins/acctpolicy/acct_config.c
@@ -82,12 +82,23 @@ acct_policy_entry2config( Slapi_Entry *e, acctPluginCfg *newcfg ) {
newcfg->state_attr_name = get_attr_string_val( e, CFG_LASTLOGIN_STATE_ATTR );
if( newcfg->state_attr_name == NULL ) {
newcfg->state_attr_name = slapi_ch_strdup( DEFAULT_LASTLOGIN_STATE_ATTR );
+ } else if (!update_is_allowed_attr(newcfg->state_attr_name)) {
+ /* log a warning that this attribute cannot be updated */
+ slapi_log_error( SLAPI_LOG_FATAL, PLUGIN_NAME,
+ "The configured state attribute [%s] cannot be updated, accounts will always become inactive.\n",
+ newcfg->state_attr_name );
}
newcfg->alt_state_attr_name = get_attr_string_val( e, CFG_ALT_LASTLOGIN_STATE_ATTR );
+ /* alt_state_attr_name should be optional, but for backward compatibility,
+ * if not specified use a default. If the attribute is "1.1", no fallback
+ * will be used
+ */
if( newcfg->alt_state_attr_name == NULL ) {
newcfg->alt_state_attr_name = slapi_ch_strdup( DEFAULT_ALT_LASTLOGIN_STATE_ATTR );
- }
+ } else if ( !strcmp( newcfg->alt_state_attr_name, "1.1" ) ) {
+ slapi_ch_free_string( &newcfg->alt_state_attr_name ); /*none - NULL */
+ } /* else use configured value */
newcfg->spec_attr_name = get_attr_string_val( e, CFG_SPEC_ATTR );
if( newcfg->spec_attr_name == NULL ) {
diff --git a/ldap/servers/plugins/acctpolicy/acct_init.c b/ldap/servers/plugins/acctpolicy/acct_init.c
index af29140..52e0cfa 100644
--- a/ldap/servers/plugins/acctpolicy/acct_init.c
+++ b/ldap/servers/plugins/acctpolicy/acct_init.c
@@ -132,7 +132,7 @@ acct_policy_start( Slapi_PBlock *pb ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PLUGIN_NAME, "acct_policy_start config: "
"stateAttrName=%s altStateAttrName=%s specAttrName=%s limitAttrName=%s "
"alwaysRecordLogin=%d\n",
- cfg->state_attr_name, cfg->alt_state_attr_name, cfg->spec_attr_name,
+ cfg->state_attr_name, cfg->alt_state_attr_name?cfg->alt_state_attr_name:"not configured", cfg->spec_attr_name,
cfg->limit_attr_name, cfg->always_record_login);
return( CALLBACK_OK );
}
diff --git a/ldap/servers/plugins/acctpolicy/acct_plugin.c b/ldap/servers/plugins/acctpolicy/acct_plugin.c
index 508fb23..b4db811 100644
--- a/ldap/servers/plugins/acctpolicy/acct_plugin.c
+++ b/ldap/servers/plugins/acctpolicy/acct_plugin.c
@@ -44,14 +44,16 @@ acct_inact_limit( Slapi_PBlock *pb, const char *dn, Slapi_Entry *target_entry, a
cfg->state_attr_name ) ) != NULL ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
"\"%s\" login timestamp is %s\n", dn, lasttimestr );
- } else if( ( lasttimestr = get_attr_string_val( target_entry,
- cfg->alt_state_attr_name ) ) != NULL ) {
+ } else if( cfg->alt_state_attr_name && (( lasttimestr = get_attr_string_val( target_entry,
+ cfg->alt_state_attr_name ) ) != NULL) ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
"\"%s\" alternate timestamp is %s\n", dn, lasttimestr );
} else {
+ /* the primary or alternate attribute might not yet exist eg.
+ * if only lastlogintime is specified and it id the first login
+ */
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
- "\"%s\" has no login or creation timestamp\n", dn );
- rc = -1;
+ "\"%s\" has no value for stateattr or altstateattr \n", dn );
goto done;
}
@@ -105,6 +107,13 @@ acct_record_login( const char *dn )
int skip_mod_attrs = 1; /* value doesn't matter as long as not NULL */
cfg = get_config();
+
+ /* if we are not allowed to modify the state attr we're done
+ * this could be intentional, so just return
+ */
+ if (! update_is_allowed_attr(cfg->state_attr_name) )
+ return rc;
+
plugin_id = get_identity();
timestr = epochtimeToGentime( time( (time_t*)0 ) );
@@ -283,7 +292,6 @@ acct_bind_postop( Slapi_PBlock *pb )
} else {
if( target_entry && has_attr( target_entry,
cfg->spec_attr_name, NULL ) ) {
- /* This account has a policy specifier */
tracklogin = 1;
}
}
diff --git a/ldap/servers/plugins/acctpolicy/acct_util.c b/ldap/servers/plugins/acctpolicy/acct_util.c
index 8e220c3..a02382f 100644
--- a/ldap/servers/plugins/acctpolicy/acct_util.c
+++ b/ldap/servers/plugins/acctpolicy/acct_util.c
@@ -255,3 +255,16 @@ epochtimeToGentime( time_t epochtime ) {
return( gentimestr );
}
+int update_is_allowed_attr (const char *attr)
+{
+ int i;
+
+ /* check list of attributes that cannot be used for login recording */
+ for (i = 0; protected_attrs_login_recording[i]; i ++) {
+ if (strcasecmp (attr, protected_attrs_login_recording[i]) == 0) {
+ /* this attribute is not allowed */
+ return 0;
+ }
+ }
+ return 1;
+}
diff --git a/ldap/servers/plugins/acctpolicy/acctpolicy.h b/ldap/servers/plugins/acctpolicy/acctpolicy.h
index e6f1497..78412cd 100644
--- a/ldap/servers/plugins/acctpolicy/acctpolicy.h
+++ b/ldap/servers/plugins/acctpolicy/acctpolicy.h
@@ -35,6 +35,10 @@ Hewlett-Packard Development Company, L.P.
