Merge ~sergiodj/ubuntu/+source/openldap:mre-2.5.12-JAMMY into ubuntu/+source/openldap:ubuntu/jammy-devel
- Git
- lp:~sergiodj/ubuntu/+source/openldap
- mre-2.5.12-JAMMY
- Merge into ubuntu/jammy-devel
Status: | Superseded |
---|---|
Proposed branch: | ~sergiodj/ubuntu/+source/openldap:mre-2.5.12-JAMMY |
Merge into: | ubuntu/+source/openldap:ubuntu/jammy-devel |
Diff against target: |
1976 lines (+489/-393) 36 files modified
CHANGES (+30/-0) build/dir.mk (+5/-5) build/version.var (+4/-4) contrib/slapd-modules/vc/vc.c (+2/-4) debian/changelog (+14/-0) debian/patches/series (+0/-1) dev/null (+0/-274) doc/guide/admin/guide.html (+1/-1) doc/man/man3/ldap_get_option.3 (+22/-1) doc/man/man5/slapd-config.5 (+2/-3) doc/man/man5/slapd.conf.5 (+2/-3) include/ldap_pvt.h (+2/-2) libraries/libldap/ldif.c (+5/-0) libraries/libldap/result.c (+10/-4) libraries/libldap/tls_o.c (+4/-0) servers/slapd/back-asyncmeta/add.c (+1/-0) servers/slapd/back-asyncmeta/config.c (+5/-3) servers/slapd/back-asyncmeta/meta_result.c (+11/-4) servers/slapd/back-asyncmeta/search.c (+1/-0) servers/slapd/back-ldap/config.c (+5/-3) servers/slapd/back-mdb/monitor.c (+2/-1) servers/slapd/back-meta/config.c (+17/-13) servers/slapd/back-sql/search.c (+105/-18) servers/slapd/bconfig.c (+24/-7) servers/slapd/connection.c (+10/-8) servers/slapd/daemon.c (+13/-1) servers/slapd/overlays/dynlist.c (+7/-4) servers/slapd/overlays/pcache.c (+3/-2) servers/slapd/overlays/ppolicy.c (+12/-8) servers/slapd/overlays/syncprov.c (+1/-0) servers/slapd/overlays/translucent.c (+23/-1) servers/slapd/proto-slap.h (+1/-0) servers/slapd/syncrepl.c (+122/-18) tests/data/dynlist.out (+4/-0) tests/scripts/test034-translucent (+8/-0) tests/scripts/test044-dynlist (+11/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
git-ubuntu bot | Approve | ||
Athos Ribeiro (community) | Approve | ||
Canonical Server | Pending | ||
Canonical Server packageset reviewers | Pending | ||
Review via email: mp+424341@code.launchpad.net |
This proposal has been superseded by a proposal from 2022-06-13.
Commit message
Description of the change
This is the (first) MRE for OpenLDAP 2.5.12 targeting Jammy.
Usually, what we do for our MREs (I'm thinking about the postgresql-* ones) is to grab the upstream tarball directly and just explode it on top of the existing source package, and then update d/changelog accordingly. For OpenLDAP, though, I had another option: I could merge directly from Debian, since they are already carrying 2.5.12 there. After thinking a bit about it and talking to Andreas on the channel, I decided to do the latter. This is why you will find entries for the Debian OpenLDAP 2.5.12 package in the changelog, for example.
Just as a reminder, upstream considers the 2.5.x series to be their LTS, so every minor release contains only bugfixes and no new features. This is perfect for MREs, of course.
You can take a look at upstream's CHANGES file if you'd like to check the bugs that have been fixed by this release:
https:/
It's always a somewhat subjective task to come up with good/important bugs to mention in the changelog entry for an MRE; I did my best here, but I'm open to suggestions, of course. Other than that, everything else is pretty much as you would expect from an MRE.
There is a bileto ticket where you can find a PPA with the built package plus all of the dep8 results for OpenLDAP's reverse deps:
https:/
Do note that currently the apache2 dep8 tests are always failing. I will open a bug to keep track of this issue, but it won't affect this MRE because migration-
I will post the dep8 test results for the OpenLDAP package as soon as I have them.
Sergio Durigan Junior (sergiodj) wrote : | # |
Sergio Durigan Junior (sergiodj) wrote : | # |
Something I forgot to mention: this merge was done against the pkg/import/
Athos Ribeiro (athos-ribeiro) wrote : | # |
This LGTM.
There is one space in line 2 of the changelog that would be nice to remove before uploading.
As for the changelog entries, I understand you put a lot of effort into filtering what should be added. Still, I believe we could come up with some algorithm for that. For instance, only including mentions to CVEs or bugs set to high in the upstream bug tracker. All the entries are in the upstream changelog anyway and it is being referenced in the package chagelog.
I also see you decided to pick debian's 2.5.12+dfsg-1 release instead of 2.5.12+dfsg-2 as a base for the merge.
It was nice of you to reduce the amount of changes introduced in the MRE. You also explained offline that this specific change was only needed in debian since Ubuntu already has a fix in debconf. However, the next steps here would be to move this changes from Ubuntu to Debian to consolidate them there before the next MRE to avoid complications in a possible following merge.
Finally, since this was a merge from a specific Debian commit, I was wondering why you decided not to include a remaining changes section. It should be fine not to have one since this is not a traditional merge, but an MRE. Still, it would be nice to document "how developers should do things" in the MRE documentation page.
Sergio Durigan Junior (sergiodj) wrote : | # |
> This LGTM.
Thanks for the review, Athos.
> There is one space in line 2 of the changelog that would be nice to remove before uploading.
Ops, indeed. Fixed.
> As for the changelog entries, I understand you put a lot of effort
> into filtering what should be added. Still, I believe we could come up
> with some algorithm for that. For instance, only including mentions to
> CVEs or bugs set to high in the upstream bug tracker. All the entries
> are in the upstream changelog anyway and it is being referenced in the
> package chagelog.
Yes, agreed. I thought about only mentioning the CVE issue, but that's
moot since it's already been addressed by the Security team in a
previous upload. I revisited the bugs fixed in this release and the
only one marked as high priority is this:
https:/
I don't know if upstream worries too much about setting bug priorities
or not, so maybe we can't rely on this parameter.
I don't have a good answer for how to approach this problem right now.
For that reason, I'm going to postpone uploading this package until next
week.
> I also see you decided to pick debian's 2.5.12+dfsg-1 release instead of 2.5.12+dfsg-2 as a base for the merge.
> It was nice of you to reduce the amount of changes introduced in the
> MRE. You also explained offline that this specific change was only
> needed in debian since Ubuntu already has a fix in debconf. However,
> the next steps here would be to move this changes from Ubuntu to
> Debian to consolidate them there before the next MRE to avoid
> complications in a possible following merge.
Absolutely.
Dave Jones is already taking care of that here:
https:/
https:/
> Finally, since this was a merge from a specific Debian commit, I was
> wondering why you decided not to include a remaining changes
> section. It should be fine not to have one since this is not a
> traditional merge, but an MRE. Still, it would be nice to document
> "how developers should do things" in the MRE documentation page.
Thanks for bringing this up. This prompted me into thinking more about
the changelog entry, and then I realized a misconception I was having
about the MRE.
Initially I thought that openldap was "special" because, aside from
doing the MRE the "standard way" (i.e., just grab the upstream tarball
and update the source package by hand with it), we could also merge the
package from Debian because they are also planning to stick with the
2.5.x series.
However, I noticed that openldap 2.5.x is actually just postgresql-14
right now: both packages get uploaded to Debian unstable as soon as
there's a new upstream microrelease. For postgresql-14, we do our MREs
*without* merging the Debian package. So I now believe that we should
do the same for openldap.
This would actually have a few benefits. The first is that the MRE is
much easier: we really just need to grab the tarball and explode it on
top of the current version of the source package, then update the
patches and write a changelog entry for it. The second benefit is that
we won't need...
Athos Ribeiro (athos-ribeiro) wrote : | # |
Ack!
Thanks for the thorough reply :)
- 8174743... by Sergio Durigan Junior
-
New upstream version 2.5.12+dfsg
- 7ec8d25... by Sergio Durigan Junior
-
d/p/CVE-
2022-29155. patch: Dropped patch; included in this new upstream version. - c185122... by Sergio Durigan Junior
-
changelog
git-ubuntu bot (git-ubuntu-bot) wrote : | # |
Approvers: sergiodj, athos-ribeiro
Uploaders: sergiodj, athos-ribeiro
MP auto-approved
Unmerged commits
- c185122... by Sergio Durigan Junior
-
changelog
- 7ec8d25... by Sergio Durigan Junior
-
d/p/CVE-
2022-29155. patch: Dropped patch; included in this new upstream version. - 8174743... by Sergio Durigan Junior
-
New upstream version 2.5.12+dfsg
Preview Diff
1 | diff --git a/CHANGES b/CHANGES |
2 | index c9ce92c..d8092be 100644 |
3 | --- a/CHANGES |
4 | +++ b/CHANGES |
5 | @@ -1,5 +1,35 @@ |
6 | OpenLDAP 2.5 Change Log |
7 | |
8 | +OpenLDAP 2.5.12 Release (2022/05/04) |
9 | + Fixed libldap to drop connection when non-LDAP data is received (ITS#9803) |
10 | + Fixed libldap to allow newlines at end of included file (ITS#9811) |
11 | + Fixed slapd slaptest conversion of olcLastBind (ITS#9808) |
12 | + Fixed slapd usage of thread local counters (ITS#9789) |
13 | + Fixed slapd to clear runqueue task correctly (ITS#9785) |
14 | + Fixed slapd idletimeout handling (ITS#9820) |
15 | + Fixed slapd bconfig locking for cn=config replication (ITS#9584) |
16 | + Fixed slapd syncrepl handling of new sessions (ITS#9584) |
17 | + Fixed slapd to clear connections on bind (ITS#9799) |
18 | + Fixed slapd to correctly advance connections index (ITS#9831) |
19 | + Fixed slapd syncrepl ODSEE replication of unknown attr (ITS#9801) |
20 | + Fixed slapd-asyncmeta memory leak in keepalive setting (ITS#9802) |
21 | + Fixed slapd-ldap memory leak in keepalive setting (ITS#9802) |
22 | + Fixed slapd-meta SEGV on config rewrite (ITS#9802) |
23 | + Fixed slapd-meta ordering on config rewrite (ITS#9802) |
24 | + Fixed slapd-meta memory leak in keepalive setting (ITS#9802) |
25 | + Fixed slapd-monitor SEGV on shutdown (ITS#9809) |
26 | + Fixed slapd-sql to properly escape filter value (ITS#9815) |
27 | + Fixed slapo-dynlist dynamic group regression (ITS#9825) |
28 | + Fixed slapo-pcache SEGV on shutdown (ITS#9809) |
29 | + Fixed slapo-ppolicy operation handling to be consistent (ITS#9794) |
30 | + Fixed slapo-translucent to correctly duplicate substring filters (ITS#9818) |
31 | + Build Environment |
32 | + Fix compilation with openssl exclusions (ITS#9791) |
33 | + Fix warnings from make jobserver (ITS#9788) |
34 | + Fix compiliation with certain versions of gcc (ITS#9790) |
