ldap/servers/slapd/configdse.c | 1 +
ldap/servers/slapd/libglobs.c | 36 ++++++++++++++++++++++++++++++++++++
ldap/servers/slapd/proto-slap.h | 2 ++
ldap/servers/slapd/saslbind.c | 2 ++
ldap/servers/slapd/slap.h | 2 ++
5 files changed, 43 insertions(+)
New commits:
commit e3aac6618a00236b73e44b99d15abed647708187
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Dec 5 17:43:30 2012 -0500
Ticket 395 - RFE: 389-ds shouldn't advertise in the rootDSE that we can handle a
sasl mech if we really can't
Bug Description: The root DSE lists all the mechanisms the SASL library can handle
(sasl_listmech), but that's
not necessarily what the server/co-products can support (e.g.
communicating with IPA).
Fix Description: Added new config setting to specify the SASL mechanisms that are
allowed. If none are specified,
then all are allowed. This setting now impacts the SASL callback
SASL_CB_GETOPT(ids_sasl_getopt), so
it applies to all SASL operations. So, the root DSE information is
correct, and you can now control
what mechanisms the server actually allows.
https://fedorahosted.org/389/ticket/395
Reviewed by: richm(Thanks!)
diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c
index b54062d..bd1566e 100644
--- a/ldap/servers/slapd/configdse.c
+++ b/ldap/servers/slapd/configdse.c
@@ -81,6 +81,7 @@ static const char *requires_restart[] = {
#endif
"cn=config:" CONFIG_RETURN_EXACT_CASE_ATTRIBUTE,
"cn=config:" CONFIG_SCHEMA_IGNORE_TRAILING_SPACES,
+ "cn=config:nsslapd-allowed-sasl-mechanisms",
"cn=config,cn=ldbm:nsslapd-idlistscanlimit",
"cn=config,cn=ldbm:nsslapd-parentcheck",
"cn=config,cn=ldbm:nsslapd-dbcachesize",
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index dee7812..ab366fc 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1006,6 +1006,10 @@ static struct config_get_and_set {
NULL, 0,
(void**)&global_slapdFrontendConfig.ndn_cache_max_size,
CONFIG_INT, (ConfigGetFunc)config_get_ndn_cache_size, DEFAULT_NDN_SIZE},
+ {CONFIG_ALLOWED_SASL_MECHS, config_set_allowed_sasl_mechs,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.allowed_sasl_mechs,
+ CONFIG_STRING, (ConfigGetFunc)config_get_allowed_sasl_mechs,
DEFAULT_ALLOWED_TO_DELETE_ATTRS},
#ifdef MEMPOOL_EXPERIMENTAL
,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
NULL, 0,
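Review bot: The default column of the new config_get_and_set entry (the line ending in `DEFAULT_ALLOWED_TO_DELETE_ATTRS},`) reuses the default of the allowed-to-delete-attrs setting, which looks like a copy-paste rather than a deliberate choice. If that default is ever applied to nsslapd-allowed-sasl-mechanisms, mech_list would receive a list of attribute names instead of SASL mechanism names, which matches no mechanism and would leave no SASL mechanism offered; the commit message says an unset value should allow all mechanisms, so the default should be `NULL` (or a dedicated default macro for this setting that expands to NULL). How the default column is consumed is not visible in this hunk, so it may only affect what is reported as the default rather than runtime behaviour; worth confirming before merge.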
@@ -1423,6 +1427,7 @@ FrontendConfig_init () {
cfg->entryusn_import_init = slapi_ch_strdup(ENTRYUSN_IMPORT_INIT);
cfg->allowed_to_delete_attrs = slapi_ch_strdup("nsslapd-listenhost
nsslapd-securelistenhost nsslapd-defaultnamingcontext");
cfg->default_naming_context = NULL; /* store normalized dn */
+ cfg->allowed_sasl_mechs = NULL;
init_disk_monitoring = cfg->disk_monitoring = LDAP_OFF;
cfg->disk_threshold = 2097152; /* 2 mb */
@@ -6556,6 +6561,37 @@ config_set_allowed_to_delete_attrs( const char *attrname, char
*value,
}
char *
+config_get_allowed_sasl_mechs()
+{
+ char *retVal;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->allowed_sasl_mechs;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+/* separated list of sasl mechs to allow */
+int
+config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, int
apply )
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ if(!apply || slapdFrontendConfig->allowed_sasl_mechs){
+ /* we only set this at startup, if we try again just return SUCCESS */
+ return LDAP_SUCCESS;
+ }
+
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+
+ return LDAP_SUCCESS;
+}
+
+char *
config_get_default_naming_context(void)
{
char *retVal;
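Review bot: config_get_allowed_sasl_mechs hands out the internal config string rather than a copy, and the read lock is released before the caller uses it; that is safe only because config_set_allowed_sasl_mechs assigns the field exactly once and never frees or replaces it, so the contract deserves a comment on the getter such as `/* Returns the server's internal mech list (set once at startup, never freed); callers must not free or modify it. NULL means no restriction. */`. The getter is also declared `config_get_allowed_sasl_mechs()` with empty parentheses, here and in the proto-slap.h hunk; `(void)` gives it a real prototype. In the setter, the `slapdFrontendConfig->allowed_sasl_mechs` check on the early-return line is performed outside CFG_LOCK_WRITE, and a second call silently returns LDAP_SUCCESS, so a runtime modify appears to succeed while having no effect; since errorbuf is available, reporting "requires restart" there would make the behaviour visible to the administrator. The comment `/* separated list of sasl mechs to allow */` should say what the separator is, matching the struct field comment in slap.h (comma/space).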
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index a17f40d..37b4647 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -549,6 +549,8 @@ int config_get_disk_logging_critical();
int config_get_ndn_cache_count();
size_t config_get_ndn_cache_size();
int config_get_ndn_cache_enabled();
+char *config_get_allowed_sasl_mechs();
+int config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, int
apply);
PLHashNumber hashNocaseString(const void *key);
PRIntn hashNocaseCompare(const void *v1, const void *v2);
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index f75e977..f9ddbfc 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -184,6 +184,8 @@ static int ids_sasl_getopt(
}
} else if (strcasecmp(option, "auxprop_plugin") == 0) {
*result = "iDS";
+ } else if (strcasecmp(option, "mech_list") == 0){
+ *result = config_get_allowed_sasl_mechs();
}
if (*result) *len = strlen(*result);
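Review bot: The new mech_list branch relies entirely on the SASL library applying mech_list consistently to both sasl_listmech (what the root DSE advertises) and the server-side bind path; if the library only consulted it for listing, the advertised and accepted sets would still diverge, which is exactly what the ticket is fixing, so this is worth confirming against the library version in use. A short comment on the new line would help future readers, e.g. `/* nsslapd-allowed-sasl-mechanisms; NULL leaves the library default (all mechanisms) */`. The pointer from config_get_allowed_sasl_mechs is passed to the library without a copy, which is only safe because that config value is set once at startup and never freed. ids_sasl_getopt begins and ends outside this hunk, so the return value after the `if (*result)` line is not visible here.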
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 8b43f5a..a510d8a 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2048,6 +2048,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_DISK_LOGGING_CRITICAL
"nsslapd-disk-monitoring-logging-critical"
#define CONFIG_NDN_CACHE "nsslapd-ndn-cache-enabled"
#define CONFIG_NDN_CACHE_SIZE "nsslapd-ndn-cache-max-size"
+#define CONFIG_ALLOWED_SASL_MECHS "nsslapd-allowed-sasl-mechanisms"
#ifdef MEMPOOL_EXPERIMENTAL
#define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
@@ -2258,6 +2259,7 @@ typedef struct _slapdFrontendConfig {
char *entryusn_import_init; /* Entry USN: determine the initital value of import */
int pagedsizelimit;
char *default_naming_context; /* Default naming context (normalized) */
+ char *allowed_sasl_mechs; /* comma/space separated list of allowed sasl mechs */
/* disk monitoring */
int disk_monitoring;