#define DEFAULT_INACT_LIMIT_ATTR "accountInactivityLimit"
#define DEFAULT_RECORD_LOGIN 1
+/* attributes that no clients are allowed to add or modify */
+static char *protected_attrs_login_recording [] = { "createTimestamp",
+ NULL };
+
#define PLUGIN_VENDOR "Hewlett-Packard Company"
#define PLUGIN_VERSION "1.0"
#define PLUGIN_CONFIG_DN "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config"
@@ -74,6 +78,7 @@ void* get_identity();
void set_identity(void*);
time_t gentimeToEpochtime( char *gentimestr );
char* epochtimeToGentime( time_t epochtime );
+int update_is_allowed_attr (const char *attr);
/* acct_config.c */
int acct_policy_load_config_startup( Slapi_PBlock* pb, void* plugin_id );
10 years, 9 months
Branch '389-ds-base-1.3.0' - 2 commits - ldap/servers
by Ludwig Krispenz
ldap/servers/plugins/acctpolicy/acct_config.c | 13 ++++++++++++-
ldap/servers/plugins/acctpolicy/acct_init.c | 2 +-
ldap/servers/plugins/acctpolicy/acct_plugin.c | 18 +++++++++++++-----
ldap/servers/plugins/acctpolicy/acct_util.c | 13 +++++++++++++
ldap/servers/plugins/acctpolicy/acctpolicy.h | 5 +++++
ldap/servers/slapd/back-ldbm/ldbm_modify.c | 7 +++++++
ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 7 +++++++
7 files changed, 58 insertions(+), 7 deletions(-)
New commits:
commit dfc38d5247df69c6dbd7d8eb5b5eeb4f378f8b0d
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Thu Jun 20 17:59:09 2013 +0200
Ticket 47395 47397 v2 correct behaviour of account policy if only stateattr
is configured or no alternate attr is configured
Bug Description: The tickets relate to two specific configurations of
the account policy plugin
1] if createtimestamp is configured as stateattr it is treated like a
normal timstamp attribute and is updated, which should not happen.
As a side effect the account is not locked out based on the original
createtimestamp
2] if no altstateattr is configured, always createtimestamp is used, but
the intention was to base account inactivation only on lastlogintime
Fix Description: 1] prevent update of createtimestamp, even if used as stateattr
2] if no altstateattr is configured still use the default, but
accept "1.1" as null value and check only stateattr
https://fedorahosted.org/389/ticket/47395
https://fedorahosted.org/389/ticket/47397
Reviewed by: ?
diff --git a/ldap/servers/plugins/acctpolicy/acct_config.c b/ldap/servers/plugins/acctpolicy/acct_config.c
index 3da338a..8dfde0b 100644
--- a/ldap/servers/plugins/acctpolicy/acct_config.c
+++ b/ldap/servers/plugins/acctpolicy/acct_config.c
@@ -82,12 +82,23 @@ acct_policy_entry2config( Slapi_Entry *e, acctPluginCfg *newcfg ) {
newcfg->state_attr_name = get_attr_string_val( e, CFG_LASTLOGIN_STATE_ATTR );
if( newcfg->state_attr_name == NULL ) {
newcfg->state_attr_name = slapi_ch_strdup( DEFAULT_LASTLOGIN_STATE_ATTR );
+ } else if (!update_is_allowed_attr(newcfg->state_attr_name)) {
+ /* log a warning that this attribute cannot be updated */
+ slapi_log_error( SLAPI_LOG_FATAL, PLUGIN_NAME,
+ "The configured state attribute [%s] cannot be updated, accounts will always become inactive.\n",
+ newcfg->state_attr_name );
}
newcfg->alt_state_attr_name = get_attr_string_val( e, CFG_ALT_LASTLOGIN_STATE_ATTR );
+ /* alt_state_attr_name should be optional, but for backward compatibility,
+ * if not specified use a default. If the attribute is "1.1", no fallback
+ * will be used
+ */
if( newcfg->alt_state_attr_name == NULL ) {
newcfg->alt_state_attr_name = slapi_ch_strdup( DEFAULT_ALT_LASTLOGIN_STATE_ATTR );
- }
+ } else if ( !strcmp( newcfg->alt_state_attr_name, "1.1" ) ) {
+ slapi_ch_free_string( &newcfg->alt_state_attr_name ); /*none - NULL */
+ } /* else use configured value */
newcfg->spec_attr_name = get_attr_string_val( e, CFG_SPEC_ATTR );
if( newcfg->spec_attr_name == NULL ) {
diff --git a/ldap/servers/plugins/acctpolicy/acct_init.c b/ldap/servers/plugins/acctpolicy/acct_init.c
index af29140..52e0cfa 100644
--- a/ldap/servers/plugins/acctpolicy/acct_init.c
+++ b/ldap/servers/plugins/acctpolicy/acct_init.c
@@ -132,7 +132,7 @@ acct_policy_start( Slapi_PBlock *pb ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PLUGIN_NAME, "acct_policy_start config: "
"stateAttrName=%s altStateAttrName=%s specAttrName=%s limitAttrName=%s "
"alwaysRecordLogin=%d\n",
- cfg->state_attr_name, cfg->alt_state_attr_name, cfg->spec_attr_name,
+ cfg->state_attr_name, cfg->alt_state_attr_name?cfg->alt_state_attr_name:"not configured", cfg->spec_attr_name,
cfg->limit_attr_name, cfg->always_record_login);
return( CALLBACK_OK );
}
diff --git a/ldap/servers/plugins/acctpolicy/acct_plugin.c b/ldap/servers/plugins/acctpolicy/acct_plugin.c
index 508fb23..b4db811 100644
--- a/ldap/servers/plugins/acctpolicy/acct_plugin.c
+++ b/ldap/servers/plugins/acctpolicy/acct_plugin.c
@@ -44,14 +44,16 @@ acct_inact_limit( Slapi_PBlock *pb, const char *dn, Slapi_Entry *target_entry, a
cfg->state_attr_name ) ) != NULL ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
"\"%s\" login timestamp is %s\n", dn, lasttimestr );
- } else if( ( lasttimestr = get_attr_string_val( target_entry,
- cfg->alt_state_attr_name ) ) != NULL ) {
+ } else if( cfg->alt_state_attr_name && (( lasttimestr = get_attr_string_val( target_entry,
+ cfg->alt_state_attr_name ) ) != NULL) ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
"\"%s\" alternate timestamp is %s\n", dn, lasttimestr );
} else {
+ /* the primary or alternate attribute might not yet exist eg.
