[389-ds-base] branch 389-ds-base-1.3.8 updated: Ticket 50396 - Crash in PAM plugin when user does not exist
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch 389-ds-base-1.3.8
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.3.8 by this push:
new 1b17bee Ticket 50396 - Crash in PAM plugin when user does not exist
1b17bee is described below
commit 1b17bee5aa0d7eb1bf74dcbb58a8d21012f25186
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Mon May 20 15:06:54 2019 -0400
Ticket 50396 - Crash in PAM plugin when user does not exist
Description: pam passthru & addn plugin causes crash in bind when
user does not exist. Need to make sure we don't
dereference NULL pointer.
https://pagure.io/389-ds-base/issue/50396
Reviewed by: mreynolds & tbordaz
(cherry picked from commit 0935b8af6c8925c7a79a0a22103142ef5f7c5960)
---
ldap/servers/plugins/pam_passthru/pam_ptpreop.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
index de9448b..b62c3c6 100644
--- a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
+++ b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
@@ -436,8 +436,9 @@ pam_passthru_bindpreop(Slapi_PBlock *pb)
* We only handle simple bind requests that include non-NULL binddn and
* credentials. Let the Directory Server itself handle everything else.
*/
- if ((method != LDAP_AUTH_SIMPLE) || (*normbinddn == '\0') ||
- (creds->bv_len == 0)) {
+ if (method != LDAP_AUTH_SIMPLE || normbinddn == NULL ||
+ *normbinddn == '\0' || creds->bv_len == 0)
+ {
slapi_log_err(SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"pam_passthru_bindpreop - Not handled (not simple bind or NULL dn/credentials)\n");
return retcode;
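Review bot: the new condition guards `normbinddn` but not `creds`, while the comment above and the log text both promise non-NULL "dn/credentials"; `creds->bv_len` is still dereferenced unconditionally. If the pblock can hand back a NULL `creds` on the same no-such-user path, that is the same crash class this ticket fixes, so suggest `creds == NULL || creds->bv_len == 0` in the condition. Also, the opening brace has moved to its own line, departing from the K&R placement the replaced line used; keep `{` on the `if` line to match the surrounding code.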
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
[389-ds-base] branch 389-ds-base-1.3.9 updated: Ticket 50396 - Crash in PAM plugin when user does not exist
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch 389-ds-base-1.3.9
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.3.9 by this push:
new 8b279b4 Ticket 50396 - Crash in PAM plugin when user does not exist
8b279b4 is described below
commit 8b279b4923bbbc01cc616d8d431941463cb1665c
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Mon May 20 15:06:54 2019 -0400
Ticket 50396 - Crash in PAM plugin when user does not exist
Description: pam passthru & addn plugin causes crash in bind when
user does not exist. Need to make sure we don't
dereference NULL pointer.
https://pagure.io/389-ds-base/issue/50396
Reviewed by: mreynolds & tbordaz
(cherry picked from commit 0935b8af6c8925c7a79a0a22103142ef5f7c5960)
---
ldap/servers/plugins/pam_passthru/pam_ptpreop.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
index de9448b..b62c3c6 100644
--- a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
+++ b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
@@ -436,8 +436,9 @@ pam_passthru_bindpreop(Slapi_PBlock *pb)
* We only handle simple bind requests that include non-NULL binddn and
* credentials. Let the Directory Server itself handle everything else.
*/
- if ((method != LDAP_AUTH_SIMPLE) || (*normbinddn == '\0') ||
- (creds->bv_len == 0)) {
+ if (method != LDAP_AUTH_SIMPLE || normbinddn == NULL ||
+ *normbinddn == '\0' || creds->bv_len == 0)
+ {
slapi_log_err(SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"pam_passthru_bindpreop - Not handled (not simple bind or NULL dn/credentials)\n");
return retcode;
--
[389-ds-base] branch 389-ds-base-1.4.0 updated: Ticket 50396 - Crash in PAM plugin when user does not exist
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch 389-ds-base-1.4.0
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.0 by this push:
new f76845f Ticket 50396 - Crash in PAM plugin when user does not exist
f76845f is described below
commit f76845fe9965cd88dd11fcd604ca34db2da2b39e
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Mon May 20 15:06:54 2019 -0400
Ticket 50396 - Crash in PAM plugin when user does not exist
Description: pam passthru & addn plugin causes crash in bind when
user does not exist. Need to make sure we don't
dereference NULL pointer.
https://pagure.io/389-ds-base/issue/50396
Reviewed by: mreynolds & tbordaz
(cherry picked from commit 0935b8af6c8925c7a79a0a22103142ef5f7c5960)
---
ldap/servers/plugins/pam_passthru/pam_ptpreop.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
index de9448b..b62c3c6 100644
--- a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
+++ b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
@@ -436,8 +436,9 @@ pam_passthru_bindpreop(Slapi_PBlock *pb)
* We only handle simple bind requests that include non-NULL binddn and
* credentials. Let the Directory Server itself handle everything else.
*/
- if ((method != LDAP_AUTH_SIMPLE) || (*normbinddn == '\0') ||
- (creds->bv_len == 0)) {
+ if (method != LDAP_AUTH_SIMPLE || normbinddn == NULL ||
+ *normbinddn == '\0' || creds->bv_len == 0)
+ {
slapi_log_err(SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"pam_passthru_bindpreop - Not handled (not simple bind or NULL dn/credentials)\n");
return retcode;
--
[389-ds-base] branch master updated: Ticket 50396 - Crash in PAM plugin when user does not exist
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch master
in repository 389-ds-base.
The following commit(s) were added to refs/heads/master by this push:
new 0935b8a Ticket 50396 - Crash in PAM plugin when user does not exist
0935b8a is described below
commit 0935b8af6c8925c7a79a0a22103142ef5f7c5960
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Mon May 20 15:06:54 2019 -0400
Ticket 50396 - Crash in PAM plugin when user does not exist
Description: pam passthru & addn plugin causes crash in bind when
user does not exist. Need to make sure we don't
dereference NULL pointer.
https://pagure.io/389-ds-base/issue/50396
Reviewed by: mreynolds & tbordaz
---
ldap/servers/plugins/pam_passthru/pam_ptpreop.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
index de9448b..b62c3c6 100644
--- a/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
+++ b/ldap/servers/plugins/pam_passthru/pam_ptpreop.c
@@ -436,8 +436,9 @@ pam_passthru_bindpreop(Slapi_PBlock *pb)
* We only handle simple bind requests that include non-NULL binddn and
* credentials. Let the Directory Server itself handle everything else.
*/
- if ((method != LDAP_AUTH_SIMPLE) || (*normbinddn == '\0') ||
- (creds->bv_len == 0)) {
+ if (method != LDAP_AUTH_SIMPLE || normbinddn == NULL ||
+ *normbinddn == '\0' || creds->bv_len == 0)
+ {
slapi_log_err(SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
"pam_passthru_bindpreop - Not handled (not simple bind or NULL dn/credentials)\n");
return retcode;
--
[389-ds-base] branch 389-ds-base-1.4.0 updated: Issue 50390 - Add Managed Entries Plug-in Config Entry schema
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
spichugi pushed a commit to branch 389-ds-base-1.4.0
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.0 by this push:
new 7c71e76 Issue 50390 - Add Managed Entries Plug-in Config Entry schema
7c71e76 is described below
commit 7c71e76286db98cdc44e266ee27d824023cca806
Author: Simon Pichugin <spichugi(a)redhat.com>
AuthorDate: Fri May 17 19:20:03 2019 +0200
Issue 50390 - Add Managed Entries Plug-in Config Entry schema
Description: Add AttributeTypes and an ObjectClass to Managed Entries
Plug-in Configuration entry schema.
Fix MEPConfigs(DSLdapObjects) accordingly.
https://pagure.io/389-ds-base/issue/50390
Reviewed by: mreynolds (Thanks!)
(cherry picked from commit 31c89d3bbd0bcfea71b4e6be912ad4bb9f43e171)
---
ldap/schema/10mep-plugin.ldif | 37 +++++++++++++++++++++++++++++++++++++
src/lib389/lib389/plugins.py | 7 ++++---
2 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/ldap/schema/10mep-plugin.ldif b/ldap/schema/10mep-plugin.ldif
index d765049..a1488c5 100644
--- a/ldap/schema/10mep-plugin.ldif
+++ b/ldap/schema/10mep-plugin.ldif
@@ -49,6 +49,43 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2090 NAME 'mepRDNAttr'
#
################################################################################
#
+attributeTypes: ( 2.16.840.1.113730.3.1.2360 NAME 'originScope'
+ DESC 'Managed Entries search scope'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ X-ORIGIN '389 Directory Server' )
+#
+################################################################################
+#
+attributeTypes: ( 2.16.840.1.113730.3.1.2361 NAME 'originFilter'
+ DESC 'Managed Entries search filter'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ X-ORIGIN '389 Directory Server' )
+#
+################################################################################
+#
+attributeTypes: ( 2.16.840.1.113730.3.1.2362 NAME 'managedBase'
+ DESC 'Managed Entries subtree for the managed entries'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ X-ORIGIN '389 Directory Server' )
+#
+################################################################################
+#
+attributeTypes: ( 2.16.840.1.113730.3.1.2363 NAME 'managedTemplate'
+ DESC 'Managed Entries Template Entry DN'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ X-ORIGIN '389 Directory Server' )
+#
+################################################################################
+#
+objectClasses: ( 2.16.840.1.113730.3.2.336 NAME 'mepConfigEntry'
+ DESC 'Managed Entries Configurational Entry'
+ SUP top
+ AUXILIARY
+ MUST ( cn $ originScope $ originFilter $ managedBase $ managedTemplate )
+ X-ORIGIN '389 Directory Server' )
+#
+################################################################################
+#
objectClasses: ( 2.16.840.1.113730.3.2.319 NAME 'mepManagedEntry'
DESC 'Managed Entries Managed Entry'
SUP top
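Review bot: the four new attributeTypes carry neither SINGLE-VALUE nor an EQUALITY rule, yet each is plainly one setting of the config entry; an entry holding two `originFilter` or two `managedTemplate` values is ambiguous. Add `SINGLE-VALUE` and an explicit EQUALITY (caseIgnoreMatch for the scope and filter strings) rather than relying on syntax defaults. `managedBase` and `managedTemplate` are described as a subtree and a template entry DN but are declared with Directory String syntax (1.3.6.1.4.1.1466.115.121.1.15); DN syntax (1.3.6.1.4.1.1466.115.121.1.12) with distinguishedNameMatch would normalize them and reject malformed DNs at add time. Note also that `mepConfigEntry` is AUXILIARY, so nothing in this schema provides a STRUCTURAL class for the config entries.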
diff --git a/src/lib389/lib389/plugins.py b/src/lib389/lib389/plugins.py
index 0b78c21..53e3448 100644
--- a/src/lib389/lib389/plugins.py
+++ b/src/lib389/lib389/plugins.py
@@ -294,8 +294,9 @@ class MEPConfig(DSLdapObject):
def __init__(self, instance, dn):
super(MEPConfig, self).__init__(instance, dn)
self._rdn_attribute = 'cn'
- self._must_attributes = ['cn']
- self._create_objectclasses = ['top', 'extensibleObject']
+ self._must_attributes = ['cn', 'originScope', 'originFilter',
+ 'managedBase', 'managedTemplate']
+ self._create_objectclasses = ['top', 'mepConfigEntry']
self._protected = False
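Review bot: `_create_objectclasses = ['top', 'mepConfigEntry']` pairs `top` with an AUXILIARY class only (see the schema hunk), so entries created through this object have no STRUCTURAL objectclass. If schema checking is ever made to enforce the RFC 4512 structural-class rule, these adds start failing; either keep a structural class in the list or make `mepConfigEntry` STRUCTURAL in the schema so the two stay consistent. The `_must_attributes` change itself matches the objectclass MUST list.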
@@ -310,7 +311,7 @@ class MEPConfigs(DSLdapObjects):
def __init__(self, instance, basedn=None):
super(MEPConfigs, self).__init__(instance)
- self._objectclasses = ['top', 'extensibleObject']
+ self._objectclasses = ['top', 'mepConfigEntry']
self._filterattrs = ['cn']
self._childobject = MEPConfig
# So we can set the configArea easily
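Review bot: switching `_objectclasses` to `['top', 'mepConfigEntry']` changes the filter MEPConfigs uses to enumerate config entries, so entries created by the previous code path (`top` plus `extensibleObject`, without `mepConfigEntry`) on existing instances will no longer be listed or found by this class after an upgrade. Either keep `extensibleObject` in the filter list for the transition, or document an upgrade step that adds `objectClass: mepConfigEntry` to existing MEP config entries.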
--
[389-ds-base] branch master updated: Ticket 50306 - Fix regression with maxbersize
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch master
in repository 389-ds-base.
The following commit(s) were added to refs/heads/master by this push:
new 26b9e1b Ticket 50306 - Fix regression with maxbersize
26b9e1b is described below
commit 26b9e1b01384b7e99daefe61d9688d1db4f1b8f5
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Thu May 16 16:26:49 2019 -0400
Ticket 50306 - Fix regression with maxbersize
Description: When passing the max BER size to openldap we were using the wrong
integer type, and it caused it to not be enforced.
https://pagure.io/389-ds-base/issue/50306
Reviewed by: mreynolds (one line commit rule)
---
ldap/servers/slapd/daemon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index 9e7d3e5..4d0902f 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -2372,7 +2372,7 @@ handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, i
PRNetAddr from = {{0}};
PRFileDesc *pr_clonefd = NULL;
slapdFrontendConfig_t *fecfg = getFrontendConfig();
- int32_t maxbersize;
+ ber_len_t maxbersize;
if (newconn) {
*newconn = NULL;
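Review bot: the declaration change is the whole fix, but the reason is invisible at this line: per the commit message the variable is handed to openldap (the call is outside this hunk), which reads a `ber_len_t` through the pointer, so an `int32_t` leaves the upper half of the value uninitialized on 64-bit hosts and the limit is effectively unenforced. Add a comment at the declaration stating that the type must match liblber's `ber_len_t`, and add a regression test that sends a BER element larger than the configured max size and expects it to be rejected, so the next refactor does not reintroduce a narrower integer.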
--
[389-ds-base] branch 389-ds-base-1.4.0 updated: Ticket 50251 - clear text passwords visible in CLI verbose mode logging
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch 389-ds-base-1.4.0
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.0 by this push:
new 1bb8882 Ticket 50251 - clear text passwords visible in CLI verbose mode logging
1bb8882 is described below
commit 1bb8882dfc3884a4866af629366191127f106c8a
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Mon May 13 11:58:57 2019 -0400
Ticket 50251 - clear text passwords visible in CLI verbose mode logging
Bug Description: If you run any of the CLI tools using "-v", and set a password,
that password will be displayed in clear text in the console.
Fix Description: Create an internal list of sensitive attributes to filter, and
mask them in the operation debug logging. But still allow the
password to be seen if you set the env variable DEBUGGING=true
We also still print the root DN password if it is a container
installation.
https://pagure.io/389-ds-base/issue/50251
Reviewed by: spichugi, firstyear, and mhonek (Thanks!!!)
(cherry picked from commit 632ecb90d96ac0535656f5aaf67fd2be4b81d310)
---
src/lib389/lib389/_constants.py | 6 ++++++
src/lib389/lib389/_entry.py | 7 ++++---
src/lib389/lib389/_mapped_object.py | 16 +++++++++-------
src/lib389/lib389/instance/setup.py | 4 ++--
src/lib389/lib389/tests/utils_test.py | 11 +++++++++++
src/lib389/lib389/utils.py | 22 +++++++++++++++++++++-
6 files changed, 53 insertions(+), 13 deletions(-)
diff --git a/src/lib389/lib389/_constants.py b/src/lib389/lib389/_constants.py
index 9b720a6..ee5ed9e 100644
--- a/src/lib389/lib389/_constants.py
+++ b/src/lib389/lib389/_constants.py
@@ -41,6 +41,12 @@ REPLICATION_BIND_METHOD = RA_METHOD
REPLICATION_TRANSPORT = RA_TRANSPORT_PROT
REPLICATION_TIMEOUT = RA_TIMEOUT
+# Attributes that should be masked from logging output
+SENSITIVE_ATTRS = ['userpassword',
+ 'nsslapd-rootpw',
+ 'nsds5replicacredentials',
+ 'nsmultiplexorcredentials']
+
TRANS_STARTTLS = "starttls"
TRANS_SECURE = "secure"
TRANS_NORMAL = "normal"
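Review bot: SENSITIVE_ATTRS is consulted as `attr.lower() in SENSITIVE_ATTRS` in the utils.py hunk, so the entries here must stay lowercase; add a comment saying so, because a later mixed-case addition such as 'nsDS5ReplicaCredentials' would silently fail to mask. A frozenset is the better container for a membership test. This list is also the only thing between a credential and the log, so any new credential-carrying attribute must be added here; a test that fails when a known-sensitive attribute is absent from the list would make that contract visible.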
diff --git a/src/lib389/lib389/_entry.py b/src/lib389/lib389/_entry.py
index 1f039ff..399e717 100644
--- a/src/lib389/lib389/_entry.py
+++ b/src/lib389/lib389/_entry.py
@@ -6,7 +6,6 @@
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ---
-import re
import six
import logging
import ldif
@@ -17,12 +16,13 @@ import sys
from lib389._constants import *
from lib389.properties import *
-from lib389.utils import ensure_str, ensure_bytes, ensure_list_bytes
+from lib389.utils import (ensure_str, ensure_bytes, ensure_list_bytes, display_log_data)
MAJOR, MINOR, _, _, _ = sys.version_info
log = logging.getLogger(__name__)
+
class FormatDict(cidict):
def __getitem__(self, name):
if name in self:
@@ -258,12 +258,13 @@ class Entry(object):
def update(self, dct):
"""Update passthru to the data attribute."""
- log.debug("update dn: %r with %r" % (self.dn, dct))
+ log.debug("updating dn: {}".format(self.dn))
for k, v in list(dct.items()):
if isinstance(v, list) or isinstance(v, tuple):
self.data[k] = v
else:
self.data[k] = [v]
+ log.debug("updated dn: {} with {}".format(self.dn, display_log_data(dct)))
def __repr__(self):
"""Convert the Entry to its LDIF representation"""
diff --git a/src/lib389/lib389/_mapped_object.py b/src/lib389/lib389/_mapped_object.py
index 9486979..b9d1fd0 100644
--- a/src/lib389/lib389/_mapped_object.py
+++ b/src/lib389/lib389/_mapped_object.py
@@ -7,18 +7,18 @@
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ---
+import os
import ldap
import ldap.dn
from ldap import filter as ldap_filter
import logging
import json
from functools import partial
-
from lib389._entry import Entry
from lib389._constants import DIRSRV_STATE_ONLINE, SER_ROOT_DN, SER_ROOT_PW
from lib389.utils import (
ensure_bytes, ensure_str, ensure_int, ensure_list_bytes, ensure_list_str,
- ensure_list_int
+ ensure_list_int, display_log_value, display_log_data
)
# This function filter and term generation provided thanks to
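Review bot: `import os` is added here but nothing in this file's hunks uses `os` (the DEBUGGING environment lookup lives in utils.py). Drop it unless a use was left out of the diff; an unused import will be flagged by flake8.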
@@ -359,7 +359,7 @@ class DSLdapObject(DSLogging):
action_txt = "UNKNOWN"
if value is None or len(value) < 512:
- self._log.debug("%s set %s: (%r, %r)" % (self._dn, action_txt, key, value))
+ self._log.debug("%s set %s: (%r, %r)" % (self._dn, action_txt, key, display_log_value(key, value)))
else:
self._log.debug("%s set %s: (%r, value too large)" % (self._dn, action_txt, key))
if self._instance.state != DIRSRV_STATE_ONLINE:
@@ -763,11 +763,11 @@ class DSLdapObject(DSLogging):
"""
assert(len(self._create_objectclasses) > 0)
basedn = ensure_str(basedn)
- self._log.debug('Checking "%s" under %s : %s' % (rdn, basedn, properties))
+ self._log.debug('Checking "%s" under %s : %s' % (rdn, basedn, display_log_data(properties)))
# Add the objectClasses to the properties
(dn, valid_props) = self._validate(rdn, properties, basedn)
# Check if the entry exists or not? .add_s is going to error anyway ...
- self._log.debug('Validated dn %s : valid_props %s' % (dn, valid_props))
+ self._log.debug('Validated dn {}'.format(dn))
exists = False
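Review bot: `display_log_data(properties)` now runs before `_validate()`; the old `%s` formatting tolerated `properties` being `None` (it printed "None"), whereas `display_log_data(None)` raises AttributeError on `.items()`. If any caller can reach `create()` without properties, this turns whatever error `_validate` would have reported into a traceback from the debug line. Use `display_log_data(properties or {})`, or move the debug line after `_validate`.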
@@ -795,9 +795,11 @@ class DSLdapObject(DSLogging):
e.update({'objectclass': ensure_list_bytes(self._create_objectclasses)})
e.update(valid_props)
# We rely on exceptions here to indicate failure to the parent.
- self._log.debug('Creating entry %s : %s' % (dn, e))
self._instance.add_ext_s(e, serverctrls=self._server_controls, clientctrls=self._client_controls)
- # If it worked, we need to fix our instance dn
+ self._log.debug('Created entry %s : %s' % (dn, display_log_data(e.data)))
+ # If it worked, we need to fix our instance dn for the object's self reference. Because
+ # we may not have a self reference yet (just created), it may have changed (someone
+ # set dn, but validate altered it).
self._dn = dn
return self
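Review bot: moving the debug line after `add_ext_s()` means a failed add logs nothing about the entry it was trying to create, which is exactly when the (masked) data is most useful. Keep a masked 'Creating entry' line before the call, using `display_log_data(e.data)` as done here, and leave the 'Created entry' line after it. The expanded comment on why `self._dn` is reassigned is a good addition.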
diff --git a/src/lib389/lib389/instance/setup.py b/src/lib389/lib389/instance/setup.py
index 1437a47..0a52be2 100644
--- a/src/lib389/lib389/instance/setup.py
+++ b/src/lib389/lib389/instance/setup.py
@@ -431,7 +431,7 @@ class SetupDs(object):
backend['suffix'] = val
break
else:
- print("The suffix \"{}\" is not a valid DN")
+ print("The suffix \"{}\" is not a valid DN".format(val))
continue
else:
backend['suffix'] = suffix
@@ -915,7 +915,7 @@ class SetupDs(object):
if self.containerised:
# In a container build we need to stop DirSrv at the end
ds_instance.stop()
+ self.log.debug("Root DN password: {}".format(slapd['root_password']))
else:
# Restart for changes to take effect - this could be removed later
ds_instance.restart(post_open=False)
-
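Review bot: `self.log.debug("Root DN password: ...")` writes the root DN password in clear text to the logger in containerised installs, deliberately bypassing the masking this commit adds everywhere else. Container log output is commonly collected centrally, so this is the place the secret is most likely to persist. If the value must be surfaced for container bootstrap, gate it on the same `DEBUGGING` switch that `display_log_value` honours, or hand it to the operator through stdout or a file rather than the logger, and state in a code comment why it is emitted. The unrelated trailing-blank-line removal is fine.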
diff --git a/src/lib389/lib389/tests/utils_test.py b/src/lib389/lib389/tests/utils_test.py
index 8104b62..5378066 100644
--- a/src/lib389/lib389/tests/utils_test.py
+++ b/src/lib389/lib389/tests/utils_test.py
@@ -134,6 +134,17 @@ def test_formatInfData_withconfigserver():
log.info("content: %r" % ret)
+(a)pytest.mark.parametrize('data', [
+ ({'userpaSSwoRd': '1234', 'nsslaPd-rootpw': '5678', 'regularAttr': 'originalvalue'},
+ {'userpaSSwoRd': '********', 'nsslaPd-rootpw': '********', 'regularAttr': 'originalvalue'}),
+ ({'userpassword': ['1', '2', '3'], 'nsslapd-rootpw': ['x']},
+ {'userpassword': ['********', '********', '********'], 'nsslapd-rootpw': ['********']})
+])
+def test_get_log_data(data):
+ before, after = data
+ assert display_log_data(before) == after
+
+
if __name__ == "__main__":
CURRENT_FILE = os.path.realpath(__file__)
pytest.main("-s -v %s" % CURRENT_FILE)
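Review bot: the `(a)` in `(a)pytest.mark.parametrize` is the mail archive's rendering of `@`, as in the author addresses above. The test only exercises the default `hide_sensitive=True` path and assumes `DEBUGGING` is unset; if the environment running pytest exports `DEBUGGING`, `display_log_data` returns its input unchanged and both parametrized cases fail. Pin the module flag with `monkeypatch.setattr('lib389.utils.DEBUGGING', False)` and add a case asserting that `hide_sensitive=False` returns the values unmasked, so the bypass path is covered too.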
diff --git a/src/lib389/lib389/utils.py b/src/lib389/lib389/utils.py
index 0b90da2..e7a7bf7 100644
--- a/src/lib389/lib389/utils.py
+++ b/src/lib389/lib389/utils.py
@@ -46,7 +46,7 @@ from lib389.paths import Paths
from lib389.dseldif import DSEldif
from lib389._constants import (
DEFAULT_USER, VALGRIND_WRAPPER, DN_CONFIG, CFGSUFFIX, LOCALHOST,
- ReplicaRole, CONSUMER_REPLICAID
+ ReplicaRole, CONSUMER_REPLICAID, SENSITIVE_ATTRS
)
from lib389.properties import (
SER_HOST, SER_USER_ID, SER_GROUP_ID, SER_STRICT_HOSTNAME_CHECKING, SER_PORT,
@@ -56,6 +56,8 @@ from lib389.properties import (
MAJOR, MINOR, _, _, _ = sys.version_info
+DEBUGGING = os.getenv('DEBUGGING', default=False)
+
log = logging.getLogger(__name__)
#
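Review bot: `os.getenv('DEBUGGING', default=False)` treats any non-empty string as enabled, so `DEBUGGING=false` or `DEBUGGING=0` turns password masking off, which the commit message's `DEBUGGING=true` suggests was not intended. Parse the value, e.g. `DEBUGGING = os.getenv('DEBUGGING', 'false').lower() in ('true', '1', 'yes')`. Since it is read once at import time, document that it cannot be toggled at runtime.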
@@ -1170,6 +1172,7 @@ def get_instance_list(prefix=None):
insts.sort()
return insts
+
def get_user_is_ds_owner():
# Check if we have permission to administer the DS instance. This is required
# for some tasks such as installing, killing, or editing configs for the
@@ -1186,3 +1189,20 @@ def get_user_is_ds_owner():
return False
+def display_log_value(attr, value, hide_sensitive=True):
+ # Mask all the sensitive attribute values
+ if DEBUGGING or not hide_sensitive:
+ return value
+ else:
+ if attr.lower() in SENSITIVE_ATTRS:
+ if type(value) in (list, tuple):
+ return list(map(lambda _: '********', value))
+ else:
+ return '********'
+ else:
+ return value
+
+
+def display_log_data(data, hide_sensitive=True):
+ # Take a dict and mask all the sensitive data
+ return {a: display_log_value(a, v, hide_sensitive) for a, v in data.items()}
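Review bot: `attr.lower() in SENSITIVE_ATTRS` assumes `attr` is a str; lib389 passes attribute names around as bytes in places (this module exports `ensure_str`/`ensure_bytes` for that reason), and `b'userpassword'.lower()` never equals a str in the list, so a bytes key would be logged unmasked. Normalize with `ensure_str(attr).lower()`. Prefer `isinstance(value, (list, tuple))` over `type(value) in (list, tuple)` so subclasses are masked as well, and consider masking `bytes`/`str` values uniformly since the values logged from `e.data` are bytes lists.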
--
[389-ds-base] branch 389-ds-base-1.3.8 updated: Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch 389-ds-base-1.3.8
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.3.8 by this push:
new bbfad17 Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
bbfad17 is described below
commit bbfad17e30c446b676ecf83cb245058f32bd5401
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Wed May 15 16:04:55 2019 -0400
Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
Description: When the client is an IPv6 client, any ACI's that contain bind rules
for IPv4 addresses essentially break that aci causing it to not be
fully evaluated.
For example we have an aci like this:
aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
read,search,compare) userdn="ldap:///anyone" and
(ip="127.0.0.1" or ip="2620:52:0:84:f816:3eff:fe4b:4f35");)
So when the client is IPv6 we start processing the IP addresses in
the ACI, as soon as an IPv4 address is found the ACI evaluation stops
and in this case the IPv6 address is never checked and access is denied.
The problem is that we set the wrong return code variable in libaccess
https://pagure.io/389-ds-base/issue/50378
Reviewed by: mreynolds (one line commit rule)
(cherry picked from commit 41c30fd557d4cc0aaaf8a9f7767d37746f4c4bc4)
---
lib/libaccess/lasip.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/libaccess/lasip.cpp b/lib/libaccess/lasip.cpp
index eea7aff..30c546d 100644
--- a/lib/libaccess/lasip.cpp
+++ b/lib/libaccess/lasip.cpp
@@ -598,7 +598,7 @@ int LASIpEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
node = context->treetop_ipv6;
if ( node == NULL ) {
- retcode = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
+ rc = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
} else {
addr = PR_ntohs( ipv6->_S6_un._S6_u16[field]);
for (bit = 127; bit >= 0 ; bit--, bit_position--) {
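Review bot: the fix is a one-token change, which is exactly why it slipped in: `rc` and `retcode` coexist in `LASIpEval`, and assigning the empty-IPv6-tree result to the wrong one leaves the value actually returned stale. Add a regression test built from the ACI in the commit message (an `ip=` rule mixing an IPv4 and an IPv6 address, evaluated for an IPv6 client) so the mixed-family path is covered, and audit the rest of the function for the same `retcode`/`rc` mix-up, since both names remain in scope.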
--
[389-ds-base] branch 389-ds-base-1.3.9 updated: Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch 389-ds-base-1.3.9
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.3.9 by this push:
new 661ce15 Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
661ce15 is described below
commit 661ce1542f2ab835a236bd5227aa846bd7efbb8a
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Wed May 15 16:04:55 2019 -0400
Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
Description: When the client is an IPv6 client, any ACI's that contain bind rules
for IPv4 addresses essentially break that aci causing it to not be
fully evaluated.
For example we have an aci like this:
aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
read,search,compare) userdn="ldap:///anyone" and
(ip="127.0.0.1" or ip="2620:52:0:84:f816:3eff:fe4b:4f35");)
So when the client is IPv6 we start processing the IP addresses in
the ACI, as soon as an IPv4 address is found the ACI evaluation stops
and in this case the IPv6 address is never checked and access is denied.
The problem is that we set the wrong return code variable in libaccess
https://pagure.io/389-ds-base/issue/50378
Reviewed by: mreynolds (one line commit rule)
(cherry picked from commit 41c30fd557d4cc0aaaf8a9f7767d37746f4c4bc4)
---
lib/libaccess/lasip.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/libaccess/lasip.cpp b/lib/libaccess/lasip.cpp
index eea7aff..30c546d 100644
--- a/lib/libaccess/lasip.cpp
+++ b/lib/libaccess/lasip.cpp
@@ -598,7 +598,7 @@ int LASIpEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
node = context->treetop_ipv6;
if ( node == NULL ) {
- retcode = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
+ rc = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
} else {
addr = PR_ntohs( ipv6->_S6_un._S6_u16[field]);
for (bit = 127; bit >= 0 ; bit--, bit_position--) {
--
[389-ds-base] branch 389-ds-base-1.4.0 updated: Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch 389-ds-base-1.4.0
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.0 by this push:
new 64a784f Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
64a784f is described below
commit 64a784f4086ff291dcacc0955dddad3d0002fdf5
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Wed May 15 16:04:55 2019 -0400
Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients
Description: When the client is an IPv6 client, any ACI's that contain bind rules
for IPv4 addresses essentially break that aci causing it to not be
fully evaluated.
For example we have an aci like this:
aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
read,search,compare) userdn="ldap:///anyone" and
(ip="127.0.0.1" or ip="2620:52:0:84:f816:3eff:fe4b:4f35");)
So when the client is IPv6 we start processing the IP addresses in
the ACI, as soon as an IPv4 address is found the ACI evaluation stops
and in this case the IPv6 address is never checked and access is denied.
The problem is that we set the wrong return code variable in libaccess
https://pagure.io/389-ds-base/issue/50378
Reviewed by: mreynolds (one line commit rule)
(cherry picked from commit 41c30fd557d4cc0aaaf8a9f7767d37746f4c4bc4)
---
lib/libaccess/lasip.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/libaccess/lasip.cpp b/lib/libaccess/lasip.cpp
index eea7aff..30c546d 100644
--- a/lib/libaccess/lasip.cpp
+++ b/lib/libaccess/lasip.cpp
@@ -598,7 +598,7 @@ int LASIpEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
node = context->treetop_ipv6;
if ( node == NULL ) {
- retcode = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
+ rc = (comparator == CMP_OP_EQ ? LAS_EVAL_FALSE : LAS_EVAL_TRUE);
} else {
addr = PR_ntohs( ipv6->_S6_un._S6_u16[field]);
for (bit = 127; bit >= 0 ; bit--, bit_position--) {
--