35 | + Documentation |
36 | + Fixed slapd.conf(5)/slapd-config(5) syncrepl sizelimit/timelimit documentation (ITS#9804) |
37 | + |
38 | OpenLDAP 2.5.11 Release (2022/01/20) |
39 | Fix broken build release variable |
40 | |
41 | diff --git a/build/dir.mk b/build/dir.mk |
42 | index a73c6b8..e42406b 100644 |
43 | --- a/build/dir.mk |
44 | +++ b/build/dir.mk |
45 | @@ -21,7 +21,7 @@ all-common: FORCE |
46 | @echo "Making all in `$(PWD)`" |
47 | @for i in $(SUBDIRS) $(ALLDIRS); do \ |
48 | echo " Entering subdirectory $$i"; \ |
49 | - ( cd $$i && $(MAKE) $(MFLAGS) all ); \ |
50 | + ( cd $$i && $(MAKE) all ); \ |
51 | if test $$? != 0 ; then exit 1; fi ; \ |
52 | echo " "; \ |
53 | done |
54 | @@ -30,7 +30,7 @@ install-common: FORCE |
55 | @echo "Making install in `$(PWD)`" |
56 | @for i in $(SUBDIRS) $(INSTALLDIRS); do \ |
57 | echo " Entering subdirectory $$i"; \ |
58 | - ( cd $$i && $(MAKE) $(MFLAGS) install ); \ |
59 | + ( cd $$i && $(MAKE) install ); \ |
60 | if test $$? != 0 ; then exit 1; fi ; \ |
61 | echo " "; \ |
62 | done |
63 | @@ -39,7 +39,7 @@ clean-common: FORCE |
64 | @echo "Making clean in `$(PWD)`" |
65 | @for i in $(SUBDIRS) $(CLEANDIRS); do \ |
66 | echo " Entering subdirectory $$i"; \ |
67 | - ( cd $$i && $(MAKE) $(MFLAGS) clean ); \ |
68 | + ( cd $$i && $(MAKE) clean ); \ |
69 | if test $$? != 0 ; then exit 1; fi ; \ |
70 | echo " "; \ |
71 | done |
72 | @@ -48,7 +48,7 @@ veryclean-common: FORCE |
73 | @echo "Making veryclean in `$(PWD)`" |
74 | @for i in $(SUBDIRS) $(CLEANDIRS); do \ |
75 | echo " Entering subdirectory $$i"; \ |
76 | - ( cd $$i && $(MAKE) $(MFLAGS) veryclean ); \ |
77 | + ( cd $$i && $(MAKE) veryclean ); \ |
78 | if test $$? != 0 ; then exit 1; fi ; \ |
79 | echo " "; \ |
80 | done |
81 | @@ -57,7 +57,7 @@ depend-common: FORCE |
82 | @echo "Making depend in `$(PWD)`" |
83 | @for i in $(SUBDIRS) $(DEPENDDIRS); do \ |
84 | echo " Entering subdirectory $$i"; \ |
85 | - ( cd $$i && $(MAKE) $(MFLAGS) depend ); \ |
86 | + ( cd $$i && $(MAKE) depend ); \ |
87 | if test $$? != 0 ; then exit 1; fi ; \ |
88 | echo " "; \ |
89 | done |
90 | diff --git a/build/version.var b/build/version.var |
91 | index e547d3d..df94973 100644 |
92 | --- a/build/version.var |
93 | +++ b/build/version.var |
94 | @@ -15,9 +15,9 @@ |
95 | ol_package=OpenLDAP |
96 | ol_major=2 |
97 | ol_minor=5 |
98 | -ol_patch=11 |
99 | -ol_api_inc=20511 |
100 | +ol_patch=12 |
101 | +ol_api_inc=20512 |
102 | ol_api_current=1 |
103 | -ol_api_revision=6 |
104 | +ol_api_revision=7 |
105 | ol_api_age=1 |
106 | -ol_release_date="2022/01/20" |
107 | +ol_release_date="2022/05/04" |
108 | diff --git a/contrib/slapd-modules/vc/vc.c b/contrib/slapd-modules/vc/vc.c |
109 | index 2039556..0760af2 100644 |
110 | --- a/contrib/slapd-modules/vc/vc.c |
111 | +++ b/contrib/slapd-modules/vc/vc.c |
112 | @@ -289,16 +289,14 @@ vc_exop( |
113 | goto done; |
114 | } |
115 | conn->refcnt++; |
116 | + operation_counter_init( conn->op, op->o_threadctx ); |
117 | ldap_pvt_thread_mutex_unlock( &vc_mutex ); |
118 | |
119 | } else { |
120 | - void *thrctx; |
121 | - |
122 | conn = (vc_conn_t *)SLAP_CALLOC( 1, sizeof( vc_conn_t ) ); |
123 | conn->refcnt = 1; |
124 | |
125 | - thrctx = ldap_pvt_thread_pool_context(); |
126 | - connection_fake_init2( &conn->connbuf, &conn->opbuf, thrctx, 0 ); |
127 | + connection_fake_init2( &conn->connbuf, &conn->opbuf, op->o_threadctx, 0 ); |
128 | conn->op = &conn->opbuf.ob_op; |
129 | snprintf( conn->op->o_log_prefix, sizeof( conn->op->o_log_prefix ), |
130 | "%s VERIFYCREDENTIALS", op->o_log_prefix ); |
131 | diff --git a/debian/changelog b/debian/changelog |
132 | index 8fc3770..4c4b66d 100644 |
133 | --- a/debian/changelog |
134 | +++ b/debian/changelog |
135 | @@ -1,3 +1,17 @@ |
136 | +openldap (2.5.12+dfsg-0ubuntu0.22.04.1) jammy; urgency=medium |
137 | + |
138 | + * New upstream version (LP: #1977627). |
139 | + - Fixed slapd syncrepl handling of new sessions (ITS#9584) |
140 | + - Fixed slapd-sql to properly escape filter value (ITS#9815) |
141 | + (CVE-2022-29155) |
142 | + [ Already included in 2.5.11+dfsg-1~exp1ubuntu3.1 ] |
143 | + - More details about this release can be found at: |
144 | + https://git.openldap.org/openldap/openldap/-/blob/2bda1fa98fbcedc6cd5995ea905427b8bef89f9d/CHANGES |
145 | + * d/p/CVE-2022-29155.patch: Dropped patch; included in this new upstream |
146 | + version. |
147 | + |
148 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 13 Jun 2022 13:19:52 -0400 |
149 | + |
150 | openldap (2.5.11+dfsg-1~exp1ubuntu3.1) jammy-security; urgency=medium |
151 | |
152 | * SECURITY UPDATE: SQL injection in experimental back-sql backend |
153 | diff --git a/debian/patches/CVE-2022-29155.patch b/debian/patches/CVE-2022-29155.patch |
154 | deleted file mode 100644 |
155 | index 5f81868..0000000 |
156 | --- a/debian/patches/CVE-2022-29155.patch |
157 | +++ /dev/null |
158 | @@ -1,274 +0,0 @@ |
159 | -From 40f3ae4f5c9a8baf75b237220f62c436a571d66e Mon Sep 17 00:00:00 2001 |
160 | -From: Howard Chu <hyc@openldap.org> |
161 | -Date: Wed, 23 Mar 2022 12:43:31 +0000 |
162 | -Subject: [PATCH] ITS#9815 slapd-sql: escape filter values |
163 | - |
164 | -Escape filter values to slapd-sql (CVE-2022-29155) |
165 | ---- |
166 | - servers/slapd/back-sql/search.c | 123 +++++++++++++++++++++++++++----- |
167 | - 1 file changed, 105 insertions(+), 18 deletions(-) |
168 | - |
169 | -diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c |
170 | -index 2168a1553b..d4177f6292 100644 |
171 | ---- a/servers/slapd/back-sql/search.c |
172 | -+++ b/servers/slapd/back-sql/search.c |
173 | -@@ -63,6 +63,38 @@ static void send_paged_response( |
174 | - ID *lastid ); |
175 | - #endif /* ! BACKSQL_ARBITRARY_KEY */ |
176 | - |
177 | -+/* Look for chars that need to be escaped, return count of them. |
178 | -+ * If out is non-NULL, copy escape'd val to it. |
179 | -+ */ |
180 | -+static int |
181 | -+backsql_val_escape( Operation *op, struct berval *in, struct berval *out ) |
182 | -+{ |
183 | -+ char *ptr, *end; |
184 | -+ int q = 0; |
185 | -+ |
186 | -+ ptr = in->bv_val; |
187 | -+ end = ptr + in->bv_len; |
188 | -+ while (ptr < end) { |
189 | -+ if ( *ptr == '\'' ) |
190 | -+ q++; |
191 | -+ ptr++; |
192 | -+ } |
193 | -+ if ( q && out ) { |
194 | -+ char *dst; |
195 | -+ out->bv_len = in->bv_len + q; |
196 | -+ out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx ); |
197 | -+ ptr = in->bv_val; |
198 | -+ dst = out->bv_val; |
199 | -+ while (ptr < end ) { |
200 | -+ if ( *ptr == '\'' ) |
201 | -+ *dst++ = '\''; |
202 | -+ *dst++ = *ptr++; |
203 | -+ } |
204 | -+ *dst = '\0'; |
205 | -+ } |
206 | -+ return q; |
207 | -+} |
208 | -+ |
209 | - static int |
210 | - backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad ) |
211 | - { |
212 | -@@ -429,6 +461,8 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, |
213 | - backsql_info *bi = (backsql_info *)bsi->bsi_op->o_bd->be_private; |
214 | - int i; |
215 | - int casefold = 0; |
216 | -+ int escaped = 0; |
217 | -+ struct berval escval, *fvalue; |
218 | - |
219 | - if ( !f ) { |
220 | - return 0; |
221 | -@@ -462,50 +496,68 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, |
222 | - |
223 | - BER_BVZERO( &bv ); |
224 | - if ( f->f_sub_initial.bv_val ) { |
225 | -- bv.bv_len += f->f_sub_initial.bv_len; |
226 | -+ bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL ); |
227 | - } |
228 | - if ( f->f_sub_any != NULL ) { |
229 | - for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) { |
230 | -- bv.bv_len += f->f_sub_any[ a ].bv_len; |
231 | -+ bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL ); |
232 | - } |
233 | - } |
234 | - if ( f->f_sub_final.bv_val ) { |
235 | -- bv.bv_len += f->f_sub_final.bv_len; |
236 | -+ bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL ); |
237 | - } |
238 | - bv.bv_len = 2 * bv.bv_len - 1; |
239 | - bv.bv_val = ch_malloc( bv.bv_len + 1 ); |
240 | - |
241 | - s = 0; |
242 | - if ( !BER_BVISNULL( &f->f_sub_initial ) ) { |
243 | -- bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ]; |
244 | -- for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) { |
245 | -+ fvalue = &f->f_sub_initial; |
246 | -+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); |
247 | -+ if ( escaped ) |
248 | -+ fvalue = &escval; |
249 | -+ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; |
250 | -+ for ( i = 1; i < fvalue->bv_len; i++ ) { |
251 | - bv.bv_val[ s + 2 * i - 1 ] = '%'; |
252 | -- bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ]; |
253 | -+ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; |
254 | - } |
255 | - bv.bv_val[ s + 2 * i - 1 ] = '%'; |
256 | - s += 2 * i; |
257 | -+ if ( escaped ) |
258 | -+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); |
259 | - } |
260 | - |
261 | - if ( f->f_sub_any != NULL ) { |
262 | - for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) { |
263 | -- bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ]; |
264 | -- for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) { |
265 | -+ fvalue = &f->f_sub_any[ a ]; |
266 | -+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); |
267 | -+ if ( escaped ) |
268 | -+ fvalue = &escval; |
269 | -+ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; |
270 | -+ for ( i = 1; i < fvalue->bv_len; i++ ) { |
271 | - bv.bv_val[ s + 2 * i - 1 ] = '%'; |
272 | -- bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ]; |
273 | -+ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; |
274 | - } |
275 | - bv.bv_val[ s + 2 * i - 1 ] = '%'; |
276 | - s += 2 * i; |
277 | -+ if ( escaped ) |
278 | -+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); |
279 | - } |
280 | - } |
281 | - |
282 | - if ( !BER_BVISNULL( &f->f_sub_final ) ) { |
283 | -- bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ]; |
284 | -- for ( i = 1; i < f->f_sub_final.bv_len; i++ ) { |
285 | -+ fvalue = &f->f_sub_final; |
286 | -+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); |
287 | -+ if ( escaped ) |
288 | -+ fvalue = &escval; |
289 | -+ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; |
290 | -+ for ( i = 1; i < fvalue->bv_len; i++ ) { |
291 | - bv.bv_val[ s + 2 * i - 1 ] = '%'; |
292 | -- bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ]; |
293 | -+ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; |
294 | - } |
295 | -- bv.bv_val[ s + 2 * i - 1 ] = '%'; |
296 | -+ bv.bv_val[ s + 2 * i - 1 ] = '%'; |
297 | - s += 2 * i; |
298 | -+ if ( escaped ) |
299 | -+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); |
300 | - } |
301 | - |
302 | - bv.bv_val[ s - 1 ] = '\0'; |
303 | -@@ -561,11 +613,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, |
304 | - f->f_sub_initial.bv_val ); |
305 | - #endif /* BACKSQL_TRACE */ |
306 | - |
307 | -+ fvalue = &f->f_sub_initial; |
308 | -+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); |