+ * if only lastlogintime is specified and it id the first login
+ */
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
- "\"%s\" has no login or creation timestamp\n", dn );
- rc = -1;
+ "\"%s\" has no value for stateattr or altstateattr \n", dn );
goto done;
}
@@ -105,6 +107,13 @@ acct_record_login( const char *dn )
int skip_mod_attrs = 1; /* value doesn't matter as long as not NULL */
cfg = get_config();
+
+ /* if we are not allowed to modify the state attr we're done
+ * this could be intentional, so just return
+ */
+ if (! update_is_allowed_attr(cfg->state_attr_name) )
+ return rc;
+
plugin_id = get_identity();
timestr = epochtimeToGentime( time( (time_t*)0 ) );
@@ -283,7 +292,6 @@ acct_bind_postop( Slapi_PBlock *pb )
} else {
if( target_entry && has_attr( target_entry,
cfg->spec_attr_name, NULL ) ) {
- /* This account has a policy specifier */
tracklogin = 1;
}
}
diff --git a/ldap/servers/plugins/acctpolicy/acct_util.c b/ldap/servers/plugins/acctpolicy/acct_util.c
index 8e220c3..a02382f 100644
--- a/ldap/servers/plugins/acctpolicy/acct_util.c
+++ b/ldap/servers/plugins/acctpolicy/acct_util.c
@@ -255,3 +255,16 @@ epochtimeToGentime( time_t epochtime ) {
return( gentimestr );
}
+int update_is_allowed_attr (const char *attr)
+{
+ int i;
+
+ /* check list of attributes that cannot be used for login recording */
+ for (i = 0; protected_attrs_login_recording[i]; i ++) {
+ if (strcasecmp (attr, protected_attrs_login_recording[i]) == 0) {
+ /* this attribute is not allowed */
+ return 0;
+ }
+ }
+ return 1;
+}
diff --git a/ldap/servers/plugins/acctpolicy/acctpolicy.h b/ldap/servers/plugins/acctpolicy/acctpolicy.h
index e6f1497..78412cd 100644
--- a/ldap/servers/plugins/acctpolicy/acctpolicy.h
+++ b/ldap/servers/plugins/acctpolicy/acctpolicy.h
@@ -35,6 +35,10 @@ Hewlett-Packard Development Company, L.P.
#define DEFAULT_INACT_LIMIT_ATTR "accountInactivityLimit"
#define DEFAULT_RECORD_LOGIN 1
+/* attributes that no clients are allowed to add or modify */
+static char *protected_attrs_login_recording [] = { "createTimestamp",
+ NULL };
+
#define PLUGIN_VENDOR "Hewlett-Packard Company"
#define PLUGIN_VERSION "1.0"
#define PLUGIN_CONFIG_DN "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config"
@@ -74,6 +78,7 @@ void* get_identity();
void set_identity(void*);
time_t gentimeToEpochtime( char *gentimestr );
char* epochtimeToGentime( time_t epochtime );
+int update_is_allowed_attr (const char *attr);
/* acct_config.c */
int acct_policy_load_config_startup( Slapi_PBlock* pb, void* plugin_id );
commit 70c10949981dc3e71a944cbf269491811bdd3ec1
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Tue Jun 18 15:00:20 2013 +0200
Ticket 47396 - crash on modrdn of tombstone
Bug Description: a client modrdn operation on a tombstone entry can crash the server
Fix Description: client modrdns and modifies on tombstone entries should not be
accepted. Tombstones aer internally kept for eventual conflict resolution, normal
clients should not touch them.
an exception would be to force purging of tombstones or a kind of "undo" for
a delete, which could resurrect a tombstone, but this is not in the scope of this ticket
https://fedorahosted.org/389/ticket/47396
Reviewed by: Rich, thanks
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index 1e728da..b6a2298 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -475,6 +475,13 @@ ldbm_back_modify( Slapi_PBlock *pb )
if ( !is_fixup_operation )
{
+ if (slapi_entry_flag_is_set(e->ep_entry, SLAPI_ENTRY_FLAG_TOMBSTONE) ) {
+ ldap_result_code = LDAP_UNWILLING_TO_PERFORM;
+ ldap_result_message = "Operation not allowed on tombstone entry.";
+ slapi_log_error(SLAPI_LOG_FATAL, "ldbm_back_modify",
+ "Attempt to modify a tombstone entry %s\n", slapi_sdn_get_dn(slapi_entry_get_sdn_const( e->ep_entry )));
+ goto error_return;
+ }
opcsn = operation_get_csn (operation);
if (NULL == opcsn && operation->o_csngen_handler)
{
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
index 3b2b84b..4810e03 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
@@ -479,6 +479,13 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
goto error_return; /* error result sent by find_entry2modify() */
}
e_in_cache = 1; /* e is in the cache and locked */
+ if (slapi_entry_flag_is_set(e->ep_entry, SLAPI_ENTRY_FLAG_TOMBSTONE) ) {
+ ldap_result_code = LDAP_UNWILLING_TO_PERFORM;
+ ldap_result_message = "Operation not allowed on tombstone entry.";
+ slapi_log_error(SLAPI_LOG_FATAL, "ldbm_back_modrdn",
+ "Attempt to rename a tombstone entry %s\n", slapi_sdn_get_dn(slapi_entry_get_sdn_const( e->ep_entry )));
+ goto error_return;
+ }
/* Check that an entry with the same DN doesn't already exist. */
{
Slapi_Entry *entry;
10 years, 9 months
Branch '389-ds-base-1.3.1' - 2 commits - ldap/servers
by Ludwig Krispenz
ldap/servers/plugins/acctpolicy/acct_config.c | 13 ++++++++++++-
ldap/servers/plugins/acctpolicy/acct_init.c | 2 +-
ldap/servers/plugins/acctpolicy/acct_plugin.c | 18 +++++++++++++-----
ldap/servers/plugins/acctpolicy/acct_util.c | 13 +++++++++++++
ldap/servers/plugins/acctpolicy/acctpolicy.h | 5 +++++
ldap/servers/slapd/back-ldbm/ldbm_modify.c | 7 +++++++
ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 7 +++++++
7 files changed, 58 insertions(+), 7 deletions(-)
New commits:
commit 869a184a6311bf5c326f7b12af5349e0783c976d
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Thu Jun 20 17:59:09 2013 +0200
Ticket 47395 47397 v2 correct behaviour of account policy if only stateattr
is configured or no alternate attr is configured
Bug Description: The tickets relate to two specific configurations of
the account policy plugin
1] if createtimestamp is configured as stateattr it is treated like a
normal timstamp attribute and is updated, which should not happen.
