[Pkg-fedora-ds-maintainers] 389-ds-base: Changes to 'upstream-unstable'
Timo Aaltonen
tjaalton-guest at alioth.debian.org
Wed Jun 27 17:03:49 UTC 2012
Rebased ref, commits from common ancestor:
commit ff00f1db991e91420d1d0d8d5b8218bdede4b38e
Author: Rich Megginson <rmeggins at redhat.com>
Date: Thu Jun 21 15:12:36 2012 -0600
bump version to 1.2.11.6
diff --git a/VERSION.sh b/VERSION.sh
index 1fa17c4..87f74d8 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=2
-VERSION_MAINT=11.5
+VERSION_MAINT=11.6
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
commit 18f324124dfcb374fab8085939c72ae1bcc33b04
Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
Date: Thu Jun 14 14:40:27 2012 -0700
audit log does not log unhashed password: enabled, by default.
(cherry picked from commit df5293373d49c3a875d6fba3fec44babfff7b4f6)
diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index 81afe3e..f6afd10 100644
--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -55,7 +55,7 @@ char *attr_changetype = ATTR_CHANGETYPE;
char *attr_newrdn = ATTR_NEWRDN;
char *attr_deleteoldrdn = ATTR_DELETEOLDRDN;
char *attr_modifiersname = ATTR_MODIFIERSNAME;
-static int hide_unhashed_pw = 0;
+static int hide_unhashed_pw = 1;
/* Forward Declarations */
static void write_audit_file( int optype, const char *dn, void *change, int flag, time_t curtime );
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 2540e25..59561c7 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1075,7 +1075,7 @@ FrontendConfig_init () {
cfg->auditlog_minfreespace = 5;
cfg->auditlog_exptime = 1;
cfg->auditlog_exptimeunit = slapi_ch_strdup("month");
- cfg->auditlog_logging_hide_unhashed_pw = LDAP_OFF;
+ cfg->auditlog_logging_hide_unhashed_pw = LDAP_ON;
cfg->entryusn_global = LDAP_OFF;
cfg->entryusn_import_init = slapi_ch_strdup("0");
commit cfee4234ff1676fc4afa904192544d6f373f6f88
Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
Date: Tue Jun 12 16:41:39 2012 -0700
Bug 829213 - unhashed#user#password visible after changing password https://bugzilla.redhat.com/show_bug.cgi?id=829213
Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
https://bugzilla.redhat.com/show_bug.cgi?id=830001
Bug Description: unhashed#user#password is skipped to check acl
in acl_check_mod.
Fix Description: Set SLAPI_ATTR_FLAG_NOUSERMOD to unhashed#user#
password schema. It makes clients' modifying the unhashed password
fail by UNWILLING TO PERFORM.
(cherry picked from commit 1629311d7201a6a7842db15865e02042a2894383)
(cherry picked from commit 75224010ef566f96a953e9070dff10542a7a20a1)
diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
index 8d99879..f6f3cf3 100644
--- a/ldap/servers/slapd/pw_mgmt.c
+++ b/ldap/servers/slapd/pw_mgmt.c
@@ -306,7 +306,10 @@ pw_init ( void ) {
slapi_add_internal_attr_syntax( PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
PSEUDO_ATTR_UNHASHEDUSERPASSWORD_OID,
- OCTETSTRING_SYNTAX_OID, 0, 0 );
+ OCTETSTRING_SYNTAX_OID, 0,
+ /* Clients don't need to directly modify
+ * PSEUDO_ATTR_UNHASHEDUSERPASSWORD */
+ SLAPI_ATTR_FLAG_NOUSERMOD );
}
commit b4dddacb9aed0a44f8cb8a05213f3c9ffa9b77e1
Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
Date: Mon Jun 11 16:57:50 2012 -0700
Bug 829213 - unhashed#user#password visible after changing password https://bugzilla.redhat.com/show_bug.cgi?id=829213
Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
https://bugzilla.redhat.com/show_bug.cgi?id=830001
Bug Description: Deref still retrieved unhashed password.
Fix Description: Added code to Deref plugin to check the deref attribute.
If it is unhashed password, skip it.
(cherry picked from commit 26b5121d84232cf453fa917f11ba6518a40358ea)
(cherry picked from commit 9e15a73380e32947f08e2d8cc3bce87f467fab80)
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index fb6a54a..d97dc0a 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -632,6 +632,12 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
int needpartialattr = 1; /* need PartialAttribute sequence? */
int needvalsset = 1;
+ if (is_type_forbidden(retattrs[ii])) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
+ "skip forbidden attribute [%s]\n", derefdn);
+ continue;
+ }
+
deref_get_values(entries[0], retattrs[ii], &results, &type_name_disposition,
&actual_type_name, flags, &buffer_flags);
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index c3ebd79..1b62c13 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -639,7 +639,7 @@ int is_rootdse( const char *dn );
int get_entry_object_type();
int entry_computed_attr_init();
void send_referrals_from_entry(Slapi_PBlock *pb, Slapi_Entry *referral);
-
+int is_type_forbidden(const char *type);
/*
* dse.c
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 2f0afc7..75f8e8f 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -331,7 +331,6 @@ int entry_next_deleted_attribute( const Slapi_Entry *e, Slapi_Attr **a);
/* entry.c */
int entry_apply_mods( Slapi_Entry *e, LDAPMod **mods );
int is_type_protected(const char *type);
-int is_type_forbidden(const char *type);
int slapi_entries_diff(Slapi_Entry **old_entries, Slapi_Entry **new_entries, int testall, const char *logging_prestr, const int force_update, void *plg_id);
commit 2ebeb4a56b7ce4359b4601133889293d1546ffe1
Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
Date: Fri Jun 8 11:39:56 2012 -0700
Bug 829213 - unhashed#user#password visible after changing password https://bugzilla.redhat.com/show_bug.cgi?id=829213
Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
https://bugzilla.redhat.com/show_bug.cgi?id=830001
Bug Description: unhashed password is stored in the entry in memory
when an entry/a password is added or the password is modified.
The password could be visible by the ordinary search if the type
"unhashed#user#password" is specified in the attribute list.
Fix Description:
1. Set "unhashed#user#password" to the forbidden attribute list,
which is dropped from the search attribute list.
2. Get effective right does not return "unhashed#user#password"
3. In the modify operation, adding "unhashed#user#password" to or
deleting "unhashed#user#password" from the entry never returns
an error regardless of the attribute value. Internally, the
operation is ignored.
(cherry picked from commit 9df3c438ebd05bbaa5e7b2506fc5d5e9f3ff4a95)
(cherry picked from commit 8f0811a86a1b233cf9566349653ef7f184278144)
(Fixed conflicts in ldap/servers/slapd/{entry.c,entrywsi.c,slapi-private.h)
(cherry picked from commit 8f9e49e73efb45f6741dee371b7dec3cd2fc1ddd)
diff --git a/ldap/servers/slapd/attr.c b/ldap/servers/slapd/attr.c
index 95a7808..eab20e5 100644
--- a/ldap/servers/slapd/attr.c
+++ b/ldap/servers/slapd/attr.c
@@ -805,7 +805,14 @@ attr_add_valuearray(Slapi_Attr *a, Slapi_Value **vals, const char *dn)
for ( i = 0; vals[i] != NULL; ++i ) {
if ( slapi_attr_value_find( a, slapi_value_get_berval(vals[i]) ) == 0 ) {
duplicate_index = i;
- rc = LDAP_TYPE_OR_VALUE_EXISTS;
+ if (is_type_forbidden(a->a_type)) {
+ /* If the attr is in the forbidden list
+ * (e.g., unhashed password),
+ * we don't return any useful info to the clients. */
+ rc = LDAP_OTHER;
+ } else {
+ rc = LDAP_TYPE_OR_VALUE_EXISTS;
+ }
break;
}
}
diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
index 03ec117..4f60703 100644
--- a/ldap/servers/slapd/entry.c
+++ b/ldap/servers/slapd/entry.c
@@ -70,6 +70,9 @@ static char *protected_attrs_all [] = {PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
SLAPI_ATTR_ENTRYDN,
NULL};
+static char *forbidden_attrs [] = {PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
+ NULL};
+
/*
* An attribute name is of the form 'basename[;option]'.
* The state informaion is encoded in options. For example:
@@ -1624,6 +1627,18 @@ is_type_protected(const char *type)
return 0;
}
+int
+is_type_forbidden(const char *type)
+{
+ char **paap = NULL;
+ for (paap = forbidden_attrs; paap && *paap; paap++) {
+ if (0 == strcasecmp(type, *paap)) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
static void
entry2str_internal_put_attrlist( const Slapi_Attr *attrlist, int attr_state, int entry2str_ctrl, char **ecur, char **typebuf, size_t *typebuf_len)
{
@@ -3408,7 +3423,7 @@ delete_values_sv_internal(
* add/mod operation is done, while the retried entry from the db does not
* contain the attribute.
*/
- if (is_type_protected(type)) {
+ if (is_type_protected(type) || is_type_forbidden(type)) {
flags |= SLAPI_VALUE_FLAG_IGNOREERROR;
}
@@ -3419,7 +3434,6 @@ delete_values_sv_internal(
retVal = attrlist_delete( &e->e_attrs, type);
if (flags & SLAPI_VALUE_FLAG_IGNOREERROR) {
return LDAP_SUCCESS;
- } else {
}
return(retVal ? LDAP_NO_SUCH_ATTRIBUTE : LDAP_SUCCESS);
}
@@ -3429,6 +3443,9 @@ delete_values_sv_internal(
if ( a == NULL ) {
LDAPDebug( LDAP_DEBUG_ARGS, "could not find attribute %s\n",
type, 0, 0 );
+ if (flags & SLAPI_VALUE_FLAG_IGNOREERROR) {
+ return LDAP_SUCCESS;
+ }
return( LDAP_NO_SUCH_ATTRIBUTE );
}
@@ -3457,8 +3474,11 @@ delete_values_sv_internal(
"value for attribute type %s found in "
"entry %s\n", a->a_type, slapi_entry_get_dn_const(e), 0 );
}
+ if (flags & SLAPI_VALUE_FLAG_IGNOREERROR) {
+ retVal = LDAP_SUCCESS;
+ }
}
- }
+ }
return( retVal );
}
diff --git a/ldap/servers/slapd/entrywsi.c b/ldap/servers/slapd/entrywsi.c
index 05dbb36..8c6a122 100644
--- a/ldap/servers/slapd/entrywsi.c
+++ b/ldap/servers/slapd/entrywsi.c
@@ -634,7 +634,13 @@ entry_delete_present_values_wsi(Slapi_Entry *e, const char *type, struct berval
}
else if (attr_state==ATTRIBUTE_DELETED)
{
- retVal= LDAP_NO_SUCH_ATTRIBUTE;
+ /* If the type is in the forbidden attr list (e.g., unhashed password),
+ * we don't return the reason of the failure to the clients. */
+ if (is_type_forbidden(type)) {
+ retVal = LDAP_SUCCESS;
+ } else {
+ retVal= LDAP_NO_SUCH_ATTRIBUTE;
+ }
}
else if (attr_state==ATTRIBUTE_NOTFOUND)
{
@@ -643,8 +649,10 @@ entry_delete_present_values_wsi(Slapi_Entry *e, const char *type, struct berval
* failure, as the attribute could only exist in the entry in the
* memory when the add/mod operation is done, while the retried entry
* from the db does not contain the attribute.
+ * So is in the forbidden_attrs list. We don't return the reason
+ * of the failure.
*/
- if (is_type_protected(type)) {
+ if (is_type_protected(type) || is_type_forbidden(type)) {
retVal = LDAP_SUCCESS;
} else {
if (!urp) {
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index 4be8efd..baee7a7 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -3060,6 +3060,22 @@ slapi_pblock_set( Slapi_PBlock *pblock, int arg, void *value )
case SLAPI_SEARCH_ATTRS:
if(pblock->pb_op!=NULL)
{
+ char **attrs;
+ for (attrs = (char **)value; attrs && *attrs; attrs++) {
+ /* Get rid of forbidden attr, e.g.,
+ * PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
+ * which never be returned. */
+ if (is_type_forbidden(*attrs)) {
+ char **ptr;
+ for (ptr = attrs; ptr && *ptr; ptr++) {
+ if (ptr == attrs) {
+ slapi_ch_free_string(ptr); /* free unhashed type */
+ }
+ *ptr = *(ptr + 1); /* attrs is NULL terminated;
+ the NULL is copied here. */
+ }
+ }
+ }
pblock->pb_op->o_params.p.p_search.search_attrs = (char **) value;
}
break;
diff --git a/ldap/servers/slapd/plugin_internal_op.c b/ldap/servers/slapd/plugin_internal_op.c
index cf65c2c..4c7462d 100644
--- a/ldap/servers/slapd/plugin_internal_op.c
+++ b/ldap/servers/slapd/plugin_internal_op.c
@@ -291,6 +291,7 @@ slapi_search_internal_set_pb (Slapi_PBlock *pb, const char *base,
int operation_flags)
{
Operation *op;
+ char **tmp_attrs = NULL;
if (pb == NULL || base == NULL)
{
slapi_log_error(SLAPI_LOG_FATAL, NULL,
@@ -304,7 +305,9 @@ slapi_search_internal_set_pb (Slapi_PBlock *pb, const char *base,
slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &scope);
slapi_pblock_set(pb, SLAPI_SEARCH_STRFILTER, (void*)filter);
slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
- slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, attrs);
+ /* forbidden attrs could be removed in slapi_pblock_set. */
+ tmp_attrs = slapi_ch_array_dup(attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, tmp_attrs);
slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
if (uniqueid)
{
@@ -322,6 +325,7 @@ slapi_search_internal_set_pb_ext (Slapi_PBlock *pb, Slapi_DN *sdn,
int operation_flags)
{
Operation *op;
+ char **tmp_attrs = NULL;
if (pb == NULL || sdn == NULL)
{
slapi_log_error(SLAPI_LOG_FATAL, NULL,
@@ -337,7 +341,9 @@ slapi_search_internal_set_pb_ext (Slapi_PBlock *pb, Slapi_DN *sdn,
slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &scope);
slapi_pblock_set(pb, SLAPI_SEARCH_STRFILTER, (void*)filter);
slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
- slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, attrs);
+ /* forbidden attrs could be removed in slapi_pblock_set. */
+ tmp_attrs = slapi_ch_array_dup(attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, tmp_attrs);
slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
if (uniqueid)
{
@@ -351,6 +357,7 @@ void slapi_seq_internal_set_pb(Slapi_PBlock *pb, char *base, int type, char *att
Slapi_ComponentId *plugin_identity, int operation_flags)
{
Operation *op;
+ char **tmp_attrs = NULL;
if (pb == NULL || base == NULL)
{
slapi_log_error(SLAPI_LOG_FATAL, NULL,
@@ -364,8 +371,10 @@ void slapi_seq_internal_set_pb(Slapi_PBlock *pb, char *base, int type, char *att
slapi_pblock_set(pb, SLAPI_SEQ_TYPE, &type);
slapi_pblock_set(pb, SLAPI_SEQ_ATTRNAME, attrname);
slapi_pblock_set(pb, SLAPI_SEQ_VAL, val);
- slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, attrs);
- slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
+ /* forbidden attrs could be removed in slapi_pblock_set. */
+ tmp_attrs = slapi_ch_array_dup(attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, tmp_attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
slapi_pblock_set(pb, SLAPI_PLUGIN_IDENTITY, plugin_identity);
}
@@ -383,6 +392,7 @@ static int seq_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
char *base;
char *attrname, *val;
Slapi_DN *sdn = NULL;
+ char **tmp_attrs = NULL;
slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, (void *)&base );
slapi_pblock_get(pb, SLAPI_CONTROLS_ARG, &controls);
@@ -445,6 +455,9 @@ static int seq_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
slapi_sdn_free(&sdn);
slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, NULL);
+ slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &tmp_attrs);
+ slapi_ch_array_free(tmp_attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, NULL);
return rc;
}
@@ -731,6 +744,7 @@ search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
char *ifstr;
int opresult;
int rc = 0;
+ char **tmp_attrs = NULL;
PR_ASSERT (pb);
@@ -801,10 +815,13 @@ search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
done:
slapi_ch_free((void **) & fstr);
- if (filter != NULL)
+ if (filter != NULL)
{
slapi_filter_free(filter, 1 /* recurse */);
}
+ slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &tmp_attrs);
+ slapi_ch_array_free(tmp_attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, NULL);
return(rc);
}
diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
index 50b1cbc..12f11c3 100644
--- a/ldap/servers/slapd/schema.c
+++ b/ldap/servers/slapd/schema.c
@@ -1381,15 +1381,18 @@ schema_list_attributes_callback(struct asyntaxinfo *asi, void *arg)
return ATTR_SYNTAX_ENUM_NEXT;
}
if (aew->flag && (asi->asi_flags & aew->flag)) {
- charray_add(&aew->attrs, slapi_ch_strdup(asi->asi_name));
+ /* skip unhashed password */
+ if (!is_type_forbidden(asi->asi_name)) {
+ charray_add(&aew->attrs, slapi_ch_strdup(asi->asi_name));
if (NULL != asi->asi_aliases) {
- int i;
+ int i;
- for ( i = 0; asi->asi_aliases[i] != NULL; ++i ) {
+ for ( i = 0; asi->asi_aliases[i] != NULL; ++i ) {
charray_add(&aew->attrs,
- slapi_ch_strdup(asi->asi_aliases[i]));
- }
- }
+ slapi_ch_strdup(asi->asi_aliases[i]));
+ }
+ }
+ }
}
return ATTR_SYNTAX_ENUM_NEXT;
}
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 75f8e8f..2f0afc7 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -331,6 +331,7 @@ int entry_next_deleted_attribute( const Slapi_Entry *e, Slapi_Attr **a);
/* entry.c */
int entry_apply_mods( Slapi_Entry *e, LDAPMod **mods );
int is_type_protected(const char *type);
+int is_type_forbidden(const char *type);
int slapi_entries_diff(Slapi_Entry **old_entries, Slapi_Entry **new_entries, int testall, const char *logging_prestr, const int force_update, void *plg_id);
commit 81a82a5aad746cf42d21a040852c1acbbb30821d
Author: Mark Reynolds <mareynol at redhat.com>
Date: Wed May 16 17:53:27 2012 -0400
Ticket 365 - passwords in clear text in the audit log
Bug Description: after changing a user password, an additional modify is added to the
mods: "unhashed#user#password: <clear text password>"
e.g. PSEUDO_ATTR_UNHASHEDUSERPASSWORD
Fix Description: Added new config param "nsslapd-audit-logging-hide-unhashed-pw".
The default is "off". When "on" that single modify op is skipped from
the audit logging.
https://fedorahosted.org/389/ticket/365
Reviewed by: Noriko (Thanks!)
(cherry picked from commit 43fb648fd4d7663c61c7ea7ff649ffddb9cbf006)
diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index 9c5ffad..81afe3e 100644
--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -55,6 +55,7 @@ char *attr_changetype = ATTR_CHANGETYPE;
char *attr_newrdn = ATTR_NEWRDN;
char *attr_deleteoldrdn = ATTR_DELETEOLDRDN;
char *attr_modifiersname = ATTR_MODIFIERSNAME;
+static int hide_unhashed_pw = 0;
/* Forward Declarations */
static void write_audit_file( int optype, const char *dn, void *change, int flag, time_t curtime );
@@ -156,6 +157,10 @@ write_audit_file(
for ( j = 0; mods[j] != NULL; j++ )
{
int operationtype= mods[j]->mod_op & ~LDAP_MOD_BVALUES;
+
+ if((strcmp(mods[j]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD) == 0) && hide_unhashed_pw){
+ continue;
+ }
switch ( operationtype )
{
case LDAP_MOD_ADD:
@@ -250,3 +255,15 @@ write_audit_file(
lenstr_free( &l );
}
+
+void
+auditlog_hide_unhashed_pw()
+{
+ hide_unhashed_pw = 1;
+}
+
+void
+auditlog_expose_unhashed_pw()
+{
+ hide_unhashed_pw = 0;
+}
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 6d0db36..2540e25 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -459,6 +459,9 @@ static struct config_get_and_set {
{CONFIG_AUDITLOG_LOGGING_ENABLED_ATTRIBUTE, NULL,
log_set_logging, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_logging_enabled, CONFIG_ON_OFF, NULL},
+ {CONFIG_AUDITLOG_LOGGING_HIDE_UNHASHED_PW, config_set_auditlog_unhashed_pw,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.auditlog_logging_hide_unhashed_pw, CONFIG_ON_OFF, NULL},
{CONFIG_ACCESSLOG_BUFFERING_ATTRIBUTE, config_set_accesslogbuffering,
NULL, 0,
(void**)&global_slapdFrontendConfig.accesslogbuffering, CONFIG_ON_OFF, NULL},
@@ -1072,6 +1075,7 @@ FrontendConfig_init () {
cfg->auditlog_minfreespace = 5;
cfg->auditlog_exptime = 1;
cfg->auditlog_exptimeunit = slapi_ch_strdup("month");
+ cfg->auditlog_logging_hide_unhashed_pw = LDAP_OFF;
cfg->entryusn_global = LDAP_OFF;
cfg->entryusn_import_init = slapi_ch_strdup("0");
@@ -1171,6 +1175,21 @@ get_entry_point( int ep_name, caddr_t *ep_addr )
return rc;
}
+int
+config_set_auditlog_unhashed_pw(const char *attrname, char *value, char *errorbuf, int apply)
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ int retVal = LDAP_SUCCESS;
+
+ retVal = config_set_onoff ( attrname, value, &(slapdFrontendConfig->auditlog_logging_hide_unhashed_pw),
+ errorbuf, apply);
+ if(strcasecmp(value,"on") == 0){
+ auditlog_hide_unhashed_pw();
+ } else {
+ auditlog_expose_unhashed_pw();
+ }
+ return retVal;
+}
/*
* Utility function called by many of the config_set_XXX() functions.
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index ea6f610..c3ebd79 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -387,6 +387,7 @@ int config_set_disk_threshold( const char *attrname, char *value, char *errorbuf
int config_set_disk_grace_period( const char *attrname, char *value, char *errorbuf, int apply );
int config_set_disk_preserve_logging( const char *attrname, char *value, char *errorbuf, int apply );
int config_set_disk_logging_critical( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_auditlog_unhashed_pw(const char *attrname, char *value, char *errorbuf, int apply);
#if !defined(_WIN32) && !defined(AIX)
int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );
@@ -1190,6 +1191,8 @@ void factory_destroy_extension(int type,void *object,void *parent,void **extensi
*/
void write_audit_log_entry( Slapi_PBlock *pb);
+void auditlog_hide_unhashed_pw();
+void auditlog_expose_unhashed_pw();
/*
* eventq.c
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 7ca9a35..d0f2b33 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1877,6 +1877,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_ACCESSLOG_LOGGING_ENABLED_ATTRIBUTE "nsslapd-accesslog-logging-enabled"
#define CONFIG_ERRORLOG_LOGGING_ENABLED_ATTRIBUTE "nsslapd-errorlog-logging-enabled"
#define CONFIG_AUDITLOG_LOGGING_ENABLED_ATTRIBUTE "nsslapd-auditlog-logging-enabled"
+#define CONFIG_AUDITLOG_LOGGING_HIDE_UNHASHED_PW "nsslapd-auditlog-logging-hide-unhashed-pw"
#define CONFIG_ROOTDN_ATTRIBUTE "nsslapd-rootdn"
#define CONFIG_ROOTPW_ATTRIBUTE "nsslapd-rootpw"
#define CONFIG_ROOTPWSTORAGESCHEME_ATTRIBUTE "nsslapd-rootpwstoragescheme"
@@ -2166,6 +2167,7 @@ typedef struct _slapdFrontendConfig {
int auditlog_minfreespace;
int auditlog_exptime;
char *auditlog_exptimeunit;
+ int auditlog_logging_hide_unhashed_pw;
int return_exact_case; /* Return attribute names with the same case
* as they appear in at.conf */
commit 713bbeb6e18a8a5107f2069a25271a0f657033f1
Author: Rich Megginson <rmeggins at redhat.com>
Date: Mon Jun 18 17:57:15 2012 -0600
bump version to 1.2.11.5
diff --git a/VERSION.sh b/VERSION.sh
index a3ed29a..1fa17c4 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=2
-VERSION_MAINT=11.4
+VERSION_MAINT=11.5
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
commit 8e67aac72ce0802bd9dc7285da340191b71dafc3
Author: Rich Megginson <rmeggins at redhat.com>
Date: Mon Jun 18 12:21:50 2012 -0600
Ticket #387 - managed entry sometimes doesn't delete the managed entry
https://fedorahosted.org/389/ticket/387
Resolves: Ticket #387
Bug Description: managed entry sometimes doesn't delete the managed entry
Reviewed by: ???
Branch: master
Fix Description: A modify just replaces the old entry in the cache with
the new entry, and the modify code only does the cache_replace if the
database operations succeed, so we don't have to do any cache cleanup
in the txn retry loop. Also cleanup some other cache usage. If there
is an error and ec is in the cache, we still have to remove it and restore
the original e entry.
Platforms tested: RHEL6 x86_64, Fedora 17
Flag Day: no
Doc impact: no
(cherry picked from commit 65ec7c2f1f3989fe0ea7876909a9f882ecb2a1ec)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index 8bd75b2..6d2e6f6 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -187,6 +187,122 @@ error:
return retval;
}
+/**
+ Apply the mods to the ec entry. Check for syntax, schema problems.
+ Check for abandon.
+
+ Return code:
+ -1 - error - result code and message are set appropriately
+ 0 - successfully applied and checked
+ 1 - not an error - no mods to apply or op abandoned
+ */
+static int
+modify_apply_check_expand(
+ Slapi_PBlock *pb,
+ Slapi_Operation *operation,
+ LDAPMod **mods, /* list of mods to apply */
+ struct backentry *e, /* original "before" entry */
+ struct backentry *ec, /* "after" entry with mods applied */
+ Slapi_Entry **postentry,
+ int *ldap_result_code,
+ char **ldap_result_message
+)
+{
+ int rc = 0;
+ int i;
+ int repl_op;
+ int change_entry = 0;
+ Slapi_Mods smods = {0};
+ CSN *csn = operation_get_csn(operation);
+
+ slapi_pblock_get (pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);
+ slapi_mods_init_byref( &smods, mods );
+
+ if ( (change_entry = mods_have_effect (ec->ep_entry, &smods)) ) {
+ *ldap_result_code = entry_apply_mods_wsi(ec->ep_entry, &smods, csn,
+ operation_is_flag_set(operation, OP_FLAG_REPLICATED));
+ /*
+ * XXXmcs: it would be nice to get back an error message from
+ * the above call so we could pass it along to the client, e.g.,
+ * "duplicate value for attribute givenName."
+ */
+ } else {
+ Slapi_Entry *epostop = NULL;
+ /* If the entry was not actually changed, we still need to
+ * set the SLAPI_ENTRY_POST_OP field in the pblock (post-op
+ * plugins expect that field to be present for all modify
+ * operations that return LDAP_SUCCESS).
+ */
+ slapi_pblock_get ( pb, SLAPI_ENTRY_POST_OP, &epostop );
+ slapi_entry_free ( epostop ); /* free existing one, if any */
+ slapi_pblock_set ( pb, SLAPI_ENTRY_POST_OP, slapi_entry_dup( e->ep_entry ) );
+ *postentry = NULL; /* to avoid free in main error cleanup code */
+ }
+ if ( !change_entry || *ldap_result_code != 0 ) {
+ /* change_entry == 0 is not an error just a no-op */
+ rc = change_entry ? -1 : 1;
+ goto done;
+ }
+
+ /*
+ * If the objectClass attribute type was modified in any way, expand
+ * the objectClass values to reflect the inheritance hierarchy.
+ */
+ for ( i = 0; mods[i] != NULL && !repl_op; ++i ) {
+ if ( 0 == strcasecmp( SLAPI_ATTR_OBJECTCLASS, mods[i]->mod_type )) {
+ slapi_schema_expand_objectclasses( ec->ep_entry );
+ break;
+ }
+ }
+
+ /*
+ * We are about to pass the last abandon test, so from now on we are
+ * committed to finish this operation. Set status to "will complete"
+ * before we make our last abandon check to avoid race conditions in
+ * the code that processes abandon operations.
+ */
+ operation->o_status = SLAPI_OP_STATUS_WILL_COMPLETE;
+ if ( slapi_op_abandoned( pb ) ) {
+ rc = 1;
+ goto done;
+ }
+
+ /* if this is a replicated op, we don't need to perform these checks */
+ if(!repl_op){
+ /* check that the entry still obeys the schema */
+ if ((operation_is_flag_set(operation,OP_FLAG_ACTION_SCHEMA_CHECK)) &&
+ slapi_entry_schema_check( pb, ec->ep_entry ) != 0 ) {
+ *ldap_result_code = LDAP_OBJECT_CLASS_VIOLATION;
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, ldap_result_message);
+ rc = -1;
+ goto done;
+ }
+
+ /* check attribute syntax for the new values */
+ if (slapi_mods_syntax_check(pb, mods, 0) != 0) {
+ *ldap_result_code = LDAP_INVALID_SYNTAX;
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, ldap_result_message);
+ rc = -1;
+ goto done;
+ }
+
+ /*
+ * make sure the entry contains all values in the RDN.
+ * if not, the modification must have removed them.
+ */
+ if ( ! slapi_entry_rdn_values_present( ec->ep_entry ) ) {
+ *ldap_result_code= LDAP_NOT_ALLOWED_ON_RDN;
+ rc = -1;
+ goto done;
+ }
+ }
+
+done:
+ slapi_mods_done( &smods );
+
+ return rc;
+}
+
int
ldbm_back_modify( Slapi_PBlock *pb )
{
@@ -213,14 +329,13 @@ ldbm_back_modify( Slapi_PBlock *pb )
Slapi_Operation *operation;
int dblock_acquired= 0;
entry_address *addr;
- int change_entry = 0;
int ec_in_cache = 0;
int is_fixup_operation= 0;
int is_ruv = 0; /* True if the current entry is RUV */
CSN *opcsn = NULL;
int repl_op;
- int i = 0;
int opreturn = 0;
+ int mod_count = 0;
slapi_pblock_get( pb, SLAPI_BACKEND, &be);
slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &li );
@@ -342,82 +457,14 @@ ldbm_back_modify( Slapi_PBlock *pb )
/* The Plugin may have messed about with some of the PBlock parameters... ie. mods */
slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods );
slapi_mods_init_byref(&smods,mods);
+ mod_count = slapi_mods_get_num_mods(&smods);
- {
- CSN *csn = operation_get_csn(operation);
- if ( (change_entry = mods_have_effect (ec->ep_entry, &smods)) ) {
- ldap_result_code = entry_apply_mods_wsi(ec->ep_entry, &smods, csn, operation_is_flag_set(operation,OP_FLAG_REPLICATED));
- /*
- * XXXmcs: it would be nice to get back an error message from
- * the above call so we could pass it along to the client, e.g.,
- * "duplicate value for attribute givenName."
- */
- } else {
- /* If the entry was not actually changed, we still need to
- * set the SLAPI_ENTRY_POST_OP field in the pblock (post-op
- * plugins expect that field to be present for all modify
- * operations that return LDAP_SUCCESS).
- */
- postentry = slapi_entry_dup( e->ep_entry );
- slapi_pblock_set ( pb, SLAPI_ENTRY_POST_OP, postentry );
- postentry = NULL; /* avoid removal/free in error_return code */
- }
- if ( !change_entry || ldap_result_code != 0 ) {
- /* change_entry == 0 is not an error, but we need to free lock etc */
- goto error_return;
- }
- }
-
- /*
- * If the objectClass attribute type was modified in any way, expand
- * the objectClass values to reflect the inheritance hierarchy.
- */
- for ( i = 0; mods[i] != NULL && !repl_op; ++i ) {
- if ( 0 == strcasecmp( SLAPI_ATTR_OBJECTCLASS, mods[i]->mod_type )) {
- slapi_schema_expand_objectclasses( ec->ep_entry );
- break;
- }
- }
-
- /*
- * We are about to pass the last abandon test, so from now on we are
- * committed to finish this operation. Set status to "will complete"
- * before we make our last abandon check to avoid race conditions in
- * the code that processes abandon operations.
- */
- operation->o_status = SLAPI_OP_STATUS_WILL_COMPLETE;
- if ( slapi_op_abandoned( pb ) ) {
+ /* apply the mods, check for syntax, schema problems, etc. */
+ if (modify_apply_check_expand(pb, operation, mods, e, ec, &postentry,
+ &ldap_result_code, &ldap_result_message)) {
goto error_return;
}
- /* if this is a replicated op, we don't need to perform these checks */
- if(!repl_op){
- /* check that the entry still obeys the schema */
- if ((operation_is_flag_set(operation,OP_FLAG_ACTION_SCHEMA_CHECK)) &&
- slapi_entry_schema_check( pb, ec->ep_entry ) != 0 ) {
- ldap_result_code= LDAP_OBJECT_CLASS_VIOLATION;
- slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
- goto error_return;
- }
-
- /* check attribute syntax for the new values */
- if (slapi_mods_syntax_check(pb, mods, 0) != 0)
- {
- ldap_result_code = LDAP_INVALID_SYNTAX;
- slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
- goto error_return;
- }
-
- /*
- * make sure the entry contains all values in the RDN.
- * if not, the modification must have removed them.
- */
- if ( ! slapi_entry_rdn_values_present( ec->ep_entry ) ) {
- ldap_result_code= LDAP_NOT_ALLOWED_ON_RDN;
- goto error_return;
- }
- }
-
if (!is_ruv && !is_fixup_operation) {
ruv_c_init = ldbm_txn_ruv_modify_context( pb, &ruv_c );
if (-1 == ruv_c_init) {
@@ -437,7 +484,7 @@ ldbm_back_modify( Slapi_PBlock *pb )
* their original state;
*/
mods_original = copy_mods(mods);
- if ( (original_entry = backentry_dup( e )) == NULL ) {
+ if ( (original_entry = backentry_dup( ec )) == NULL ) {
ldap_result_code= LDAP_OPERATIONS_ERROR;
goto error_return;
}
@@ -445,6 +492,7 @@ ldbm_back_modify( Slapi_PBlock *pb )
txn.back_txn_txn = NULL; /* ready to create the child transaction */
for (retry_count = 0; retry_count < RETRY_TIMES; retry_count++) {
int cache_rc = 0;
+ int new_mod_count = 0;
if (txn.back_txn_txn && (txn.back_txn_txn != parent_txn)) {
dblayer_txn_abort(li,&txn);
slapi_pblock_set(pb, SLAPI_TXN, parent_txn);
@@ -453,6 +501,7 @@ ldbm_back_modify( Slapi_PBlock *pb )
* We need to grab the current mods, free them, and restore the
* originals. Same thing for the entry.
*/
+
slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
ldap_mods_free(mods, 1);
slapi_pblock_set(pb, SLAPI_MODIFY_MODS, copy_mods(mods_original));
@@ -461,10 +510,11 @@ ldbm_back_modify( Slapi_PBlock *pb )
backentry_free(&ec);
slapi_pblock_set( pb, SLAPI_MODIFY_EXISTING_ENTRY, original_entry->ep_entry );
ec = original_entry;
- if ( (original_entry = backentry_dup( e )) == NULL ) {
+ if ( (original_entry = backentry_dup( ec )) == NULL ) {
ldap_result_code= LDAP_OPERATIONS_ERROR;
goto error_return;
}
+
LDAPDebug0Args(LDAP_DEBUG_BACKLDBM,
"Modify Retrying Transaction\n");
#ifndef LDBM_NO_BACKOFF_DELAY
@@ -503,6 +553,25 @@ ldbm_back_modify( Slapi_PBlock *pb )
/* the mods might have been changed, so get the latest */
slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &mods );
+ /* make sure the betxnpreop did not alter any of the mods that
+ had already previously been applied */
+ slapi_mods_done(&smods);
+ slapi_mods_init_byref(&smods,mods);
+ new_mod_count = slapi_mods_get_num_mods(&smods);
+ if (new_mod_count < mod_count) {
+ LDAPDebug2Args( LDAP_DEBUG_ANY, "Error: BE_TXN_PRE_MODIFY plugin has removed "
+ "mods from the original list - mod count was [%d] now [%d] "
+ "mods will not be applied - mods list changes must be done "
+ "in the BE_PRE_MODIFY plugin, not the BE_TXN_PRE_MODIFY\n",
+ mod_count, new_mod_count );
+ } else if (new_mod_count > mod_count) { /* apply the new betxnpremod mods */
+ /* apply the mods, check for syntax, schema problems, etc. */
+ if (modify_apply_check_expand(pb, operation, &mods[mod_count], e, ec, &postentry,
+ &ldap_result_code, &ldap_result_message)) {
+ goto error_return;
+ }
+ } /* else if new_mod_count == mod_count then betxnpremod plugin did nothing */
+
/*
* Update the ID to Entry index.
* Note that id2entry_add replaces the entry, so the Entry ID
commit f2818827cf38046a16f9b7f39779ae5ab53338bd
Author: Rich Megginson <rmeggins at redhat.com>
Date: Wed Jun 13 21:03:37 2012 -0600
Ticket #387 - managed entry sometimes doesn't delete the managed entry
https://fedorahosted.org/389/ticket/387
Resolves: Ticket #387
Bug Description: managed entry sometimes doesn't delete the managed entry
Reviewed by: ???
Branch: master
Fix Description: A modify just replaces the old entry in the cache with
the new entry, and the modify code only does the cache_replace if the
database operations succeed, so we don't have to do any cache cleanup
in the txn retry loop. Also cleanup some other cache usage.
Platforms tested: RHEL6 x86_64, Fedora 17
Flag Day: no
Doc impact: no
(cherry picked from commit 2e9756be7d0e755ede0ff04f273311d98fa03aff)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index f7520c6..8bd75b2 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -456,15 +456,9 @@ ldbm_back_modify( Slapi_PBlock *pb )
slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
ldap_mods_free(mods, 1);
slapi_pblock_set(pb, SLAPI_MODIFY_MODS, copy_mods(mods_original));
- if (ec_in_cache) {
- /* New entry 'ec' is in the entry cache.
- * Remove it from the cache once. */
- CACHE_REMOVE(&inst->inst_cache, ec);
- CACHE_RETURN(&inst->inst_cache, &ec);
- } else {
- backentry_free(&ec);
- }
- ec_in_cache = 0; /* added to cache by id2entry - have to remove to try again */
+ /* ec is not really added to the cache until cache_replace, so we
+ don't have to worry about the cache here */
+ backentry_free(&ec);
slapi_pblock_set( pb, SLAPI_MODIFY_EXISTING_ENTRY, original_entry->ep_entry );
ec = original_entry;
if ( (original_entry = backentry_dup( e )) == NULL ) {
@@ -527,14 +521,6 @@ ldbm_back_modify( Slapi_PBlock *pb )
MOD_SET_ERROR(ldap_result_code, LDAP_OPERATIONS_ERROR, retry_count);
More information about the Pkg-fedora-ds-maintainers
mailing list