309 | -+ if ( escaped ) |
310 | -+ fvalue = &escval; |
311 | - start = bsi->bsi_flt_where.bb_val.bv_len; |
312 | - backsql_strfcat_x( &bsi->bsi_flt_where, |
313 | - bsi->bsi_op->o_tmpmemctx, |
314 | - "b", |
315 | -- &f->f_sub_initial ); |
316 | -+ fvalue ); |
317 | -+ if ( escaped ) |
318 | -+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); |
319 | - if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { |
320 | - ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] ); |
321 | - } |
322 | -@@ -586,12 +644,18 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, |
323 | - i, f->f_sub_any[ i ].bv_val ); |
324 | - #endif /* BACKSQL_TRACE */ |
325 | - |
326 | -+ fvalue = &f->f_sub_any[ i ]; |
327 | -+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); |
328 | -+ if ( escaped ) |
329 | -+ fvalue = &escval; |
330 | - start = bsi->bsi_flt_where.bb_val.bv_len; |
331 | - backsql_strfcat_x( &bsi->bsi_flt_where, |
332 | - bsi->bsi_op->o_tmpmemctx, |
333 | - "bc", |
334 | -- &f->f_sub_any[ i ], |
335 | -+ fvalue, |
336 | - '%' ); |
337 | -+ if ( escaped ) |
338 | -+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); |
339 | - if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { |
340 | - /* |
341 | - * Note: toupper('%') = '%' |
342 | -@@ -611,11 +675,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, |
343 | - f->f_sub_final.bv_val ); |
344 | - #endif /* BACKSQL_TRACE */ |
345 | - |
346 | -+ fvalue = &f->f_sub_final; |
347 | -+ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); |
348 | -+ if ( escaped ) |
349 | -+ fvalue = &escval; |
350 | - start = bsi->bsi_flt_where.bb_val.bv_len; |
351 | - backsql_strfcat_x( &bsi->bsi_flt_where, |
352 | - bsi->bsi_op->o_tmpmemctx, |
353 | - "b", |
354 | -- &f->f_sub_final ); |
355 | -+ fvalue ); |
356 | -+ if ( escaped ) |
357 | -+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); |
358 | - if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { |
359 | - ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] ); |
360 | - } |
361 | -@@ -1182,6 +1252,8 @@ backsql_process_filter_attr( backsql_srch_info *bsi, Filter *f, backsql_at_map_r |
362 | - struct berval *filter_value = NULL; |
363 | - MatchingRule *matching_rule = NULL; |
364 | - struct berval ordering = BER_BVC("<="); |
365 | -+ struct berval escval; |
366 | -+ int escaped = 0; |
367 | - |
368 | - Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n", |
369 | - at->bam_ad->ad_cname.bv_val ); |
370 | -@@ -1236,6 +1308,10 @@ equality_match:; |
371 | - casefold = 1; |
372 | - } |
373 | - |
374 | -+ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); |
375 | -+ if ( escaped ) |
376 | -+ filter_value = &escval; |
377 | -+ |
378 | - /* FIXME: directoryString filtering should use a similar |
379 | - * approach to deal with non-prettified values like |
380 | - * " A non prettified value ", by using a LIKE |
381 | -@@ -1316,6 +1392,10 @@ equality_match:; |
382 | - casefold = 1; |
383 | - } |
384 | - |
385 | -+ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); |
386 | -+ if ( escaped ) |
387 | -+ filter_value = &escval; |
388 | -+ |
389 | - /* |
390 | - * FIXME: should we uppercase the operands? |
391 | - */ |
392 | -@@ -1349,7 +1429,7 @@ equality_match:; |
393 | - &at->bam_sel_expr, |
394 | - &ordering, |
395 | - '\'', |
396 | -- &f->f_av_value, |
397 | -+ filter_value, |
398 | - (ber_len_t)STRLENOF( /* (' */ "')" ), |
399 | - /* ( */ "')" ); |
400 | - } |
401 | -@@ -1373,13 +1453,17 @@ equality_match:; |
402 | - case LDAP_FILTER_APPROX: |
403 | - /* we do our best */ |
404 | - |
405 | -+ filter_value = &f->f_av_value; |
406 | -+ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); |
407 | -+ if ( escaped ) |
408 | -+ filter_value = &escval; |
409 | - /* |
410 | - * maybe we should check type of at->sel_expr here somehow, |
411 | - * to know whether upper_func is applicable, but for now |
412 | - * upper_func stuff is made for Oracle, where UPPER is |
413 | - * safely applicable to NUMBER etc. |
414 | - */ |
415 | -- (void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value ); |
416 | -+ (void)backsql_process_filter_like( bsi, at, 1, filter_value ); |
417 | - break; |
418 | - |
419 | - default: |
420 | -@@ -1393,6 +1477,9 @@ equality_match:; |
421 | - |
422 | - } |
423 | - |
424 | -+ if ( escaped ) |
425 | -+ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); |
426 | -+ |
427 | - Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n", |
428 | - at->bam_ad->ad_cname.bv_val ); |
429 | - |
430 | --- |
431 | -GitLab |
432 | - |
433 | diff --git a/debian/patches/series b/debian/patches/series |
434 | index 34a5f20..a8d57cb 100644 |
435 | --- a/debian/patches/series |
436 | +++ b/debian/patches/series |
437 | @@ -13,4 +13,3 @@ add-tlscacert-option-to-ldap-conf |
438 | fix-build-top-mk |
439 | switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff |
440 | set-maintainer-name |
441 | -CVE-2022-29155.patch |
442 | diff --git a/doc/guide/admin/guide.html b/doc/guide/admin/guide.html |
443 | index c256e1b..7415912 100644 |
444 | --- a/doc/guide/admin/guide.html |
445 | +++ b/doc/guide/admin/guide.html |
446 | @@ -23,7 +23,7 @@ |
447 | <DIV CLASS="title"> |
448 | <H1 CLASS="doc-title">OpenLDAP Software 2.5 Administrator's Guide</H1> |
449 | <ADDRESS CLASS="doc-author">The OpenLDAP Project <<A HREF="https://www.openldap.org/">https://www.openldap.org/</A>></ADDRESS> |
450 | -<ADDRESS CLASS="doc-modified">20 January 2022</ADDRESS> |
451 | +<ADDRESS CLASS="doc-modified">4 May 2022</ADDRESS> |
452 | <BR CLEAR="All"> |
453 | </DIV> |
454 | <DIV CLASS="contents"> |
455 | diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3 |
456 | index f08cd01..3477f02 100644 |
457 | --- a/doc/man/man3/ldap_get_option.3 |
458 | +++ b/doc/man/man3/ldap_get_option.3 |
459 | @@ -455,6 +455,12 @@ This option is OpenLDAP specific. |
460 | .B LDAP_OPT_TCP_USER_TIMEOUT |
461 | Allows to configure TCP_USER_TIMEOUT in milliseconds on the connection, overriding the operating system setting. |
462 | This option is OpenLDAP specific and supported only on Linux 2.6.37 or higher. |
463 | +.B invalue |
464 | +must be a |
465 | +.BR "const unsigned int *" ; |
466 | +.BR outvalue |
467 | +must be an |
468 | +.BR "unsigned int *" . |
469 | |
470 | .SH SASL OPTIONS |
471 | The SASL options are OpenLDAP specific. |
472 | @@ -587,6 +593,7 @@ must be a |
473 | .BR "char **" . |
474 | Its content needs to be freed by the caller using |
475 | .BR ldap_memfree (3). |
476 | +.TP |
477 | .B LDAP_OPT_X_SASL_CBINDING |
478 | Sets/gets the channel-binding type to use in SASL, |
479 | one of |
480 | @@ -602,7 +609,6 @@ must be |
481 | .BR outvalue |
482 | must be |
483 | .BR "int *" . |
484 | -.TP |
485 | .SH TCP OPTIONS |
486 | The TCP options are OpenLDAP specific. |
487 | Mainly intended for use with Linux, they may not be portable. |
488 | @@ -873,6 +879,21 @@ must be |
489 | .BR "char **" , |
490 | and its contents need to be freed by the caller using |
491 | .BR ldap_memfree (3). |
492 | +.TP |
493 | +.B LDAP_OPT_X_TLS_PEERKEY_HASH |
494 | +Sets the (public) key that the application expects the peer to be using. |
495 | +.B invalue |
496 | +must be |
497 | +.BR "const char *" |
498 | +containing the base64 encoding of the expected peer's key or in the format |
499 | +.B "<hashalg>:<peerkey hash base64 encoded>" |
500 | +where as a TLS session is established, the library will hash the peer's key |
501 | +with the provided hash algorithm and compare it with value provided and will |
502 | +only allow the session to continue if they match. This happens regardless of |
503 | +certificate checking strategy. The list of supported |
504 | +.B hashalg |
505 | +values depends on the crypto library used, check its documentation to get |
506 | +a list. |
507 | .SH ERRORS |
508 | On success, the functions return |
509 | .BR LDAP_OPT_SUCCESS , |
510 | diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 |
511 | index 9e40804..d402340 100644 |
512 | --- a/doc/man/man5/slapd-config.5 |
513 | +++ b/doc/man/man5/slapd-config.5 |
514 | @@ -1945,9 +1945,8 @@ The \fBsizelimit\fP and \fBtimelimit\fP only |
515 | accept "unlimited" and positive integers, and both default to "unlimited". |
516 | The \fBsizelimit\fP and \fBtimelimit\fP parameters define |
517 | a consumer requested limitation on the number of entries that can be returned |
518 | -by the LDAP Content Synchronization operation; as such, it is intended |
519 | -to implement partial replication based on the size of the replicated database |
520 | -and on the time required by the synchronization. |
521 | +by the LDAP Content Synchronization operation; these should be left unchanged |
522 | +from the default otherwise replication may never succeed. |
523 | Note, however, that any provider-side limits for the replication identity |
524 | will be enforced by the provider regardless of the limits requested |
525 | by the LDAP Content Synchronization operation, much like for any other |
526 | diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 |
527 | index 37ec52e..6ec19c5 100644 |
528 | --- a/doc/man/man5/slapd.conf.5 |
529 | +++ b/doc/man/man5/slapd.conf.5 |
530 | @@ -1877,9 +1877,8 @@ The \fBsizelimit\fP and \fBtimelimit\fP only |
531 | accept "unlimited" and positive integers, and both default to "unlimited". |
532 | The \fBsizelimit\fP and \fBtimelimit\fP parameters define |
533 | a consumer requested limitation on the number of entries that can be returned |
534 | -by the LDAP Content Synchronization operation; as such, it is intended |
535 | -to implement partial replication based on the size of the replicated database |
536 | -and on the time required by the synchronization. |
537 | +by the LDAP Content Synchronization operation; these should be left unchanged |
538 | +from the default otherwise replication may never succeed. |
539 | Note, however, that any provider-side limits for the replication identity |
540 | will be enforced by the provider regardless of the limits requested |
541 | by the LDAP Content Synchronization operation, much like for any other |
542 | diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h |
543 | index 27a5afd..ba6ec15 100644 |
544 | --- a/include/ldap_pvt.h |
545 | +++ b/include/ldap_pvt.h |
546 | @@ -185,11 +185,11 @@ ldap_pvt_get_hname LDAP_P(( |
547 | #define LDAP_IPADDRLEN sizeof("IP=255.255.255.255:65336") |
548 | #endif |
549 | |
550 | -typedef union Sockaddr Sockaddr; |
551 | +union Sockaddr; |
552 | |
553 | LDAP_F (void) |
554 | ldap_pvt_sockaddrstr LDAP_P(( |
555 | - Sockaddr *sa, |
556 | + union Sockaddr *sa, |
557 | struct berval * )); |
558 | |
559 | |
560 | diff --git a/libraries/libldap/ldif.c b/libraries/libldap/ldif.c |
561 | index 7ca5e32..900a979 100644 |
562 | --- a/libraries/libldap/ldif.c |
563 | +++ b/libraries/libldap/ldif.c |
564 | @@ -796,6 +796,7 @@ ldif_read_record( |