As a side effect the account is not locked out based on the original
createtimestamp
2] if no altstateattr is configured, always createtimestamp is used, but
the intention was to base account inactivation only on lastlogintime
Fix Description: 1] prevent update of createtimestamp, even if used as stateattr
2] if no altstateattr is configured still use the default, but
accept "1.1" as null value and check only stateattr
https://fedorahosted.org/389/ticket/47395
https://fedorahosted.org/389/ticket/47397
Reviewed by: ?
diff --git a/ldap/servers/plugins/acctpolicy/acct_config.c b/ldap/servers/plugins/acctpolicy/acct_config.c
index 3da338a..8dfde0b 100644
--- a/ldap/servers/plugins/acctpolicy/acct_config.c
+++ b/ldap/servers/plugins/acctpolicy/acct_config.c
@@ -82,12 +82,23 @@ acct_policy_entry2config( Slapi_Entry *e, acctPluginCfg *newcfg ) {
newcfg->state_attr_name = get_attr_string_val( e, CFG_LASTLOGIN_STATE_ATTR );
if( newcfg->state_attr_name == NULL ) {
newcfg->state_attr_name = slapi_ch_strdup( DEFAULT_LASTLOGIN_STATE_ATTR );
+ } else if (!update_is_allowed_attr(newcfg->state_attr_name)) {
+ /* log a warning that this attribute cannot be updated */
+ slapi_log_error( SLAPI_LOG_FATAL, PLUGIN_NAME,
+ "The configured state attribute [%s] cannot be updated, accounts will always become inactive.\n",
+ newcfg->state_attr_name );
}
newcfg->alt_state_attr_name = get_attr_string_val( e, CFG_ALT_LASTLOGIN_STATE_ATTR );
+ /* alt_state_attr_name should be optional, but for backward compatibility,
+ * if not specified use a default. If the attribute is "1.1", no fallback
+ * will be used
+ */
if( newcfg->alt_state_attr_name == NULL ) {
newcfg->alt_state_attr_name = slapi_ch_strdup( DEFAULT_ALT_LASTLOGIN_STATE_ATTR );
- }
+ } else if ( !strcmp( newcfg->alt_state_attr_name, "1.1" ) ) {
+ slapi_ch_free_string( &newcfg->alt_state_attr_name ); /*none - NULL */
+ } /* else use configured value */
newcfg->spec_attr_name = get_attr_string_val( e, CFG_SPEC_ATTR );
if( newcfg->spec_attr_name == NULL ) {
diff --git a/ldap/servers/plugins/acctpolicy/acct_init.c b/ldap/servers/plugins/acctpolicy/acct_init.c
index af29140..52e0cfa 100644
--- a/ldap/servers/plugins/acctpolicy/acct_init.c
+++ b/ldap/servers/plugins/acctpolicy/acct_init.c
@@ -132,7 +132,7 @@ acct_policy_start( Slapi_PBlock *pb ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PLUGIN_NAME, "acct_policy_start config: "
"stateAttrName=%s altStateAttrName=%s specAttrName=%s limitAttrName=%s "
"alwaysRecordLogin=%d\n",
- cfg->state_attr_name, cfg->alt_state_attr_name, cfg->spec_attr_name,
+ cfg->state_attr_name, cfg->alt_state_attr_name?cfg->alt_state_attr_name:"not configured", cfg->spec_attr_name,
cfg->limit_attr_name, cfg->always_record_login);
return( CALLBACK_OK );
}
diff --git a/ldap/servers/plugins/acctpolicy/acct_plugin.c b/ldap/servers/plugins/acctpolicy/acct_plugin.c
index 508fb23..b4db811 100644
--- a/ldap/servers/plugins/acctpolicy/acct_plugin.c
+++ b/ldap/servers/plugins/acctpolicy/acct_plugin.c
@@ -44,14 +44,16 @@ acct_inact_limit( Slapi_PBlock *pb, const char *dn, Slapi_Entry *target_entry, a
cfg->state_attr_name ) ) != NULL ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
"\"%s\" login timestamp is %s\n", dn, lasttimestr );
- } else if( ( lasttimestr = get_attr_string_val( target_entry,
- cfg->alt_state_attr_name ) ) != NULL ) {
+ } else if( cfg->alt_state_attr_name && (( lasttimestr = get_attr_string_val( target_entry,
+ cfg->alt_state_attr_name ) ) != NULL) ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
"\"%s\" alternate timestamp is %s\n", dn, lasttimestr );
} else {
+ /* the primary or alternate attribute might not yet exist eg.
+ * if only lastlogintime is specified and it id the first login
+ */
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
- "\"%s\" has no login or creation timestamp\n", dn );
- rc = -1;
+ "\"%s\" has no value for stateattr or altstateattr \n", dn );
goto done;
}
@@ -105,6 +107,13 @@ acct_record_login( const char *dn )
int skip_mod_attrs = 1; /* value doesn't matter as long as not NULL */
cfg = get_config();
+
+ /* if we are not allowed to modify the state attr we're done
+ * this could be intentional, so just return
+ */
+ if (! update_is_allowed_attr(cfg->state_attr_name) )
+ return rc;
+
plugin_id = get_identity();
timestr = epochtimeToGentime( time( (time_t*)0 ) );
@@ -283,7 +292,6 @@ acct_bind_postop( Slapi_PBlock *pb )
} else {
if( target_entry && has_attr( target_entry,
cfg->spec_attr_name, NULL ) ) {
- /* This account has a policy specifier */
tracklogin = 1;
}
}
diff --git a/ldap/servers/plugins/acctpolicy/acct_util.c b/ldap/servers/plugins/acctpolicy/acct_util.c
index 8e220c3..a02382f 100644
--- a/ldap/servers/plugins/acctpolicy/acct_util.c
+++ b/ldap/servers/plugins/acctpolicy/acct_util.c
@@ -255,3 +255,16 @@ epochtimeToGentime( time_t epochtime ) {
return( gentimestr );
}
+int update_is_allowed_attr (const char *attr)
+{
+ int i;
+
+ /* check list of attributes that cannot be used for login recording */
+ for (i = 0; protected_attrs_login_recording[i]; i ++) {
+ if (strcasecmp (attr, protected_attrs_login_recording[i]) == 0) {
+ /* this attribute is not allowed */
+ return 0;
+ }
+ }
+ return 1;
+}
diff --git a/ldap/servers/plugins/acctpolicy/acctpolicy.h b/ldap/servers/plugins/acctpolicy/acctpolicy.h
index e6f1497..78412cd 100644
--- a/ldap/servers/plugins/acctpolicy/acctpolicy.h
+++ b/ldap/servers/plugins/acctpolicy/acctpolicy.h
@@ -35,6 +35,10 @@ Hewlett-Packard Development Company, L.P.
