ITS#6740 - Always enable rewrite

Quanah Gibson-Mount 2020-04-17 15:00:28 +00:00
parent 1f4d4c9536
commit bc9a92866a
16 changed files with 182 additions and 528 deletions


@ -268,7 +268,6 @@ OL_ARG_ENABLE(cleartext,[ --enable-cleartext enable cleartext passwords], y
OL_ARG_ENABLE(crypt,[ --enable-crypt enable crypt(3) passwords], no)dnl
OL_ARG_ENABLE(spasswd,[ --enable-spasswd enable (Cyrus) SASL password verification], no)dnl
OL_ARG_ENABLE(modules,[ --enable-modules enable dynamic module support], no)dnl
OL_ARG_ENABLE(rewrite,[ --enable-rewrite enable DN rewriting in back-ldap and rwm overlay], auto)dnl
OL_ARG_ENABLE(rlookups,[ --enable-rlookups enable reverse lookups of client hostnames], no)dnl
OL_ARG_ENABLE(slapi,[ --enable-slapi enable SLAPI support (experimental)], no)dnl
OL_ARG_ENABLE(slp,[ --enable-slp enable SLPv2 support], no)dnl
@ -439,9 +438,6 @@ if test $ol_enable_slapd = no ; then
if test $ol_enable_aci != no ; then
AC_MSG_WARN([slapd disabled, ignoring --enable-aci argument])
fi
if test $ol_enable_rewrite = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable-rewrite argument])
fi
dnl overlays
case "$ol_enable_overlays" in yes | mod)
AC_MSG_WARN([slapd disabled, ignoring --enable-overlays argument])
@ -465,8 +461,6 @@ if test $ol_enable_slapd = no ; then
ol_enable_aci=no
ol_enable_wrappers=no
ol_enable_rewrite=no
elif test $ol_enable_modules != yes &&
test $ol_enable_dnssrv = no &&
test $ol_enable_ldap = no &&
@ -524,7 +518,6 @@ SLAPD_LIBS=
BUILD_SLAPD=no
BUILD_REWRITE=no
BUILD_THREAD=no
BUILD_SLAPI=no
@ -2571,7 +2564,6 @@ fi
if test "$ol_enable_meta" != no ; then
BUILD_SLAPD=yes
BUILD_META=$ol_enable_meta
BUILD_REWRITE=yes
if test "$ol_enable_meta" = mod ; then
SLAPD_DYNAMIC_BACKENDS="$SLAPD_DYNAMIC_BACKENDS back-meta"
MFLAG=SLAPD_MOD_DYNAMIC
@ -2585,7 +2577,6 @@ fi
if test "$ol_enable_asyncmeta" != no ; then
BUILD_SLAPD=yes
BUILD_ASYNCMETA=$ol_enable_asyncmeta
BUILD_REWRITE=yes
if test "$ol_enable_asyncmeta" = mod ; then
SLAPD_DYNAMIC_BACKENDS="$SLAPD_DYNAMIC_BACKENDS back-asyncmeta"
MFLAG=SLAPD_MOD_DYNAMIC
@ -2889,7 +2880,6 @@ if test "$ol_enable_retcode" != no ; then
fi
if test "$ol_enable_rwm" != no ; then
BUILD_REWRITE=yes
BUILD_RWM=$ol_enable_rwm
if test "$ol_enable_rwm" = mod ; then
MFLAG=SLAPD_MOD_DYNAMIC
@ -2973,11 +2963,6 @@ if test "$ol_enable_valsort" != no ; then
AC_DEFINE_UNQUOTED(SLAPD_OVER_VALSORT,$MFLAG,[define for Value Sorting overlay])
fi
if test "$ol_enable_rewrite" != no ; then
AC_DEFINE(ENABLE_REWRITE,1,[define to enable rewriting in back-ldap and back-meta])
BUILD_REWRITE=yes
fi
if test "$ol_enable_slapi" != no ; then
AC_DEFINE(ENABLE_SLAPI,1,[define to enable slapi library])
BUILD_SLAPI=yes
@ -3004,7 +2989,6 @@ AC_SUBST(WITH_SASL)
AC_SUBST(WITH_TLS)
AC_SUBST(WITH_MODULES_ENABLED)
AC_SUBST(WITH_ACI_ENABLED)
AC_SUBST(BUILD_REWRITE)
AC_SUBST(BUILD_THREAD)
AC_SUBST(BUILD_LIBS_DYNAMIC)
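Review bot: With `AC_DEFINE(ENABLE_REWRITE,1,...)` apparently dropped from the block after the valsort overlay, any `#ifdef ENABLE_REWRITE` or `#ifdef SLAP_AUTH_REWRITE` left in a file this commit does not touch would now silently compile its non-librewrite branch. The sections on this page strip the guards from back-meta, slapd and syncrepl, but the page cannot show whether back-ldap, other overlays or contrib modules still test either macro, so a tree-wide search for both names is worth doing before merge. Separately, `OL_ARG_ENABLE(rewrite,...)` goes away without a replacement message; autoconf normally only warns about an unrecognised `--disable-rewrite`, so a packager who relied on it gets librewrite built in without a hard error, and a release-note entry would make that visible.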


@ -60,13 +60,7 @@ struct ldaprwmap {
/*
* DN rewriting
*/
#ifdef ENABLE_REWRITE
struct rewrite_info *rwm_rw;
#else /* !ENABLE_REWRITE */
/* some time the suffix massaging without librewrite
* will be disabled */
BerVarray rwm_suffix_massage;
#endif /* !ENABLE_REWRITE */
BerVarray rwm_bva_rewrite;
/*
@ -81,14 +75,9 @@ struct ldaprwmap {
typedef struct dncookie {
struct metatarget_t *target;
#ifdef ENABLE_REWRITE
Connection *conn;
char *ctx;
SlapReply *rs;
#else
int normalized;
int tofrom;
#endif
} dncookie;
int ldap_back_dn_massage(dncookie *dc, struct berval *dn,
@ -133,14 +122,12 @@ ldap_back_filter_map_rewrite(
void *memctx );
/* suffix massaging by means of librewrite */
#ifdef ENABLE_REWRITE
extern int
suffix_massage_config( struct rewrite_info *info,
struct berval *pvnc,
struct berval *nvnc,
struct berval *prnc,
struct berval *nrnc );
#endif /* ENABLE_REWRITE */
extern int
ldap_back_referral_result_rewrite(
dncookie *dc,


@ -3200,7 +3200,6 @@ error_return:;
}
#ifdef ENABLE_REWRITE
static char *
suffix_massage_regexize( const char *s )
{
@ -3368,5 +3367,3 @@ suffix_massage_config(
return 0;
}
#endif /* ENABLE_REWRITE */


@ -280,9 +280,7 @@ map_attr_value(
{
dncookie fdc = *dc;
#ifdef ENABLE_REWRITE
fdc.ctx = "searchFilterAttrDN";
#endif
switch ( ldap_back_dn_massage( &fdc, value, &vtmp ) ) {
case LDAP_SUCCESS:
@ -684,7 +682,6 @@ ldap_back_filter_map_rewrite(
rc = ldap_back_int_filter_map_rewrite( dc, f, fstr, remap, memctx );
#ifdef ENABLE_REWRITE
if ( rc != LDAP_SUCCESS ) {
return rc;
}
@ -741,7 +738,6 @@ ldap_back_filter_map_rewrite(
ch_free( fstr->bv_val );
*fstr = ftmp;
}
#endif /* ENABLE_REWRITE */
return rc;
}


@ -1289,12 +1289,7 @@ really_bad:;
continue;
}
#ifdef ENABLE_REWRITE
dc.ctx = "referralDN";
#else /* ! ENABLE_REWRITE */
dc.tofrom = 0;
dc.normalized = 0;
#endif /* ! ENABLE_REWRITE */
/* FIXME: merge all and return at the end */


@ -58,7 +58,6 @@
#include "../back-ldap/back-ldap.h"
#include "back-meta.h"
#ifdef ENABLE_REWRITE
int
ldap_back_dn_massage(
dncookie *dc,
@ -109,85 +108,3 @@ ldap_back_dn_massage(
return rc;
}
#else
/*
* ldap_back_dn_massage
*
* Aliases the suffix; based on suffix_alias (servers/slapd/suffixalias.c).
*/
int
ldap_back_dn_massage(
dncookie *dc,
struct berval *odn,
struct berval *res
)
{
int i, src, dst;
struct berval pretty = {0,NULL}, *dn = odn;
assert( res != NULL );
if ( dn == NULL ) {
res->bv_val = NULL;
res->bv_len = 0;
return 0;
}
if ( dc->target->mt_rwmap.rwm_suffix_massage == NULL ) {
*res = *dn;
return 0;
}
if ( dc->tofrom ) {
src = 0 + dc->normalized;
dst = 2 + dc->normalized;
} else {
src = 2 + dc->normalized;
dst = 0 + dc->normalized;
/* DN from remote server may be in arbitrary form.
* Pretty it so we can parse reliably.
*/
dnPretty( NULL, dn, &pretty, NULL );
if (pretty.bv_val) dn = &pretty;
}
for ( i = 0;
dc->target->mt_rwmap.rwm_suffix_massage[i].bv_val != NULL;
i += 4 ) {
int aliasLength = dc->target->mt_rwmap.rwm_suffix_massage[i+src].bv_len;
int diff = dn->bv_len - aliasLength;
if ( diff < 0 ) {
/* alias is longer than dn */
continue;
} else if ( diff > 0 && ( !DN_SEPARATOR(dn->bv_val[diff-1]))) {
/* boundary is not at a DN separator */
continue;
/* At a DN Separator */
}
if ( !strcmp( dc->target->mt_rwmap.rwm_suffix_massage[i+src].bv_val, &dn->bv_val[diff] ) ) {
res->bv_len = diff + dc->target->mt_rwmap.rwm_suffix_massage[i+dst].bv_len;
res->bv_val = ch_malloc( res->bv_len + 1 );
strncpy( res->bv_val, dn->bv_val, diff );
strcpy( &res->bv_val[diff], dc->target->mt_rwmap.rwm_suffix_massage[i+dst].bv_val );
Debug( LDAP_DEBUG_ARGS,
"ldap_back_dn_massage:"
" converted \"%s\" to \"%s\"\n",
BER_BVISNULL( dn ) ? "" : dn->bv_val,
BER_BVISNULL( res ) ? "" : res->bv_val );
break;
}
}
if (pretty.bv_val) {
ch_free(pretty.bv_val);
dn = odn;
}
/* Nothing matched, just return the original DN */
if (res->bv_val == NULL) {
*res = *dn;
}
return 0;
}
#endif /* !ENABLE_REWRITE */


@ -331,11 +331,7 @@ static ConfigTable config_back_cf_table[] = {
"SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )",
NULL, NULL },
{ "authid-rewrite", "rewrite", 2, 0, STRLENOF( "authid-rewrite" ),
#ifdef SLAP_AUTH_REWRITE
ARG_MAGIC|CFG_REWRITE, &config_generic,
#else
ARG_IGNORED, NULL,
#endif
"( OLcfgGlAt:6 NAME 'olcAuthIDRewrite' "
"EQUALITY caseIgnoreMatch "
"SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )", NULL, NULL },
@ -1396,11 +1392,9 @@ config_generic(ConfigArgs *c) {
if ( !c->rvalue_vals ) rc = 1;
break;
#endif
#ifdef SLAP_AUTH_REWRITE
case CFG_REWRITE:
rc = slap_sasl_rewrite_unparse( &c->rvalue_vals );
break;
#endif
default:
rc = 1;
}
@ -1473,11 +1467,9 @@ config_generic(ConfigArgs *c) {
rc = slap_sasl_regexp_delete( c->valx );
break;
#ifdef SLAP_AUTH_REWRITE
case CFG_REWRITE:
rc = slap_sasl_rewrite_delete( c->valx );
break;
#endif /* SLAP_AUTH_REWRITE */
case CFG_SALT:
ch_free( passwd_salt );
@ -2426,7 +2418,6 @@ sortval_reject:
break;
#endif
#ifdef SLAP_AUTH_REWRITE
case CFG_REWRITE: {
int rc;
@ -2441,7 +2432,6 @@ sortval_reject:
}
return rc;
}
#endif
default:


@ -24,10 +24,6 @@
#ifndef RWM_H
#define RWM_H
#ifndef ENABLE_REWRITE
#error "librewrite must be enabled!"
#endif /* ENABLE_REWRITE */
/* String rewrite library */
#include "rewrite.h"


@ -1719,7 +1719,6 @@ LDAP_SLAPD_F (int) slap_sasl_regexp_config LDAP_P((
LDAP_SLAPD_F (void) slap_sasl_regexp_unparse LDAP_P(( BerVarray *bva ));
LDAP_SLAPD_F (int) slap_sasl_setpolicy LDAP_P(( const char * ));
LDAP_SLAPD_F (const char *) slap_sasl_getpolicy LDAP_P(( void ));
#ifdef SLAP_AUTH_REWRITE
LDAP_SLAPD_F (int) slap_sasl_rewrite_config LDAP_P((
const char *fname,
int lineno,
@ -1728,7 +1727,6 @@ LDAP_SLAPD_F (int) slap_sasl_rewrite_config LDAP_P((
int valx ));
LDAP_SLAPD_F (int) slap_sasl_rewrite_delete LDAP_P(( int valx ));
LDAP_SLAPD_F (int) slap_sasl_rewrite_unparse LDAP_P(( BerVarray *bva ));
#endif /* SLAP_AUTH_REWRITE */
LDAP_SLAPD_F (void) slap_sasl_regexp_destroy LDAP_P(( void ));
LDAP_SLAPD_F (int) slap_sasl_regexp_delete LDAP_P(( int valx ));
LDAP_SLAPD_F (int) authzValidate LDAP_P((


@ -28,9 +28,7 @@
#include "slap.h"
#ifdef ENABLE_REWRITE
#include <rewrite.h>
#endif
#ifdef HAVE_CYRUS_SASL
# ifdef HAVE_SASL_SASL_H
@ -1012,8 +1010,6 @@ static int chk_sasl(
#endif /* HAVE_CYRUS_SASL */
#ifdef ENABLE_REWRITE
typedef struct slapd_map_data {
struct berval base;
struct berval filter;
@ -1234,7 +1230,6 @@ static const rewrite_mapper slapd_mapper = {
slapd_rw_apply,
slapd_rw_destroy
};
#endif
int slap_sasl_init( void )
{
@ -1247,9 +1242,7 @@ int slap_sasl_init( void )
};
#endif
#ifdef ENABLE_REWRITE
rewrite_mapper_register( &slapd_mapper );
#endif
#ifdef HAVE_CYRUS_SASL
#ifdef HAVE_SASL_VERSION
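Review bot: `rewrite_mapper_register( &slapd_mapper );` in `slap_sasl_init` now runs in every build, and its result is discarded. If the call can fail (librewrite's registration function appears to return an int status), slapd would start without the slapd map type, and authid-rewrite rules that depend on it would later be rejected or behave differently from what the administrator configured. Consider `if ( rewrite_mapper_register( &slapd_mapper ) != 0 ) return -1;` preceded by a `Debug( LDAP_DEBUG_ANY, ... )` line. The rest of `slap_sasl_init` lies outside the hunk, so the appropriate error return should be confirmed there.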


@ -70,21 +70,15 @@
typedef struct sasl_regexp {
char *sr_match; /* regexp match pattern */
char *sr_replace; /* regexp replace pattern */
#ifndef SLAP_AUTH_REWRITE
regex_t sr_workspace; /* workspace for regexp engine */
int sr_offset[SASLREGEX_REPLACE+2]; /* offsets of $1,$2... in *replace */
#endif
} SaslRegexp_t;
static int nSaslRegexp = 0;
static SaslRegexp_t *SaslRegexp = NULL;
#ifdef SLAP_AUTH_REWRITE
#include "rewrite.h"
struct rewrite_info *sasl_rwinfo = NULL;
#define AUTHID_CONTEXT "authid"
static BerVarray authz_rewrites = NULL;
#endif /* SLAP_AUTH_REWRITE */
/* What SASL proxy authorization policies are allowed? */
#define SASL_AUTHZ_NONE 0x00
@ -1246,43 +1240,6 @@ done:
return( rc );
}
#ifndef SLAP_AUTH_REWRITE
static int slap_sasl_rx_off(char *rep, int *off)
{
const char *c;
int n;
/* Precompile replace pattern. Find the $<n> placeholders */
off[0] = -2;
n = 1;
for ( c = rep; *c; c++ ) {
if ( *c == '\\' && c[1] ) {
c++;
continue;
}
if ( *c == '$' ) {
if ( n == SASLREGEX_REPLACE ) {
Debug( LDAP_DEBUG_ANY,
"SASL replace pattern %s has too many $n "
"placeholders (max %d)\n",
rep, SASLREGEX_REPLACE );
return( LDAP_OTHER );
}
off[n] = c - rep;
n++;
}
}
/* Final placeholder, after the last $n */
off[n] = c - rep;
n++;
off[n] = -1;
return( LDAP_SUCCESS );
}
#endif /* ! SLAP_AUTH_REWRITE */
#ifdef SLAP_AUTH_REWRITE
static int slap_sasl_rewrite_config_argv(
const char *fname,
int lineno,
@ -1530,7 +1487,6 @@ out:
return rc;
}
#endif /* SLAP_AUTH_REWRITE */
int slap_sasl_regexp_config( const char *match, const char *replace, int valx )
{
@ -1541,7 +1497,6 @@ int slap_sasl_regexp_config( const char *match, const char *replace, int valx )
if ( valx < 0 || valx > nSaslRegexp )
valx = nSaslRegexp;
#ifdef SLAP_AUTH_REWRITE
for ( i = 0; i < valx; i++) {
rc = slap_sasl_regexp_rewrite_config( &rw, "sasl-regexp", 0,
SaslRegexp[i].sr_match,
@ -1552,18 +1507,6 @@ int slap_sasl_regexp_config( const char *match, const char *replace, int valx )
rc = slap_sasl_regexp_rewrite_config( &rw, "sasl-regexp", 0,
match, replace, AUTHID_CONTEXT );
#else /* ! SLAP_AUTH_REWRITE */
/* Precompile matching pattern */
rc = regcomp( &sr.sr_workspace, match, REG_EXTENDED|REG_ICASE );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"SASL match pattern %s could not be compiled by regexp engine\n",
match );
return( LDAP_OTHER );
}
rc = slap_sasl_rx_off( replace, sr.sr_offset );
#endif /* ! SLAP_AUTH_REWRITE */
if ( rc == LDAP_SUCCESS ) {
SaslRegexp = (SaslRegexp_t *) ch_realloc( (char *) SaslRegexp,
@ -1579,7 +1522,6 @@ int slap_sasl_regexp_config( const char *match, const char *replace, int valx )
nSaslRegexp++;
#ifdef SLAP_AUTH_REWRITE
for ( i = valx + 1; i < nSaslRegexp; i++ ) {
rc = slap_sasl_regexp_rewrite_config( &rw, "sasl-regexp", 0,
SaslRegexp[i].sr_match,
@ -1592,7 +1534,6 @@ int slap_sasl_regexp_config( const char *match, const char *replace, int valx )
sasl_rwinfo = rw;
} else {
rewrite_info_delete( &rw );
#endif
}
return rc;
@ -1603,9 +1544,6 @@ slap_sasl_regexp_destroy_one( int n )
{
ch_free( SaslRegexp[ n ].sr_match );
ch_free( SaslRegexp[ n ].sr_replace );
#ifndef SLAP_AUTH_REWRITE
regfree( &SaslRegexp[ n ].sr_workspace );
#endif /* ! SLAP_AUTH_REWRITE */
}
void
@ -1623,9 +1561,7 @@ slap_sasl_regexp_destroy( void )
nSaslRegexp = 0;
}
#ifdef SLAP_AUTH_REWRITE
slap_sasl_rewrite_destroy();
#endif /* SLAP_AUTH_REWRITE */
}
int slap_sasl_regexp_delete( int valx )
@ -1646,7 +1582,6 @@ int slap_sasl_regexp_delete( int valx )
SaslRegexp[ i ] = SaslRegexp[ i + 1 ];
}
#ifdef SLAP_AUTH_REWRITE
slap_sasl_rewrite_destroy();
for ( i = 0; i < nSaslRegexp; i++ ) {
rc = slap_sasl_regexp_rewrite_config( &sasl_rwinfo, "sasl-regexp", 0,
@ -1655,7 +1590,6 @@ int slap_sasl_regexp_delete( int valx )
AUTHID_CONTEXT );
assert( rc == 0 );
}
#endif /* SLAP_AUTH_REWRITE */
}
return rc;
@ -1689,60 +1623,6 @@ void slap_sasl_regexp_unparse( BerVarray *out )
*out = bva;
}
#ifndef SLAP_AUTH_REWRITE
/* Perform replacement on regexp matches */
static void slap_sasl_rx_exp(
const char *rep,
const int *off,
regmatch_t *str,
const char *saslname,
struct berval *out,
void *ctx )
{
int i, n, len, insert;
/* Get the total length of the final URI */
n=1;
len = 0;
while( off[n] >= 0 ) {
/* Len of next section from replacement string (x,y,z above) */
len += off[n] - off[n-1] - 2;
if( off[n+1] < 0)
break;
/* Len of string from saslname that matched next $i (b,d above) */
i = rep[ off[n] + 1 ] - '0';
len += str[i].rm_eo - str[i].rm_so;
n++;
}
out->bv_val = slap_sl_malloc( len + 1, ctx );
out->bv_len = len;
/* Fill in URI with replace string, replacing $i as we go */
n=1;
insert = 0;
while( off[n] >= 0) {
/* Paste in next section from replacement string (x,y,z above) */
len = off[n] - off[n-1] - 2;
strncpy( out->bv_val+insert, rep + off[n-1] + 2, len);
insert += len;
if( off[n+1] < 0)
break;
/* Paste in string from saslname that matched next $i (b,d above) */
i = rep[ off[n] + 1 ] - '0';
len = str[i].rm_eo - str[i].rm_so;
strncpy( out->bv_val+insert, saslname + str[i].rm_so, len );
insert += len;
n++;
}
out->bv_val[insert] = '\0';
}
#endif /* ! SLAP_AUTH_REWRITE */
/* Take the passed in SASL name and attempt to convert it into an
LDAP URI to find the matching LDAP entry, using the pattern matching
strings given in the saslregexp config file directive(s) */
@ -1750,7 +1630,6 @@ static void slap_sasl_rx_exp(
static int slap_authz_regexp( struct berval *in, struct berval *out,
int flags, void *ctx )
{
#ifdef SLAP_AUTH_REWRITE
const char *context = AUTHID_CONTEXT;
if ( sasl_rwinfo == NULL || BER_BVISNULL( in ) ) {
@ -1783,44 +1662,6 @@ static int slap_authz_regexp( struct berval *in, struct berval *out,
return 0;
}
#else /* ! SLAP_AUTH_REWRITE */
char *saslname = in->bv_val;
SaslRegexp_t *reg;
regmatch_t sr_strings[SASLREGEX_REPLACE]; /* strings matching $1,$2 ... */
int i;
memset( out, 0, sizeof( *out ) );
Debug( LDAP_DEBUG_TRACE, "slap_authz_regexp: converting SASL name %s\n",
saslname );
if (( saslname == NULL ) || ( nSaslRegexp == 0 )) {
return( 0 );
}
/* Match the normalized SASL name to the saslregexp patterns */
for( reg = SaslRegexp,i=0; i<nSaslRegexp; i++,reg++ ) {
if ( regexec( &reg->sr_workspace, saslname, SASLREGEX_REPLACE,
sr_strings, 0) == 0 )
break;
}
if( i >= nSaslRegexp ) return( 0 );
/*
* The match pattern may have been of the form "a(b.*)c(d.*)e" and the
* replace pattern of the form "x$1y$2z". The returned string needs
* to replace the $1,$2 with the strings that matched (b.*) and (d.*)
*/
slap_sasl_rx_exp( reg->sr_replace, reg->sr_offset,
sr_strings, saslname, out, ctx );
Debug( LDAP_DEBUG_TRACE,
"slap_authz_regexp: converted SASL name to %s\n",
BER_BVISEMPTY( out ) ? "" : out->bv_val );
return( 1 );
#endif /* ! SLAP_AUTH_REWRITE */
}
/* This callback actually does some work...*/
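Review bot: In `slap_sasl_regexp_delete`, the loop that rebuilds the rules after `slap_sasl_rewrite_destroy()` checks each `slap_sasl_regexp_rewrite_config()` result only with `assert( rc == 0 )`, and with the `#ifdef` gone this is the only code path. In an NDEBUG build a failed re-add is overwritten by the next iteration's `rc`, leaving `sasl_rwinfo` with a partial rule set while the function can still return success, so identity mapping for SASL binds would silently differ from the configured list; in a debug build the server aborts instead. Replace the assert with a real check such as `if ( rc != LDAP_SUCCESS ) break;`, then log the failing index and return the error. The function begins and ends outside the hunks shown.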


@ -80,10 +80,6 @@ LDAP_BEGIN_DECL
#define SLAP_STATS_ETIME 1 /* microsecond op timing */
#endif
#ifdef ENABLE_REWRITE
#define SLAP_AUTH_REWRITE 1 /* use librewrite for sasl-regexp */
#endif
/*
* SLAPD Memory allocation macros
*


@ -31,10 +31,8 @@
#include "ldap_rq.h"
#ifdef ENABLE_REWRITE
#include "rewrite.h"
#define SUFFIXM_CTX "<suffix massage>"
#endif
#ifdef LDAP_CONTROL_X_DIRSYNC
#define MSAD_DIRSYNC 0x04
@ -143,10 +141,8 @@ typedef struct syncinfo_s {
LDAP *si_ld;
Connection *si_conn;
LDAP_LIST_HEAD(np, nonpresent_entry) si_nonpresentlist;
#ifdef ENABLE_REWRITE
struct rewrite_info *si_rewrite;
struct berval si_suffixm;
#endif
#ifdef LDAP_CONTROL_X_DIRSYNC
struct berval si_dirSyncCookie;
#endif
@ -1980,7 +1976,6 @@ deleted:
return NULL;
}
#ifdef ENABLE_REWRITE
static int
syncrepl_rewrite_dn(
syncinfo_t *si,
@ -2013,12 +2008,6 @@ syncrepl_rewrite_dn(
syncrepl_rewrite_dn(si, &bv, &bv2); \
rc = dnPrettyNormal( NULL, bv2.bv_val ? &bv2 : &bv, &dn, &ndn, op->o_tmpmemctx ); \
ch_free(bv2.bv_val)
#else
#define REWRITE_VAL(si, ad, bv, bv2) ber_dupbv(&bv2, &bv)
#define REWRITE_DN(si, bv, bv2, dn, ndn) \
rc = dnPrettyNormal( NULL, &bv, &dn, &ndn, op->o_tmpmemctx )
#endif
static slap_verbmasks modops[] = {
{ BER_BVC("add"), LDAP_REQ_ADD },
@ -3092,7 +3081,6 @@ syncrepl_message_to_entry(
mod->sml_nvalues = NULL;
mod->sml_numvals = 0; /* slap_mods_check will set this */
#ifdef ENABLE_REWRITE
if (si->si_rewrite) {
AttributeDescription *ad = NULL;
slap_bv2ad( &tmp.sml_type, &ad, &text );
@ -3111,7 +3099,6 @@ syncrepl_message_to_entry(
}
}
}
#endif
*modtail = mod;
modtail = &mod->sml_next;
}
@ -3260,7 +3247,6 @@ syncrepl_dirsync_message(
mod->sml_type = ad->ad_cname;
if (( ad->ad_flags & SLAP_DESC_TAG_RANGE ) && rangeMod == NULL)
rangeMod = mod;
#ifdef ENABLE_REWRITE
if (si->si_rewrite) {
if ( ad->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) {
int i;
@ -3273,7 +3259,6 @@ syncrepl_dirsync_message(
}
}
}
#endif
if ( mod->sml_desc == sy_ad_objectGUID ) {
ber_dupbv_x( &syncUUID[0], &tmp.sml_values[0], op->o_tmpmemctx );
/* syncUUID[0] is normalized UUID received over the wire
@ -3761,12 +3746,10 @@ syncrepl_entry(
op->ors_deref = LDAP_DEREF_NEVER;
/* get the entry for this UUID */
#ifdef ENABLE_REWRITE
if ( si->si_rewrite ) {
op->o_req_dn = si->si_suffixm;
op->o_req_ndn = si->si_suffixm;
} else
#endif
{
op->o_req_dn = si->si_base;
op->o_req_ndn = si->si_base;
@ -4283,12 +4266,10 @@ syncrepl_del_nonpresent(
struct berval pdn = BER_BVNULL;
struct berval csn;
#ifdef ENABLE_REWRITE
if ( si->si_rewrite ) {
op->o_req_dn = si->si_suffixm;
op->o_req_ndn = si->si_suffixm;
} else
#endif
{
op->o_req_dn = si->si_base;
op->o_req_ndn = si->si_base;
@ -5601,18 +5582,15 @@ syncinfo_free( syncinfo_t *sie, int free_all )
ch_free( sie->si_cookieState );
}
}
#ifdef ENABLE_REWRITE
if ( sie->si_rewrite )
rewrite_info_delete( &sie->si_rewrite );
if ( sie->si_suffixm.bv_val )
ch_free( sie->si_suffixm.bv_val );
#endif
ch_free( sie );
sie = si_next;
} while ( free_all && si_next );
}
#ifdef ENABLE_REWRITE
static int
config_suffixm( ConfigArgs *c, syncinfo_t *si )
{
@ -5649,7 +5627,6 @@ config_suffixm( ConfigArgs *c, syncinfo_t *si )
ch_free( rnc );
return rc;
}
#endif
/* NOTE: used & documented in slapd.conf(5) */
#define IDSTR "rid"
@ -5896,7 +5873,6 @@ parse_syncrepl_line(
return -1;
}
si->si_got |= GOT_SEARCHBASE;
#ifdef ENABLE_REWRITE
} else if ( !strncasecmp( c->argv[ i ], SUFFIXMSTR "=",
STRLENOF( SUFFIXMSTR "=" ) ) )
{
@ -5926,7 +5902,6 @@ parse_syncrepl_line(
return -1;
}
si->si_got |= GOT_SUFFIXM;
#endif
} else if ( !strncasecmp( c->argv[ i ], LOGBASESTR "=",
STRLENOF( LOGBASESTR "=" ) ) )
{
@ -6231,7 +6206,6 @@ parse_syncrepl_line(
return -1;
}
#ifdef ENABLE_REWRITE
if ( si->si_got & GOT_SUFFIXM ) {
if (config_suffixm( c, si )) {
ch_free( si->si_suffixm.bv_val );
@ -6242,7 +6216,6 @@ parse_syncrepl_line(
return -1;
}
}
#endif
if ( !( si->si_got & GOT_RETRY ) ) {
Debug( LDAP_DEBUG_ANY, "syncrepl %s " SEARCHBASESTR "=\"%s\": no retry defined, using default\n",
@ -6480,14 +6453,12 @@ syncrepl_unparse( syncinfo_t *si, struct berval *bv )
ptr = lutil_strcopy( ptr, si->si_base.bv_val );
*ptr++ = '"';
}
#ifdef ENABLE_REWRITE
if ( !BER_BVISNULL( &si->si_suffixm ) ) {
if ( WHATSLEFT <= STRLENOF( " " SUFFIXMSTR "=\"" "\"" ) + si->si_suffixm.bv_len ) return;
ptr = lutil_strcopy( ptr, " " SUFFIXMSTR "=\"" );
ptr = lutil_strcopy( ptr, si->si_suffixm.bv_val );
*ptr++ = '"';
}
#endif
if ( !BER_BVISEMPTY( &si->si_logfilterstr ) ) {
if ( WHATSLEFT <= STRLENOF( " " LOGFILTERSTR "=\"" "\"" ) + si->si_logfilterstr.bv_len ) return;
ptr = lutil_strcopy( ptr, " " LOGFILTERSTR "=\"" );
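Review bot: The `REWRITE_DN` macro kept after `syncrepl_rewrite_dn` expands to three bare statements (`syncrepl_rewrite_dn(si, &bv, &bv2); rc = dnPrettyNormal(...); ch_free(bv2.bv_val)`), so an unbraced `if` or `else` at a call site would govern only the first one. Now that this is the sole definition, wrap the body in `do { ... } while (0)`. The macro also drops the int result of `syncrepl_rewrite_dn` and relies on `rc` and `op` from the caller's scope, which deserves a comment above it such as `/* uses caller's rc and op; frees bv2.bv_val */`. The macro's `#define` line is outside the hunk.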


@ -59,7 +59,6 @@ AC_WITH_TLS=@WITH_TLS@
AC_TLS_TYPE=@WITH_TLS_TYPE@
AC_WITH_MODULES_ENABLED=@WITH_MODULES_ENABLED@
AC_ACI_ENABLED=aci@WITH_ACI_ENABLED@
AC_REWRITE=@BUILD_REWRITE@
AC_THREADS=threads@BUILD_THREAD@
AC_LIBS_DYNAMIC=lib@BUILD_LIBS_DYNAMIC@
@ -78,7 +77,7 @@ export AC_ldap AC_mdb AC_meta AC_asyncmeta AC_monitor AC_null AC_relay AC_sql \
AC_refint AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \
AC_valsort \
AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED AC_ACI_ENABLED \
AC_REWRITE AC_THREADS AC_LIBS_DYNAMIC AC_WITH_TLS AC_TLS_TYPE
AC_THREADS AC_LIBS_DYNAMIC AC_WITH_TLS AC_TLS_TYPE
if test ! -x ../servers/slapd/slapd ; then
echo "Could not locate slapd(8)"


@ -51,7 +51,6 @@ WITH_TLS=${AC_WITH_TLS-no}
WITH_TLS_TYPE=${AC_TLS_TYPE-no}
ACI=${AC_ACI_ENABLED-acino}
REWRITE=${AC_REWRITE-no}
THREADS=${AC_THREADS-threadsno}
SLEEP0=${SLEEP0-1}
SLEEP1=${SLEEP1-7}


@ -368,180 +368,179 @@ fi
echo
if test $REWRITE = yes; then
echo "Initializing olcAuthIDRewrite engine..."
$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
echo "Initializing olcAuthIDRewrite engine..."
$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: cn=config
changetype: modify
add: olcAuthIDRewrite
olcAuthIDRewrite: rewriteEngine ON
olcAuthIDRewrite: rewriteContext authid
EOF
RC=$?
if test $RC != 0; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
RC=$?
if test $RC != 0; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo
echo
echo "Adding olcAuthIDRewrite rule for static mapping..."
$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
echo "Adding olcAuthIDRewrite rule for static mapping..."
$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: cn=config
changetype: modify
add: olcAuthIDRewrite
olcAuthIDRewrite: rewriteRule uid=manager,cn=[^,]+,cn=auth $MANAGERDN :
EOF
RC=$?
if test $RC != 0; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
RC=$?
if test $RC != 0; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=Manager
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=Manager
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo
echo
echo "Adding olcAuthIDRewrite rule to search by uid..."
$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
echo "Adding olcAuthIDRewrite rule to search by uid..."
$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: cn=config
changetype: modify
add: olcAuthIDRewrite
olcAuthIDRewrite: rewriteRule uid=([^,]+),cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=\$1) :
EOF
RC=$?
if test $RC != 0; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
RC=$?
if test $RC != 0; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=Manager
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=Manager
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=bjensen
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=bjensen
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo
echo
echo "Inserting olcAuthIDRewrite rule before the last..."
$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
echo "Inserting olcAuthIDRewrite rule before the last..."
$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: cn=config
changetype: modify
add: olcAuthIDRewrite
olcAuthIDRewrite: {3}rewriteRule uid=babs,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjensen) :
EOF
RC=$?
if test $RC != 0; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
RC=$?
if test $RC != 0; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=Manager
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=Manager
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=babs
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjensen
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=babs
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjensen
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=bjensen
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=bjensen
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo
echo
echo "Deleting the first olcAuthIDRewrite rule..."
$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
echo "Deleting the first olcAuthIDRewrite rule..."
$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: cn=config
changetype: modify
delete: olcAuthIDRewrite
olcAuthIDRewrite: {2}
EOF
RC=$?
if test $RC != 0; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
RC=$?
if test $RC != 0; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=Manager
echo "Testing ldapwhoami as $ID (should fail)..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD
RC=$?
if test $RC != 49; then
echo "ldapwhoami unexpected result ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=Manager
echo "Testing ldapwhoami as $ID (should fail)..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $PASSWD
RC=$?
if test $RC != 49; then
echo "ldapwhoami unexpected result ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=babs
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjensen
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=babs
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjensen
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=bjensen
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=bjensen
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo
echo
echo "Updating an olcAuthIDRewrite rule in place..."
$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
echo "Updating an olcAuthIDRewrite rule in place..."
$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: cn=config
changetype: modify
delete: olcAuthIDRewrite
@ -550,74 +549,70 @@ olcAuthIDRewrite: {2}
add: olcAuthIDRewrite
olcAuthIDRewrite: {2}rewriteRule uid=biff,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjorn) :
EOF
RC=$?
if test $RC != 0; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
RC=$?
if test $RC != 0; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=babs
echo "Testing ldapwhoami as $ID (should fail)..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjensen
RC=$?
if test $RC != 49; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=babs
echo "Testing ldapwhoami as $ID (should fail)..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjensen
RC=$?
if test $RC != 49; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=biff
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjorn
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=biff
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w bjorn
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=bjensen
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=bjensen
echo "Testing ldapwhoami as $ID..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID
RC=$?
if test $RC != 0; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo
echo
echo "Deleting all olcAuthIDRewrite rules..."
$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
echo "Deleting all olcAuthIDRewrite rules..."
$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1
dn: cn=config
changetype: modify
delete: olcAuthIDRewrite
EOF
RC=$?
if test $RC != 0; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=bjensen
echo "Testing ldapwhoami as $ID (should fail)..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID
RC=$?
if test $RC != 49; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo
else
echo "librewrite not enabled, skipping olcAuthIDRewrite tests"
RC=$?
if test $RC != 0; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
ID=bjensen
echo "Testing ldapwhoami as $ID (should fail)..."
$LDAPSASLWHOAMI -H $URI1 -Y $MECH -U $ID -w $ID
RC=$?
if test $RC != 49; then
echo "ldapwhoami failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo
test $KILLSERVERS != no && kill -HUP $KILLPIDS
echo ">>>>> Test succeeded"
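Review bot: The negative checks of the form `if test $RC != 49; then ... exit $RC` exit with status 0 when ldapwhoami unexpectedly succeeds. They are used for Manager after the first rule is deleted, for babs after the in-place update, and for bjensen after all rules are removed. An accepted bind that should have been refused with result 49 is exactly what these checks exist to catch, yet the script would presumably report it to its caller as a pass. Add `test $RC = 0 && RC=1` before `exit $RC` in each of those three blocks. Two of them also print "ldapwhoami failed" where the first prints "ldapwhoami unexpected result", which is the clearer message for this branch.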