565 | * back to a previous file. (return from an include) |
566 | */ |
567 | while ( feof( lfp->fp )) { |
568 | +pop: |
569 | if ( lfp->prev ) { |
570 | LDIFFP *tmp = lfp->prev; |
571 | fclose( lfp->fp ); |
572 | @@ -808,6 +809,10 @@ ldif_read_record( |
573 | } |
574 | if ( !stop ) { |
575 | if ( fgets( line, sizeof( line ), lfp->fp ) == NULL ) { |
576 | + if ( !found_entry && !ferror( lfp->fp ) ) { |
577 | + /* ITS#9811 Reached the end looking for an entry, try again */ |
578 | + goto pop; |
579 | + } |
580 | stop = 1; |
581 | len = 0; |
582 | } else { |
583 | diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c |
584 | index c1b4a45..40ff1c1 100644 |
585 | --- a/libraries/libldap/result.c |
586 | +++ b/libraries/libldap/result.c |
587 | @@ -506,6 +506,16 @@ nextresp3: |
588 | lc->lconn_ber = NULL; |
589 | break; |
590 | |
591 | + default: |
592 | + /* |
593 | + * We read a BerElement that isn't LDAP or the stream has desync'd. |
594 | + * In either case, anything we read from now on is probably garbage, |
595 | + * just drop the connection. |
596 | + */ |
597 | + ber_free( ber, 1 ); |
598 | + lc->lconn_ber = NULL; |
599 | + /* FALLTHRU */ |
600 | + |
601 | case LBER_DEFAULT: |
602 | fail: |
603 | err = sock_errno(); |
604 | @@ -521,10 +531,6 @@ fail: |
605 | } |
606 | lc->lconn_status = 0; |
607 | return -1; |
608 | - |
609 | - default: |
610 | - ld->ld_errno = LDAP_LOCAL_ERROR; |
611 | - return -1; |
612 | } |
613 | |
614 | /* message id */ |
615 | diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c |
616 | index c31c657..834d986 100644 |
617 | --- a/libraries/libldap/tls_o.c |
618 | +++ b/libraries/libldap/tls_o.c |
619 | @@ -1026,8 +1026,12 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server ) |
620 | #ifndef OPENSSL_NO_MD2 |
621 | md == EVP_md2() || |
622 | #endif |
623 | +#ifndef OPENSSL_NO_MD4 |
624 | md == EVP_md4() || |
625 | +#endif |
626 | +#ifndef OPENSSL_NO_MD5 |
627 | md == EVP_md5() || |
628 | +#endif |
629 | md == EVP_sha1() ) |
630 | md = EVP_sha256(); |
631 | |
632 | diff --git a/servers/slapd/back-asyncmeta/add.c b/servers/slapd/back-asyncmeta/add.c |
633 | index d32415b..1f194ed 100644 |
634 | --- a/servers/slapd/back-asyncmeta/add.c |
635 | +++ b/servers/slapd/back-asyncmeta/add.c |
636 | @@ -51,6 +51,7 @@ asyncmeta_error_cleanup(Operation *op, |
637 | } |
638 | asyncmeta_drop_bc(mc, bc); |
639 | slap_sl_mem_setctx(op->o_threadctx, op->o_tmpmemctx); |
640 | + operation_counter_init( op, op->o_threadctx ); |
641 | ldap_pvt_thread_mutex_unlock( &mc->mc_om_mutex); |
642 | send_ldap_result(op, rs); |
643 | return LDAP_SUCCESS; |
644 | diff --git a/servers/slapd/back-asyncmeta/config.c b/servers/slapd/back-asyncmeta/config.c |
645 | index 866fb98..849ac01 100644 |
646 | --- a/servers/slapd/back-asyncmeta/config.c |
647 | +++ b/servers/slapd/back-asyncmeta/config.c |
648 | @@ -2405,9 +2405,11 @@ asyncmeta_back_cf_gen( ConfigArgs *c ) |
649 | break; |
650 | #endif /* SLAPD_META_CLIENT_PR */ |
651 | |
652 | - case LDAP_BACK_CFG_KEEPALIVE: |
653 | - slap_keepalive_parse( ber_bvstrdup(c->argv[1]), |
654 | - &mt->mt_tls.sb_keepalive, 0, 0, 0); |
655 | + case LDAP_BACK_CFG_KEEPALIVE: { |
656 | + struct berval bv; |
657 | + ber_str2bv( c->argv[1], 0, 1, &bv ); |
658 | + slap_keepalive_parse( &bv, &mt->mt_tls.sb_keepalive, 0, 0, 0 ); |
659 | + } |
660 | break; |
661 | |
662 | case LDAP_BACK_CFG_TCP_USER_TIMEOUT: |
663 | diff --git a/servers/slapd/back-asyncmeta/meta_result.c b/servers/slapd/back-asyncmeta/meta_result.c |
664 | index 07863bb..0ce279a 100644 |
665 | --- a/servers/slapd/back-asyncmeta/meta_result.c |
666 | +++ b/servers/slapd/back-asyncmeta/meta_result.c |
667 | @@ -650,6 +650,7 @@ asyncmeta_send_all_pending_ops(a_metaconn_t *mc, int candidate, void *ctx, int d |
668 | bc->op->o_threadctx = ctx; |
669 | bc->op->o_tid = ldap_pvt_thread_pool_tid( ctx ); |
670 | slap_sl_mem_setctx(ctx, bc->op->o_tmpmemctx); |
671 | + operation_counter_init( bc->op, ctx ); |
672 | bc->bc_active++; |
673 | ret = asyncmeta_send_pending_op(bc, candidate); |
674 | if (ret != META_SEARCH_CANDIDATE) { |
675 | @@ -699,6 +700,7 @@ asyncmeta_return_bind_errors(a_metaconn_t *mc, int candidate, SlapReply *bind_re |
676 | bc->op->o_threadctx = ctx; |
677 | bc->op->o_tid = ldap_pvt_thread_pool_tid( ctx ); |
678 | slap_sl_mem_setctx(ctx, bc->op->o_tmpmemctx); |
679 | + operation_counter_init( bc->op, ctx ); |
680 | bc->rs.sr_err = bind_result->sr_err; |
681 | bc->rs.sr_text = bind_result->sr_text; |
682 | mc->pending_ops--; |
683 | @@ -1422,6 +1424,7 @@ asyncmeta_op_read_error(a_metaconn_t *mc, int candidate, int error, void* ctx) |
684 | bc->op->o_threadctx = ctx; |
685 | bc->op->o_tid = ldap_pvt_thread_pool_tid( ctx ); |
686 | slap_sl_mem_setctx(ctx, bc->op->o_tmpmemctx); |
687 | + operation_counter_init( bc->op, ctx ); |
688 | |
689 | op = bc->op; |
690 | rs = &bc->rs; |
691 | @@ -1569,6 +1572,7 @@ retry_bc: |
692 | bc->op->o_threadctx = ctx; |
693 | bc->op->o_tid = ldap_pvt_thread_pool_tid( ctx ); |
694 | slap_sl_mem_setctx(ctx, bc->op->o_tmpmemctx); |
695 | + operation_counter_init( bc->op, ctx ); |
696 | if (bc->op->o_abandon) { |
697 | ldap_pvt_thread_mutex_lock( &mc->mc_om_mutex ); |
698 | asyncmeta_drop_bc( mc, bc); |
699 | @@ -1668,12 +1672,14 @@ void* asyncmeta_timeout_loop(void *ctx, void *arg) |
700 | } |
701 | |
702 | if (bc->op->o_abandon ) { |
703 | - /* set our memctx */ |
704 | - bc->op->o_threadctx = ctx; |
705 | - bc->op->o_tid = ldap_pvt_thread_pool_tid( ctx ); |
706 | - slap_sl_mem_setctx(ctx, bc->op->o_tmpmemctx); |
707 | Operation *op = bc->op; |
708 | |
709 | + /* set our memctx */ |
710 | + op->o_threadctx = ctx; |
711 | + op->o_tid = ldap_pvt_thread_pool_tid( ctx ); |
712 | + slap_sl_mem_setctx(ctx, op->o_tmpmemctx); |
713 | + operation_counter_init( op, ctx ); |
714 | + |
715 | LDAP_STAILQ_REMOVE(&mc->mc_om_list, bc, bm_context_t, bc_next); |
716 | mc->pending_ops--; |
717 | for (j=0; j<mi->mi_ntargets; j++) { |
718 | @@ -1730,6 +1736,7 @@ void* asyncmeta_timeout_loop(void *ctx, void *arg) |
719 | bc->op->o_threadctx = ctx; |
720 | bc->op->o_tid = ldap_pvt_thread_pool_tid( ctx ); |
721 | slap_sl_mem_setctx(ctx, bc->op->o_tmpmemctx); |
722 | + operation_counter_init( bc->op, ctx ); |
723 | |
724 | if (bc->searchtime) { |
725 | timeout_err = LDAP_TIMELIMIT_EXCEEDED; |
726 | diff --git a/servers/slapd/back-asyncmeta/search.c b/servers/slapd/back-asyncmeta/search.c |
727 | index 5310ca1..0b0db82 100644 |
728 | --- a/servers/slapd/back-asyncmeta/search.c |
729 | +++ b/servers/slapd/back-asyncmeta/search.c |
730 | @@ -58,6 +58,7 @@ asyncmeta_handle_onerr_stop(Operation *op, |
731 | } |
732 | } |
733 | slap_sl_mem_setctx(op->o_threadctx, op->o_tmpmemctx); |
734 | + operation_counter_init( op, op->o_threadctx ); |
735 | ldap_pvt_thread_mutex_unlock( &mc->mc_om_mutex); |
736 | send_ldap_result(op, rs); |
737 | } |
738 | diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c |
739 | index 07fe8e9..fb97e8e 100644 |
740 | --- a/servers/slapd/back-ldap/config.c |
741 | +++ b/servers/slapd/back-ldap/config.c |
742 | @@ -2051,9 +2051,11 @@ done_url:; |
743 | } |
744 | break; |
745 | |
746 | - case LDAP_BACK_CFG_KEEPALIVE: |
747 | - slap_keepalive_parse( ber_bvstrdup(c->argv[1]), |
748 | - &li->li_tls.sb_keepalive, 0, 0, 0); |
749 | + case LDAP_BACK_CFG_KEEPALIVE: { |
750 | + struct berval bv; |
751 | + ber_str2bv( c->argv[1], 0, 1, &bv ); |
752 | + slap_keepalive_parse( &bv, &li->li_tls.sb_keepalive, 0, 0, 0 ); |
753 | + } |
754 | break; |
755 | |
756 | case LDAP_BACK_CFG_TCP_USER_TIMEOUT: |
757 | diff --git a/servers/slapd/back-mdb/monitor.c b/servers/slapd/back-mdb/monitor.c |
758 | index 7f26074..fc77bc6 100644 |
759 | --- a/servers/slapd/back-mdb/monitor.c |
760 | +++ b/servers/slapd/back-mdb/monitor.c |
761 | @@ -578,10 +578,11 @@ mdb_monitor_db_close( BackendDB *be ) |
762 | monitor_extra_t *mbe; |
763 | |
764 | if ( mi && mi->bi_extra ) { |
765 | + struct berval dummy = BER_BVNULL; |
766 | mbe = mi->bi_extra; |
767 | mbe->unregister_entry_callback( &mdb->mi_monitor.mdm_ndn, |
768 | (monitor_callback_t *)mdb->mi_monitor.mdm_cb, |
769 | - NULL, 0, NULL ); |
770 | + &dummy, 0, &dummy ); |
771 | } |
772 | |
773 | memset( &mdb->mi_monitor, 0, sizeof( mdb->mi_monitor ) ); |
774 | diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c |
775 | index 51d090f..6b1e607 100644 |
776 | --- a/servers/slapd/back-meta/config.c |
777 | +++ b/servers/slapd/back-meta/config.c |
778 | @@ -2662,7 +2662,6 @@ idassert-authzFrom "dn:<rootdn>" |
779 | c->fname, c->lineno, ca.argc, ca.argv ); |
780 | } |
781 | assert( rc == 0 ); |
782 | - ch_free( ca.argv ); |
783 | ch_free( ca.tline ); |
784 | } |
785 | } |
786 | @@ -2699,9 +2698,9 @@ idassert-authzFrom "dn:<rootdn>" |
787 | c->fname, c->lineno, ca.argc, argv ); |
788 | } |
789 | assert( rc == 0 ); |
790 | - ch_free( ca.argv ); |
791 | ch_free( ca.tline ); |
792 | } |
793 | + ch_free( ca.argv ); |
794 | } |
795 | |
796 | /* save the rule info */ |
797 | @@ -2718,7 +2717,7 @@ idassert-authzFrom "dn:<rootdn>" |
798 | /* move it to the right slot */ |
799 | if ( ix < cnt ) { |
800 | for ( i=cnt; i>ix; i-- ) |
801 | - mt->mt_rwmap.rwm_bva_rewrite[i+1] = mt->mt_rwmap.rwm_bva_rewrite[i]; |
802 | + mt->mt_rwmap.rwm_bva_rewrite[i] = mt->mt_rwmap.rwm_bva_rewrite[i-1]; |
803 | mt->mt_rwmap.rwm_bva_rewrite[i] = bv; |
804 | |
805 | /* destroy old rules */ |
806 | @@ -2730,7 +2729,7 @@ idassert-authzFrom "dn:<rootdn>" |
807 | case LDAP_BACK_CFG_MAP: { |
808 | /* objectclass/attribute mapping */ |
809 | ConfigArgs ca = { 0 }; |
810 | - char *argv[5]; |
811 | + char *argv[5], **argvp; |
812 | struct ldapmap rwm_oc; |
813 | struct ldapmap rwm_at; |
814 | int cnt = 0, ix = c->valx; |
815 | @@ -2763,7 +2762,8 @@ idassert-authzFrom "dn:<rootdn>" |
816 | argv[2] = ca.argv[1]; |
817 | argv[3] = ca.argv[2]; |
818 | argv[4] = ca.argv[3]; |
819 | - ch_free( ca.argv ); |
820 | + |
821 | + argvp = ca.argv; |
822 | ca.argv = argv; |
823 | ca.argc++; |
824 | rc = ldap_back_map_config( &ca, &mt->mt_rwmap.rwm_oc, |
825 | @@ -2771,7 +2771,7 @@ idassert-authzFrom "dn:<rootdn>" |
826 | |
827 | ch_free( ca.tline ); |
828 | ca.tline = NULL; |
829 | - ca.argv = NULL; |
830 | + ca.argv = argvp; |
831 | |
832 | /* in case of failure, restore |
833 | * the existing mapping */ |
834 | @@ -2788,7 +2788,7 @@ idassert-authzFrom "dn:<rootdn>" |
835 | } |
836 | |
837 | if ( ix < cnt ) { |
838 | - for ( ; i<cnt ; cnt++ ) { |
839 | + for ( ; i<cnt ; i++ ) { |
840 | ca.line = mt->mt_rwmap.rwm_bva_map[ i ].bv_val; |
841 | ca.argc = 0; |
842 | config_fp_parse_line( &ca ); |
843 | @@ -2798,7 +2798,7 @@ idassert-authzFrom "dn:<rootdn>" |
844 | argv[3] = ca.argv[2]; |
845 | argv[4] = ca.argv[3]; |
846 | |
847 | - ch_free( ca.argv ); |
848 | + argvp = ca.argv; |
849 | ca.argv = argv; |
850 | ca.argc++; |