#define DEFAULT_INACT_LIMIT_ATTR "accountInactivityLimit"
#define DEFAULT_RECORD_LOGIN 1
+/* attributes that no clients are allowed to add or modify */
+static char *protected_attrs_login_recording [] = { "createTimestamp",
+ NULL };
+
#define PLUGIN_VENDOR "Hewlett-Packard Company"
#define PLUGIN_VERSION "1.0"
#define PLUGIN_CONFIG_DN "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config"
@@ -74,6 +78,7 @@ void* get_identity();
void set_identity(void*);
time_t gentimeToEpochtime( char *gentimestr );
char* epochtimeToGentime( time_t epochtime );
+int update_is_allowed_attr (const char *attr);
/* acct_config.c */
int acct_policy_load_config_startup( Slapi_PBlock* pb, void* plugin_id );
commit 8f31ee321bc25bea789646e4980800f1c86f7f3e
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Tue Jun 18 15:00:20 2013 +0200
Ticket 47396 - crash on modrdn of tombstone
Bug Description: a client modrdn operation on a tombstone entry can crash the server
Fix Description: client modrdns and modifies on tombstone entries should not be
accepted. Tombstones aer internally kept for eventual conflict resolution, normal
clients should not touch them.
an exception would be to force purging of tombstones or a kind of "undo" for
a delete, which could resurrect a tombstone, but this is not in the scope of this ticket
https://fedorahosted.org/389/ticket/47396
Reviewed by: Rich, thanks
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index 1e728da..b6a2298 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -475,6 +475,13 @@ ldbm_back_modify( Slapi_PBlock *pb )
if ( !is_fixup_operation )
{
+ if (slapi_entry_flag_is_set(e->ep_entry, SLAPI_ENTRY_FLAG_TOMBSTONE) ) {
+ ldap_result_code = LDAP_UNWILLING_TO_PERFORM;
+ ldap_result_message = "Operation not allowed on tombstone entry.";
+ slapi_log_error(SLAPI_LOG_FATAL, "ldbm_back_modify",
+ "Attempt to modify a tombstone entry %s\n", slapi_sdn_get_dn(slapi_entry_get_sdn_const( e->ep_entry )));
+ goto error_return;
+ }
opcsn = operation_get_csn (operation);
if (NULL == opcsn && operation->o_csngen_handler)
{
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
index 80bf2f4..8f898aa 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
@@ -479,6 +479,13 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
goto error_return; /* error result sent by find_entry2modify() */
}
e_in_cache = 1; /* e is in the cache and locked */
+ if (slapi_entry_flag_is_set(e->ep_entry, SLAPI_ENTRY_FLAG_TOMBSTONE) ) {
+ ldap_result_code = LDAP_UNWILLING_TO_PERFORM;
+ ldap_result_message = "Operation not allowed on tombstone entry.";
+ slapi_log_error(SLAPI_LOG_FATAL, "ldbm_back_modrdn",
+ "Attempt to rename a tombstone entry %s\n", slapi_sdn_get_dn(slapi_entry_get_sdn_const( e->ep_entry )));
+ goto error_return;
+ }
/* Check that an entry with the same DN doesn't already exist. */
{
Slapi_Entry *entry;
10 years, 9 months
Branch '389-ds-base-1.3.0' - ldap/servers
by Noriko Hosoi
ldap/servers/slapd/search.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
New commits:
commit 2980304df4e8d98dadb0de02fafe986ee4e3213b
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Jun 20 14:05:35 2013 -0700
Ticket #47402 - Attribute names are incorrect in search results
Bug Description: Attribute list given by a client to ldapsearch
is first copied to op->o_searchattrs to respect the client input.
Then the attribute types are normalized and if the list contains
any forbidden attributes, they are removed from the list. When
the search result is returned, the internal normalized attribute
types are replaced with the original input op->o_searchattrs,
respectively. Since forbidden attributes are in op->o_searchattrs
but not in the internal attribute list, wrong type from copy is
associated to the value and returned to the client.
Fix Description: This patch removes the forbidden attribute
before copying the original attribute list to op->o_searchattrs.
https://fedorahosted.org/389/ticket/47402
Reviewed by Nathan (Thank you!!)
(cherry picked from commit 29236cd1000f5f9391db4a39511603b8bed707f2)
diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
index 7719727..1a824b2 100644
--- a/ldap/servers/slapd/search.c
+++ b/ldap/servers/slapd/search.c
@@ -329,6 +329,8 @@ do_search( Slapi_PBlock *pb )
gerattrs[gerattridx] = NULL;
}
+ /* Set attrs to SLAPI_SEARCH_ATTRS once to get rid of the forbidden attrs */
+ slapi_pblock_set( pb, SLAPI_SEARCH_ATTRS, attrs );
operation->o_searchattrs = cool_charray_dup( attrs );
for ( i = 0; attrs[i] != NULL; i++ ) {
char *type;
@@ -338,7 +340,7 @@ do_search( Slapi_PBlock *pb )
attrs[i] = type;
}
}
- if ( slapd_ldap_debug & LDAP_DEBUG_ARGS ) {
+ if ( slapd_ldap_debug & LDAP_DEBUG_ARGS ) {
char abuf[ 1024 ], *astr;
if ( NULL == attrs ) {
10 years, 9 months
ldap/servers
by Mark Reynolds
ldap/servers/slapd/backend.c | 26 +++++++++++++++++++++-----
ldap/servers/slapd/slapi-plugin.h | 2 ++
2 files changed, 23 insertions(+), 5 deletions(-)
New commits:
commit 8879ed2efa48e96f2b920a3ab83036b07e3b3ae4
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Fri Jun 21 10:47:09 2013 -0400
Ticket 47329 - Improve slapi_back_transaction_begin() return code when transactions are not available
Bug Description: The slapi_back_transaction_begin() function needs it's return codes
to be changed to be more friendly for plug-in writers when
transactions are not available.
