[389-ds-base] branch master updated (5d611f1 -> 6fe6101)
mreynolds pushed a change to branch master
in repository 389-ds-base.
from 5d611f1 Ticket 49814 - dscreate should handle selinux ports that are in a range
add 6fe6101 Ticket 49927 - dsctl db2index does not work
No new revisions were added by this update.
Summary of changes:
src/lib389/lib389/__init__.py | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
[389-ds-base] branch 389-ds-base-1.3.8 updated: Ticket 49543 - fix certmap dn comparison
mreynolds pushed a commit to branch 389-ds-base-1.3.8
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.3.8 by this push:
new 818807d Ticket 49543 - fix certmap dn comparison
818807d is described below
commit 818807d551e211298e205313b7c29f8318403081
Author: Fraser Tweedale <ftweedal(a)redhat.com>
AuthorDate: Fri Mar 16 15:16:56 2018 +1000
Ticket 49543 - fix certmap dn comparison
Bug Description: Differences in DN string representations between
the value included in certmap.conf, and the stringified value of the
Issuer DN produced by NSS, as well as buggy DN normalisation code in
389 itself, cause 389 to wrongly reject the correct certmap
configuration to use. Authentication fails. This behaviour was
observed when there is an escaped comma in an attribute value.
Fix Description: Instead of comparing stringified DNs, parse the DN
represented in certmap.conf into an NSS CERTName. Use the NSS DN
comparison routine (CERT_CompareName) when comparing certificate Issuer DNs
against the certmap configurations. Remove the buggy DN normalisation routine.
https://pagure.io/389-ds-base/issue/49543
Author: Fraser Tweedale <ftweedal(a)redhat.com>
Review by: ???
---
include/ldaputil/certmap.h | 20 +++---
include/ldaputil/ldaputil.h | 2 +-
lib/ldaputil/cert.c | 27 ++++++--
lib/ldaputil/certmap.c | 162 +++++++------------------------------------
lib/ldaputil/examples/init.c | 3 +-
5 files changed, 62 insertions(+), 152 deletions(-)
diff --git a/include/ldaputil/certmap.h b/include/ldaputil/certmap.h
index fec2dd9..50fd4d1 100644
--- a/include/ldaputil/certmap.h
+++ b/include/ldaputil/certmap.h
@@ -16,6 +16,7 @@
/* What was extcmap.h begins ... */
#include <ldap.h>
+#include <nss3/cert.h>
#ifndef NSAPI_PUBLIC
#define NSAPI_PUBLIC
@@ -156,7 +157,7 @@ typedef int (*CertVerifyFn_t)(void *cert, LDAP *ld, void *certmap_info, LDAPMess
* otherwise return LDAPU_CERT_MAP_INITFN_FAILED. The server startup will be
* aborted if the return value is not LDAPU_SUCCESS.
*/
-typedef int (*CertMapInitFn_t)(void *certmap_info, const char *issuerName, const char *issuerDN, const char *libname);
+typedef int (*CertMapInitFn_t)(void *certmap_info, const char *issuerName, const CERTName *issuerDN, const char *libname);
/*
* Refer to the description of the function ldapu_get_cert_ava_val
@@ -209,27 +210,30 @@ extern "C" {
NSAPI_PUBLIC int ldapu_cert_to_ldap_entry(void *cert, LDAP *ld, const char *basedn, LDAPMessage **res);
-NSAPI_PUBLIC int ldapu_set_cert_mapfn(const char *issuerDN,
+NSAPI_PUBLIC int ldapu_set_cert_mapfn(const CERTName *issuerDN,
CertMapFn_t mapfn);
-NSAPI_PUBLIC CertMapFn_t ldapu_get_cert_mapfn(const char *issuerDN);
+NSAPI_PUBLIC CertMapFn_t ldapu_get_cert_mapfn(const CERTName *issuerDN);
-NSAPI_PUBLIC int ldapu_set_cert_searchfn(const char *issuerDN,
+NSAPI_PUBLIC int ldapu_set_cert_searchfn(const CERTName *issuerDN,
CertSearchFn_t searchfn);
-NSAPI_PUBLIC CertSearchFn_t ldapu_get_cert_searchfn(const char *issuerDN);
+NSAPI_PUBLIC CertSearchFn_t ldapu_get_cert_searchfn(const CERTName *issuerDN);
-NSAPI_PUBLIC int ldapu_set_cert_verifyfn(const char *issuerDN,
+NSAPI_PUBLIC int ldapu_set_cert_verifyfn(const CERTName *issuerDN,
CertVerifyFn_t verifyFn);
-NSAPI_PUBLIC CertVerifyFn_t ldapu_get_cert_verifyfn(const char *issuerDN);
+NSAPI_PUBLIC CertVerifyFn_t ldapu_get_cert_verifyfn(const CERTName *issuerDN);
NSAPI_PUBLIC int ldapu_get_cert_subject_dn(void *cert, char **subjectDN);
+NSAPI_PUBLIC CERTName *ldapu_get_cert_issuer_dn_as_CERTName(CERTCertificate *cert);
+
+
NSAPI_PUBLIC int ldapu_get_cert_issuer_dn(void *cert, char **issuerDN);
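Review bot: The new `ldapu_get_cert_issuer_dn_as_CERTName` declaration carries no ownership note, whereas its sibling `ldapu_get_cert_issuer_dn` hands back a string the caller frees; a certmap plugin author reading only this header may reasonably `CERT_DestroyName` the result and corrupt the certificate. Add at the declaration: `/* Returns a pointer to cert's own issuer field; valid only while cert lives, do not free. */`. It also departs from the `void *cert` convention of the surrounding prototypes by taking `CERTCertificate *`, so a second line saying callers must pass an NSS certificate would help.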
@@ -242,7 +246,7 @@ NSAPI_PUBLIC int ldapu_free_cert_ava_val(char **val);
NSAPI_PUBLIC int ldapu_get_cert_der(void *cert, unsigned char **derCert, unsigned int *len);
-NSAPI_PUBLIC int ldapu_issuer_certinfo(const char *issuerDN,
+NSAPI_PUBLIC int ldapu_issuer_certinfo(const CERTName *issuerDN,
void **certmap_info);
diff --git a/include/ldaputil/ldaputil.h b/include/ldaputil/ldaputil.h
index e0e028c..b172819 100644
--- a/include/ldaputil/ldaputil.h
+++ b/include/ldaputil/ldaputil.h
@@ -48,7 +48,7 @@ enum
typedef struct
{
char *issuerName; /* issuer (symbolic/short) name */
- char *issuerDN; /* cert issuer's DN */
+ CERTName *issuerDN; /* cert issuer's DN */
LDAPUPropValList_t *propval; /* pointer to the prop-val pairs list */
CertMapFn_t mapfn; /* cert to ldapdn & filter mapping func */
CertVerifyFn_t verifyfn; /* verify cert function */
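Review bot: `issuerDN` is now a `CERTName` that `dbinfo_to_certinfo` obtains from `CERT_AsciiToName`, an NSS arena-backed object, but the diff shows no change to the code that releases an `LDAPUCertMapInfo_t`; if that code (outside this diff) still passes `issuerDN` to `free()`/`ldapu_free` as it did for the old string, it now uses the wrong deallocator and leaks the arena. That path needs `CERT_DestroyName(info->issuerDN)`. Record the contract on the field: `CERTName *issuerDN; /* parsed from CERT_AsciiToName; NULL for the "default" entry; release with CERT_DestroyName */`.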
diff --git a/lib/ldaputil/cert.c b/lib/ldaputil/cert.c
index 65a4815..73abba1 100644
--- a/lib/ldaputil/cert.c
+++ b/lib/ldaputil/cert.c
@@ -54,15 +54,30 @@ ldapu_get_cert_subject_dn(void *cert_in, char **subjectDN)
return *subjectDN ? LDAPU_SUCCESS : LDAPU_ERR_EXTRACT_SUBJECTDN_FAILED;
}
+/*
+ * Return the Issuer DN as a CERTName.
+ * The CERTName is owned by the CERTCertificate.
+ */
+NSAPI_PUBLIC CERTName *
+ldapu_get_cert_issuer_dn_as_CERTName(CERTCertificate *cert_in)
+{
+ return &cert_in->issuer;
+}
+
+/*
+ * Return the Issuer DN as a string.
+ * The string should be freed by the caller.
+ */
NSAPI_PUBLIC int
ldapu_get_cert_issuer_dn(void *cert_in, char **issuerDN)
{
- CERTCertificate *cert = (CERTCertificate *)cert_in;
- char *cert_issuer = CERT_NameToAscii(&cert->issuer);
-
- *issuerDN = strdup(cert_issuer);
- PR_Free(cert_issuer);
-
+ *issuerDN = NULL;
+ CERTName *dn = ldapu_get_cert_issuer_dn_as_CERTName((CERTCertificate *)cert_in);
+ if (dn != NULL) {
+ char *cert_issuer = CERT_NameToAscii(dn);
+ *issuerDN = strdup(cert_issuer);
+ PR_Free(cert_issuer);
+ }
return *issuerDN ? LDAPU_SUCCESS : LDAPU_ERR_EXTRACT_ISSUERDN_FAILED;
}
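Review bot: `ldapu_get_cert_issuer_dn_as_CERTName` returns `&cert_in->issuer` unconditionally, so it can never return NULL and the `dn != NULL` test below it (and the matching check in `ldapu_cert_to_ldap_entry`) is dead; for a NULL certificate it yields a non-NULL pointer computed from NULL instead of an error. Make the helper honour its callers' checks: `return cert_in ? &cert_in->issuer : NULL;`. The rewritten lines in `ldapu_get_cert_issuer_dn` also still call `strdup(cert_issuer)` unguarded, although `CERT_NameToAscii` returns NULL on allocation failure and `strdup(NULL)` is undefined; guard it with `if (cert_issuer != NULL) { *issuerDN = strdup(cert_issuer); PR_Free(cert_issuer); }`.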
diff --git a/lib/ldaputil/certmap.c b/lib/ldaputil/certmap.c
index 78bb363..0db2de1 100644
--- a/lib/ldaputil/certmap.c
+++ b/lib/ldaputil/certmap.c
@@ -52,7 +52,6 @@ static char this_dllname[256];
static const char *LIB_DIRECTIVE = "certmap";
static const int LIB_DIRECTIVE_LEN = 7; /* strlen("LIB_DIRECTIVE") */
-static char *ldapu_dn_normalize(char *dn);
static void *ldapu_propval_free(void *propval_in, void *arg);
typedef struct
@@ -337,8 +336,13 @@ dbinfo_to_certinfo(DBConfDBInfo_t *db_info,
certinfo->issuerName = db_info->dbname;
db_info->dbname = 0;
- certinfo->issuerDN = ldapu_dn_normalize(db_info->url);
- db_info->url = 0;
+ /* Parse the Issuer DN. */
+ certinfo->issuerDN = CERT_AsciiToName(db_info->url);
+ if (NULL == certinfo->issuerDN /* invalid DN */
+ && ldapu_strcasecmp(db_info->url, "default") != 0 /* not "default" */) {
+ rv = LDAPU_ERR_MALFORMED_SUBJECT_DN;
+ goto error;
+ }
/* hijack actual prop-vals from dbinfo -- to avoid strdup calls */
if (db_info->firstprop) {
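Review bot: A parse failure here is reported as `LDAPU_ERR_MALFORMED_SUBJECT_DN` although the value being parsed is the issuer DN from certmap.conf, which will mislead whoever reads the startup failure; if no issuer-specific code exists, say so where it is reused, `/* no issuer-DN code exists; reuse the subject-DN one */`. Note the behavioural tightening: `CERT_AsciiToName` accepts only the attribute types and syntax NSS knows, so an issuer line the old normaliser tolerated can now abort server startup, which deserves a sentence in the release notes so operators can correlate the failure with this change. The `db_info->url = 0` hijack is gone, so `url` stays owned by `db_info`; that is consistent provided its free path (outside this hunk) releases it. `dbinfo_to_certinfo` begins and continues outside the hunk.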
@@ -890,24 +894,26 @@ ldapu_cert_searchfn_default(void *cert, LDAP *ld, void *certmap_info_in, const c
}
NSAPI_PUBLIC int
-ldapu_issuer_certinfo(const char *issuerDN, void **certmap_info)
+ldapu_issuer_certinfo(const CERTName *issuerDN, void **certmap_info)
{
*certmap_info = 0;
- if (!issuerDN || !*issuerDN || !ldapu_strcasecmp(issuerDN, "default")) {
- *certmap_info = default_certmap_info;
- } else if (certmap_listinfo) {
- char *n_issuerDN = ldapu_dn_normalize(ldapu_strdup(issuerDN));
+ if (certmap_listinfo) {
LDAPUListNode_t *cur = certmap_listinfo->head;
while (cur) {
- if (!ldapu_strcasecmp(n_issuerDN, ((LDAPUCertMapInfo_t *)cur->info)->issuerDN)) {
+ LDAPUCertMapInfo_t *info = (LDAPUCertMapInfo_t *)cur->info;
+
+ if (NULL == info->issuerDN) {
+ /* no DN to compare to (probably the default certmap info) */
+ continue;
+ }
+
+ if (CERT_CompareName(issuerDN, info->issuerDN) == SECEqual) {
*certmap_info = cur->info;
break;
}
cur = cur->next;
}
- if (n_issuerDN)
- ldapu_free(n_issuerDN);
}
return *certmap_info ? LDAPU_SUCCESS : LDAPU_FAILED;
}
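Review bot: The `continue` under `NULL == info->issuerDN` jumps back to `while (cur)` without executing `cur = cur->next`, so the first list node without an issuer DN — which the comment itself expects to be the default certmap entry — spins this loop forever. Since `ldapu_issuer_certinfo` runs for every certificate-based bind, a single client certificate would hang that worker if such a node is on `certmap_listinfo`. Advance before skipping, `cur = cur->next; continue;`, or rewrite the walk as `for (cur = certmap_listinfo->head; cur; cur = cur->next)` so no branch can miss the step. Note also that the removed branch mapped a NULL or "default" `issuerDN` to `default_certmap_info`; the internal caller now does that itself, but any external caller of this public function passing NULL now hands it straight to `CERT_CompareName`.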
@@ -1128,7 +1134,7 @@ ldapu_cert_mapfn_default(void *cert_in, LDAP *ld __attribute__((unused)), void *
}
NSAPI_PUBLIC int
-ldapu_set_cert_mapfn(const char *issuerDN,
+ldapu_set_cert_mapfn(const CERTName *issuerDN,
CertMapFn_t mapfn)
{
LDAPUCertMapInfo_t *certmap_info;
@@ -1161,7 +1167,7 @@ ldapu_get_cert_mapfn_sub(LDAPUCertMapInfo_t *certmap_info)
}
NSAPI_PUBLIC CertMapFn_t
-ldapu_get_cert_mapfn(const char *issuerDN)
+ldapu_get_cert_mapfn(const CERTName *issuerDN)
{
LDAPUCertMapInfo_t *certmap_info = 0;
@@ -1173,7 +1179,7 @@ ldapu_get_cert_mapfn(const char *issuerDN)
}
NSAPI_PUBLIC int
-ldapu_set_cert_searchfn(const char *issuerDN,
+ldapu_set_cert_searchfn(const CERTName *issuerDN,
CertSearchFn_t searchfn)
{
LDAPUCertMapInfo_t *certmap_info;
@@ -1206,7 +1212,7 @@ ldapu_get_cert_searchfn_sub(LDAPUCertMapInfo_t *certmap_info)
}
NSAPI_PUBLIC CertSearchFn_t
-ldapu_get_cert_searchfn(const char *issuerDN)
+ldapu_get_cert_searchfn(const CERTName *issuerDN)
{
LDAPUCertMapInfo_t *certmap_info = 0;
@@ -1218,7 +1224,7 @@ ldapu_get_cert_searchfn(const char *issuerDN)
}
NSAPI_PUBLIC int
-ldapu_set_cert_verifyfn(const char *issuerDN,
+ldapu_set_cert_verifyfn(const CERTName *issuerDN,
CertVerifyFn_t verifyfn)
{
LDAPUCertMapInfo_t *certmap_info;
@@ -1251,7 +1257,7 @@ ldapu_get_cert_verifyfn_sub(LDAPUCertMapInfo_t *certmap_info)
}
NSAPI_PUBLIC CertVerifyFn_t
-ldapu_get_cert_verifyfn(const char *issuerDN)
+ldapu_get_cert_verifyfn(const CERTName *issuerDN)
{
LDAPUCertMapInfo_t *certmap_info = 0;
@@ -1288,7 +1294,6 @@ static int ldapu_certinfo_copy (const LDAPUCertMapInfo_t *from,
NSAPI_PUBLIC int
ldapu_cert_to_ldap_entry(void *cert, LDAP *ld, const char *basedn, LDAPMessage **res)
{
- char *issuerDN = 0;
char *ldapDN = 0;
char *filter = 0;
LDAPUCertMapInfo_t *certmap_info;
@@ -1308,14 +1313,14 @@ ldapu_cert_to_ldap_entry(void *cert, LDAP *ld, const char *basedn, LDAPMessage *
certmap_attrs[3] = 0;
}
- rv = ldapu_get_cert_issuer_dn(cert, &issuerDN);
+ CERTName *issuerDN = ldapu_get_cert_issuer_dn_as_CERTName(cert);
+ /* ^ don't need to free this; it will be freed with ^ the cert */
- if (rv != LDAPU_SUCCESS)
+ if (NULL == issuerDN)
return LDAPU_ERR_NO_ISSUERDN_IN_CERT;
/* don't free the certmap_info -- its a pointer to an internal structure */
rv = ldapu_issuer_certinfo(issuerDN, (void **)&certmap_info);
- free(issuerDN);
if (!certmap_info)
certmap_info = default_certmap_info;
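Review bot: The `NULL == issuerDN` guard cannot fire: `ldapu_get_cert_issuer_dn_as_CERTName` returns the address of a field of `cert`, which is non-NULL even when `cert` is NULL, so `LDAPU_ERR_NO_ISSUERDN_IN_CERT` is unreachable here. Test the certificate itself, `if (NULL == cert) return LDAPU_ERR_NO_ISSUERDN_IN_CERT;`, or have the helper return NULL for NULL input. The stray-caret comment reads awkwardly; suggest `/* issuerDN points into cert and is released with the certificate, not here. */`. The rest of `ldapu_cert_to_ldap_entry` is outside the hunk.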
@@ -1604,118 +1609,3 @@ ldapu_realloc(void *ptr, int size)
{
return realloc(ptr, size);
}
-
-#define DNSEPARATOR(c) (c == ',' || c == ';')
-#define SEPARATOR(c) (c == ',' || c == ';' || c == '+')
-#define SPACE(c) (c == ' ' || c == '\n')
-#define NEEDSESCAPE(c) (c == '\\' || c == '"')
-#define B4TYPE 0
-#define INTYPE 1
-#define B4EQUAL 2
-#define B4VALUE 3
-#define INVALUE 4
-#define INQUOTEDVALUE 5
-#define B4SEPARATOR 6
-
-static char *
-ldapu_dn_normalize(char *dn)
-{
- char *d, *s;
- int state, gotesc;
-
- gotesc = 0;
- state = B4TYPE;
- for (d = s = dn; *s; s++) {
- switch (state) {
- case B4TYPE:
- if (!SPACE(*s)) {
- state = INTYPE;
- *d++ = *s;
- }
- break;
- case INTYPE:
- if (*s == '=') {
- state = B4VALUE;
- *d++ = *s;
- } else if (SPACE(*s)) {
- state = B4EQUAL;
- } else {
- *d++ = *s;
- }
- break;
- case B4EQUAL:
- if (*s == '=') {
- state = B4VALUE;
- *d++ = *s;
- } else if (!SPACE(*s)) {
- /* not a valid dn - but what can we do here? */
- *d++ = *s;
- }
- break;
- case B4VALUE:
- if (*s == '"') {
- state = INQUOTEDVALUE;
- *d++ = *s;
- } else if (!SPACE(*s)) {
- state = INVALUE;
- *d++ = *s;
- }
- break;
- case INVALUE:
- if (!gotesc && SEPARATOR(*s)) {
- while (SPACE(*(d - 1)))
- d--;
- state = B4TYPE;
- if (*s == '+') {
- *d++ = *s;
- } else {
- *d++ = ',';
- }
- } else if (gotesc && !NEEDSESCAPE(*s) &&
- !SEPARATOR(*s)) {
- *--d = *s;
- d++;
- } else {
- *d++ = *s;
- }
- break;
- case INQUOTEDVALUE:
- if (!gotesc && *s == '"') {
- state = B4SEPARATOR;
- *d++ = *s;
- } else if (gotesc && !NEEDSESCAPE(*s)) {
- *--d = *s;
- d++;
- } else {
- *d++ = *s;
- }
- break;
- case B4SEPARATOR:
- if (SEPARATOR(*s)) {
- state = B4TYPE;
- if (*s == '+') {
- *d++ = *s;
- } else {
- *d++ = ',';
- }
- }
- break;
- default:
- break;
- }
- if (*s == '\\') {
- gotesc = 1;
- } else {
- gotesc = 0;
- }
- }
- *d = '\0';
-
- /* Trim trailing spaces */
- d--;
- while (d >= dn && *d == ' ') {
- *d-- = '\0';
- }
-
- return (dn);
-}
diff --git a/lib/ldaputil/examples/init.c b/lib/ldaputil/examples/init.c
index 74db977..fd1edc9 100644
--- a/lib/ldaputil/examples/init.c
+++ b/lib/ldaputil/examples/init.c
@@ -15,12 +15,13 @@
#include <stdio.h>
#include <string.h>
#include <ctype.h>
+#include <nss3/cert.h>
#include "certmap.h" /* Public Certmap API */
#include "plugin.h" /* must define extern "C" functions */
NSAPI_PUBLIC int
-plugin_init_fn(void *certmap_info, const char *issuerName, const char *issuerDN, const char *libname)
+plugin_init_fn(void *certmap_info, const char *issuerName, const CERTName *issuerDN, const char *libname)
{
static int initialized = 0;
int rv;
[389-ds-base] branch 389-ds-base-1.3.9 updated: Ticket 49543 - fix certmap dn comparison
mreynolds pushed a commit to branch 389-ds-base-1.3.9
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.3.9 by this push:
new 1a93d63 Ticket 49543 - fix certmap dn comparison
1a93d63 is described below
commit 1a93d63fa1fa95599c0dda1a1f3b2a72ab90d634
Author: Fraser Tweedale <ftweedal(a)redhat.com>
AuthorDate: Fri Mar 16 15:16:56 2018 +1000
Ticket 49543 - fix certmap dn comparison
Bug Description: Differences in DN string representations between
the value included in certmap.conf, and the stringified value of the
Issuer DN produced by NSS, as well as buggy DN normalisation code in
389 itself, cause 389 to wrongly reject the correct certmap
configuration to use. Authentication fails. This behaviour was
observed when there is an escaped comma in an attribute value.
Fix Description: Instead of comparing stringified DNs, parse the DN
represented in certmap.conf into an NSS CERTName. Use the NSS DN
comparison routine (CERT_CompareName) when comparing certificate Issuer DNs
against the certmap configurations. Remove the buggy DN normalisation routine.
https://pagure.io/389-ds-base/issue/49543
Author: Fraser Tweedale <ftweedal(a)redhat.com>
Review by: ???
---
include/ldaputil/certmap.h | 20 +++---
include/ldaputil/ldaputil.h | 2 +-
lib/ldaputil/cert.c | 27 ++++++--
lib/ldaputil/certmap.c | 162 +++++++------------------------------------
lib/ldaputil/examples/init.c | 3 +-
5 files changed, 62 insertions(+), 152 deletions(-)
diff --git a/include/ldaputil/certmap.h b/include/ldaputil/certmap.h
index fec2dd9..50fd4d1 100644
--- a/include/ldaputil/certmap.h
+++ b/include/ldaputil/certmap.h
@@ -16,6 +16,7 @@
/* What was extcmap.h begins ... */
#include <ldap.h>
+#include <nss3/cert.h>
#ifndef NSAPI_PUBLIC
#define NSAPI_PUBLIC
@@ -156,7 +157,7 @@ typedef int (*CertVerifyFn_t)(void *cert, LDAP *ld, void *certmap_info, LDAPMess
* otherwise return LDAPU_CERT_MAP_INITFN_FAILED. The server startup will be
* aborted if the return value is not LDAPU_SUCCESS.
*/
-typedef int (*CertMapInitFn_t)(void *certmap_info, const char *issuerName, const char *issuerDN, const char *libname);
+typedef int (*CertMapInitFn_t)(void *certmap_info, const char *issuerName, const CERTName *issuerDN, const char *libname);
/*
* Refer to the description of the function ldapu_get_cert_ava_val
@@ -209,27 +210,30 @@ extern "C" {
NSAPI_PUBLIC int ldapu_cert_to_ldap_entry(void *cert, LDAP *ld, const char *basedn, LDAPMessage **res);
-NSAPI_PUBLIC int ldapu_set_cert_mapfn(const char *issuerDN,
+NSAPI_PUBLIC int ldapu_set_cert_mapfn(const CERTName *issuerDN,
CertMapFn_t mapfn);
-NSAPI_PUBLIC CertMapFn_t ldapu_get_cert_mapfn(const char *issuerDN);
+NSAPI_PUBLIC CertMapFn_t ldapu_get_cert_mapfn(const CERTName *issuerDN);
-NSAPI_PUBLIC int ldapu_set_cert_searchfn(const char *issuerDN,
+NSAPI_PUBLIC int ldapu_set_cert_searchfn(const CERTName *issuerDN,
CertSearchFn_t searchfn);
-NSAPI_PUBLIC CertSearchFn_t ldapu_get_cert_searchfn(const char *issuerDN);
+NSAPI_PUBLIC CertSearchFn_t ldapu_get_cert_searchfn(const CERTName *issuerDN);
-NSAPI_PUBLIC int ldapu_set_cert_verifyfn(const char *issuerDN,
+NSAPI_PUBLIC int ldapu_set_cert_verifyfn(const CERTName *issuerDN,
CertVerifyFn_t verifyFn);
-NSAPI_PUBLIC CertVerifyFn_t ldapu_get_cert_verifyfn(const char *issuerDN);
+NSAPI_PUBLIC CertVerifyFn_t ldapu_get_cert_verifyfn(const CERTName *issuerDN);
NSAPI_PUBLIC int ldapu_get_cert_subject_dn(void *cert, char **subjectDN);
+NSAPI_PUBLIC CERTName *ldapu_get_cert_issuer_dn_as_CERTName(CERTCertificate *cert);
+
+
NSAPI_PUBLIC int ldapu_get_cert_issuer_dn(void *cert, char **issuerDN);
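Review bot: The new `ldapu_get_cert_issuer_dn_as_CERTName` declaration carries no ownership note, whereas its sibling `ldapu_get_cert_issuer_dn` hands back a string the caller frees; a certmap plugin author reading only this header may `CERT_DestroyName` the result and corrupt the certificate. Add at the declaration: `/* Returns a pointer to cert's own issuer field; valid only while cert lives, do not free. */`. It also breaks the `void *cert` convention of the surrounding prototypes by taking `CERTCertificate *`, which is worth a line saying callers must pass an NSS certificate.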
@@ -242,7 +246,7 @@ NSAPI_PUBLIC int ldapu_free_cert_ava_val(char **val);
NSAPI_PUBLIC int ldapu_get_cert_der(void *cert, unsigned char **derCert, unsigned int *len);
-NSAPI_PUBLIC int ldapu_issuer_certinfo(const char *issuerDN,
+NSAPI_PUBLIC int ldapu_issuer_certinfo(const CERTName *issuerDN,
void **certmap_info);
diff --git a/include/ldaputil/ldaputil.h b/include/ldaputil/ldaputil.h
index e0e028c..b172819 100644
--- a/include/ldaputil/ldaputil.h
+++ b/include/ldaputil/ldaputil.h
@@ -48,7 +48,7 @@ enum
typedef struct
{
char *issuerName; /* issuer (symbolic/short) name */
- char *issuerDN; /* cert issuer's DN */
+ CERTName *issuerDN; /* cert issuer's DN */
LDAPUPropValList_t *propval; /* pointer to the prop-val pairs list */
CertMapFn_t mapfn; /* cert to ldapdn & filter mapping func */
CertVerifyFn_t verifyfn; /* verify cert function */
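Review bot: `issuerDN` is now a `CERTName` allocated by `CERT_AsciiToName` in `dbinfo_to_certinfo`, an NSS arena-backed object, but the diff shows no change to the code that releases an `LDAPUCertMapInfo_t`; if that code (outside this diff) still passes `issuerDN` to `free()`/`ldapu_free` as it did for the old string, it now uses the wrong deallocator and leaks the arena. That path needs `CERT_DestroyName(info->issuerDN)`. Record the contract on the field: `CERTName *issuerDN; /* parsed from CERT_AsciiToName; NULL for the "default" entry; release with CERT_DestroyName */`.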
diff --git a/lib/ldaputil/cert.c b/lib/ldaputil/cert.c
index 65a4815..73abba1 100644
--- a/lib/ldaputil/cert.c
+++ b/lib/ldaputil/cert.c
@@ -54,15 +54,30 @@ ldapu_get_cert_subject_dn(void *cert_in, char **subjectDN)
return *subjectDN ? LDAPU_SUCCESS : LDAPU_ERR_EXTRACT_SUBJECTDN_FAILED;
}
+/*
+ * Return the Issuer DN as a CERTName.
+ * The CERTName is owned by the CERTCertificate.
+ */
+NSAPI_PUBLIC CERTName *
+ldapu_get_cert_issuer_dn_as_CERTName(CERTCertificate *cert_in)
+{
+ return &cert_in->issuer;
+}
+
+/*
+ * Return the Issuer DN as a string.
+ * The string should be freed by the caller.
+ */
NSAPI_PUBLIC int
ldapu_get_cert_issuer_dn(void *cert_in, char **issuerDN)
{
- CERTCertificate *cert = (CERTCertificate *)cert_in;
- char *cert_issuer = CERT_NameToAscii(&cert->issuer);
-
- *issuerDN = strdup(cert_issuer);
- PR_Free(cert_issuer);
-
+ *issuerDN = NULL;
+ CERTName *dn = ldapu_get_cert_issuer_dn_as_CERTName((CERTCertificate *)cert_in);
+ if (dn != NULL) {
+ char *cert_issuer = CERT_NameToAscii(dn);
+ *issuerDN = strdup(cert_issuer);
+ PR_Free(cert_issuer);
+ }
return *issuerDN ? LDAPU_SUCCESS : LDAPU_ERR_EXTRACT_ISSUERDN_FAILED;
}
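Review bot: `ldapu_get_cert_issuer_dn_as_CERTName` returns `&cert_in->issuer` unconditionally, so it can never return NULL and the `dn != NULL` test below it (and the matching check in `ldapu_cert_to_ldap_entry`) is dead; for a NULL certificate it yields a non-NULL pointer computed from NULL instead of an error. Make the helper honour its callers' checks: `return cert_in ? &cert_in->issuer : NULL;`. The rewritten lines in `ldapu_get_cert_issuer_dn` also still call `strdup(cert_issuer)` unguarded, although `CERT_NameToAscii` returns NULL on allocation failure and `strdup(NULL)` is undefined; guard it with `if (cert_issuer != NULL) { *issuerDN = strdup(cert_issuer); PR_Free(cert_issuer); }`.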
diff --git a/lib/ldaputil/certmap.c b/lib/ldaputil/certmap.c
index 78bb363..0db2de1 100644
--- a/lib/ldaputil/certmap.c
+++ b/lib/ldaputil/certmap.c
@@ -52,7 +52,6 @@ static char this_dllname[256];
static const char *LIB_DIRECTIVE = "certmap";
static const int LIB_DIRECTIVE_LEN = 7; /* strlen("LIB_DIRECTIVE") */
-static char *ldapu_dn_normalize(char *dn);
static void *ldapu_propval_free(void *propval_in, void *arg);
typedef struct
@@ -337,8 +336,13 @@ dbinfo_to_certinfo(DBConfDBInfo_t *db_info,
certinfo->issuerName = db_info->dbname;
db_info->dbname = 0;
- certinfo->issuerDN = ldapu_dn_normalize(db_info->url);
- db_info->url = 0;
+ /* Parse the Issuer DN. */
+ certinfo->issuerDN = CERT_AsciiToName(db_info->url);
+ if (NULL == certinfo->issuerDN /* invalid DN */
+ && ldapu_strcasecmp(db_info->url, "default") != 0 /* not "default" */) {
+ rv = LDAPU_ERR_MALFORMED_SUBJECT_DN;
+ goto error;
+ }
/* hijack actual prop-vals from dbinfo -- to avoid strdup calls */
if (db_info->firstprop) {
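Review bot: A parse failure here is reported as `LDAPU_ERR_MALFORMED_SUBJECT_DN` although the value being parsed is the issuer DN from certmap.conf, which will mislead whoever reads the startup failure; if no issuer-specific code exists, say so at the reuse, `/* no issuer-DN code exists; reuse the subject-DN one */`. `CERT_AsciiToName` accepts only the attribute types and syntax NSS knows, so an issuer line the old normaliser tolerated can now abort server startup; that tightening deserves a sentence in the release notes. `dbinfo_to_certinfo` begins and continues outside the hunk.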
@@ -890,24 +894,26 @@ ldapu_cert_searchfn_default(void *cert, LDAP *ld, void *certmap_info_in, const c
}
NSAPI_PUBLIC int
-ldapu_issuer_certinfo(const char *issuerDN, void **certmap_info)
+ldapu_issuer_certinfo(const CERTName *issuerDN, void **certmap_info)
{
*certmap_info = 0;
- if (!issuerDN || !*issuerDN || !ldapu_strcasecmp(issuerDN, "default")) {
- *certmap_info = default_certmap_info;
- } else if (certmap_listinfo) {
- char *n_issuerDN = ldapu_dn_normalize(ldapu_strdup(issuerDN));
+ if (certmap_listinfo) {
LDAPUListNode_t *cur = certmap_listinfo->head;
while (cur) {
- if (!ldapu_strcasecmp(n_issuerDN, ((LDAPUCertMapInfo_t *)cur->info)->issuerDN)) {
+ LDAPUCertMapInfo_t *info = (LDAPUCertMapInfo_t *)cur->info;
+
+ if (NULL == info->issuerDN) {
+ /* no DN to compare to (probably the default certmap info) */
+ continue;
+ }
+
+ if (CERT_CompareName(issuerDN, info->issuerDN) == SECEqual) {
*certmap_info = cur->info;
break;
}
cur = cur->next;
}
- if (n_issuerDN)
- ldapu_free(n_issuerDN);
}
return *certmap_info ? LDAPU_SUCCESS : LDAPU_FAILED;
}
@@ -1128,7 +1134,7 @@ ldapu_cert_mapfn_default(void *cert_in, LDAP *ld __attribute__((unused)), void *
}
NSAPI_PUBLIC int
-ldapu_set_cert_mapfn(const char *issuerDN,
+ldapu_set_cert_mapfn(const CERTName *issuerDN,
CertMapFn_t mapfn)
{
LDAPUCertMapInfo_t *certmap_info;
@@ -1161,7 +1167,7 @@ ldapu_get_cert_mapfn_sub(LDAPUCertMapInfo_t *certmap_info)
}
NSAPI_PUBLIC CertMapFn_t
-ldapu_get_cert_mapfn(const char *issuerDN)
+ldapu_get_cert_mapfn(const CERTName *issuerDN)
{
LDAPUCertMapInfo_t *certmap_info = 0;
@@ -1173,7 +1179,7 @@ ldapu_get_cert_mapfn(const char *issuerDN)
}
NSAPI_PUBLIC int
-ldapu_set_cert_searchfn(const char *issuerDN,
+ldapu_set_cert_searchfn(const CERTName *issuerDN,
CertSearchFn_t searchfn)
{
LDAPUCertMapInfo_t *certmap_info;
@@ -1206,7 +1212,7 @@ ldapu_get_cert_searchfn_sub(LDAPUCertMapInfo_t *certmap_info)
}
NSAPI_PUBLIC CertSearchFn_t
-ldapu_get_cert_searchfn(const char *issuerDN)
+ldapu_get_cert_searchfn(const CERTName *issuerDN)
{
LDAPUCertMapInfo_t *certmap_info = 0;
@@ -1218,7 +1224,7 @@ ldapu_get_cert_searchfn(const char *issuerDN)
}
NSAPI_PUBLIC int
-ldapu_set_cert_verifyfn(const char *issuerDN,
+ldapu_set_cert_verifyfn(const CERTName *issuerDN,
CertVerifyFn_t verifyfn)
{
LDAPUCertMapInfo_t *certmap_info;
@@ -1251,7 +1257,7 @@ ldapu_get_cert_verifyfn_sub(LDAPUCertMapInfo_t *certmap_info)
}
NSAPI_PUBLIC CertVerifyFn_t
-ldapu_get_cert_verifyfn(const char *issuerDN)
+ldapu_get_cert_verifyfn(const CERTName *issuerDN)
{
LDAPUCertMapInfo_t *certmap_info = 0;
@@ -1288,7 +1294,6 @@ static int ldapu_certinfo_copy (const LDAPUCertMapInfo_t *from,
NSAPI_PUBLIC int
ldapu_cert_to_ldap_entry(void *cert, LDAP *ld, const char *basedn, LDAPMessage **res)
{
- char *issuerDN = 0;
char *ldapDN = 0;
char *filter = 0;
LDAPUCertMapInfo_t *certmap_info;
@@ -1308,14 +1313,14 @@ ldapu_cert_to_ldap_entry(void *cert, LDAP *ld, const char *basedn, LDAPMessage *
certmap_attrs[3] = 0;
}
- rv = ldapu_get_cert_issuer_dn(cert, &issuerDN);
+ CERTName *issuerDN = ldapu_get_cert_issuer_dn_as_CERTName(cert);
+ /* ^ don't need to free this; it will be freed with ^ the cert */
- if (rv != LDAPU_SUCCESS)
+ if (NULL == issuerDN)
return LDAPU_ERR_NO_ISSUERDN_IN_CERT;
/* don't free the certmap_info -- its a pointer to an internal structure */
rv = ldapu_issuer_certinfo(issuerDN, (void **)&certmap_info);
- free(issuerDN);
if (!certmap_info)
certmap_info = default_certmap_info;
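Review bot: The `NULL == issuerDN` guard cannot fire: `ldapu_get_cert_issuer_dn_as_CERTName` returns the address of a field of `cert`, which is non-NULL even when `cert` is NULL, so `LDAPU_ERR_NO_ISSUERDN_IN_CERT` is unreachable here. Test the certificate itself, `if (NULL == cert) return LDAPU_ERR_NO_ISSUERDN_IN_CERT;`, or have the helper return NULL for NULL input. The stray-caret comment reads awkwardly; suggest `/* issuerDN points into cert and is released with the certificate, not here. */`. The rest of `ldapu_cert_to_ldap_entry` is outside the hunk.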
@@ -1604,118 +1609,3 @@ ldapu_realloc(void *ptr, int size)
{
return realloc(ptr, size);
}
-
-#define DNSEPARATOR(c) (c == ',' || c == ';')
-#define SEPARATOR(c) (c == ',' || c == ';' || c == '+')
-#define SPACE(c) (c == ' ' || c == '\n')
-#define NEEDSESCAPE(c) (c == '\\' || c == '"')
-#define B4TYPE 0
-#define INTYPE 1
-#define B4EQUAL 2
-#define B4VALUE 3
-#define INVALUE 4
-#define INQUOTEDVALUE 5
-#define B4SEPARATOR 6
-
-static char *
-ldapu_dn_normalize(char *dn)
-{
- char *d, *s;
- int state, gotesc;
-
- gotesc = 0;
- state = B4TYPE;
- for (d = s = dn; *s; s++) {
- switch (state) {
- case B4TYPE:
- if (!SPACE(*s)) {
- state = INTYPE;
- *d++ = *s;
- }
- break;
- case INTYPE:
- if (*s == '=') {
- state = B4VALUE;
- *d++ = *s;
- } else if (SPACE(*s)) {
- state = B4EQUAL;
- } else {
- *d++ = *s;
- }
- break;
- case B4EQUAL:
- if (*s == '=') {
- state = B4VALUE;
- *d++ = *s;
- } else if (!SPACE(*s)) {
- /* not a valid dn - but what can we do here? */
- *d++ = *s;
- }
- break;
- case B4VALUE:
- if (*s == '"') {
- state = INQUOTEDVALUE;
- *d++ = *s;
- } else if (!SPACE(*s)) {
- state = INVALUE;
- *d++ = *s;
- }
- break;
- case INVALUE:
- if (!gotesc && SEPARATOR(*s)) {
- while (SPACE(*(d - 1)))
- d--;
- state = B4TYPE;
- if (*s == '+') {
- *d++ = *s;
- } else {
- *d++ = ',';
- }
- } else if (gotesc && !NEEDSESCAPE(*s) &&
- !SEPARATOR(*s)) {
- *--d = *s;
- d++;
- } else {
- *d++ = *s;
- }
- break;
- case INQUOTEDVALUE:
- if (!gotesc && *s == '"') {
- state = B4SEPARATOR;
- *d++ = *s;
- } else if (gotesc && !NEEDSESCAPE(*s)) {
- *--d = *s;
- d++;
- } else {
- *d++ = *s;
- }
- break;
- case B4SEPARATOR:
- if (SEPARATOR(*s)) {
- state = B4TYPE;
- if (*s == '+') {
- *d++ = *s;
- } else {
- *d++ = ',';
- }
- }
- break;
- default:
- break;
- }
- if (*s == '\\') {
- gotesc = 1;
- } else {
- gotesc = 0;
- }
- }
- *d = '\0';
-
- /* Trim trailing spaces */
- d--;
- while (d >= dn && *d == ' ') {
- *d-- = '\0';
- }
-
- return (dn);
-}
diff --git a/lib/ldaputil/examples/init.c b/lib/ldaputil/examples/init.c
index 74db977..fd1edc9 100644
--- a/lib/ldaputil/examples/init.c
+++ b/lib/ldaputil/examples/init.c
@@ -15,12 +15,13 @@
#include <stdio.h>
#include <string.h>
#include <ctype.h>
+#include <nss3/cert.h>
#include "certmap.h" /* Public Certmap API */
#include "plugin.h" /* must define extern "C" functions */
NSAPI_PUBLIC int
-plugin_init_fn(void *certmap_info, const char *issuerName, const char *issuerDN, const char *libname)
+plugin_init_fn(void *certmap_info, const char *issuerName, const CERTName *issuerDN, const char *libname)
{
static int initialized = 0;
int rv;
[389-ds-base] branch master updated (70bdd33 -> 5d611f1)
mreynolds pushed a change to branch master
in repository 389-ds-base.
from 70bdd33 Ticket 49543 - fix certmap dn comparison
add 5d611f1 Ticket 49814 - dscreate should handle selinux ports that are in a range
No new revisions were added by this update.
Summary of changes:
src/lib389/lib389/utils.py | 5 +++++
1 file changed, 5 insertions(+)
[389-ds-base] branch master updated (683bc57 -> 70bdd33)
mreynolds pushed a change to branch master
in repository 389-ds-base.
from 683bc57 Ticket 49994 - comment out dev paths
add 70bdd33 Ticket 49543 - fix certmap dn comparison
No new revisions were added by this update.
Summary of changes:
include/ldaputil/certmap.h | 20 +++---
include/ldaputil/ldaputil.h | 2 +-
lib/ldaputil/cert.c | 27 ++++++--
lib/ldaputil/certmap.c | 162 +++++++------------------------------------
lib/ldaputil/examples/init.c | 3 +-
5 files changed, 62 insertions(+), 152 deletions(-)
[389-ds-base] branch master updated: Ticket 49994 - comment out dev paths
mreynolds pushed a commit to branch master
in repository 389-ds-base.
The following commit(s) were added to refs/heads/master by this push:
new 683bc57 Ticket 49994 - comment out dev paths
683bc57 is described below
commit 683bc575af84d8cbe11ad56efdfa5d99db3cebc1
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Fri Nov 23 11:08:12 2018 -0500
Ticket 49994 - comment out dev paths
Description: Accidentally left dev paths for CLI tools in UI uncommented
https://pagure.io/389-ds-base/issue/49994
---
src/cockpit/389-console/src/ds.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/cockpit/389-console/src/ds.js b/src/cockpit/389-console/src/ds.js
index e781138..46233ff 100644
--- a/src/cockpit/389-console/src/ds.js
+++ b/src/cockpit/389-console/src/ds.js
@@ -29,13 +29,13 @@ var DSCTL = "dsctl";
var DSCREATE = "dscreate";
var ENV = "";
-
+/*
// Used for local development testing
var DSCONF = '/home/mareynol/source/ds389/389-ds-base/src/lib389/cli/dsconf';
var DSCTL = '/home/mareynol/source/ds389/389-ds-base/src/lib389/cli/dsctl';
var DSCREATE = '/home/mareynol/source/ds389/389-ds-base/src/lib389/cli/dscreate';
var ENV = 'PYTHONPATH=/home/mareynol/source/ds389/389-ds-base/src/lib389';
-
+*/
/*
* Console logging function for CLI commands
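Review bot: Fencing the block in `/* */` keeps a developer's home-directory paths in the shipped UI source, and because it redeclares `var DSCONF`/`DSCTL`/`DSCREATE`/`ENV` under the same names, it is one un-comment away from making the Cockpit plugin run `dsconf`/`dsctl`/`dscreate` from `/home/mareynol/...` again — exactly the slip this commit repairs, and one that would have the privileged console execute tools from a user-writable directory. Prefer deleting the block from the tree and carrying the override as a local uncommitted change (or an ignored `ds-local.js` loaded only when present). If it must stay, a loud marker such as `// DEV ONLY — never commit uncommented` above it at least gives the next diff review something to catch.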
[389-ds-base] branch master updated (9d736d6 -> 89886ba)
mreynolds pushed a change to branch master
in repository 389-ds-base.
from 9d736d6 Issue 48081 - Add new CI tests for password
add 89886ba Ticket 49994 - Add backend features to CLI
No new revisions were added by this update.
Summary of changes:
ldap/servers/slapd/back-ldbm/vlv.c | 11 +-
src/cockpit/389-console/src/backend.js | 25 +
src/cockpit/389-console/src/ds.js | 7 +-
src/cockpit/389-console/src/monitor.html | 4 +-
src/cockpit/389-console/src/replication.html | 8 +-
src/cockpit/389-console/src/replication.js | 2 +-
src/cockpit/389-console/src/schema.js | 1 -
src/cockpit/389-console/src/servers.js | 11 +-
src/cockpit/389-console/src/static/jstree.min.js | 12 +-
src/lib389/cli/dsconf | 22 +-
src/lib389/lib389/__init__.py | 3 +-
src/lib389/lib389/_mapped_object.py | 4 +-
src/lib389/lib389/agreement.py | 4 +-
src/lib389/lib389/backend.py | 202 +++++-
src/lib389/lib389/chaining.py | 176 ++++++
src/lib389/lib389/cli_base/__init__.py | 20 +-
src/lib389/lib389/cli_conf/backend.py | 748 ++++++++++++++++++++++-
src/lib389/lib389/cli_conf/chaining.py | 265 ++++++++
src/lib389/lib389/cli_conf/config.py | 1 -
src/lib389/lib389/cli_conf/plugin.py | 14 +-
src/lib389/lib389/cli_conf/pwpolicy.py | 14 +-
src/lib389/lib389/cli_conf/replication.py | 15 +-
src/lib389/lib389/cli_conf/schema.py | 54 +-
src/lib389/lib389/encrypted_attributes.py | 5 +-
src/lib389/lib389/index.py | 118 +++-
src/lib389/lib389/monitor.py | 56 +-
src/lib389/lib389/tasks.py | 115 ++--
src/lib389/lib389/tools.py | 2 -
src/lib389/lib389/utils.py | 37 +-
29 files changed, 1748 insertions(+), 208 deletions(-)
create mode 100644 src/lib389/lib389/chaining.py
create mode 100644 src/lib389/lib389/cli_conf/chaining.py
[389-ds-base] branch master updated (7ee2be8 -> 9d736d6)
vashirov pushed a change to branch master
in repository 389-ds-base.
from 7ee2be8 Bump version to 1.4.0.19
add 9d736d6 Issue 48081 - Add new CI tests for password
No new revisions were added by this update.
Summary of changes:
.../tests/suites/password/pwdModify_test.py | 267 +++++++++++++++++++++
1 file changed, 267 insertions(+)
create mode 100644 dirsrvtests/tests/suites/password/pwdModify_test.py
[389-ds-base] branch 389-ds-base-1.3.8 updated: Ticket 50020 - during MODRDN referential integrity can fail erronously while updating large groups
tbordaz pushed a commit to branch 389-ds-base-1.3.8
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.3.8 by this push:
new 3800388 Ticket 50020 - during MODRDN referential integrity can fail erronously while updating large groups
3800388 is described below
commit 38003882f03a4e2473ef2fef524cf153e691de0b
Author: Thierry Bordaz <tbordaz(a)redhat.com>
AuthorDate: Fri Nov 9 17:07:11 2018 +0100
Ticket 50020 - during MODRDN referential integrity can fail erronously while updating large groups
Bug Description:
During a MODRDN of a group member, referential integrity will update the groups containing this member.
Under specific conditions, the MODRDN can fail (err=1).
on MODRDN Referential integrity checks if the original DN of the target MODRDN entry is
member of a given group. If it is then it updates the group.
The returned code of the group update is using the variable 'rc'.
It does a normalized DN comparison to compare original DN with members DN, to determine if
a group needs to be updated.
If the group does not need to be updated, 'rc' is not set.
The bug is that it uses 'rc' to normalize the DN, so if the group is not updated
the returned code reflects the normalization return code rather than the group update.
The bug is hit in specific conditions
One of the evaluated group contains more than 128 members
the last member (last value) of the group is not the moved entry
the last member (last value) of the group is a DN value that contains escaped chars
Fix Description:
Use a local variable to check the result of the DN normalization
https://pagure.io/389-ds-base/issue/50020
Reviewed by: Simon Pichugin, Mark Reynolds (thanks)
Platforms tested: F27
Flag Day: no
---
dirsrvtests/tests/suites/plugins/referint_test.py | 103 ++++++++++++++++++++++
ldap/servers/plugins/referint/referint.c | 18 ++--
2 files changed, 113 insertions(+), 8 deletions(-)
diff --git a/dirsrvtests/tests/suites/plugins/referint_test.py b/dirsrvtests/tests/suites/plugins/referint_test.py
new file mode 100644
index 0000000..67a11de
--- /dev/null
+++ b/dirsrvtests/tests/suites/plugins/referint_test.py
@@ -0,0 +1,103 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+'''
+Created on Dec 12, 2019
+
+@author: tbordaz
+'''
+import logging
+import subprocess
+import pytest
+from lib389 import Entry
+from lib389.utils import *
+from lib389.plugins import *
+from lib389._constants import *
+from lib389.idm.user import UserAccounts, UserAccount
+from lib389.idm.group import Groups
+from lib389.topologies import topology_st as topo
+
+log = logging.getLogger(__name__)
+
+ESCAPED_RDN_BASE = "foo\,oo"
+def _user_get_dn(no):
+ uid = '%s%d' % (ESCAPED_RDN_BASE, no)
+ dn = 'uid=%s,%s' % (uid, SUFFIX)
+ return (uid, dn)
+
+def add_escaped_user(server, no):
+ (uid, dn) = _user_get_dn(no)
+ log.fatal('Adding user (%s): ' % dn)
+ server.add_s(Entry((dn, {'objectclass': ['top', 'person', 'organizationalPerson', 'inetOrgPerson'],
+ 'uid': [uid],
+ 'sn' : [uid],
+ 'cn' : [uid]})))
+ return dn
+
+(a)pytest.mark.ds50020
+def test_referential_false_failure(topo):
+ """On MODRDN referential integrity can erronously fail
+
+ :id: f77aeb80-c4c4-471b-8c1b-4733b714778b
+ :setup: Standalone Instance
+ :steps:
+ 1. Configure the plugin
+ 2. Create a group
+ - 1rst member the one that will be move
+ - more than 128 members
+ - last member is a DN containing escaped char
+ 3. Rename the 1rst member
+ :expectedresults:
+ 1. should succeed
+ 2. should succeed
+ 3. should succeed
+ """
+
+ inst = topo[0]
+
+ # stop the plugin, and start it
+ plugin = ReferentialIntegrityPlugin(inst)
+ plugin.disable()
+ plugin.enable()
+
+ ############################################################################
+ # Configure plugin
+ ############################################################################
+ GROUP_CONTAINER = "ou=groups,%s" % DEFAULT_SUFFIX
+ plugin.replace('referint-membership-attr', 'member')
+ plugin.replace('nsslapd-plugincontainerscope', GROUP_CONTAINER)
+
+ ############################################################################
+ # Creates a group with members having escaped DN
+ ############################################################################
+ # Add some users and a group
+ users = UserAccounts(inst, DEFAULT_SUFFIX, None)
+ user1 = users.create_test_user(uid=1001)
+ user2 = users.create_test_user(uid=1002)
+
+ groups = Groups(inst, GROUP_CONTAINER, None)
+ group = groups.create(properties={'cn': 'group'})
+ group.add('member', user2.dn)
+ group.add('member', user1.dn)
+
+ # Add more than 128 members so that referint follows the buggy path
+ for i in range(130):
+ escaped_user = add_escaped_user(inst, i)
+ group.add('member', escaped_user)
+
+ ############################################################################
+ # Check that the MODRDN succeeds
+ ###########################################################################
+ # Here we need to restart so that member values are taken in the right order
+ # the last value is the escaped one
+ inst.restart()
+
+ # Here if the bug is fixed, referential is able to update the member value
+ inst.rename_s(user1.dn, 'uid=new_test_user_1001', newsuperior=SUFFIX, delold=0)
+
+
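Review bot: `ESCAPED_RDN_BASE = "foo\,oo"` relies on an invalid escape sequence: the backslash survives only because `\,` is not a recognised escape, and since Python 3.6 this emits a DeprecationWarning (a SyntaxWarning in newer releases), so the literal should be written `r"foo\,oo"` or `"foo\\,oo"` to make the escaped comma explicit. The test also proves only that `rename_s` does not raise; since the bug was a wrong return code in referint, it would be stronger to read the group's `member` values back after the rename and assert that `'uid=new_test_user_1001,%s' % SUFFIX` is present and `user1.dn` is gone, so a silently skipped group update cannot pass. `import subprocess` and `UserAccount` are unused, and `log.fatal` is the wrong level for routine user creation in `add_escaped_user` (`log.info` fits). The header's 2016 copyright and "Created on Dec 12, 2019" do not match the November 2018 commit date.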
diff --git a/ldap/servers/plugins/referint/referint.c b/ldap/servers/plugins/referint/referint.c
index f6d1c27..9e4e680 100644
--- a/ldap/servers/plugins/referint/referint.c
+++ b/ldap/servers/plugins/referint/referint.c
@@ -824,20 +824,21 @@ _update_one_per_mod(Slapi_DN *entrySDN, /* DN of the searched entry */
*/
for (nval = slapi_attr_first_value(attr, &v); nval != -1;
nval = slapi_attr_next_value(attr, nval, &v)) {
+ int normalize_rc;
p = NULL;
dnlen = 0;
/* DN syntax, which should be a string */
sval = slapi_ch_strdup(slapi_value_get_string(v));
- rc = slapi_dn_normalize_case_ext(sval, 0, &p, &dnlen);
- if (rc == 0) { /* sval is passed in; not terminated */
+ normalize_rc = slapi_dn_normalize_case_ext(sval, 0, &p, &dnlen);
+ if (normalize_rc == 0) { /* sval is passed in; not terminated */
*(p + dnlen) = '\0';
sval = p;
- } else if (rc > 0) {
+ } else if (normalize_rc > 0) {
slapi_ch_free_string(&sval);
sval = p;
}
- /* else: (rc < 0) Ignore the DN normalization error for now. */
+ /* else: (normalize_rc < 0) Ignore the DN normalization error for now. */
p = PL_strstr(sval, slapi_sdn_get_ndn(origDN));
if (p == sval) {
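Review bot: The `normalize_rc < 0` case still falls through with `sval` un-normalized, so the `PL_strstr(sval, slapi_sdn_get_ndn(origDN))` prefix test on the next line compares a raw attribute value against a normalized DN and can miss a reference to the renamed entry, leaving a stale member value behind with no diagnostic; the fix only stops that code from leaking into `rc`. Unless that comparison is known to be insensitive to normalization, the branch should at least log the offending value through the plugin's error logging, or `continue` so an un-normalized value is never compared. If the file already allows mixed declarations, `int normalize_rc = slapi_dn_normalize_case_ext(sval, 0, &p, &dnlen);` at the point of use would also avoid the separate uninitialized declaration. `_update_one_per_mod` starts and ends outside this hunk, so whether `rc` is initialized before the loop cannot be confirmed here.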
@@ -1013,20 +1014,21 @@ _update_all_per_mod(Slapi_DN *entrySDN, /* DN of the searched entry */
for (nval = slapi_attr_first_value(attr, &v);
nval != -1;
nval = slapi_attr_next_value(attr, nval, &v)) {
+ int normalize_rc;
p = NULL;
dnlen = 0;
/* DN syntax, which should be a string */
sval = slapi_ch_strdup(slapi_value_get_string(v));
- rc = slapi_dn_normalize_case_ext(sval, 0, &p, &dnlen);
- if (rc == 0) { /* sval is passed in; not terminated */
+ normalize_rc = slapi_dn_normalize_case_ext(sval, 0, &p, &dnlen);
+ if (normalize_rc == 0) { /* sval is passed in; not terminated */
*(p + dnlen) = '\0';
sval = p;
- } else if (rc > 0) {
+ } else if (normalize_rc > 0) {
slapi_ch_free_string(&sval);
sval = p;
}
- /* else: (rc < 0) Ignore the DN normalization error for now. */
+ /* else: normalize_rc < 0) Ignore the DN normalization error for now. */
p = PL_strstr(sval, slapi_sdn_get_ndn(origDN));
if (p == sval) {
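Review bot: The rewritten comment on the `else` path lost its opening parenthesis, `/* else: normalize_rc < 0) Ignore the DN normalization error for now. */`, while the same line in `_update_one_per_mod` reads `(normalize_rc < 0)`; make the two consistent. More substantively, this normalize-then-prefix-compare block is now duplicated verbatim between `_update_all_per_mod` and `_update_one_per_mod`, which is exactly how the `rc` clobbering got into both; a small `static` helper that takes the value, returns the normalized copy or NULL on failure, and owns the free/replace dance would keep them in step. Both functions start and end outside the hunk.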
[389-ds-base] branch 389-ds-base-1.3.9 updated: Ticket 50020 - during MODRDN referential integrity can fail erronously while updating large groups
tbordaz pushed a commit to branch 389-ds-base-1.3.9
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.3.9 by this push:
new 9740c20 Ticket 50020 - during MODRDN referential integrity can fail erronously while updating large groups
9740c20 is described below
commit 9740c206c581858adcdafbb7f28748cdf26aefbb
Author: Thierry Bordaz <tbordaz(a)redhat.com>
AuthorDate: Fri Nov 9 17:07:11 2018 +0100
Ticket 50020 - during MODRDN referential integrity can fail erronously while updating large groups
Bug Description:
During a MODRDN of a group member, referential integrity will update the groups containing this member.
Under specific conditions, the MODRDN can fail (err=1).
on MODRDN Referential integrity checks if the original DN of the target MODRDN entry is
member of a given group. If it is then it updates the group.
The returned code of the group update is using the variable 'rc'.
It does a normalized DN comparison to compare original DN with members DN, to determine if
a group needs to be updated.
If the group does not need to be updated, 'rc' is not set.
The bug is that it uses 'rc' to normalize the DN, so if the group is not updated
the returned code reflects the normalization return code rather than the group update.
The bug is hit in specific conditions
One of the evaluated group contains more than 128 members
the last member (last value) of the group is not the moved entry
the last member (last value) of the group is a DN value that contains escaped chars
Fix Description:
Use a local variable to check the result of the DN normalization
https://pagure.io/389-ds-base/issue/50020
Reviewed by: Simon Pichugin, Mark Reynolds (thanks)
Platforms tested: F27
Flag Day: no
---
dirsrvtests/tests/suites/plugins/referint_test.py | 103 ++++++++++++++++++++++
ldap/servers/plugins/referint/referint.c | 18 ++--
2 files changed, 113 insertions(+), 8 deletions(-)
diff --git a/dirsrvtests/tests/suites/plugins/referint_test.py b/dirsrvtests/tests/suites/plugins/referint_test.py
new file mode 100644
index 0000000..67a11de
--- /dev/null
+++ b/dirsrvtests/tests/suites/plugins/referint_test.py
@@ -0,0 +1,103 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+'''
+Created on Dec 12, 2019
+
+@author: tbordaz
+'''
+import logging
+import subprocess
+import pytest
+from lib389 import Entry
+from lib389.utils import *
+from lib389.plugins import *
+from lib389._constants import *
+from lib389.idm.user import UserAccounts, UserAccount
+from lib389.idm.group import Groups
+from lib389.topologies import topology_st as topo
+
+log = logging.getLogger(__name__)
+
+ESCAPED_RDN_BASE = "foo\,oo"
+def _user_get_dn(no):
+ uid = '%s%d' % (ESCAPED_RDN_BASE, no)
+ dn = 'uid=%s,%s' % (uid, SUFFIX)
+ return (uid, dn)
+
+def add_escaped_user(server, no):
+ (uid, dn) = _user_get_dn(no)
+ log.fatal('Adding user (%s): ' % dn)
+ server.add_s(Entry((dn, {'objectclass': ['top', 'person', 'organizationalPerson', 'inetOrgPerson'],
+ 'uid': [uid],
+ 'sn' : [uid],
+ 'cn' : [uid]})))
+ return dn
+
+(a)pytest.mark.ds50020
+def test_referential_false_failure(topo):
+ """On MODRDN referential integrity can erronously fail
+
+ :id: f77aeb80-c4c4-471b-8c1b-4733b714778b
+ :setup: Standalone Instance
+ :steps:
+ 1. Configure the plugin
+ 2. Create a group
+ - 1rst member the one that will be move
+ - more than 128 members
+ - last member is a DN containing escaped char
+ 3. Rename the 1rst member
+ :expectedresults:
+ 1. should succeed
+ 2. should succeed
+ 3. should succeed
+ """
+
+ inst = topo[0]
+
+ # stop the plugin, and start it
+ plugin = ReferentialIntegrityPlugin(inst)
+ plugin.disable()
+ plugin.enable()
+
+ ############################################################################
+ # Configure plugin
+ ############################################################################
+ GROUP_CONTAINER = "ou=groups,%s" % DEFAULT_SUFFIX
+ plugin.replace('referint-membership-attr', 'member')
+ plugin.replace('nsslapd-plugincontainerscope', GROUP_CONTAINER)
+
+ ############################################################################
+ # Creates a group with members having escaped DN
+ ############################################################################
+ # Add some users and a group
+ users = UserAccounts(inst, DEFAULT_SUFFIX, None)
+ user1 = users.create_test_user(uid=1001)
+ user2 = users.create_test_user(uid=1002)
+
+ groups = Groups(inst, GROUP_CONTAINER, None)
+ group = groups.create(properties={'cn': 'group'})
+ group.add('member', user2.dn)
+ group.add('member', user1.dn)
+
+ # Add more than 128 members so that referint follows the buggy path
+ for i in range(130):
+ escaped_user = add_escaped_user(inst, i)
+ group.add('member', escaped_user)
+
+ ############################################################################
+ # Check that the MODRDN succeeds
+ ###########################################################################
+ # Here we need to restart so that member values are taken in the right order
+ # the last value is the escaped one
+ inst.restart()
+
+ # Here if the bug is fixed, referential is able to update the member value
+ inst.rename_s(user1.dn, 'uid=new_test_user_1001', newsuperior=SUFFIX, delold=0)
+
+
diff --git a/ldap/servers/plugins/referint/referint.c b/ldap/servers/plugins/referint/referint.c
index f6d1c27..9e4e680 100644
--- a/ldap/servers/plugins/referint/referint.c
+++ b/ldap/servers/plugins/referint/referint.c
@@ -824,20 +824,21 @@ _update_one_per_mod(Slapi_DN *entrySDN, /* DN of the searched entry */
*/
for (nval = slapi_attr_first_value(attr, &v); nval != -1;
nval = slapi_attr_next_value(attr, nval, &v)) {
+ int normalize_rc;
p = NULL;
dnlen = 0;
/* DN syntax, which should be a string */
sval = slapi_ch_strdup(slapi_value_get_string(v));
- rc = slapi_dn_normalize_case_ext(sval, 0, &p, &dnlen);
- if (rc == 0) { /* sval is passed in; not terminated */
+ normalize_rc = slapi_dn_normalize_case_ext(sval, 0, &p, &dnlen);
+ if (normalize_rc == 0) { /* sval is passed in; not terminated */
*(p + dnlen) = '\0';
sval = p;
- } else if (rc > 0) {
+ } else if (normalize_rc > 0) {
slapi_ch_free_string(&sval);
sval = p;
}
- /* else: (rc < 0) Ignore the DN normalization error for now. */
+ /* else: (normalize_rc < 0) Ignore the DN normalization error for now. */
p = PL_strstr(sval, slapi_sdn_get_ndn(origDN));
if (p == sval) {
@@ -1013,20 +1014,21 @@ _update_all_per_mod(Slapi_DN *entrySDN, /* DN of the searched entry */
for (nval = slapi_attr_first_value(attr, &v);
nval != -1;
nval = slapi_attr_next_value(attr, nval, &v)) {
+ int normalize_rc;
p = NULL;
dnlen = 0;
/* DN syntax, which should be a string */
sval = slapi_ch_strdup(slapi_value_get_string(v));
- rc = slapi_dn_normalize_case_ext(sval, 0, &p, &dnlen);
- if (rc == 0) { /* sval is passed in; not terminated */
+ normalize_rc = slapi_dn_normalize_case_ext(sval, 0, &p, &dnlen);
+ if (normalize_rc == 0) { /* sval is passed in; not terminated */
*(p + dnlen) = '\0';
sval = p;
- } else if (rc > 0) {
+ } else if (normalize_rc > 0) {
slapi_ch_free_string(&sval);
sval = p;
}
- /* else: (rc < 0) Ignore the DN normalization error for now. */
+ /* else: normalize_rc < 0) Ignore the DN normalization error for now. */
p = PL_strstr(sval, slapi_sdn_get_ndn(origDN));
if (p == sval) {