851 | rc = ldap_back_map_config( &ca, &mt->mt_rwmap.rwm_oc, |
852 | @@ -2806,7 +2806,7 @@ idassert-authzFrom "dn:<rootdn>" |
853 | |
854 | ch_free( ca.tline ); |
855 | ca.tline = NULL; |
856 | - ca.argv = NULL; |
857 | + ca.argv = argvp; |
858 | |
859 | /* in case of failure, restore |
860 | * the existing mapping */ |
861 | @@ -2814,6 +2814,7 @@ idassert-authzFrom "dn:<rootdn>" |
862 | goto map_fail; |
863 | } |
864 | } |
865 | + ch_free( ca.argv ); |
866 | } |
867 | |
868 | /* save the map info */ |
869 | @@ -2825,7 +2826,7 @@ idassert-authzFrom "dn:<rootdn>" |
870 | /* move it to the right slot */ |
871 | if ( ix < cnt ) { |
872 | for ( i=cnt; i>ix; i-- ) |
873 | - mt->mt_rwmap.rwm_bva_map[i+1] = mt->mt_rwmap.rwm_bva_map[i]; |
874 | + mt->mt_rwmap.rwm_bva_map[i] = mt->mt_rwmap.rwm_bva_map[i-1]; |
875 | mt->mt_rwmap.rwm_bva_map[i] = bv; |
876 | |
877 | /* destroy old mapping */ |
878 | @@ -2841,6 +2842,7 @@ map_fail:; |
879 | meta_back_map_free( &mt->mt_rwmap.rwm_at ); |
880 | mt->mt_rwmap.rwm_oc = rwm_oc; |
881 | mt->mt_rwmap.rwm_at = rwm_at; |
882 | + ch_free( ca.argv ); |
883 | } |
884 | } break; |
885 | |
886 | @@ -2913,9 +2915,11 @@ map_fail:; |
887 | break; |
888 | #endif /* SLAPD_META_CLIENT_PR */ |
889 | |
890 | - case LDAP_BACK_CFG_KEEPALIVE: |
891 | - slap_keepalive_parse( ber_bvstrdup(c->argv[1]), |
892 | - &mt->mt_tls.sb_keepalive, 0, 0, 0); |
893 | + case LDAP_BACK_CFG_KEEPALIVE: { |
894 | + struct berval bv; |
895 | + ber_str2bv( c->argv[ 1 ], 0, 1, &bv ); |
896 | + slap_keepalive_parse( &bv, &mt->mt_tls.sb_keepalive, 0, 0, 0 ); |
897 | + } |
898 | break; |
899 | |
900 | case LDAP_BACK_CFG_TCP_USER_TIMEOUT: |
901 | diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c |
902 | index 2168a15..d4177f6 100644 |
903 | --- a/servers/slapd/back-sql/search.c |
904 | +++ b/servers/slapd/back-sql/search.c |
905 | @@ -63,6 +63,38 @@ static void send_paged_response( |
906 | ID *lastid ); |
907 | #endif /* ! BACKSQL_ARBITRARY_KEY */ |
908 | |
909 | +/* Look for chars that need to be escaped, return count of them. |
910 | + * If out is non-NULL, copy escape'd val to it. |
911 | + */ |
912 | +static int |
913 | +backsql_val_escape( Operation *op, struct berval *in, struct berval *out ) |
914 | +{ |
915 | + char *ptr, *end; |
916 | + int q = 0; |
917 | + |
918 | + ptr = in->bv_val; |
919 | + end = ptr + in->bv_len; |
920 | + while (ptr < end) { |
921 | + if ( *ptr == '\'' ) |
922 | + q++; |
923 | + ptr++; |
924 | + } |
925 | + if ( q && out ) { |
926 | + char *dst; |
927 | + out->bv_len = in->bv_len + q; |
928 | + out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx ); |
929 | + ptr = in->bv_val; |
930 | + dst = out->bv_val; |
931 | + while (ptr < end ) { |
932 | + if ( *ptr == '\'' ) |
933 | + *dst++ = '\''; |
934 | + *dst++ = *ptr++; |
935 | + } |
936 | + *dst = '\0'; |
937 | + } |
938 | + return q; |
939 | +} |
940 | + |
941 | static int |
942 | backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad ) |
943 | { |
944 | @@ -429,6 +461,8 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, |
945 | backsql_info *bi = (backsql_info *)bsi->bsi_op->o_bd->be_private; |
946 | int i; |
947 | int casefold = 0; |
948 | + int escaped = 0; |
949 | + struct berval escval, *fvalue; |
950 | |
951 | if ( !f ) { |
952 | return 0; |
953 | @@ -462,50 +496,68 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, |
954 | |
955 | BER_BVZERO( &bv ); |
956 | if ( f->f_sub_initial.bv_val ) { |
957 | - bv.bv_len += f->f_sub_initial.bv_len; |
958 | + bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL ); |
959 | } |
960 | if ( f->f_sub_any != NULL ) { |
961 | for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) { |
962 | - bv.bv_len += f->f_sub_any[ a ].bv_len; |
963 | + bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL ); |
964 | } |
965 | } |
966 | if ( f->f_sub_final.bv_val ) { |
967 | - bv.bv_len += f->f_sub_final.bv_len; |
968 | + bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL ); |
969 | } |
970 | bv.bv_len = 2 * bv.bv_len - 1; |
971 | bv.bv_val = ch_malloc( bv.bv_len + 1 ); |
972 | |
973 | s = 0; |
974 | if ( !BER_BVISNULL( &f->f_sub_initial ) ) { |
975 | - bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ]; |
976 | - for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) { |
977 | + fvalue = &f->f_sub_initial; |
978 | + escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); |
979 | + if ( escaped ) |
980 | + fvalue = &escval; |
981 | + bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; |
982 | + for ( i = 1; i < fvalue->bv_len; i++ ) { |
983 | bv.bv_val[ s + 2 * i - 1 ] = '%'; |
984 | - bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ]; |
985 | + bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; |
986 | } |
987 | bv.bv_val[ s + 2 * i - 1 ] = '%'; |
988 | s += 2 * i; |
989 | + if ( escaped ) |
990 | + bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); |
991 | } |
992 | |
993 | if ( f->f_sub_any != NULL ) { |
994 | for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) { |
995 | - bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ]; |
996 | - for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) { |
997 | + fvalue = &f->f_sub_any[ a ]; |
998 | + escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); |
999 | + if ( escaped ) |
1000 | + fvalue = &escval; |
1001 | + bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; |
1002 | + for ( i = 1; i < fvalue->bv_len; i++ ) { |
1003 | bv.bv_val[ s + 2 * i - 1 ] = '%'; |
1004 | - bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ]; |
1005 | + bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; |
1006 | } |
1007 | bv.bv_val[ s + 2 * i - 1 ] = '%'; |
1008 | s += 2 * i; |
1009 | + if ( escaped ) |
1010 | + bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); |
1011 | } |
1012 | } |
1013 | |
1014 | if ( !BER_BVISNULL( &f->f_sub_final ) ) { |
1015 | - bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ]; |
1016 | - for ( i = 1; i < f->f_sub_final.bv_len; i++ ) { |
1017 | + fvalue = &f->f_sub_final; |
1018 | + escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); |
1019 | + if ( escaped ) |
1020 | + fvalue = &escval; |
1021 | + bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; |
1022 | + for ( i = 1; i < fvalue->bv_len; i++ ) { |
1023 | bv.bv_val[ s + 2 * i - 1 ] = '%'; |
1024 | - bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ]; |
1025 | + bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; |
1026 | } |
1027 | - bv.bv_val[ s + 2 * i - 1 ] = '%'; |
1028 | + bv.bv_val[ s + 2 * i - 1 ] = '%'; |
1029 | s += 2 * i; |
1030 | + if ( escaped ) |
1031 | + bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); |
1032 | } |
1033 | |
1034 | bv.bv_val[ s - 1 ] = '\0'; |
1035 | @@ -561,11 +613,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, |
1036 | f->f_sub_initial.bv_val ); |
1037 | #endif /* BACKSQL_TRACE */ |
1038 | |
1039 | + fvalue = &f->f_sub_initial; |
1040 | + escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); |
1041 | + if ( escaped ) |
1042 | + fvalue = &escval; |
1043 | start = bsi->bsi_flt_where.bb_val.bv_len; |
1044 | backsql_strfcat_x( &bsi->bsi_flt_where, |
1045 | bsi->bsi_op->o_tmpmemctx, |
1046 | "b", |
1047 | - &f->f_sub_initial ); |
1048 | + fvalue ); |
1049 | + if ( escaped ) |
1050 | + bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); |
1051 | if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { |
1052 | ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] ); |
1053 | } |
1054 | @@ -586,12 +644,18 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, |
1055 | i, f->f_sub_any[ i ].bv_val ); |
1056 | #endif /* BACKSQL_TRACE */ |
1057 | |
1058 | + fvalue = &f->f_sub_any[ i ]; |
1059 | + escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); |
1060 | + if ( escaped ) |
1061 | + fvalue = &escval; |
1062 | start = bsi->bsi_flt_where.bb_val.bv_len; |
1063 | backsql_strfcat_x( &bsi->bsi_flt_where, |
1064 | bsi->bsi_op->o_tmpmemctx, |
1065 | "bc", |
1066 | - &f->f_sub_any[ i ], |
1067 | + fvalue, |
1068 | '%' ); |
1069 | + if ( escaped ) |
1070 | + bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); |
1071 | if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { |
1072 | /* |
1073 | * Note: toupper('%') = '%' |
1074 | @@ -611,11 +675,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, |
1075 | f->f_sub_final.bv_val ); |
1076 | #endif /* BACKSQL_TRACE */ |
1077 | |
1078 | + fvalue = &f->f_sub_final; |
1079 | + escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); |
1080 | + if ( escaped ) |
1081 | + fvalue = &escval; |
1082 | start = bsi->bsi_flt_where.bb_val.bv_len; |
1083 | backsql_strfcat_x( &bsi->bsi_flt_where, |
1084 | bsi->bsi_op->o_tmpmemctx, |
1085 | "b", |
1086 | - &f->f_sub_final ); |
1087 | + fvalue ); |
1088 | + if ( escaped ) |
1089 | + bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); |
1090 | if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { |
1091 | ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] ); |
1092 | } |
1093 | @@ -1182,6 +1252,8 @@ backsql_process_filter_attr( backsql_srch_info *bsi, Filter *f, backsql_at_map_r |
1094 | struct berval *filter_value = NULL; |
1095 | MatchingRule *matching_rule = NULL; |
1096 | struct berval ordering = BER_BVC("<="); |
1097 | + struct berval escval; |
1098 | + int escaped = 0; |
1099 | |
1100 | Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n", |
1101 | at->bam_ad->ad_cname.bv_val ); |
1102 | @@ -1236,6 +1308,10 @@ equality_match:; |
1103 | casefold = 1; |
1104 | } |
1105 | |
1106 | + escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); |
1107 | + if ( escaped ) |
1108 | + filter_value = &escval; |
1109 | + |
1110 | /* FIXME: directoryString filtering should use a similar |
1111 | * approach to deal with non-prettified values like |
1112 | * " A non prettified value ", by using a LIKE |
1113 | @@ -1316,6 +1392,10 @@ equality_match:; |
1114 | casefold = 1; |
1115 | } |
1116 | |
1117 | + escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); |
1118 | + if ( escaped ) |
1119 | + filter_value = &escval; |
1120 | + |
1121 | /* |
1122 | * FIXME: should we uppercase the operands? |
1123 | */ |
1124 | @@ -1349,7 +1429,7 @@ equality_match:; |
1125 | &at->bam_sel_expr, |
1126 | &ordering, |
1127 | '\'', |
1128 | - &f->f_av_value, |
1129 | + filter_value, |
1130 | (ber_len_t)STRLENOF( /* (' */ "')" ), |
1131 | /* ( */ "')" ); |
1132 | } |
1133 | @@ -1373,13 +1453,17 @@ equality_match:; |
1134 | case LDAP_FILTER_APPROX: |
1135 | /* we do our best */ |
1136 | |
1137 | + filter_value = &f->f_av_value; |
1138 | + escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); |
1139 | + if ( escaped ) |
1140 | + filter_value = &escval; |
1141 | /* |
1142 | * maybe we should check type of at->sel_expr here somehow, |
1143 | * to know whether upper_func is applicable, but for now |