Fix Description: Added new error code SLAPI_BACK_TRANSACTION_NOT_SUPPORTED, and
updated the slapi_plugin.h
https://fedorahosted.org/389/ticket/47329
Reviewed by: Noriko, Ludwig, and Rich(Thanks!!!)
diff --git a/ldap/servers/slapd/backend.c b/ldap/servers/slapd/backend.c
index ad253f1..ead251e 100644
--- a/ldap/servers/slapd/backend.c
+++ b/ldap/servers/slapd/backend.c
@@ -648,8 +648,13 @@ int
slapi_back_transaction_begin(Slapi_PBlock *pb)
{
IFP txn_begin;
- slapi_pblock_get(pb, SLAPI_PLUGIN_DB_BEGIN_FN, (void*)&txn_begin);
- return txn_begin(pb);
+ if(slapi_pblock_get(pb, SLAPI_PLUGIN_DB_BEGIN_FN, (void*)&txn_begin) ||
+ !txn_begin)
+ {
+ return SLAPI_BACK_TRANSACTION_NOT_SUPPORTED;
+ } else {
+ return txn_begin(pb);
+ }
}
/* API to expose DB transaction commit */
@@ -657,7 +662,13 @@ int
slapi_back_transaction_commit(Slapi_PBlock *pb)
{
IFP txn_commit;
- slapi_pblock_get(pb, SLAPI_PLUGIN_DB_COMMIT_FN, (void*)&txn_commit);
+ if(slapi_pblock_get(pb, SLAPI_PLUGIN_DB_COMMIT_FN, (void*)&txn_commit) ||
+ !txn_commit)
+ {
+ return SLAPI_BACK_TRANSACTION_NOT_SUPPORTED;
+ } else {
+ return txn_commit(pb);
+ }
return txn_commit(pb);
}
@@ -666,6 +677,11 @@ int
slapi_back_transaction_abort(Slapi_PBlock *pb)
{
IFP txn_abort;
- slapi_pblock_get(pb, SLAPI_PLUGIN_DB_ABORT_FN, (void*)&txn_abort);
- return txn_abort(pb);
+ if(slapi_pblock_get(pb, SLAPI_PLUGIN_DB_ABORT_FN, (void*)&txn_abort) ||
+ !txn_abort)
+ {
+ return SLAPI_BACK_TRANSACTION_NOT_SUPPORTED;
+ } else {
+ return txn_abort(pb);
+ }
}
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index d7d968d..d1e90de 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -6061,6 +6061,7 @@ const char * slapi_be_gettype(Slapi_Backend *be);
*
* \param pb Pblock which is supposed to set (Slapi_Backend *) to SLAPI_BACKEND
* \return 0 if successful
+ * \return SLAPI_BACK_TRANSACTION_NOT_SUPPORTED if transaction support is not available for this backend
* \return Non-zero if an error occurred
*
* \see slapi_back_transaction_commit
@@ -6908,6 +6909,7 @@ typedef struct slapi_plugindesc {
#define SLAPI_PARENT_TXN 190
#define SLAPI_TXN 191
#define SLAPI_TXN_RUV_MODS_FN 1901
+#define SLAPI_BACK_TRANSACTION_NOT_SUPPORTED 1902
/*
* The following are used to pass information back and forth
10 years, 9 months
ldap/servers
by Ludwig Krispenz
ldap/servers/plugins/acctpolicy/acct_config.c | 13 ++++++++++++-
ldap/servers/plugins/acctpolicy/acct_init.c | 2 +-
ldap/servers/plugins/acctpolicy/acct_plugin.c | 18 +++++++++++++-----
ldap/servers/plugins/acctpolicy/acct_util.c | 13 +++++++++++++
ldap/servers/plugins/acctpolicy/acctpolicy.h | 5 +++++
5 files changed, 44 insertions(+), 7 deletions(-)
New commits:
commit 4aed9c6bc490719e5ec66d37d64651ac0d58c9d6
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Thu Jun 20 17:59:09 2013 +0200
Ticket 47395 47397 v2 correct behaviour of account policy if only stateattr
is configured or no alternate attr is configured
Bug Description: The tickets relate to two specific configurations of
the account policy plugin
1] if createtimestamp is configured as stateattr it is treated like a
normal timstamp attribute and is updated, which should not happen.
As a side effect the account is not locked out based on the original
createtimestamp
2] if no altstateattr is configured, always createtimestamp is used, but
the intention was to base account inactivation only on lastlogintime
Fix Description: 1] prevent update of createtimestamp, even if used as stateattr
2] if no altstateattr is configured still use the default, but
accept "1.1" as null value and check only stateattr
https://fedorahosted.org/389/ticket/47395
https://fedorahosted.org/389/ticket/47397
Reviewed by: ?
