Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb
In directory
cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19724/ldapserver/ldap/servers/plugins/chainingdb
Modified Files:
cb_instance.c
Log Message:
Resolves: bug 479253
Bug Description: Configuring Server to Server GSSAPI over SSL - Need better Error Message
Reviewed by: nkinder (Thanks!)
Fix Description: If the user attempts to set the bind mech to GSSAPI, and a secure
transport is being used, the server will return LDAP_UNWILLING_TO_PERFORM and provide a
useful error message. Same if GSSAPI is being used and the user attempts to use a secure
transport.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Index: cb_instance.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb/cb_instance.c,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- cb_instance.c 2 Dec 2008 15:29:30 -0000 1.13
+++ cb_instance.c 27 Jan 2009 22:37:17 -0000 1.14
@@ -722,7 +722,18 @@
return(LDAP_INVALID_SYNTAX);
}
- if (apply) {
+ if (ludp && (ludp->lud_options & LDAP_URL_OPT_SECURE) && inst
&& inst->rwl_config_lock) {
+ int isgss = 0;
+ PR_RWLock_Rlock(inst->rwl_config_lock);
+ isgss = inst->pool->mech && !PL_strcasecmp(inst->pool->mech,
"GSSAPI");
+ PR_RWLock_Unlock(inst->rwl_config_lock);
+ if (isgss) {
+ PR_snprintf (errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use LDAPS if using
GSSAPI - please change the %s to use something other than GSSAPI before changing
connection to use LDAPS", CB_CONFIG_BINDMECH);
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ }
+ }
+
+ if ((LDAP_SUCCESS == rc) && apply) {
PR_RWLock_Wlock(inst->rwl_config_lock);
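Review bot: The new GSSAPI check at the top of the hunk reads `inst->pool->mech` under the read lock and drops it before the `apply` branch takes the write lock, so if two configuration modifications can run concurrently — one setting the bind mech to GSSAPI, one switching the URL to LDAPS — each can pass its own check and the instance still ends up in the combination this commit means to reject (the lock's other users are outside the hunk, so this is inferred). Re-validating `inst->pool->mech` inside the write-locked `apply` block and setting `rc = LDAP_UNWILLING_TO_PERFORM` with the same message before any field is assigned would close that window; the same split check-then-apply appears in the startTLS hunk (`@@ -1346`) and the bind-mech hunk (`@@ -1374`), where the latter reads `inst->pool->secure || inst->pool->starttls` the same way. The guard also tests `inst && inst->rwl_config_lock` but then dereferences `inst->pool` unguarded; presumably `pool` is always allocated with the instance, since the pre-existing apply code relies on it, but if the NULL checks are meant seriously `inst->pool` belongs in them too. The enclosing function continues outside the hunk.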
@@ -1346,7 +1357,18 @@
cb_backend_instance * inst=(cb_backend_instance *) arg;
int rc = LDAP_SUCCESS;
- if (apply) {
+ if (value && inst && inst->rwl_config_lock) {
+ int isgss = 0;
+ PR_RWLock_Rlock(inst->rwl_config_lock);
+ isgss = inst->pool->mech && !PL_strcasecmp(inst->pool->mech,
"GSSAPI");
+ PR_RWLock_Unlock(inst->rwl_config_lock);
+ if (isgss) {
+ PR_snprintf (errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use startTLS if using
GSSAPI - please change the %s to use something other than GSSAPI before changing
connection to use startTLS", CB_CONFIG_BINDMECH);
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ }
+ }
+
+ if ((LDAP_SUCCESS == rc) && apply) {
PR_RWLock_Wlock(inst->rwl_config_lock);
inst->pool->starttls=(int) ((uintptr_t)value);
PR_RWLock_Unlock(inst->rwl_config_lock);
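Review bot: The read-locked `isgss` computation following `if (value && inst && inst->rwl_config_lock)` is a verbatim copy of the one in the hosturl hunk (`@@ -722`); a small static helper that takes the read lock, tests the mech and returns the flag would keep the two in step and give one place to add an `inst->pool` NULL check if one is wanted. Both call sites then reduce to a single condition around the existing `PR_snprintf` and `rc` assignment. The enclosing function continues outside the hunk.
```c
/* Returns non-zero when the instance's configured bind mech is GSSAPI.
 * Takes the config read lock; caller guarantees inst and inst->rwl_config_lock. */
static int cb_instance_mech_is_gssapi(cb_backend_instance *inst)
{
    int isgss = 0;
    PR_RWLock_Rlock(inst->rwl_config_lock);
    isgss = inst->pool->mech && !PL_strcasecmp(inst->pool->mech, "GSSAPI");
    PR_RWLock_Unlock(inst->rwl_config_lock);
    return isgss;
}

/* … unchanged: function header, inst/rc declarations … */
    if (value && inst && inst->rwl_config_lock && cb_instance_mech_is_gssapi(inst)) {
        /* … unchanged: PR_snprintf of the startTLS/GSSAPI message, rc = LDAP_UNWILLING_TO_PERFORM … */
    }
```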
@@ -1374,7 +1396,18 @@
cb_backend_instance * inst=(cb_backend_instance *) arg;
int rc=LDAP_SUCCESS;
- if (apply) {
+ if (value && !PL_strcasecmp((char *) value, "GSSAPI") && inst
&& inst->rwl_config_lock) {
+ int secure = 0;
+ PR_RWLock_Rlock(inst->rwl_config_lock);
+ secure = inst->pool->secure || inst->pool->starttls;
+ PR_RWLock_Unlock(inst->rwl_config_lock);
+ if (secure) {
+ PR_snprintf (errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if
using SSL or TLS - please change the connection to use no security before changing %s to
use GSSAPI", CB_CONFIG_BINDMECH);
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ }
+ }
+
+ if ((LDAP_SUCCESS == rc) && apply) {
PR_RWLock_Wlock(inst->rwl_config_lock);
if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) &&
( phase != CB_CONFIG_PHASE_STARTUP )) {