1144 | * upper_func stuff is made for Oracle, where UPPER is |
1145 | * safely applicable to NUMBER etc. |
1146 | */ |
1147 | - (void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value ); |
1148 | + (void)backsql_process_filter_like( bsi, at, 1, filter_value ); |
1149 | break; |
1150 | |
1151 | default: |
1152 | @@ -1393,6 +1477,9 @@ equality_match:; |
1153 | |
1154 | } |
1155 | |
1156 | + if ( escaped ) |
1157 | + bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); |
1158 | + |
1159 | Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n", |
1160 | at->bam_ad->ad_cname.bv_val ); |
1161 | |
1162 | diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c |
1163 | index 3e6136f..c5c69ba 100644 |
1164 | --- a/servers/slapd/bconfig.c |
1165 | +++ b/servers/slapd/bconfig.c |
1166 | @@ -75,6 +75,7 @@ typedef struct { |
1167 | BackendDB cb_db; /* underlying database */ |
1168 | int cb_got_ldif; |
1169 | int cb_use_ldif; |
1170 | + ldap_pvt_thread_rdwr_t cb_rwlock; |
1171 | } CfBackInfo; |
1172 | |
1173 | static CfBackInfo cfBackInfo; |
1174 | @@ -1363,7 +1364,7 @@ config_generic(ConfigArgs *c) { |
1175 | c->value_int = (SLAP_NOLASTMOD(c->be) == 0); |
1176 | break; |
1177 | case CFG_LASTBIND: |
1178 | - c->value_int = (SLAP_NOLASTMOD(c->be) == 0); |
1179 | + c->value_int = (SLAP_LASTBIND(c->be) != 0); |
1180 | break; |
1181 | case CFG_SYNC_SUBENTRY: |
1182 | c->value_int = (SLAP_SYNC_SUBENTRY(c->be) != 0); |
1183 | @@ -5959,6 +5960,8 @@ config_back_add( Operation *op, SlapReply *rs ) |
1184 | if ( slap_pause_server() < 0 ) |
1185 | dopause = 0; |
1186 | |
1187 | + ldap_pvt_thread_rdwr_wlock( &cfb->cb_rwlock ); |
1188 | + |
1189 | /* Strategy: |
1190 | * 1) check for existence of entry |
1191 | * 2) check for sibling renumbering |
1192 | @@ -6007,6 +6010,7 @@ config_back_add( Operation *op, SlapReply *rs ) |
1193 | } |
1194 | |
1195 | out2:; |
1196 | + ldap_pvt_thread_rdwr_wunlock( &cfb->cb_rwlock ); |
1197 | if ( dopause ) |
1198 | slap_unpause_server(); |
1199 | |
1200 | @@ -6493,6 +6497,7 @@ config_back_modify( Operation *op, SlapReply *rs ) |
1201 | if ( slap_pause_server() < 0 ) |
1202 | do_pause = 0; |
1203 | } |
1204 | + ldap_pvt_thread_rdwr_wlock( &cfb->cb_rwlock ); |
1205 | |
1206 | /* Strategy: |
1207 | * 1) perform the Modify on the cached Entry. |
1208 | @@ -6524,6 +6529,7 @@ config_back_modify( Operation *op, SlapReply *rs ) |
1209 | op->o_ndn = ndn; |
1210 | } |
1211 | |
1212 | + ldap_pvt_thread_rdwr_wunlock( &cfb->cb_rwlock ); |
1213 | if ( do_pause ) |
1214 | slap_unpause_server(); |
1215 | out: |
1216 | @@ -6663,6 +6669,8 @@ config_back_modrdn( Operation *op, SlapReply *rs ) |
1217 | if ( slap_pause_server() < 0 ) |
1218 | dopause = 0; |
1219 | |
1220 | + ldap_pvt_thread_rdwr_wlock( &cfb->cb_rwlock ); |
1221 | + |
1222 | if ( ce->ce_type == Cft_Schema ) { |
1223 | req_modrdn_s modr = op->oq_modrdn; |
1224 | struct berval rdn; |
1225 | @@ -6727,6 +6735,8 @@ config_back_modrdn( Operation *op, SlapReply *rs ) |
1226 | op->oq_modrdn = modr; |
1227 | } |
1228 | |
1229 | + ldap_pvt_thread_rdwr_wunlock( &cfb->cb_rwlock ); |
1230 | + |
1231 | if ( dopause ) |
1232 | slap_unpause_server(); |
1233 | out: |
1234 | @@ -6762,6 +6772,8 @@ config_back_delete( Operation *op, SlapReply *rs ) |
1235 | if ( slap_pause_server() < 0 ) |
1236 | dopause = 0; |
1237 | |
1238 | + ldap_pvt_thread_rdwr_wlock( &cfb->cb_rwlock ); |
1239 | + |
1240 | if ( ce->ce_type == Cft_Overlay ){ |
1241 | overlay_remove( ce->ce_be, (slap_overinst *)ce->ce_bi, op ); |
1242 | } else if ( ce->ce_type == Cft_Misc ) { |
1243 | @@ -6780,8 +6792,7 @@ config_back_delete( Operation *op, SlapReply *rs ) |
1244 | if ( !oc_at ) { |
1245 | rs->sr_err = LDAP_OTHER; |
1246 | rs->sr_text = "objectclass not found"; |
1247 | - if ( dopause ) slap_unpause_server(); |
1248 | - goto out; |
1249 | + goto out2; |
1250 | } |
1251 | for ( i=0; !BER_BVISNULL(&oc_at->a_nvals[i]); i++ ) { |
1252 | co.co_name = &oc_at->a_nvals[i]; |
1253 | @@ -6798,8 +6809,7 @@ config_back_delete( Operation *op, SlapReply *rs ) |
1254 | /* FIXME: We should return a helpful error message |
1255 | * here */ |
1256 | } |
1257 | - if ( dopause ) slap_unpause_server(); |
1258 | - goto out; |
1259 | + goto out2; |
1260 | } |
1261 | break; |
1262 | } |
1263 | @@ -6807,8 +6817,7 @@ config_back_delete( Operation *op, SlapReply *rs ) |
1264 | if ( ce->ce_be == frontendDB || ce->ce_be == op->o_bd ){ |
1265 | rs->sr_err = LDAP_UNWILLING_TO_PERFORM; |
1266 | rs->sr_text = "Cannot delete config or frontend database"; |
1267 | - if ( dopause ) slap_unpause_server(); |
1268 | - goto out; |
1269 | + goto out2; |
1270 | } |
1271 | if ( ce->ce_be->bd_info->bi_db_close ) { |
1272 | ce->ce_be->bd_info->bi_db_close( ce->ce_be, NULL ); |
1273 | @@ -6869,6 +6878,8 @@ config_back_delete( Operation *op, SlapReply *rs ) |
1274 | ce->ce_entry->e_private=NULL; |
1275 | entry_free(ce->ce_entry); |
1276 | ch_free(ce); |
1277 | +out2: |
1278 | + ldap_pvt_thread_rdwr_wunlock( &cfb->cb_rwlock ); |
1279 | if ( dopause ) slap_unpause_server(); |
1280 | } else { |
1281 | rs->sr_err = LDAP_UNWILLING_TO_PERFORM; |
1282 | @@ -6890,6 +6901,7 @@ config_back_search( Operation *op, SlapReply *rs ) |
1283 | |
1284 | cfb = (CfBackInfo *)op->o_bd->be_private; |
1285 | |
1286 | + ldap_pvt_thread_rdwr_rlock( &cfb->cb_rwlock ); |
1287 | ce = config_find_base( cfb->cb_root, &op->o_req_ndn, &last ); |
1288 | if ( !ce ) { |
1289 | if ( last ) |
1290 | @@ -6924,6 +6936,7 @@ config_back_search( Operation *op, SlapReply *rs ) |
1291 | } |
1292 | |
1293 | out: |
1294 | + ldap_pvt_thread_rdwr_runlock( &cfb->cb_rwlock ); |
1295 | send_ldap_result( op, rs ); |
1296 | return rs->sr_err; |
1297 | } |
1298 | @@ -7659,6 +7672,8 @@ config_back_db_destroy( BackendDB *be, ConfigReply *cr ) |
1299 | |
1300 | ch_free( cfdir.bv_val ); |
1301 | |
1302 | + ldap_pvt_thread_rdwr_destroy( &cfb->cb_rwlock ); |
1303 | + |
1304 | ldap_avl_free( CfOcTree, NULL ); |
1305 | |
1306 | if ( cfb->cb_db.bd_info ) { |
1307 | @@ -7693,6 +7708,8 @@ config_back_db_init( BackendDB *be, ConfigReply* cr ) |
1308 | ber_dupbv( &dn, &be->be_rootdn ); |
1309 | ber_bvarray_add( &be->be_nsuffix, &dn ); |
1310 | |
1311 | + ldap_pvt_thread_rdwr_init( &cfb->cb_rwlock ); |
1312 | + |
1313 | /* Hide from namingContexts */ |
1314 | SLAP_BFLAGS(be) |= SLAP_BFLAG_CONFIG; |
1315 | |
1316 | diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c |
1317 | index 324c3b0..b8ea92a 100644 |
1318 | --- a/servers/slapd/connection.c |
1319 | +++ b/servers/slapd/connection.c |
1320 | @@ -212,7 +212,7 @@ int connections_timeout_idle(time_t now) |
1321 | /* Don't timeout a slow-running request or a persistent |
1322 | * outbound connection. |
1323 | */ |
1324 | - if((( c->c_n_ops_executing || c->c_n_ops_async ) && !c->c_writewaiter) |
1325 | + if( c->c_n_ops_executing || c->c_n_ops_async |
1326 | || c->c_conn_state == SLAP_C_CLIENT ) { |
1327 | continue; |
1328 | } |
1329 | @@ -244,7 +244,7 @@ void connections_drop() |
1330 | /* Don't close a slow-running request or a persistent |
1331 | * outbound connection. |
1332 | */ |
1333 | - if((( c->c_n_ops_executing || c->c_n_ops_async ) && !c->c_writewaiter) |
1334 | + if( c->c_n_ops_executing || c->c_n_ops_async |
1335 | || c->c_conn_state == SLAP_C_CLIENT ) { |
1336 | continue; |
1337 | } |
1338 | @@ -734,6 +734,7 @@ static void connection_abandon( Connection *c ) |
1339 | LDAP_STAILQ_NEXT(o, o_next) = NULL; |
1340 | slap_op_free( o, NULL ); |
1341 | } |
1342 | + c->c_n_ops_pending = 0; |
1343 | } |
1344 | |
1345 | static void |
1346 | @@ -870,13 +871,14 @@ Connection* connection_next( Connection *c, ber_socket_t *index ) |
1347 | |
1348 | for(; *index < dtblsize; (*index)++) { |
1349 | if( connections[*index].c_sb ) { |
1350 | - c = &connections[(*index)++]; |
1351 | + c = &connections[*index]; |
1352 | ldap_pvt_thread_mutex_lock( &c->c_mutex ); |
1353 | if ( c->c_conn_state == SLAP_C_INVALID ) { |
1354 | ldap_pvt_thread_mutex_unlock( &c->c_mutex ); |
1355 | c = NULL; |
1356 | continue; |
1357 | } |
1358 | + (*index)++; |
1359 | break; |
1360 | } |
1361 | } |
1362 | @@ -963,18 +965,18 @@ conn_counter_destroy( void *key, void *data ) |
1363 | ldap_pvt_thread_mutex_unlock( &slap_counters.sc_mutex ); |
1364 | } |
1365 | |
1366 | -static void |
1367 | -conn_counter_init( Operation *op, void *ctx ) |
1368 | +void |
1369 | +operation_counter_init( Operation *op, void *ctx ) |
1370 | { |
1371 | slap_counters_t *sc; |
1372 | void *vsc = NULL; |
1373 | |
1374 | if ( ldap_pvt_thread_pool_getkey( |
1375 | - ctx, (void *)conn_counter_init, &vsc, NULL ) || !vsc ) { |
1376 | + ctx, (void *)operation_counter_init, &vsc, NULL ) || !vsc ) { |
1377 | vsc = ch_malloc( sizeof( slap_counters_t )); |
1378 | sc = vsc; |
1379 | slap_counters_init( sc ); |
1380 | - ldap_pvt_thread_pool_setkey( ctx, (void*)conn_counter_init, vsc, |
1381 | + ldap_pvt_thread_pool_setkey( ctx, (void*)operation_counter_init, vsc, |
1382 | conn_counter_destroy, NULL, NULL ); |
1383 | |
1384 | ldap_pvt_thread_mutex_lock( &slap_counters.sc_mutex ); |
1385 | @@ -1030,7 +1032,7 @@ connection_operation( void *ctx, void *arg_v ) |
1386 | op->o_qtime.tv_sec--; |
1387 | } |
1388 | op->o_qtime.tv_sec -= op->o_time; |
1389 | - conn_counter_init( op, ctx ); |
1390 | + operation_counter_init( op, ctx ); |
1391 | ldap_pvt_thread_mutex_lock( &op->o_counters->sc_mutex ); |
1392 | /* FIXME: returns 0 in case of failure */ |
1393 | ldap_pvt_mp_add_ulong(op->o_counters->sc_ops_initiated, 1); |
1394 | diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c |
1395 | index c982cc9..2f78b77 100644 |
1396 | --- a/servers/slapd/daemon.c |
1397 | +++ b/servers/slapd/daemon.c |
1398 | @@ -2413,6 +2413,18 @@ slap_listener_activate( |
1399 | } |
1400 | |
1401 | static void * |
1402 | +slapd_rtask_trampoline( |
1403 | + void *ctx, |
1404 | + void *arg ) |
1405 | +{ |
1406 | + struct re_s *rtask = arg; |
1407 | + |
1408 | + /* invalidate pool_cookie */ |
1409 | + rtask->pool_cookie = NULL; |
1410 | + return rtask->routine( ctx, arg ); |
1411 | +} |
1412 | + |
1413 | +static void * |
1414 | slapd_daemon_task( |
1415 | void *ptr ) |
1416 | { |
1417 | @@ -2775,7 +2787,7 @@ loop: |
1418 | ldap_pvt_runqueue_resched( &slapd_rq, rtask, 0 ); |
1419 | ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex ); |
1420 | ldap_pvt_thread_pool_submit2( &connection_pool, |
1421 | - rtask->routine, (void *) rtask, &rtask->pool_cookie ); |
1422 | + slapd_rtask_trampoline, (void *) rtask, &rtask->pool_cookie ); |
1423 | ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex ); |
1424 | } |
1425 | rtask = ldap_pvt_runqueue_next_sched( &slapd_rq, &cat ); |
1426 | diff --git a/servers/slapd/overlays/dynlist.c b/servers/slapd/overlays/dynlist.c |
1427 | index b04f65c..3490cfb 100644 |
1428 | --- a/servers/slapd/overlays/dynlist.c |
1429 | +++ b/servers/slapd/overlays/dynlist.c |
1430 | @@ -1208,13 +1208,16 @@ dynlist_filter_stgroup( Operation *op, Filter *n, Attribute *a ) |
1431 | Filter *dnf, *orf = NULL; |
1432 | int i; |
1433 | |
1434 | - if ( a->a_numvals == 1 ) { |
1435 | + if ( a->a_numvals == 1 && n->f_choice == SLAPD_FILTER_COMPUTED ) { |
1436 | dnf = n; |
1437 | } else { |
1438 | orf = n; |
1439 | - orf->f_choice = LDAP_FILTER_OR; |
1440 | + if ( n->f_choice != LDAP_FILTER_OR ) { |
1441 | + orf->f_choice = LDAP_FILTER_OR; |
1442 | + orf->f_list = NULL; |
1443 | + } |
1444 | dnf = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx ); |
1445 | - dnf->f_next = NULL; |
1446 | + dnf->f_next = orf->f_list; |
1447 | orf->f_list = dnf; |
1448 | } |
1449 | |
1450 | @@ -1298,9 +1301,9 @@ dynlist_filter_dup( Operation *op, Filter *f, AttributeDescription *ad, dynlist_ |
1451 | break; |
1452 | |
1453 | case LDAP_FILTER_EQUALITY: |
1454 | - n->f_choice = SLAPD_FILTER_COMPUTED; |
1455 | if ( f->f_av_desc == ad ) { |
1456 | dynlist_name_t *dyn = ldap_tavl_find( ds->ds_names, &f->f_av_value, dynlist_avl_cmp ); |
1457 | + n->f_choice = SLAPD_FILTER_COMPUTED; |
1458 | if ( dyn && !dynlist_filter_group( op, dyn, n, ds )) |
1459 | break; |
1460 | } |
1461 | diff --git a/servers/slapd/overlays/pcache.c b/servers/slapd/overlays/pcache.c |
1462 | index fa70d5d..fcf29c6 100644 |
1463 | --- a/servers/slapd/overlays/pcache.c |
1464 | +++ b/servers/slapd/overlays/pcache.c |
1465 | @@ -5660,15 +5660,16 @@ pcache_monitor_db_close( BackendDB *be ) |
1466 | slap_overinst *on = (slap_overinst *)be->bd_info; |
1467 | cache_manager *cm = on->on_bi.bi_private; |
1468 | |
1469 | - if ( cm->monitor_cb != NULL ) { |
1470 | + if ( !BER_BVISNULL( &cm->monitor_ndn )) { |
1471 | BackendInfo *mi = backend_info( "monitor" ); |
1472 | monitor_extra_t *mbe; |
1473 | |
1474 | if ( mi && mi->bi_extra ) { |
1475 | + struct berval dummy = BER_BVNULL; |
1476 | mbe = mi->bi_extra; |
1477 | mbe->unregister_entry_callback( &cm->monitor_ndn, |
1478 | (monitor_callback_t *)cm->monitor_cb, |
1479 | - NULL, 0, NULL ); |
1480 | + &dummy, 0, &dummy ); |
1481 | } |
1482 | } |
1483 | |
1484 | diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c |
1485 | index abde6d2..a2c86f6 100644 |
1486 | --- a/servers/slapd/overlays/ppolicy.c |
1487 | +++ b/servers/slapd/overlays/ppolicy.c |
1488 | @@ -2215,6 +2215,7 @@ ppolicy_add( |
1489 | PassPolicy pp; |
1490 | Attribute *pa; |
1491 | const char *txt; |
1492 | + int is_pwdadmin = 0; |
1493 | |
1494 | if ( ppolicy_restrict( op, rs ) != SLAP_CB_CONTINUE ) |
1495 | return rs->sr_err; |
1496 | @@ -2223,10 +2224,14 @@ ppolicy_add( |
1497 | if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ) |
1498 | return SLAP_CB_CONTINUE; |
1499 | |
1500 | + ppolicy_get( op, op->ora_e, &pp ); |
1501 | + |
1502 | + if ( access_allowed( op, op->ora_e, pp.ad, NULL, ACL_MANAGE, NULL ) ) { |
1503 | + is_pwdadmin = 1; |
1504 | + } |
1505 | + |
1506 | /* Check for password in entry */ |
1507 | - if ((pa = attr_find( op->oq_add.rs_e->e_attrs, |
1508 | - slap_schema.si_ad_userPassword ))) |
1509 | - { |
1510 | + if ( (pa = attr_find( op->oq_add.rs_e->e_attrs, pp.ad )) ) { |
1511 | assert( pa->a_vals != NULL ); |
1512 | assert( !BER_BVISNULL( &pa->a_vals[ 0 ] ) ); |
1513 | |
1514 | @@ -2235,15 +2240,13 @@ ppolicy_add( |
1515 | return rs->sr_err; |
1516 | } |
1517 | |
1518 | - ppolicy_get( op, op->ora_e, &pp ); |
1519 | - |
1520 | /* |
1521 | - * new entry contains a password - if we're not the root user |
1522 | + * new entry contains a password - if we're not the password admin |
1523 | * then we need to check that the password fits in with the |
1524 | * security policy for the new entry. |
1525 | */ |
1526 | |
1527 | - if (pp.pwdCheckQuality > 0 && !be_isroot( op )) { |
1528 | + if ( pp.pwdCheckQuality > 0 && !is_pwdadmin ) { |
1529 | struct berval *bv = &(pa->a_vals[0]); |
1530 | int rc, send_ctrl = 0; |
1531 | LDAPPasswordPolicyError pErr = PP_noError; |
1532 | @@ -2305,7 +2308,8 @@ ppolicy_add( |
1533 | } |
1534 | |
1535 | /* If password aging is in effect, set the pwdChangedTime */ |
1536 | - if ( pp.pwdMaxAge || pp.pwdMinAge ) { |
1537 | + if ( ( pp.pwdMaxAge || pp.pwdMinAge ) && |
1538 | + !attr_find( op->ora_e->e_attrs, ad_pwdChangedTime ) ) { |
1539 | struct berval timestamp; |
1540 | char timebuf[ LDAP_LUTIL_GENTIME_BUFSIZE ]; |
1541 | time_t now = slap_get_time(); |
1542 | diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c |
1543 | index 364ee8a..36978d6 100644 |
1544 | --- a/servers/slapd/overlays/syncprov.c |
1545 | +++ b/servers/slapd/overlays/syncprov.c |
1546 | @@ -1075,6 +1075,7 @@ syncprov_qtask( void *ctx, void *arg ) |
1547 | op->o_tmpmemctx = slap_sl_mem_create(SLAP_SLAB_SIZE, SLAP_SLAB_STACK, ctx, 1); |
1548 | op->o_tmpmfuncs = &slap_sl_mfuncs; |
1549 | op->o_threadctx = ctx; |
1550 | + operation_counter_init( op, ctx ); |
1551 | |
1552 | /* syncprov_qplay expects a fake db */ |
1553 | be = *so->s_op->o_bd; |
1554 | diff --git a/servers/slapd/overlays/translucent.c b/servers/slapd/overlays/translucent.c |
1555 | index 1e4e338..a034a58 100644 |
1556 | --- a/servers/slapd/overlays/translucent.c |
1557 | +++ b/servers/slapd/overlays/translucent.c |
1558 | @@ -999,7 +999,6 @@ trans_filter_dup(Operation *op, Filter *f, AttributeName *an) |
1559 | case LDAP_FILTER_GE: |
1560 | case LDAP_FILTER_LE: |
1561 | case LDAP_FILTER_APPROX: |
1562 | - case LDAP_FILTER_SUBSTRINGS: |
1563 | case LDAP_FILTER_EXT: |
1564 | if ( !f->f_av_desc || ad_inlist( f->f_av_desc, an )) { |
1565 | AttributeAssertion *nava; |
1566 | @@ -1016,6 +1015,29 @@ trans_filter_dup(Operation *op, Filter *f, AttributeName *an) |
1567 | } |
1568 | break; |
1569 | |
1570 | + case LDAP_FILTER_SUBSTRINGS: |
1571 | + if ( !f->f_av_desc || ad_inlist( f->f_av_desc, an )) { |
1572 | + SubstringsAssertion *nsub; |
1573 | + |
1574 | + n = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx ); |
1575 | + n->f_choice = f->f_choice; |
1576 | + |
1577 | + nsub = op->o_tmpalloc( sizeof(SubstringsAssertion), op->o_tmpmemctx ); |
1578 | + *nsub = *f->f_sub; |
1579 | + n->f_sub = nsub; |
1580 | + |
1581 | + if ( !BER_BVISNULL( &f->f_sub_initial )) |
1582 | + ber_dupbv_x( &n->f_sub_initial, &f->f_sub_initial, op->o_tmpmemctx ); |
1583 | + |
1584 | + ber_bvarray_dup_x( &n->f_sub_any, f->f_sub_any, op->o_tmpmemctx ); |
1585 | + |
1586 | + if ( !BER_BVISNULL( &f->f_sub_final )) |
1587 | + ber_dupbv_x( &n->f_sub_final, &f->f_sub_final, op->o_tmpmemctx ); |
1588 | + |
1589 | + n->f_next = NULL; |
1590 | + } |
1591 | + break; |
1592 | + |
1593 | case LDAP_FILTER_AND: |
1594 | case LDAP_FILTER_OR: |
1595 | case LDAP_FILTER_NOT: { |
1596 | diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h |
1597 | index a9a6f4c..d7073d7 100644 |
1598 | --- a/servers/slapd/proto-slap.h |
1599 | +++ b/servers/slapd/proto-slap.h |
1600 | @@ -800,6 +800,7 @@ LDAP_SLAPD_F (Connection *) connection_init LDAP_P(( |
1601 | struct berval *id |
1602 | LDAP_PF_LOCAL_SENDMSG_ARG(struct berval *peerbv))); |
1603 | |
1604 | +LDAP_SLAPD_F (void) operation_counter_init LDAP_P(( Operation *op, void *threadctx )); |
1605 | LDAP_SLAPD_F (void) connection_closing LDAP_P(( |
1606 | Connection *c, const char *why )); |
1607 | LDAP_SLAPD_F (int) connection_is_active LDAP_P(( ber_socket_t s )); |
1608 | diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c |
1609 | index bccef38..6ed5580 100644 |
1610 | --- a/servers/slapd/syncrepl.c |
1611 | +++ b/servers/slapd/syncrepl.c |
1612 | @@ -58,6 +58,8 @@ static AttributeDescription *sy_ad_dseeLastChange; |
1613 | |
1614 | #define UUIDLEN 16 |
1615 | |
1616 | +struct syncinfo_s; |
1617 | + |
1618 | struct nonpresent_entry { |
1619 | struct berval *npe_name; |
1620 | struct berval *npe_nname; |
1621 | @@ -85,8 +87,19 @@ typedef struct cookie_state { |
1622 | struct berval *cs_pvals; |
1623 | int *cs_psids; |
1624 | int cs_pnum; |
1625 | + |
1626 | + /* serialize multi-consumer refreshes */ |
1627 | + ldap_pvt_thread_mutex_t cs_refresh_mutex; |
1628 | + struct syncinfo_s *cs_refreshing; |
1629 | } cookie_state; |
1630 | |
1631 | +#define SYNC_TIMEOUT 0 |
1632 | +#define SYNC_SHUTDOWN -100 |
1633 | +#define SYNC_ERROR -101 |
1634 | +#define SYNC_REPOLL -102 |
1635 | +#define SYNC_PAUSED -103 |
1636 | +#define SYNC_BUSY -104 |
1637 | + |
1638 | #define SYNCDATA_DEFAULT 0 /* entries are plain LDAP entries */ |
1639 | #define SYNCDATA_ACCESSLOG 1 /* entries are accesslog format */ |
1640 | #define SYNCDATA_CHANGELOG 2 /* entries are changelog format */ |
1641 | @@ -139,6 +152,7 @@ typedef struct syncinfo_s { |
1642 | int si_refreshDelete; |
1643 | int si_refreshPresent; |
1644 | int si_refreshDone; |
1645 | + int si_paused; |
1646 | int si_syncdata; |
1647 | int si_logstate; |
1648 | int si_lazyCommit; |
1649 | @@ -488,6 +502,64 @@ init_syncrepl(syncinfo_t *si) |
1650 | si->si_exattrs = exattrs; |
1651 | } |
1652 | |
1653 | +static int |
1654 | +start_refresh(syncinfo_t *si) |
1655 | +{ |
1656 | + ldap_pvt_thread_mutex_lock( &si->si_cookieState->cs_refresh_mutex ); |
1657 | + if ( si->si_cookieState->cs_refreshing ) { |
1658 | + struct re_s* rtask = si->si_re; |
1659 | + |
1660 | + ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex ); |
1661 | + ldap_pvt_runqueue_stoptask( &slapd_rq, rtask ); |
1662 | + ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex ); |
1663 | + |
1664 | + si->si_paused = 1; |
1665 | + Debug( LDAP_DEBUG_SYNC, "start_refresh: %s " |
1666 | + "a refresh on %s in progress, pausing\n", |
1667 | + si->si_ridtxt, si->si_cookieState->cs_refreshing->si_ridtxt ); |
1668 | + ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_refresh_mutex ); |
1669 | + return SYNC_BUSY; |
1670 | + } |
1671 | + si->si_cookieState->cs_refreshing = si; |
1672 | + ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_refresh_mutex ); |
1673 | + |
1674 | + return LDAP_SUCCESS; |
1675 | +} |
1676 | + |
1677 | +static int |
1678 | +refresh_finished(syncinfo_t *si) |
1679 | +{ |
1680 | + syncinfo_t *sie; |
1681 | + int removed = 0; |
1682 | + |
1683 | + ldap_pvt_thread_mutex_lock( &si->si_cookieState->cs_refresh_mutex ); |
1684 | + if ( si->si_cookieState->cs_refreshing == si ) { |
1685 | + si->si_cookieState->cs_refreshing = NULL; |
1686 | + removed = 1; |
1687 | + } |
1688 | + |
1689 | + if ( removed ) { |
1690 | + for ( sie = si->si_be->be_syncinfo; sie; sie = sie->si_next ) { |
1691 | + if ( sie->si_paused ) { |
1692 | + struct re_s* rtask = sie->si_re; |
1693 | + |
1694 | + Debug( LDAP_DEBUG_SYNC, "refresh_finished: %s " |
1695 | + "rescheduling refresh on %s\n", |
1696 | + si->si_ridtxt, sie->si_ridtxt ); |
1697 | + sie->si_paused = 0; |
1698 | + ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex ); |
1699 | + rtask->interval.tv_sec = 0; |
1700 | + ldap_pvt_runqueue_resched( &slapd_rq, rtask, 0 ); |
1701 | + rtask->interval.tv_sec = si->si_interval; |
1702 | + ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex ); |