diff --git a/ldap/servers/plugins/acctpolicy/acct_config.c b/ldap/servers/plugins/acctpolicy/acct_config.c
index 3da338a..8dfde0b 100644
--- a/ldap/servers/plugins/acctpolicy/acct_config.c
+++ b/ldap/servers/plugins/acctpolicy/acct_config.c
@@ -82,12 +82,23 @@ acct_policy_entry2config( Slapi_Entry *e, acctPluginCfg *newcfg ) {
newcfg->state_attr_name = get_attr_string_val( e, CFG_LASTLOGIN_STATE_ATTR );
if( newcfg->state_attr_name == NULL ) {
newcfg->state_attr_name = slapi_ch_strdup( DEFAULT_LASTLOGIN_STATE_ATTR );
+ } else if (!update_is_allowed_attr(newcfg->state_attr_name)) {
+ /* log a warning that this attribute cannot be updated */
+ slapi_log_error( SLAPI_LOG_FATAL, PLUGIN_NAME,
+ "The configured state attribute [%s] cannot be updated, accounts will always become inactive.\n",
+ newcfg->state_attr_name );
}
newcfg->alt_state_attr_name = get_attr_string_val( e, CFG_ALT_LASTLOGIN_STATE_ATTR );
+ /* alt_state_attr_name should be optional, but for backward compatibility,
+ * if not specified use a default. If the attribute is "1.1", no fallback
+ * will be used
+ */
if( newcfg->alt_state_attr_name == NULL ) {
newcfg->alt_state_attr_name = slapi_ch_strdup( DEFAULT_ALT_LASTLOGIN_STATE_ATTR );
- }
+ } else if ( !strcmp( newcfg->alt_state_attr_name, "1.1" ) ) {
+ slapi_ch_free_string( &newcfg->alt_state_attr_name ); /*none - NULL */
+ } /* else use configured value */
newcfg->spec_attr_name = get_attr_string_val( e, CFG_SPEC_ATTR );
if( newcfg->spec_attr_name == NULL ) {
diff --git a/ldap/servers/plugins/acctpolicy/acct_init.c b/ldap/servers/plugins/acctpolicy/acct_init.c
index af29140..52e0cfa 100644
--- a/ldap/servers/plugins/acctpolicy/acct_init.c
+++ b/ldap/servers/plugins/acctpolicy/acct_init.c
@@ -132,7 +132,7 @@ acct_policy_start( Slapi_PBlock *pb ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PLUGIN_NAME, "acct_policy_start config: "
"stateAttrName=%s altStateAttrName=%s specAttrName=%s limitAttrName=%s "
"alwaysRecordLogin=%d\n",
- cfg->state_attr_name, cfg->alt_state_attr_name, cfg->spec_attr_name,
+ cfg->state_attr_name, cfg->alt_state_attr_name?cfg->alt_state_attr_name:"not configured", cfg->spec_attr_name,
cfg->limit_attr_name, cfg->always_record_login);
return( CALLBACK_OK );
}
diff --git a/ldap/servers/plugins/acctpolicy/acct_plugin.c b/ldap/servers/plugins/acctpolicy/acct_plugin.c
index 508fb23..b4db811 100644
--- a/ldap/servers/plugins/acctpolicy/acct_plugin.c
+++ b/ldap/servers/plugins/acctpolicy/acct_plugin.c
@@ -44,14 +44,16 @@ acct_inact_limit( Slapi_PBlock *pb, const char *dn, Slapi_Entry *target_entry, a
cfg->state_attr_name ) ) != NULL ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
"\"%s\" login timestamp is %s\n", dn, lasttimestr );
- } else if( ( lasttimestr = get_attr_string_val( target_entry,
- cfg->alt_state_attr_name ) ) != NULL ) {
+ } else if( cfg->alt_state_attr_name && (( lasttimestr = get_attr_string_val( target_entry,
+ cfg->alt_state_attr_name ) ) != NULL) ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
"\"%s\" alternate timestamp is %s\n", dn, lasttimestr );
} else {
+ /* the primary or alternate attribute might not yet exist eg.
+ * if only lastlogintime is specified and it id the first login
+ */
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
- "\"%s\" has no login or creation timestamp\n", dn );
- rc = -1;
+ "\"%s\" has no value for stateattr or altstateattr \n", dn );
goto done;
}
@@ -105,6 +107,13 @@ acct_record_login( const char *dn )
int skip_mod_attrs = 1; /* value doesn't matter as long as not NULL */
cfg = get_config();
+
+ /* if we are not allowed to modify the state attr we're done
+ * this could be intentional, so just return
+ */
+ if (! update_is_allowed_attr(cfg->state_attr_name) )
+ return rc;
+
plugin_id = get_identity();
timestr = epochtimeToGentime( time( (time_t*)0 ) );
@@ -283,7 +292,6 @@ acct_bind_postop( Slapi_PBlock *pb )
} else {
if( target_entry && has_attr( target_entry,
cfg->spec_attr_name, NULL ) ) {
- /* This account has a policy specifier */
tracklogin = 1;
}
}
diff --git a/ldap/servers/plugins/acctpolicy/acct_util.c b/ldap/servers/plugins/acctpolicy/acct_util.c
index 8e220c3..a02382f 100644
--- a/ldap/servers/plugins/acctpolicy/acct_util.c
+++ b/ldap/servers/plugins/acctpolicy/acct_util.c
@@ -255,3 +255,16 @@ epochtimeToGentime( time_t epochtime ) {
return( gentimestr );
}
+int update_is_allowed_attr (const char *attr)
+{
+ int i;
+
+ /* check list of attributes that cannot be used for login recording */
+ for (i = 0; protected_attrs_login_recording[i]; i ++) {
+ if (strcasecmp (attr, protected_attrs_login_recording[i]) == 0) {
+ /* this attribute is not allowed */
+ return 0;
+ }
+ }
+ return 1;
+}
diff --git a/ldap/servers/plugins/acctpolicy/acctpolicy.h b/ldap/servers/plugins/acctpolicy/acctpolicy.h
index e6f1497..78412cd 100644
--- a/ldap/servers/plugins/acctpolicy/acctpolicy.h
+++ b/ldap/servers/plugins/acctpolicy/acctpolicy.h
@@ -35,6 +35,10 @@ Hewlett-Packard Development Company, L.P.
#define DEFAULT_INACT_LIMIT_ATTR "accountInactivityLimit"
#define DEFAULT_RECORD_LOGIN 1
+/* attributes that no clients are allowed to add or modify */
+static char *protected_attrs_login_recording [] = { "createTimestamp",
+ NULL };
+
#define PLUGIN_VENDOR "Hewlett-Packard Company"
#define PLUGIN_VERSION "1.0"
#define PLUGIN_CONFIG_DN "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config"
@@ -74,6 +78,7 @@ void* get_identity();
void set_identity(void*);
time_t gentimeToEpochtime( char *gentimestr );
char* epochtimeToGentime( time_t epochtime );
+int update_is_allowed_attr (const char *attr);
/* acct_config.c */
int acct_policy_load_config_startup( Slapi_PBlock* pb, void* plugin_id );
10 years, 9 months
Branch '389-ds-base-1.2.11' - ldap/servers
by Noriko Hosoi
ldap/servers/slapd/search.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
New commits:
commit 29236cd1000f5f9391db4a39511603b8bed707f2
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Jun 20 14:05:35 2013 -0700
Ticket #47402 - Attribute names are incorrect in search results
Bug Description: Attribute list given by a client to ldapsearch
is first copied to op->o_searchattrs to respect the client input.
Then the attribute types are normalized and if the list contains
any forbidden attributes, they are removed from the list. When
the search result is returned, the internal normalized attribute
types are replaced with the original input op->o_searchattrs,
respectively. Since forbidden attributes are in op->o_searchattrs
but not in the internal attribute list, wrong type from copy is
associated to the value and returned to the client.
