ldap/servers/plugins/chainingdb/cb_conn_stateless.c | 18 ++++++++++++++++++
ldap/servers/plugins/chainingdb/cb_instance.c | 5 +++++
2 files changed, 23 insertions(+)
New commits:
commit 9b2c0192846f4e02903b0d4ef98f437a90bff8c7
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Mon Aug 22 13:18:53 2011 -0600
Bug 633803 - passwordisglobalpolicy attribute brakes TLS chaining
https://bugzilla.redhat.com/show_bug.cgi?id=633803
Resolves: bug 633803
Bug Description: passwordisglobalpolicy attribute brakes TLS chaining
Reviewed by: nkinder (Thanks!)
Branch: 389-ds-base-1.2.9
Fix Description: If not binding in cb_get_connection, we need to explicitly
do the start_tls. The start_tls and mechanism settings were not being
applied to the bind_pool connections.
I tried setting passwordIsGlobalPolicy on and off; that did not seem to make
a difference. I believe the problem is actually caused by the
nsslapd-require-secure-binds attribute being set to "on".
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
diff --git a/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
b/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
index 02130cb..1d173ab 100644
--- a/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
+++ b/ldap/servers/plugins/chainingdb/cb_conn_stateless.c
@@ -458,6 +458,24 @@ cb_get_connection(cb_conn_pool * pool,
}
ldap_controls_free(serverctrls);
}
+ } else if (secure == 2) {
+ int rc;
+ /* the start_tls operation is usually performed in slapi_ldap_bind, but
+ since we are not binding we still need to start_tls */
+ if (cb_debug_on()) {
+ slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
+ "<= cb_get_connection doing start_tls on connection 0x%p\n", conn
);
+ }
+ if ((rc = ldap_start_tls_s(ld, NULL, NULL))) {
+ PRErrorCode prerr = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, CB_PLUGIN_SUBSYSTEM,
+ "Unable to do start_tls on connection to %s:%d "
+ "LDAP error %d:%s NSS error %d:%s\n", hostname, port,
+ rc, ldap_err2string(rc), prerr,
+ slapd_pr_strerror(prerr));
+
+ goto unlock_and_return;
+ }
}
conn = (cb_outgoing_conn *) slapi_ch_malloc(sizeof(cb_outgoing_conn));
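Review bot: The new branch declares its own `int rc;`, and if cb_get_connection already carries an `rc` that is handed back from `unlock_and_return` (the bind branch above appears to use one, but its declaration and the label are outside this hunk), the start_tls failure lands in the shadowing local and the caller would see whatever the outer `rc` held — plausibly LDAP_SUCCESS — for a connection on which TLS was never established. Dropping the local declaration so that `if ((rc = ldap_start_tls_s(ld, NULL, NULL))) {` assigns the function's `rc` keeps the failure propagating, which matters because this path exists precisely to avoid cleartext traffic under nsslapd-require-secure-binds. Separately, the debug message prints `conn` before `conn = (cb_outgoing_conn *) slapi_ch_malloc(...)` runs on the following line, so it logs a stale or NULL pointer; logging the handle actually being upgraded, `"<= cb_get_connection doing start_tls on ld %p\n", ld`, would be more useful. cb_get_connection starts and ends outside this hunk.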
diff --git a/ldap/servers/plugins/chainingdb/cb_instance.c
b/ldap/servers/plugins/chainingdb/cb_instance.c
index e3cb932..1bc71db 100644
--- a/ldap/servers/plugins/chainingdb/cb_instance.c
+++ b/ldap/servers/plugins/chainingdb/cb_instance.c
@@ -1391,6 +1391,7 @@ static int cb_instance_starttls_set(void *arg, void *value, char
*errorbuf, int
if ((LDAP_SUCCESS == rc) && apply) {
PR_RWLock_Wlock(inst->rwl_config_lock);
inst->pool->starttls=(int) ((uintptr_t)value);
+ inst->bind_pool->starttls=inst->pool->starttls;
PR_RWLock_Unlock(inst->rwl_config_lock);
if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) &&
( phase != CB_CONFIG_PHASE_STARTUP )) {
@@ -1443,6 +1444,9 @@ static int cb_instance_bindmech_set(void *arg, void *value, char
*errorbuf, int
if (inst->pool->mech) {
charray_add(&inst->pool->waste_basket,inst->pool->mech);
}
+ if (inst->bind_pool->mech) {
+ charray_add(&inst->pool->waste_basket,inst->bind_pool->mech);
+ }
rc=CB_REOPEN_CONN;
}
@@ -1451,6 +1455,7 @@ static int cb_instance_bindmech_set(void *arg, void *value, char
*errorbuf, int
} else {
inst->pool->mech=slapi_ch_strdup((char *) value);
}
+ inst->bind_pool->mech = slapi_ch_strdup(inst->pool->mech);
PR_RWLock_Unlock(inst->rwl_config_lock);
}
done:
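Review bot: The copy `inst->bind_pool->mech = slapi_ch_strdup(inst->pool->mech);` unconditionally overwrites bind_pool's previous string, while the matching parking of the old value in `inst->pool->waste_basket` (the earlier hunk, inside the block that ends in `rc=CB_REOPEN_CONN;`) appears to run only on the dynamic-modify path, so a bind_pool mech already set at initialization or startup would be dropped without being freed here; the same pattern already applies to pool->mech, so if that is accepted a comment such as `/* bind_pool mirrors pool->mech; the old value was parked in waste_basket on dynamic modify */` would make the ownership explicit. When value is NULL or empty the `else` is skipped and pool->mech is presumably NULL, so this line relies on slapi_ch_strdup tolerating a NULL argument — worth confirming. It is also worth checking that the CB_REOPEN_CONN handling outside this hunk cycles bind_pool's open connections as well as pool's, since otherwise connections already open keep the previous mechanism until they are reopened. The enclosing cb_instance_bindmech_set starts before this hunk.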