1703 | + break; |
1704 | + } |
1705 | + } |
1706 | + } |
1707 | + ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_refresh_mutex ); |
1708 | + return removed; |
1709 | +} |
1710 | + |
1711 | static struct berval generic_filterstr = BER_BVC("(objectclass=*)"); |
1712 | |
1713 | static int |
1714 | @@ -511,6 +583,8 @@ ldap_sync_search( |
1715 | ber_init2( ber, NULL, LBER_USE_DER ); |
1716 | ber_set_option( ber, LBER_OPT_BER_MEMCTX, &ctx ); |
1717 | |
1718 | + si->si_msgid = 0; |
1719 | + |
1720 | /* If we're using a log but we have no state, then fallback to |
1721 | * normal mode for a full refresh. |
1722 | */ |
1723 | @@ -519,6 +593,11 @@ ldap_sync_search( |
1724 | LDAPMessage *res, *msg; |
1725 | unsigned long first = 0, last = 0; |
1726 | int gotfirst = 0, gotlast = 0; |
1727 | + |
1728 | + if ( (rc = start_refresh( si )) ) { |
1729 | + return rc; |
1730 | + } |
1731 | + |
1732 | /* See if we're new enough for the remote server */ |
1733 | lattrs[0] = "firstchangenumber"; |
1734 | lattrs[1] = "lastchangenumber"; |
1735 | @@ -597,6 +676,10 @@ ldap_sync_search( |
1736 | attrs = lattrs; |
1737 | attrsonly = 0; |
1738 | } else { |
1739 | + if ( (rc = start_refresh( si )) ) { |
1740 | + return rc; |
1741 | + } |
1742 | + |
1743 | rhint = 1; |
1744 | base = si->si_base.bv_val; |
1745 | filter = si->si_filterstr.bv_val; |
1746 | @@ -680,6 +763,10 @@ ldap_sync_search( |
1747 | } |
1748 | } |
1749 | |
1750 | + si->si_refreshDone = 0; |
1751 | + si->si_refreshPresent = 0; |
1752 | + si->si_refreshDelete = 0; |
1753 | + |
1754 | rc = ldap_search_ext( si->si_ld, base, scope, filter, attrs, attrsonly, |
1755 | ctrls, NULL, NULL, si->si_slimit, &si->si_msgid ); |
1756 | ber_free_buf( ber ); |
1757 | @@ -929,7 +1016,6 @@ do_syncrep1( |
1758 | #endif |
1759 | |
1760 | si->si_lastconnect = slap_get_time(); |
1761 | - si->si_refreshDone = 0; |
1762 | rc = slap_client_connect( &si->si_ld, &si->si_bindconf ); |
1763 | if ( rc != LDAP_SUCCESS ) { |
1764 | goto done; |
1765 | @@ -1095,7 +1181,10 @@ do_syncrep1( |
1766 | |
1767 | rc = ldap_sync_search( si, op->o_tmpmemctx ); |
1768 | |
1769 | - if( rc != LDAP_SUCCESS ) { |
1770 | + if ( rc == SYNC_BUSY ) { |
1771 | + return rc; |
1772 | + } else if ( rc != LDAP_SUCCESS ) { |
1773 | + refresh_finished( si ); |
1774 | Debug( LDAP_DEBUG_ANY, "do_syncrep1: %s " |
1775 | "ldap_search_ext: %s (%d)\n", |
1776 | si->si_ridtxt, ldap_err2string( rc ), rc ); |
1777 | @@ -1187,12 +1276,6 @@ check_csn_age( |
1778 | return rc; |
1779 | } |
1780 | |
1781 | -#define SYNC_TIMEOUT 0 |
1782 | -#define SYNC_SHUTDOWN -100 |
1783 | -#define SYNC_ERROR -101 |
1784 | -#define SYNC_REPOLL -102 |
1785 | -#define SYNC_PAUSED -103 |
1786 | - |
1787 | static int |
1788 | get_pmutex( |
1789 | syncinfo_t *si |
1790 | @@ -1236,6 +1319,8 @@ do_syncrep2( |
1791 | struct timeval tout = { 0, 0 }; |
1792 | |
1793 | int refreshDeletes = 0; |
1794 | + int refreshing = !si->si_refreshDone && |
1795 | + !( si->si_syncdata && si->si_logstate == SYNCLOG_LOGGING ); |
1796 | char empty[6] = "empty"; |
1797 | |
1798 | if ( slapd_shutdown ) { |
1799 | @@ -1291,6 +1376,7 @@ do_syncrep2( |
1800 | break; |
1801 | } |
1802 | #endif |
1803 | + punlock = -1; |
1804 | ldap_get_entry_controls( si->si_ld, msg, &rctrls ); |
1805 | ldap_get_dn_ber( si->si_ld, msg, NULL, &bdn ); |
1806 | if (!bdn.bv_len) { |
1807 | @@ -1307,8 +1393,6 @@ do_syncrep2( |
1808 | /* The notification control is only sent during persist phase */ |
1809 | rctrlp = ldap_control_find( LDAP_CONTROL_PERSIST_ENTRY_CHANGE_NOTICE, rctrls, &next ); |
1810 | if ( rctrlp ) { |
1811 | - if ( !si->si_refreshDone ) |
1812 | - si->si_refreshDone = 1; |
1813 | if ( si->si_refreshDone ) |
1814 | syncrepl_dsee_update( si, op ); |
1815 | } |
1816 | @@ -1380,7 +1464,6 @@ do_syncrep2( |
1817 | rc = -1; |
1818 | goto done; |
1819 | } |
1820 | - punlock = -1; |
1821 | if ( ber_peek_tag( ber, &len ) == LDAP_TAG_SYNC_COOKIE ) { |
1822 | if ( ber_scanf( ber, /*"{"*/ "m}", &cookie ) != LBER_ERROR ) { |
1823 | |
1824 | @@ -1716,6 +1799,14 @@ logerr: |
1825 | "LDAP_RES_INTERMEDIATE", |
1826 | si_tag == LDAP_TAG_SYNC_REFRESH_PRESENT ? |
1827 | "REFRESH_PRESENT" : "REFRESH_DELETE" ); |
1828 | + if ( si->si_refreshDone ) { |
1829 | + Debug( LDAP_DEBUG_ANY, "do_syncrep2: %s " |
1830 | + "server sent multiple refreshDone " |
1831 | + "messages? Ending session\n", |
1832 | + si->si_ridtxt ); |
1833 | + rc = LDAP_PROTOCOL_ERROR; |
1834 | + goto done; |
1835 | + } |
1836 | if ( si_tag == LDAP_TAG_SYNC_REFRESH_DELETE ) { |
1837 | si->si_refreshDelete = 1; |
1838 | } else { |
1839 | @@ -1754,9 +1845,9 @@ logerr: |
1840 | si->si_refreshDone = 1; |
1841 | } |
1842 | ber_scanf( ber, /*"{"*/ "}" ); |
1843 | - if ( si->si_refreshDone ) { |
1844 | - Debug( LDAP_DEBUG_SYNC, "do_syncrep1: %s finished refresh\n", |
1845 | - si->si_ridtxt ); |
1846 | + if ( refreshing && si->si_refreshDone ) { |
1847 | + refresh_finished( si ); |
1848 | + refreshing = 0; |
1849 | } |
1850 | break; |
1851 | case LDAP_TAG_SYNC_ID_SET: |
1852 | @@ -1903,6 +1994,9 @@ done: |
1853 | "do_syncrep2: %s (%d) %s\n", |
1854 | si->si_ridtxt, err, ldap_err2string( err ) ); |
1855 | } |
1856 | + if ( refreshing && ( rc || si->si_refreshDone ) ) { |
1857 | + refresh_finished( si ); |
1858 | + } |
1859 | |
1860 | slap_sync_cookie_free( &syncCookie, 0 ); |
1861 | slap_sync_cookie_free( &syncCookie_req, 0 ); |
1862 | @@ -2041,9 +2135,6 @@ do_syncrepl( |
1863 | |
1864 | /* Establish session, do search */ |
1865 | if ( !si->si_ld ) { |
1866 | - si->si_refreshDelete = 0; |
1867 | - si->si_refreshPresent = 0; |
1868 | - |
1869 | if ( si->si_presentlist ) { |
1870 | presentlist_free( si->si_presentlist ); |
1871 | si->si_presentlist = NULL; |
1872 | @@ -2054,6 +2145,13 @@ do_syncrepl( |
1873 | op->o_dn = op->o_bd->be_rootdn; |
1874 | op->o_ndn = op->o_bd->be_rootndn; |
1875 | rc = do_syncrep1( op, si ); |
1876 | + } else if ( !si->si_msgid ) { |
1877 | + /* We got a SYNC_BUSY, now told to resume */ |
1878 | + rc = ldap_sync_search( si, op->o_tmpmemctx ); |
1879 | + } |
1880 | + if ( rc == SYNC_BUSY ) { |
1881 | + ldap_pvt_thread_mutex_unlock( &si->si_mutex ); |
1882 | + return NULL; |
1883 | } |
1884 | |
1885 | reload: |
1886 | @@ -6007,6 +6105,9 @@ syncinfo_free( syncinfo_t *sie, int free_all ) |
1887 | ch_free( npe ); |
1888 | } |
1889 | if ( sie->si_cookieState ) { |
1890 | + /* Could be called from do_syncrepl (server unpaused) */ |
1891 | + refresh_finished( sie ); |
1892 | + |
1893 | sie->si_cookieState->cs_ref--; |
1894 | if ( !sie->si_cookieState->cs_ref ) { |
1895 | ch_free( sie->si_cookieState->cs_sids ); |
1896 | @@ -6016,6 +6117,8 @@ syncinfo_free( syncinfo_t *sie, int free_all ) |
1897 | ch_free( sie->si_cookieState->cs_psids ); |
1898 | ber_bvarray_free( sie->si_cookieState->cs_pvals ); |
1899 | ldap_pvt_thread_mutex_destroy( &sie->si_cookieState->cs_pmutex ); |
1900 | + ldap_pvt_thread_mutex_destroy( &sie->si_cookieState->cs_refresh_mutex ); |
1901 | + assert( sie->si_cookieState->cs_refreshing == NULL ); |
1902 | ch_free( sie->si_cookieState ); |
1903 | } |
1904 | } |
1905 | @@ -7231,6 +7334,7 @@ add_syncrepl( |
1906 | si->si_cookieState = ch_calloc( 1, sizeof( cookie_state )); |
1907 | ldap_pvt_thread_mutex_init( &si->si_cookieState->cs_mutex ); |
1908 | ldap_pvt_thread_mutex_init( &si->si_cookieState->cs_pmutex ); |
1909 | + ldap_pvt_thread_mutex_init( &si->si_cookieState->cs_refresh_mutex ); |
1910 | ldap_pvt_thread_cond_init( &si->si_cookieState->cs_cond ); |
1911 | |
1912 | c->be->be_syncinfo = si; |
1913 | @@ -7489,7 +7593,7 @@ syncrepl_config( ConfigArgs *c ) |
1914 | ldap_pvt_runqueue_stoptask( &slapd_rq, re ); |
1915 | isrunning = 1; |
1916 | } |
1917 | - if ( ldap_pvt_thread_pool_retract( re->pool_cookie ) > 0 ) |
1918 | + if ( !re->pool_cookie || ldap_pvt_thread_pool_retract( re->pool_cookie ) > 0 ) |
1919 | isrunning = 0; |
1920 | |
1921 | ldap_pvt_runqueue_remove( &slapd_rq, re ); |
1922 | diff --git a/tests/data/dynlist.out b/tests/data/dynlist.out |
1923 | index 0e9e479..926e830 100644 |
1924 | --- a/tests/data/dynlist.out |
1925 | +++ b/tests/data/dynlist.out |
1926 | @@ -679,6 +679,10 @@ memberOf: cn=bonus group,ou=groups,dc=example,dc=com |
1927 | memberOf: cn=alumni assoc staff,ou=groups,dc=example,dc=com |
1928 | memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com |
1929 | |
1930 | +dn: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=example |
1931 | + ,dc=com |
1932 | +uid: jjones |
1933 | + |
1934 | # Testing negated filtered memberOf functionality... |
1935 | dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example, |
1936 | dc=com |
1937 | diff --git a/tests/scripts/test034-translucent b/tests/scripts/test034-translucent |
1938 | index 511ebed..8b834d9 100755 |
1939 | --- a/tests/scripts/test034-translucent |
1940 | +++ b/tests/scripts/test034-translucent |
1941 | @@ -755,6 +755,14 @@ if test -z "$ATTR" ; then |
1942 | exit 1 |
1943 | fi |
1944 | |
1945 | +$LDAPSEARCH -H $URI2 -b "o=translucent" "(employeeType=consult*)" > $SEARCHOUT 2>&1 |
1946 | +ATTR=`grep dn: $SEARCHOUT` > $NOWHERE 2>&1 |
1947 | +if test -z "$ATTR" ; then |
1948 | + echo "got no result, should have found entry" |
1949 | + test $KILLSERVERS != no && kill -HUP $KILLPIDS |
1950 | + exit 1 |
1951 | +fi |
1952 | + |
1953 | echo "Testing search: unconfigured remote filter..." |
1954 | $LDAPSEARCH -H $URI2 -b "o=translucent" "(|(employeeType=foo)(carlicense=right))" > $SEARCHOUT 2>&1 |
1955 | |
1956 | diff --git a/tests/scripts/test044-dynlist b/tests/scripts/test044-dynlist |
1957 | index 52960ea..b7a6b20 100755 |
1958 | --- a/tests/scripts/test044-dynlist |
1959 | +++ b/tests/scripts/test044-dynlist |
1960 | @@ -1049,6 +1049,17 @@ if test $RC != 0 ; then |
1961 | exit $RC |
1962 | fi |
1963 | |
1964 | +$LDAPSEARCH -S "" -b "$BASEDN" -H $URI1 \ |
1965 | + -D "$BABSDN" -w bjensen \ |
1966 | + "(&(uid=jjones)(memberOf=cn=jjs,ou=groups,$BASEDN))" 'uid' \ |
1967 | + >> $SEARCHOUT 2>&1 |
1968 | +RC=$? |
1969 | +if test $RC != 0 ; then |
1970 | + echo "ldapsearch failed ($RC)!" |
1971 | + test $KILLSERVERS != no && kill -HUP $KILLPIDS |
1972 | + exit $RC |
1973 | +fi |
1974 | + |
1975 | echo "Testing negated filtered memberOf functionality..." |
1976 | echo "# Testing negated filtered memberOf functionality..." >> $SEARCHOUT |
1977 |
The dep8 tests have finished on Bileto.
- As expected, apache2 is failing. That's OK, as I explained above.
- cyrus-imapd is failing on ppc64el, but that's because the package was never published on Jammy due to a FTBFS.
- sudo is failing on armhf, but that's also something that was happening before and its migration- reference/ 0 also fails.
- kopanocore is failing on s390x. Likewise, its migration- reference/ 0 is also failing.
Other than that, everything else has passed. This is good for review/upload.