ldap/servers/plugins/replication/repl5.h | 1
ldap/servers/plugins/replication/repl5_agmt.c | 15 ++--------
ldap/servers/plugins/replication/repl5_agmtlist.c | 31 +---------------------
3 files changed, 6 insertions(+), 41 deletions(-)
New commits:
commit de4130733cfe32d29f5e1c60d22a067346c55a53
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Fri Apr 1 12:44:23 2011 -0600
Bug 692937 - Replica install fails after step for "enable GSSAPI for
replication"
https://bugzilla.redhat.com/show_bug.cgi?id=692937
Resolves: bug 692937
Bug Description: Replica install fails after step for "enable GSSAPI for
replication"
Reviewed by: nhosoi (Thanks!)
Branch: 389-ds-base-1.2.8
Fix Description: Allow the deletion of the nsds5replicabinddn and
nsds5replicacredentials attributes from the replication agreement. These
are not needed for SASL/EXTERNAL or SASL/GSSAPI. NOTE: the agreement code
will not warn that nsds5replicabinddn and nsds5replicacredentials are needed
for simple and other bind methods. It is the responsibility of the user
to make sure these are specified.
If the modify code executed in such a way that the transportinfo was set
before bindmethod, the code would report an error that ldaps or tls cannot
be used with SASL/GSSAPI. There is no clean way to check to see if the
state of the agreement is consistent after applying all mods, so we just
remove this check. With recent versions of the server, you can mix
ssl/tls with sasl/gssapi.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit 27ff25d8d928dc788b56ee614535f91dcf5f7f6f)
diff --git a/ldap/servers/plugins/replication/repl5.h
b/ldap/servers/plugins/replication/repl5.h
index d59169d..0b85306 100644
--- a/ldap/servers/plugins/replication/repl5.h
+++ b/ldap/servers/plugins/replication/repl5.h
@@ -306,6 +306,7 @@ int agmt_set_credentials_from_entry( Repl_Agmt *ra, const Slapi_Entry
*e );
int agmt_set_binddn_from_entry( Repl_Agmt *ra, const Slapi_Entry *e );
int agmt_set_bind_method_from_entry( Repl_Agmt *ra, const Slapi_Entry *e );
int agmt_set_transportinfo_from_entry( Repl_Agmt *ra, const Slapi_Entry *e );
+int agmt_set_port_from_entry( Repl_Agmt *ra, const Slapi_Entry *e );
const char *agmt_get_long_name(const Repl_Agmt *ra);
int agmt_initialize_replica(const Repl_Agmt *agmt);
void agmt_replica_init_done (const Repl_Agmt *agmt);
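Review bot: The `+` line declares agmt_set_port_from_entry, but nothing in this commit defines or calls it, and the diffstat leaves no room for a definition elsewhere in the patch (the only insertions in repl5_agmt.c are the comment and the two return_value changes). If the declaration came along with the cherry-pick from 27ff25d8, confirm that the function actually exists on the 389-ds-base-1.2.8 branch; otherwise it is a dead prototype that should either be dropped or accompanied by its definition. A one-line comment matching the sibling setters above it would also help, once the real contract is known.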
diff --git a/ldap/servers/plugins/replication/repl5_agmt.c
b/ldap/servers/plugins/replication/repl5_agmt.c
index a8b7a05..b5e66ee 100644
--- a/ldap/servers/plugins/replication/repl5_agmt.c
+++ b/ldap/servers/plugins/replication/repl5_agmt.c
@@ -209,13 +209,6 @@ agmt_is_valid(Repl_Agmt *ra)
"is malformed: invalid pausetime %ld.\n", slapi_sdn_get_dn(ra->dn),
ra->pausetime);
return_value = 0;
}
- if ((0 != ra->transport_flags) && (BINDMETHOD_SASL_GSSAPI ==
ra->bindmethod)) {
- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "Replication agreement
\"%s\" "
- " is malformed: cannot use SASL/GSSAPI if using SSL or TLS - please "
- "change %s to LDAP before changing %s to use SASL/GSSAPI\n",
- slapi_sdn_get_dn(ra->dn), type_nsds5TransportInfo,
type_nsds5ReplicaBindMethod);
- return_value = 0;
- }
if ((0 == ra->transport_flags) && (BINDMETHOD_SSL_CLIENTAUTH ==
ra->bindmethod)) {
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "Replication agreement
\"%s\" "
" is malformed: cannot use SSLCLIENTAUTH if using plain LDAP - please "
@@ -279,7 +272,7 @@ agmt_new_from_entry(Slapi_Entry *e)
ra->transport_flags = 0;
agmt_set_transportinfo_no_lock(ra, e);
- /* DN to use when binding. May be empty if cert-based auth is to be used. */
+ /* DN to use when binding. May be empty if certain SASL auth is to be used e.g. EXTERNAL
GSSAPI. */
ra->binddn = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaBindDN);
if (NULL == ra->binddn)
{
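Review bot: The rewritten comment on the `+` line reads "certain SASL auth is to be used e.g. EXTERNAL GSSAPI", which drops the cert-based case the old comment named and is missing a conjunction between the two mechanisms. Suggest `/* DN to use when binding. May be empty when the bind method needs no DN, e.g. cert-based auth, SASL/EXTERNAL or SASL/GSSAPI. */`. agmt_new_from_entry continues outside the hunk.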
@@ -953,7 +946,7 @@ int
agmt_set_credentials_from_entry(Repl_Agmt *ra, const Slapi_Entry *e)
{
Slapi_Attr *sattr = NULL;
- int return_value = -1;
+ int return_value = 0;
PR_ASSERT(NULL != ra);
slapi_entry_attr_find(e, type_nsds5ReplicaCredentials, &sattr);
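Review bot: After the `+` line initializes return_value to 0, no line visible in this hunk or the next one (L89) assigns it anything else, so agmt_set_credentials_from_entry appears to always return 0 and the `!= 0` branches its callers keep in agmtlist_modify_callback look unreachable; the same applies to agmt_set_binddn_from_entry in the hunks at L97 and L105. Both function bodies continue outside the hunks, so this is inferred rather than certain. Since a simple-bind agreement with no nsds5replicacredentials is now accepted without any diagnostic (the commit message says this is deliberate), the "If no credentials set" branch is the place to leave a trace for operators, e.g. `slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmt_set_credentials_from_entry: no %s in agreement %s\n", type_nsds5ReplicaCredentials, slapi_sdn_get_dn(ra->dn));`. If the return value really is constant now, a plain `return 0;` with the variable removed would say so more honestly than a variable that is only ever read.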
@@ -970,7 +963,6 @@ agmt_set_credentials_from_entry(Repl_Agmt *ra, const Slapi_Entry *e)
ra->creds->bv_val = slapi_ch_calloc(1, bv->bv_len + 1);
memcpy(ra->creds->bv_val, bv->bv_val, bv->bv_len);
ra->creds->bv_len = bv->bv_len;
- return_value = 0;
}
}
/* If no credentials set, set to zero-length string */
@@ -989,7 +981,7 @@ int
agmt_set_binddn_from_entry(Repl_Agmt *ra, const Slapi_Entry *e)
{
Slapi_Attr *sattr = NULL;
- int return_value = -1;
+ int return_value = 0;
PR_ASSERT(NULL != ra);
slapi_entry_attr_find(e, type_nsds5ReplicaBindDN, &sattr);
@@ -1004,7 +996,6 @@ agmt_set_binddn_from_entry(Repl_Agmt *ra, const Slapi_Entry *e)
{
const char *val = slapi_value_get_string(sval);
ra->binddn = slapi_ch_strdup(val);
- return_value = 0;
}
}
/* If no BindDN set, set to zero-length string */
diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c
b/ldap/servers/plugins/replication/repl5_agmtlist.c
index cf497b6..34da6d0 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -389,22 +389,8 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore,
Slapi_Entry
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5TransportInfo))
{
- /* do not allow GSSAPI if using TLS/SSL */
- char *tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5TransportInfo);
- /* if some value was set, and the value was not set to LDAP (i.e. was set to use
security),
- and we're already using gssapi, deny the change */
- if (tmpstr && PL_strcasecmp(tmpstr, "LDAP") &&
(BINDMETHOD_SASL_GSSAPI == agmt_get_bindmethod(agmt)))
- {
- /* Report the error to the client */
- PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if
using SSL or TLS - please change %s to a value other than SASL/GSSAPI before changing %s
to use security", type_nsds5ReplicaBindMethod, type_nsds5TransportInfo);
- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback:
"
- "%s", errortext);
-
- *returncode = LDAP_UNWILLING_TO_PERFORM;
- rc = SLAPI_DSE_CALLBACK_ERROR;
- }
/* New Transport info */
- else if (agmt_set_transportinfo_from_entry(agmt, e) != 0)
+ if (agmt_set_transportinfo_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
"agmtlist_modify_callback: "
"failed to update transport info for agreement
%s\n",
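Review bot: With the guard removed, the TransportInfo branch now applies whatever value the mod carries with no consistency check against the current bind method, while agmt_is_valid (repl5_agmt.c hunk at L52) still rejects SSLCLIENTAUTH over plain LDAP; unless the callback rejects that combination somewhere not shown, a mod switching such an agreement to plain LDAP is accepted here and only fails later, if at all. The bind-method branch in the next hunk (L150) has the same shape. agmtlist_modify_callback starts and ends outside both hunks, so whether a later pass re-validates the agreement is not visible. Given the commit message's reasoning that mods may arrive in any order, a short comment at the new `if`, e.g. `/* No transport/bindmethod consistency check here: mods may arrive in any order; see agmt_is_valid() */`, would stop the next reader from re-adding the guard this commit removes.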
@@ -416,19 +402,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore,
Slapi_Entry
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicaBindMethod))
{
- /* do not allow GSSAPI if using TLS/SSL */
- char *tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaBindMethod);
- if (tmpstr && !PL_strcasecmp(tmpstr, "SASL/GSSAPI") &&
agmt_get_transport_flags(agmt))
- {
- /* Report the error to the client */
- PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if
using SSL or TLS - please change %s to LDAP before changing %s to use SASL/GSSAPI",
type_nsds5TransportInfo, type_nsds5ReplicaBindMethod);
- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback:
"
- "%s", errortext);
-
- *returncode = LDAP_UNWILLING_TO_PERFORM;
- rc = SLAPI_DSE_CALLBACK_ERROR;
- }
- else if (agmt_set_bind_method_from_entry(agmt, e) != 0)
+ if (agmt_set_bind_method_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
"agmtlist_modify_callback: "
"failed to update bind method for agreement
%s\n",
@@ -436,7 +410,6 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore,
Slapi_Entry
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
- slapi_ch_free_string(&tmpstr);
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicatedAttributeList))