
[389-commits] [389-ds-base] 01/01: Ticket 49748 - Passthru plugin startTLS option not working


mreynolds pushed a commit to branch 389-ds-base-1.3.8
in repository 389-ds-base.

commit dae67ab02f12c72728df373bdc1ab68ac9e893fa
Author: Mark Reynolds <mreynolds@redhat.com>
Date: Mon Jun 4 12:34:10 2018 -0400

Ticket 49748 - Passthru plugin startTLS option not working

Description: While you can configure a connection to use StartTLS, the
plugin code did not attempt to use StartTLS.

https://pagure.io/389-ds-base/issue/49748

Reviewed by: tbordaz & lkrispenz(Thanks!!)

(cherry picked from commit d870eb0d410b59b2624e0aabe5dbeeb0afe94235)
---
ldap/servers/plugins/passthru/passthru.h | 2 +-
ldap/servers/plugins/passthru/ptconfig.c | 2 +-
ldap/servers/plugins/passthru/ptconn.c | 45 +++++++++++++++++++++++++-------
3 files changed, 38 insertions(+), 11 deletions(-)

diff --git a/ldap/servers/plugins/passthru/passthru.h b/ldap/servers/plugins/passthru/passthru.h
index 8440008..d7dac4d 100644
--- a/ldap/servers/plugins/passthru/passthru.h
+++ b/ldap/servers/plugins/passthru/passthru.h
@@ -26,6 +26,7 @@
#include "portable.h"
#include "slapi-plugin.h"
#include <nspr.h>
+#include <errno.h>

/* Private API: to get slapd_pr_strerror() and SLAPI_COMPONENT_NAME_NSPR */
#include "slapi-private.h"
@@ -42,7 +43,6 @@

#define PASSTHRU_OP_NOT_HANDLED 0
#define PASSTHRU_OP_HANDLED 1
-
#define PASSTHRU_CONN_TRIES 2

/* #define PASSTHRU_VERBOSE_LOGGING */
diff --git a/ldap/servers/plugins/passthru/ptconfig.c b/ldap/servers/plugins/passthru/ptconfig.c
index feb9aef..86953a3 100644
--- a/ldap/servers/plugins/passthru/ptconfig.c
+++ b/ldap/servers/plugins/passthru/ptconfig.c
@@ -228,7 +228,7 @@ passthru_config(int argc, char **argv)
srvr->ptsrvr_port = ludp->lud_port;
srvr->ptsrvr_secure = secure;
if (starttls) {
- srvr->ptsrvr_secure = 2;
+ srvr->ptsrvr_secure = SLAPI_LDAP_INIT_FLAG_startTLS;
}

/*
diff --git a/ldap/servers/plugins/passthru/ptconn.c b/ldap/servers/plugins/passthru/ptconn.c
index fedb5af..49040f6 100644
--- a/ldap/servers/plugins/passthru/ptconn.c
+++ b/ldap/servers/plugins/passthru/ptconn.c
@@ -115,7 +115,7 @@ passthru_dn2server(PassThruConfig *cfg, const char *normdn, PassThruServer **srv
int
passthru_get_connection(PassThruServer *srvr, LDAP **ldp)
{
- int rc;
+ int rc = LDAP_SUCCESS; /* optimistic */
PassThruConnection *conn, *connprev;
LDAP *ld;

@@ -125,7 +125,6 @@ passthru_get_connection(PassThruServer *srvr, LDAP **ldp)
check_for_stale_connections(srvr);

slapi_lock_mutex(srvr->ptsrvr_connlist_mutex);
- rc = LDAP_SUCCESS; /* optimistic */

slapi_log_err(SLAPI_LOG_PLUGIN, PASSTHRU_PLUGIN_SUBSYSTEM,
"=> passthru_get_connection server %s:%d conns: %d maxconns: %d\n",
@@ -134,8 +133,8 @@ passthru_get_connection(PassThruServer *srvr, LDAP **ldp)

for (;;) {
/*
- * look for an available, already open connection
- */
+ * look for an available, already open connection
+ */
connprev = NULL;
for (conn = srvr->ptsrvr_connlist; conn != NULL;
conn = conn->ptconn_next) {
@@ -153,9 +152,9 @@ passthru_get_connection(PassThruServer *srvr, LDAP **ldp)

if (srvr->ptsrvr_connlist_count < srvr->ptsrvr_maxconnections) {
/*
- * we have not exceeded the maximum number of connections allowed,
- * so we initialize a new one and add it to the end of our list.
- */
+ * we have not exceeded the maximum number of connections allowed,
+ * so we initialize a new one and add it to the end of our list.
+ */
if ((ld = slapi_ldap_init(srvr->ptsrvr_hostname,
srvr->ptsrvr_port, srvr->ptsrvr_secure, 1)) == NULL) {
#ifdef PASSTHRU_VERBOSE_LOGGING
@@ -166,9 +165,37 @@ passthru_get_connection(PassThruServer *srvr, LDAP **ldp)
goto unlock_and_return;
}

+ if (srvr->ptsrvr_secure == SLAPI_LDAP_INIT_FLAG_startTLS) {
+ if (srvr->ptsrvr_ldapversion == LDAP_VERSION3 ) {
+ rc = ldap_start_tls_s(ld, NULL, NULL);
+ if (LDAP_SUCCESS != rc) {
+ if (errno != 0) {
+ /* Log the system errno */
+ slapi_log_err(SLAPI_LOG_ERR, PASSTHRU_PLUGIN_SUBSYSTEM, "passthru_get_connection - "
+ "Error: could not send startTLS request: error %d (%s) errno %d (%s)\n",
+ rc, ldap_err2string(rc), errno,
+ slapd_system_strerror(errno));
+ } else {
+ /* Only LDAP error, no system error */
+ slapi_log_err(SLAPI_LOG_ERR, PASSTHRU_PLUGIN_SUBSYSTEM, "passthru_get_connection - "
+ "Error: could not send startTLS request: error %d (%s)\n",
+ rc, ldap_err2string(rc));
+ }
+ goto unlock_and_return;
+ }
+ } else {
+ /* We only support StartTLS on LDAPv3 */
+ slapi_log_err(SLAPI_LOG_ERR, PASSTHRU_PLUGIN_SUBSYSTEM, "passthru_get_connection - "
+ "Error: configured to use StartTLS but ldap version (v%d) is not supported "
+ "(version 3 is required). Aborting connection...\n",srvr->ptsrvr_ldapversion);
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ goto unlock_and_return;
+ }
+ }
+
/*
- * set protocol version to correct value for this server
- */
+ * set protocol version to correct value for this server
+ */
if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
&srvr->ptsrvr_ldapversion) != 0) {
slapi_ldap_unbind(ld);
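Review bot: Both new failure paths in the StartTLS block leak the handle just returned by slapi_ldap_init: a failed ldap_start_tls_s and the non-LDAPv3 branch each jump to unlock_and_return without releasing ld, whereas the existing ldap_set_option failure path at the end of the hunk does call `slapi_ldap_unbind(ld);` first. Add `slapi_ldap_unbind(ld);` immediately before each of the two new `goto unlock_and_return;` statements so every error path after a successful init releases the connection. A secondary ordering point: the block requires ptsrvr_ldapversion to be LDAP_VERSION3 but runs before that version is applied to the handle by the ldap_set_option call that follows, so whether the StartTLS request actually goes out as v3 depends on the default slapi_ldap_init leaves on the handle, which is not visible here; if that default is not v3 the block should move after the version is set. The errno logged in the "errno %d" branch may also be stale from an earlier unrelated call, since nothing clears it before ldap_start_tls_s; an `errno = 0;` just before the call would make that branch meaningful. passthru_get_connection continues outside the hunk.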
