From: Kurt Zeilenga
Date: Thu, 27 Feb 2003 18:05:06 +0000 (+0000)
Subject: Ready 2.1.14
X-Git-Tag: OPENLDAP_REL_ENG_2_1_14~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cab359371dca21f00b41b8a58dbb78410e88b792;p=thirdparty%2Fopenldap.git
Ready 2.1.14
---
diff --git a/CHANGES b/CHANGES
index 64f6dd3093..cfccaa60af 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,11 +1,14 @@
 OpenLDAP 2.1 Change Log
 OpenLDAP 2.1.14 Engineering
- Fix slapd directoryString exact index normalization bug
- Fix back-bdb bdb_cache_find_entry* retry bug
- Fix back-bdb log message bug
- Fix back-bdb group/atttribute txn code
+ Fixed slapd directoryString exact index normalization bug
+ Fixed slapd schema_check name check crash
+ Fixed slapd DirectoryString extraneous space bug (ITS#2328)
+ Fixed back-bdb bdb_cache_find_entry* retry bug
+ Fixed back-bdb log message bug
+ Fixed back-bdb group/atttribute txn code
 Updated slapadd to complain about holes in the DIT
+ Build Environment
 Documentation
 Misc man page updates
diff --git a/clients/tools/common.c b/clients/tools/common.c
index 2600d67a9e..864d9262d1 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -544,7 +544,7 @@ tool_args( int argc, char **argv )
 #endif
 } else {
 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- if ( authmethod = LDAP_AUTH_KRBV4 || authmethod == LDAP_AUTH_KRBV41 ) {
+ if ( authmethod == LDAP_AUTH_KRBV4 || authmethod == LDAP_AUTH_KRBV41 ) {
 fprintf( stderr, "%s: -k/-K incompatible with LDAPv%d\n", prog, protocol );
 exit( EXIT_FAILURE );
diff --git a/contrib/ldapsasl/README b/contrib/ldapsasl/README
index 36c3f6b990..db8d31e117 100644
--- a/contrib/ldapsasl/README
+++ b/contrib/ldapsasl/README
@@ -48,3 +48,19 @@ better for a real production environment. Please send feedback via the openldap-software mailing list for now.
 -- Howard Chu, 2002-07-12
+
+Update... With OpenLDAP 2.1.13 you can use SASL/EXTERNAL on ldapi://.
+This is fast and secure, and needs no username or password to be stored.
+The SASL config file is just
+
+ldapdb_uri: ldapi://
+ldapdb_mech: EXTERNAL
+
+The slapd.conf will need to map these usernames to LDAP DNs:
+
+sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
+ ldap:///dc=example,dc=com??sub?(&(uidNumber=$1)(gidNumber=$2))
+
+sasl-regexp uid=(.*),cn=external,cn=auth
+ ldap:///dc=example,dc=com??sub?(uid=$1)
+
diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index 800508ce79..42151425f5 100644
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -13,6 +13,15 @@ is not an actual database; instead it acts as a proxy to forward incoming requests to another LDAP server. While processing requests it will also chase referrals, so that referrals are fully processed instead of being returned to the slapd client.
+
+Sessions that explicitly Bind to the back-ldap database always create their
+own private connection to the remote LDAP server. Anonymous sessions will
+share a single anonymous connection to the remote server. For sessions bound
+through other mechanisms, all sessions with the same DN will share the
+same connection. This connection pooling strategy can enhance the proxy's
+efficiency by reducing the overhead of repeatedly making/breaking multiple
+connections.
+
 .SH CONFIGURATION
 These
 .B slapd.conf
@@ -59,6 +68,14 @@ check permissions.
 .B bindpw
 Password used with the bind DN above.
 .TP
+.B proxy-whoami
+Turns on proxying of the WhoAmI extended operation. If this option is
+given, back-ldap will replace slapd's original WhoAmI routine with its
+own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
+request will be forwarded to the remote LDAP server. Other sessions will
+be handled by the local slapd, as before. This option is mainly useful
+in conjunction with Proxy Authorization.
+.TP
 .B rebind-as-user
 If this option is given, the client's bind credentials are remembered for rebinds when chasing referrals.
diff --git a/servers/slapd/schema_check.c b/servers/slapd/schema_check.c
index d2fb876ba7..6125db6811 100644
--- a/servers/slapd/schema_check.c
+++ b/servers/slapd/schema_check.c
@@ -21,6 +21,10 @@ static char * oc_check_required( ObjectClass *oc, struct berval *ocname );
+static int entry_naming_check(
+ Entry *e,
+ const char** text,
+ char *textbuf, size_t textlen );
 /*
 * entry_schema_check - check that entry e conforms to the schema required
 * by its object class(es).
@@ -218,51 +222,10 @@ entry_schema_check(
 return LDAP_NO_OBJECT_CLASS_MODS;
 }
- { /* naming check */
- LDAPRDN *rdn;
- const char *p;
- ber_len_t cnt;
-
- /*
- * Get attribute type(s) and attribute value(s) of our RDN
- */
- if ( ldap_bv2rdn( &e->e_name, &rdn, (char **)&p,
- LDAP_DN_FORMAT_LDAP ) )
- {
- *text = "unrecongized attribute type(s) in RDN";
- return LDAP_INVALID_DN_SYNTAX;
- }
-
- /* Check that each AVA of the RDN is present in the entry */
- /* FIXME: Should also check that each AVA lists a distinct type */
- for ( cnt = 0; rdn[0][cnt]; cnt++ ) {
- LDAPAVA *ava = rdn[0][cnt];
- AttributeDescription *desc = NULL;
- Attribute *attr;
- const char *errtext;
-
- rc = slap_bv2ad( &ava->la_attr, &desc, &errtext );
- if ( rc != LDAP_SUCCESS ) {
- snprintf( textbuf, textlen, "%s (in RDN)", errtext );
- return rc;
- }
-
- /* find the naming attribute */
- attr = attr_find( e->e_attrs, desc );
- if ( attr == NULL ) {
- snprintf( textbuf, textlen,
- "naming attribute '%s' is not present in entry",
- ava->la_attr );
- return LDAP_NO_SUCH_ATTRIBUTE;
- }
-
- if ( value_find( desc, attr->a_vals, &ava->la_value ) != 0 ) {
- snprintf( textbuf, textlen,
- "value of naming attribute '%s' is not present in entry",
- ava->la_attr );
- return LDAP_NO_SUCH_ATTRIBUTE;
- }
- }
+ /* naming check */
+ rc = entry_naming_check( e, text, textbuf, textlen );
+ if ( rc != LDAP_SUCCESS ) {
+ return rc;
 }
 #ifdef SLAP_EXTENDED_SCHEMA
@@ -838,3 +801,64 @@ int mods_structural_class(
 return structural_class( ocmod->sml_bvalues, sc, NULL, text, textbuf, textlen );
 }
+
+
+static int
+entry_naming_check(
+ Entry *e,
+ const char** text,
+ char *textbuf, size_t textlen )
+{
+ /* naming check */
+ LDAPRDN *rdn = NULL;
+ const char *p = NULL;
+ ber_len_t cnt;
+ int rc = LDAP_SUCCESS;
+
+ /*
+ * Get attribute type(s) and attribute value(s) of our RDN
+ */
+ if ( ldap_bv2rdn( &e->e_name, &rdn, (char **)&p,
+ LDAP_DN_FORMAT_LDAP ) )
+ {
+ *text = "unrecongized attribute type(s) in RDN";
+ return LDAP_INVALID_DN_SYNTAX;
+ }
+
+ /* Check that each AVA of the RDN is present in the entry */
+ /* FIXME: Should also check that each AVA lists a distinct type */
+ for ( cnt = 0; rdn[0][cnt]; cnt++ ) {
+ LDAPAVA *ava = rdn[0][cnt];
+ AttributeDescription *desc = NULL;
+ Attribute *attr;
+ const char *errtext;
+
+ rc = slap_bv2ad( &ava->la_attr, &desc, &errtext );
+ if ( rc != LDAP_SUCCESS ) {
+ snprintf( textbuf, textlen, "%s (in RDN)", errtext );
+ break;
+ }
+
+ /* find the naming attribute */
+ attr = attr_find( e->e_attrs, desc );
+ if ( attr == NULL ) {
+ snprintf( textbuf, textlen,
+ "naming attribute '%s' is not present in entry",
+ ava->la_attr.bv_val );
+ rc = LDAP_NO_SUCH_ATTRIBUTE;
+ break;
+ }
+
+ if ( value_find( desc, attr->a_vals, &ava->la_value ) != 0 ) {
+ snprintf( textbuf, textlen,
+ "value of naming attribute '%s' is not present in entry",
+ ava->la_attr.bv_val );
+ rc = LDAP_NO_SUCH_ATTRIBUTE;
+ break;
+ }
+ }
+
+ ldap_rdnfree( rdn );
+ return rc;
+}
+
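Review bot: The new entry_naming_check() carries a misspelt error string forward on the `*text = "unrecongized attribute type(s) in RDN";` line; it should read `*text = "unrecognized attribute type(s) in RDN";`, since this text presumably surfaces as the diagnostic message a client sees when its entry is rejected. The function also has no header comment: one stating that it returns LDAP_SUCCESS when every AVA of the entry's RDN is present as a value of the corresponding attribute, otherwise an LDAP result code with the detail left in *text or textbuf, and that the RDN parsed by ldap_bv2rdn() is released by ldap_rdnfree() on every exit path after a successful parse, would make the contract clear to entry_schema_check() and any future caller. The two snprintf() branches write into textbuf without pointing *text at it, so the diagnostic only reaches the caller if entry_schema_check() has already set *text to textbuf — that caller's start lies outside this hunk, so worth confirming.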