Fix Description: This patch removes the forbidden attribute
before copying the original attribute list to op->o_searchattrs.
https://fedorahosted.org/389/ticket/47402
Reviewed by Nathan (Thank you!!)
diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
index 7719727..1a824b2 100644
--- a/ldap/servers/slapd/search.c
+++ b/ldap/servers/slapd/search.c
@@ -329,6 +329,8 @@ do_search( Slapi_PBlock *pb )
gerattrs[gerattridx] = NULL;
}
+ /* Set attrs to SLAPI_SEARCH_ATTRS once to get rid of the forbidden attrs */
+ slapi_pblock_set( pb, SLAPI_SEARCH_ATTRS, attrs );
operation->o_searchattrs = cool_charray_dup( attrs );
for ( i = 0; attrs[i] != NULL; i++ ) {
char *type;
@@ -338,7 +340,7 @@ do_search( Slapi_PBlock *pb )
attrs[i] = type;
}
}
- if ( slapd_ldap_debug & LDAP_DEBUG_ARGS ) {
+ if ( slapd_ldap_debug & LDAP_DEBUG_ARGS ) {
char abuf[ 1024 ], *astr;
if ( NULL == attrs ) {
10 years, 9 months
ldap/servers
by Ludwig Krispenz
ldap/servers/slapd/back-ldbm/ldbm_modify.c | 7 +++++++
ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 7 +++++++
2 files changed, 14 insertions(+)
New commits:
commit 0c9e3b140803af8cb9530f5d4a67c1869620a3bd
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Tue Jun 18 15:00:20 2013 +0200
Ticket 47396 - crash on modrdn of tombstone
Bug Description: a client modrdn operation on a tombstone entry can crash the server
Fix Description: client modrdns and modifies on tombstone entries should not be
accepted. Tombstones aer internally kept for eventual conflict resolution, normal
clients should not touch them.
an exception would be to force purging of tombstones or a kind of "undo" for
a delete, which could resurrect a tombstone, but this is not in the scope of this ticket
https://fedorahosted.org/389/ticket/47396
Reviewed by: Rich, thanks
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index 17adc87..c00194b 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -485,6 +485,13 @@ ldbm_back_modify( Slapi_PBlock *pb )
if ( !is_fixup_operation )
{
+ if (slapi_entry_flag_is_set(e->ep_entry, SLAPI_ENTRY_FLAG_TOMBSTONE) ) {
+ ldap_result_code = LDAP_UNWILLING_TO_PERFORM;
+ ldap_result_message = "Operation not allowed on tombstone entry.";
+ slapi_log_error(SLAPI_LOG_FATAL, "ldbm_back_modify",
+ "Attempt to modify a tombstone entry %s\n", slapi_sdn_get_dn(slapi_entry_get_sdn_const( e->ep_entry )));
+ goto error_return;
+ }
opcsn = operation_get_csn (operation);
if (NULL == opcsn && operation->o_csngen_handler)
{
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
index bcc59b3..fe53554 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
@@ -479,6 +479,13 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
goto error_return; /* error result sent by find_entry2modify() */
}
e_in_cache = 1; /* e is in the cache and locked */
+ if (slapi_entry_flag_is_set(e->ep_entry, SLAPI_ENTRY_FLAG_TOMBSTONE) ) {
+ ldap_result_code = LDAP_UNWILLING_TO_PERFORM;
+ ldap_result_message = "Operation not allowed on tombstone entry.";
+ slapi_log_error(SLAPI_LOG_FATAL, "ldbm_back_modrdn",
+ "Attempt to rename a tombstone entry %s\n", slapi_sdn_get_dn(slapi_entry_get_sdn_const( e->ep_entry )));
+ goto error_return;
+ }
/* Check that an entry with the same DN doesn't already exist. */
{
Slapi_Entry *entry;
10 years, 9 months
Branch '389-ds-base-1.3.0' - ldap/servers
by Noriko Hosoi
ldap/servers/plugins/dna/dna.c | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
New commits:
commit d1d2ed05e405a711682e43c465712e0b153a209f
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Jun 19 16:19:28 2013 -0700
Ticket #47400 - MMR stress test with dna enabled causes a deadlock
Bug description: Under the heavy add/delete posix user entries,
dna_update_config_event causes a deadlock.
Fix description: dna_update_config_event starts transaction
before updating the shared config entry to avoid the deadlock
situation.
https://fedorahosted.org/389/ticket/47400
Reviewed by Rich (Thank you!!)
(cherry picked from commit c6a72a50e6c948647b220e4a44978f2c9c7e8466)
diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index 8e5bec8..a631208 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -1273,6 +1273,22 @@ dna_update_config_event(time_t event_time, void *arg)
/* If a shared config dn is set, update the shared config. */
if (config_entry->shared_cfg_dn != NULL) {
+ int rc = 0;
+ Slapi_PBlock *dna_pb = NULL;
+ Slapi_DN *sdn = slapi_sdn_new_normdn_byref(config_entry->shared_cfg_dn);
+ Slapi_Backend *be = slapi_be_select(sdn);
+ slapi_sdn_free(&sdn);
+ if (be) {
+ dna_pb = slapi_pblock_new();
+ slapi_pblock_set(dna_pb, SLAPI_BACKEND, be);
+ /* We need to start transaction to avoid the deadlock */
+ rc = slapi_back_transaction_begin(dna_pb);
+ if (rc) {
+ slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
+ "dna_update_config_event: failed to start transaction\n");
+ }
+ }
+
slapi_lock_mutex(config_entry->lock);
/* First delete the existing shared config entry. This
@@ -1288,6 +1304,12 @@ dna_update_config_event(time_t event_time, void *arg)
dna_update_shared_config(config_entry);
slapi_unlock_mutex(config_entry->lock);
+ if (dna_pb) {
+ if (0 == rc) {
+ slapi_back_transaction_commit(dna_pb);
+ }
+ slapi_pblock_destroy(dna_pb);
+ }
slapi_pblock_init(pb);
}
@@ -1536,7 +1558,7 @@ dna_get_shared_servers(struct configEntry *config_entry, PRCList **servers)
}
}
if(!inserted){
- dna_free_shared_server(&server);
+ dna_free_shared_server(&server);
}
}
}
10 years, 9 months