dirsrvtests/tests
by Simon Pichugin
dirsrvtests/tests/tickets/ticket48497_test.py | 3 +--
dirsrvtests/tests/tickets/ticket48745_test.py | 3 +--
dirsrvtests/tests/tickets/ticket48746_test.py | 6 ++----
3 files changed, 4 insertions(+), 8 deletions(-)
New commits:
commit cf11faef091663b2cf52da1e04441d9cb735c42b
Author: Simon Pichugin <spichugi(a)redhat.com>
Date: Wed Nov 9 10:10:51 2016 +0100
Ticket 49024 - Fix the rest of the CI failures
Description: Change errors log paths to the ones from paths.py module.
The rest of the test cases, that failed on CI, passed for me on
the latest version of fedora 389-ds-base package built from master.
https://fedorahosted.org/389/ticket/49024
Reviewed by: mreynolds (Thanks!)
diff --git a/dirsrvtests/tests/tickets/ticket48497_test.py b/dirsrvtests/tests/tickets/ticket48497_test.py
index 3130fc4..d8141d5 100644
--- a/dirsrvtests/tests/tickets/ticket48497_test.py
+++ b/dirsrvtests/tests/tickets/ticket48497_test.py
@@ -135,8 +135,7 @@ def test_ticket48497_homeDirectory_index_run(topology):
topology.standalone.tasks.reindex(suffix=SUFFIX, attrname='homeDirectory', args=args)
log.info("Check indexing succeeded with a specified matching rule")
- file_path = os.path.join(topology.standalone.prefix, "var/log/dirsrv/slapd-%s/errors" % topology.standalone.serverid)
- file_obj = open(file_path, "r")
+ file_obj = open(topology.standalone.errlog, "r")
# Check if the MR configuration failure occurs
regex = re.compile("unknown or invalid matching rule")
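Review bot: `file_obj = open(topology.standalone.errlog, "r")` leaves the handle open if an assertion fails before it is closed; the close, if there is one, is outside the hunk. Since the line is being rewritten anyway, `with open(topology.standalone.errlog, "r") as file_obj:` around the regex scan would release it deterministically. The same line is added in the ticket48745 hunk and both ticket48746 hunks of this commit, and in the ticket48266 and ticket48270 hunks of the later "Fix dbdir paths" commit on this page. The test function continues outside the hunk.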
diff --git a/dirsrvtests/tests/tickets/ticket48745_test.py b/dirsrvtests/tests/tickets/ticket48745_test.py
index 4c23d04..6a0c7f0 100644
--- a/dirsrvtests/tests/tickets/ticket48745_test.py
+++ b/dirsrvtests/tests/tickets/ticket48745_test.py
@@ -106,8 +106,7 @@ def test_ticket48745_homeDirectory_indexed_cis(topology):
topology.standalone.tasks.reindex(suffix=SUFFIX, attrname='homeDirectory', args=args)
log.info("Check indexing succeeded with a specified matching rule")
- file_path = os.path.join(topology.standalone.prefix, "var/log/dirsrv/slapd-%s/errors" % topology.standalone.serverid)
- file_obj = open(file_path, "r")
+ file_obj = open(topology.standalone.errlog, "r")
# Check if the MR configuration failure occurs
regex = re.compile("unknown or invalid matching rule")
diff --git a/dirsrvtests/tests/tickets/ticket48746_test.py b/dirsrvtests/tests/tickets/ticket48746_test.py
index 401b300..0a13998 100644
--- a/dirsrvtests/tests/tickets/ticket48746_test.py
+++ b/dirsrvtests/tests/tickets/ticket48746_test.py
@@ -104,8 +104,7 @@ def test_ticket48746_homeDirectory_indexed_cis(topology):
topology.standalone.tasks.reindex(suffix=SUFFIX, attrname='homeDirectory', args=args)
log.info("Check indexing succeeded with a specified matching rule")
- file_path = os.path.join(topology.standalone.prefix, "var/log/dirsrv/slapd-%s/errors" % topology.standalone.serverid)
- file_obj = open(file_path, "r")
+ file_obj = open(topology.standalone.errlog, "r")
# Check if the MR configuration failure occurs
regex = re.compile("unknown or invalid matching rule")
@@ -168,8 +167,7 @@ def test_ticket48746_homeDirectory_indexed_ces(topology):
topology.standalone.tasks.reindex(suffix=SUFFIX, attrname='homeDirectory', args=args)
log.info("Check indexing succeeded with a specified matching rule")
- file_path = os.path.join(topology.standalone.prefix, "var/log/dirsrv/slapd-%s/errors" % topology.standalone.serverid)
- file_obj = open(file_path, "r")
+ file_obj = open(topology.standalone.errlog, "r")
# Check if the MR configuration failure occurs
regex = re.compile("unknown or invalid matching rule")
7 years, 6 months
2 commits - ldap/servers
by William Brown
ldap/servers/slapd/back-ldbm/dblayer.c | 8 +++++++-
ldap/servers/slapd/back-ldbm/ldbm_attr.c | 4 ++++
ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 5 +++--
ldap/servers/slapd/main.c | 1 +
ldap/servers/slapd/slap.h | 5 +++++
5 files changed, 20 insertions(+), 3 deletions(-)
New commits:
commit 99176404bfe76ee9fcf48b8b28750ec3979ec020
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Sep 28 15:28:28 2016 -0700
Ticket #48987 - Heap use after free in dblayer_close_indexes
Description: Once an attribute info is deleted, its backpointer
dblayer_handle_ai_backpointer in the dblayer handle needs to be
set to NULL not to access the address again. We also need to set
this to null from within the dblayer_close_indexes because there
is no guarantee on the order that we free the handle or the
attrinfo.
https://fedorahosted.org/389/ticket/48987
Author: nhosoi, wibrown
Review: nhosoi (Thanks!)
diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c
index 4bcc4a2..56792c3 100644
--- a/ldap/servers/slapd/back-ldbm/dblayer.c
+++ b/ldap/servers/slapd/back-ldbm/dblayer.c
@@ -2493,7 +2493,13 @@ int dblayer_close_indexes(backend *be)
pDB = handle->dblayer_dbp;
return_value |= pDB->close(pDB,0);
next = handle->dblayer_handle_next;
- *((dblayer_handle **)handle->dblayer_handle_ai_backpointer) = NULL;
+ /* If the backpointer is still valid, NULL the attrinfos ref to us
+ * This is important as there is no ordering guarantee between if the
+ * handle or the attrinfo is freed first!
+ */
+ if (handle->dblayer_handle_ai_backpointer) {
+ *((dblayer_handle **)handle->dblayer_handle_ai_backpointer) = NULL;
+ }
slapi_ch_free((void**)&handle);
}
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attr.c b/ldap/servers/slapd/back-ldbm/ldbm_attr.c
index 30b0f2a..331554e 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_attr.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_attr.c
@@ -59,6 +59,10 @@ attrinfo_delete(struct attrinfo **pp)
slapi_ch_free((void**)&((*pp)->ai_attrcrypt));
attr_done(&((*pp)->ai_sattr));
attrinfo_delete_idlistinfo(&(*pp)->ai_idlistinfo);
+ if ((*pp)->ai_dblayer) {
+ /* attriinfo is deleted. Cleaning up the backpointer at the same time. */
+ ((dblayer_handle *)((*pp)->ai_dblayer))->dblayer_handle_ai_backpointer = NULL;
+ }
slapi_ch_free((void**)pp);
*pp= NULL;
}
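Review bot: The added write `((dblayer_handle *)((*pp)->ai_dblayer))->dblayer_handle_ai_backpointer = NULL;` is only safe if `ai_dblayer` never outlives the handle it points to; any path that frees a handle without clearing the attrinfo's pointer would turn this into a write to freed memory. dblayer_close_indexes in this commit clears the attrinfo side through the backpointer (presumably the address of `ai_dblayer`), but other handle-free paths are not visible here, so confirm they do the same and record the invariant in the comment, e.g. `/* whoever frees the handle clears ai_dblayer, so non-NULL means the handle is live */`. Neither hunk takes a lock in the visible lines; if attrinfo_delete and dblayer_close_indexes can run concurrently, the NULL checks do not protect the writes. The comment also misspells "attrinfo" as "attriinfo".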
commit beb217ed410738ba466c2d0cb015ab8c907617c0
Author: William Brown <firstyear(a)redhat.com>
Date: Tue Nov 8 16:30:01 2016 +1000
Ticket 48945 - Improve db2ldif error message.
Bug Description: When db2ldif fails, because the command is run as root it
confuses the admin when it gets permission denied.
Fix Description: Flag that we are running as the dirsrv user.
https://fedorahosted.org/389/ticket/48945
Author: wibrown
Review by: nhosoi (Thanks!)
diff --git a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
index f9de439..f8fed7c 100644
--- a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
+++ b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
@@ -1259,8 +1259,9 @@ ldbm_back_ldbm2ldif( Slapi_PBlock *pb )
SLAPD_DEFAULT_FILE_MODE);
}
if (fd < 0) {
- slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_ldbm2ldif", "db2ldif: can't open %s: %d (%s)\n",
- fname, errno, dblayer_strerror(errno));
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_ldbm2ldif", "db2ldif: can't open %s: %d (%s) while running as user \"%s\"\n",
+ fname, errno, dblayer_strerror(errno), slapdFrontendConfig->localuserinfo->pw_name);
return_value = -1;
goto bye;
}
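Review bot: `slapdFrontendConfig->localuserinfo->pw_name` is dereferenced with no NULL check, while fix_ownership() in main.c (touched by this same commit) still handles `localuserinfo == NULL`, so a failed open could crash inside the error path instead of logging. Guard it with something like `const char *user = (slapdFrontendConfig && slapdFrontendConfig->localuserinfo) ? slapdFrontendConfig->localuserinfo->pw_name : "<unknown>";` and pass `user` to the format. It would also be safer to copy `errno` into a local before calling getFrontendConfig(), so the logged code cannot be altered by that call. ldbm_back_ldbm2ldif starts and ends outside the hunk.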
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index 7b7a5ed..158d49d 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -234,6 +234,7 @@ fix_ownership(void)
return;
}
+ /* Provided the dse.ldif was read, this should never happen .... */
if (slapdFrontendConfig->localuserinfo == NULL) {
pw = getpwnam( slapdFrontendConfig->localuser );
if ( NULL == pw ) {
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 674da83..f98c7b5 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -118,6 +118,11 @@ typedef struct symbol_t {
#include "csngen.h"
#include "uuid.h"
+/* Because we provide getFrontendConfig, and that contains localuserinfo, we
+ * need to provide pwd.h to allow resolution of the passwd struct.
+ */
+#include <pwd.h>
+
#ifdef ENABLE_NUNC_STANS
#include <nunc-stans/nunc-stans.h>
#endif
7 years, 6 months
dirsrvtests/tests ldap/admin
by Simon Pichugin
dirsrvtests/tests/tickets/ticket47669_test.py | 2 +-
ldap/admin/src/defaults.inf.in | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
New commits:
commit 4d448d3829d21f22d6363cac96a5e00850ee6942
Author: Simon Pichugin <spichugi(a)redhat.com>
Date: Mon Nov 7 21:01:56 2016 +0100
Ticket 49024 - Fix inst_dir parameter in defaults.inf
Description: The inst_dir parameter has wrong value that differs
from nsslapd-instancedir. Set inst_dir to @serverdir@ value.
Fix tests accordingly.
https://fedorahosted.org/389/ticket/49024
Reviewed by: wibrown (Thanks!)
diff --git a/dirsrvtests/tests/tickets/ticket47669_test.py b/dirsrvtests/tests/tickets/ticket47669_test.py
index fd5299c..021ec15 100644
--- a/dirsrvtests/tests/tickets/ticket47669_test.py
+++ b/dirsrvtests/tests/tickets/ticket47669_test.py
@@ -85,7 +85,7 @@ def test_ticket47669_init(topology):
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
try:
- changelogdir = os.path.join(topology.standalone.inst_dir, 'changelog')
+ changelogdir = os.path.join(os.path.dirname(topology.standalone.dbdir), 'changelog')
topology.standalone.add_s(Entry((CHANGELOG,
{'objectclass': 'top extensibleObject'.split(),
'nsslapd-changelogdir': changelogdir})))
diff --git a/ldap/admin/src/defaults.inf.in b/ldap/admin/src/defaults.inf.in
index 7729c06..31dbf2f 100644
--- a/ldap/admin/src/defaults.inf.in
+++ b/ldap/admin/src/defaults.inf.in
@@ -34,6 +34,7 @@ config_dir = @instconfigdir@/slapd-{instance_name}
local_state_dir = @localstatedir@
run_dir = @localstatedir@/run/dirsrv
pid_file = @localstatedir(a)/run/dirsrv/slapd-{instance_name}.pid
+inst_dir = @serverdir@
plugin_dir = @serverplugindir@
; These values can be altered in an installation of ds
@@ -49,7 +50,6 @@ log_dir = @localstatedir@/log/dirsrv/slapd-{instance_name}
access_log = @localstatedir@/log/dirsrv/slapd-{instance_name}/access
audit_log = @localstatedir@/log/dirsrv/slapd-{instance_name}/audit
error_log = @localstatedir@/log/dirsrv/slapd-{instance_name}/errors
-inst_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}
db_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}/db
backup_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}/bak
ldif_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}/ldif
7 years, 6 months
dirsrvtests/tests
by Simon Pichugin
dirsrvtests/tests/suites/dna_plugin/dna_test.py | 4 ++--
dirsrvtests/tests/tickets/ticket47669_test.py | 2 +-
dirsrvtests/tests/tickets/ticket47823_test.py | 15 ++++++++-------
dirsrvtests/tests/tickets/ticket48266_test.py | 13 ++++---------
dirsrvtests/tests/tickets/ticket48270_test.py | 3 +--
dirsrvtests/tests/tickets/ticket48383_test.py | 8 +++++---
dirsrvtests/tests/tickets/ticket48906_test.py | 2 +-
7 files changed, 22 insertions(+), 25 deletions(-)
New commits:
commit 2c80c5cfc20279b1a708cb484673f0485c3bc95f
Author: Simon Pichugin <spichugi(a)redhat.com>
Date: Fri Nov 4 17:35:32 2016 +0100
Ticket 49024 - Fix dbdir paths and adjust test cases
Description: Set db_dir properly in all test cases. Replace expected
exception ldap.SERVER_DOWN with subprocess.CalledProcessError when
server isn't able to start.
Set paths to logs properly.
https://fedorahosted.org/389/ticket/49024
Reviewed by: nhosoi, wibrown (Thanks!)
diff --git a/dirsrvtests/tests/suites/dna_plugin/dna_test.py b/dirsrvtests/tests/suites/dna_plugin/dna_test.py
index 18b871b..8830d5e 100644
--- a/dirsrvtests/tests/suites/dna_plugin/dna_test.py
+++ b/dirsrvtests/tests/suites/dna_plugin/dna_test.py
@@ -60,8 +60,8 @@ def topology(request):
# Delete each instance in the end
def fin():
# This is useful for analysing the test env.
- standalone.db2ldif(bename=DEFAULT_BENAME, suffixes=[DEFAULT_SUFFIX], excludeSuffixes=[], encrypt=False, \
- repl_data=True, outputfile='%s/ldif/%s.ldif' % (standalone.dbdir,SERVERID_STANDALONE ))
+ standalone.db2ldif(bename=DEFAULT_BENAME, suffixes=[DEFAULT_SUFFIX], excludeSuffixes=[], encrypt=False,
+ repl_data=True, outputfile='{}/{}.ldif'.format(standalone.ldifdir, SERVERID_STANDALONE))
standalone.clearBackupFS()
standalone.backupFS()
standalone.delete()
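Review bot: The output path is still assembled with a format string, `'{}/{}.ldif'.format(standalone.ldifdir, SERVERID_STANDALONE)`, while the ticket48906 hunk of this commit moves to os.path.join. `os.path.join(standalone.ldifdir, SERVERID_STANDALONE + '.ldif')` would be consistent with that and avoids a doubled separator if ldifdir ends with a slash (assuming `os` is imported in dna_test.py, which is not visible here). The ticket48383 hunk builds the same path twice, once for db2ldif and once for ldif2db; a single local there would keep the two calls from drifting apart.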
diff --git a/dirsrvtests/tests/tickets/ticket47669_test.py b/dirsrvtests/tests/tickets/ticket47669_test.py
index 0f1a643..fd5299c 100644
--- a/dirsrvtests/tests/tickets/ticket47669_test.py
+++ b/dirsrvtests/tests/tickets/ticket47669_test.py
@@ -85,7 +85,7 @@ def test_ticket47669_init(topology):
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
try:
- changelogdir = "%s/changelog" % topology.standalone.dbdir
+ changelogdir = os.path.join(topology.standalone.inst_dir, 'changelog')
topology.standalone.add_s(Entry((CHANGELOG,
{'objectclass': 'top extensibleObject'.split(),
'nsslapd-changelogdir': changelogdir})))
diff --git a/dirsrvtests/tests/tickets/ticket47823_test.py b/dirsrvtests/tests/tickets/ticket47823_test.py
index 4d6058a..36bd19a 100644
--- a/dirsrvtests/tests/tickets/ticket47823_test.py
+++ b/dirsrvtests/tests/tickets/ticket47823_test.py
@@ -14,6 +14,7 @@ import logging
import pytest
import re
import shutil
+import subprocess
from lib389 import DirSrv, Entry, tools
from lib389.tools import DirSrvTools
from lib389._constants import *
@@ -639,7 +640,7 @@ def test_ticket47823_invalid_config_1(topology):
# be sure to restore a valid config before assert
_config_file(topology, action='restore')
assert not ent
- except ldap.SERVER_DOWN:
+ except subprocess.CalledProcessError:
pass
# Check the expected error message
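Review bot: `except subprocess.CalledProcessError: pass` treats any non-zero exit from the start helper as the expected outcome, so a start failure unrelated to the invalid config also passes this branch; only the log check that follows, outside the hunk, ties the failure to the intended cause. A short comment on the handler, e.g. `# start is expected to fail because the config is invalid; the cause is verified in the errors log below`, would make that dependency explicit. Note too that `_config_file(topology, action='restore')` sits on the success path only in the visible lines, so confirm the config is restored after the exception path as well. The same handler is changed in the six other test_ticket47823_invalid_config_N hunks.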
@@ -690,7 +691,7 @@ def test_ticket47823_invalid_config_2(topology):
# be sure to restore a valid config before assert
_config_file(topology, action='restore')
assert not ent
- except ldap.SERVER_DOWN:
+ except subprocess.CalledProcessError:
pass
# Check the expected error message
@@ -743,7 +744,7 @@ def test_ticket47823_invalid_config_3(topology):
# be sure to restore a valid config before assert
_config_file(topology, action='restore')
assert not ent
- except ldap.SERVER_DOWN:
+ except subprocess.CalledProcessError:
pass
# Check the expected error message
@@ -795,7 +796,7 @@ def test_ticket47823_invalid_config_4(topology):
# be sure to restore a valid config before assert
_config_file(topology, action='restore')
assert not ent
- except ldap.SERVER_DOWN:
+ except subprocess.CalledProcessError:
pass
# Check the expected error message
@@ -846,7 +847,7 @@ def test_ticket47823_invalid_config_5(topology):
# be sure to restore a valid config before assert
_config_file(topology, action='restore')
assert not ent
- except ldap.SERVER_DOWN:
+ except subprocess.CalledProcessError:
pass
# Check the expected error message
@@ -897,7 +898,7 @@ def test_ticket47823_invalid_config_6(topology):
# be sure to restore a valid config before assert
_config_file(topology, action='restore')
assert not ent
- except ldap.SERVER_DOWN:
+ except subprocess.CalledProcessError:
pass
# Check the expected error message
@@ -948,7 +949,7 @@ def test_ticket47823_invalid_config_7(topology):
# be sure to restore a valid config before assert
_config_file(topology, action='restore')
assert not ent
- except ldap.SERVER_DOWN:
+ except subprocess.CalledProcessError:
pass
# Check the expected error message
diff --git a/dirsrvtests/tests/tickets/ticket48266_test.py b/dirsrvtests/tests/tickets/ticket48266_test.py
index 82571e9..18d1ba3 100644
--- a/dirsrvtests/tests/tickets/ticket48266_test.py
+++ b/dirsrvtests/tests/tickets/ticket48266_test.py
@@ -225,8 +225,7 @@ def _get_last_not_replicated_csn(topology):
# now retrieve the CSN of the operation we are looking for
csn = None
topology.master1.stop(timeout=10)
- file_path = os.path.join(topology.master1.prefix, "var/log/dirsrv/slapd-%s/access" % topology.master1.serverid)
- file_obj = open(file_path, "r")
+ file_obj = open(topology.master1.accesslog, "r")
# First the conn/op of the operation
regex = re.compile("MOD dn=\"%s\"" % name)
@@ -272,8 +271,7 @@ def _get_first_not_replicated_csn(topology):
# now retrieve the CSN of the operation we are looking for
csn = None
topology.master1.stop(timeout=10)
- file_path = os.path.join(topology.master1.prefix, "var/log/dirsrv/slapd-%s/access" % topology.master1.serverid)
- file_obj = open(file_path, "r")
+ file_obj = open(topology.master1.accesslog, "r")
# First the conn/op of the operation
regex = re.compile("MOD dn=\"%s\"" % name)
@@ -298,12 +296,10 @@ def _get_first_not_replicated_csn(topology):
def _count_full_session(topology):
- file_path = os.path.join(topology.master1.prefix, "var/log/dirsrv/slapd-%s/errors" % topology.master1.serverid)
-
#
# compute the number of 'No more updates'
#
- file_obj = open(file_path, "r")
+ file_obj = open(topology.master1.errlog, "r")
# pattern to find
pattern = ".*No more updates to send.*"
regex = re.compile(pattern)
@@ -392,8 +388,7 @@ def test_ticket48266_count_csn_evaluation(topology, entries):
# Now determine how many times we have skipped 'csn'
# no need to stop the server to check the error log
- file_path = os.path.join(topology.master1.prefix, "var/log/dirsrv/slapd-%s/errors" % topology.master1.serverid)
- file_obj = open(file_path, "r")
+ file_obj = open(topology.master1.errlog, "r")
# find where the last_csn operation was processed
pattern = ".*ruv_add_csn_inprogress: successfully inserted csn %s.*" % last_csn
diff --git a/dirsrvtests/tests/tickets/ticket48270_test.py b/dirsrvtests/tests/tickets/ticket48270_test.py
index 0eeeed4..6324ef3 100644
--- a/dirsrvtests/tests/tickets/ticket48270_test.py
+++ b/dirsrvtests/tests/tickets/ticket48270_test.py
@@ -96,8 +96,7 @@ def test_ticket48270_homeDirectory_indexed_cis(topology):
topology.standalone.tasks.reindex(suffix=SUFFIX, attrname='homeDirectory', args=args)
log.info("Check indexing succeeded with a specified matching rule")
- file_path = os.path.join(topology.standalone.prefix, "var/log/dirsrv/slapd-%s/errors" % topology.standalone.serverid)
- file_obj = open(file_path, "r")
+ file_obj = open(topology.standalone.errlog, "r")
# Check if the MR configuration failure occurs
regex = re.compile("unknown or invalid matching rule")
diff --git a/dirsrvtests/tests/tickets/ticket48383_test.py b/dirsrvtests/tests/tickets/ticket48383_test.py
index c6bebcd..e49c77f 100644
--- a/dirsrvtests/tests/tickets/ticket48383_test.py
+++ b/dirsrvtests/tests/tickets/ticket48383_test.py
@@ -115,10 +115,12 @@ def test_ticket48383(topology):
# stop the server
topology.standalone.stop(timeout=30)
# Now export and import the DB. It's easier than db2index ...
- topology.standalone.db2ldif(bename=DEFAULT_BENAME, suffixes=[DEFAULT_SUFFIX], excludeSuffixes=[], encrypt=False, \
- repl_data=True, outputfile='%s/ldif/%s.ldif' % (topology.standalone.dbdir,SERVERID_STANDALONE ))
+ topology.standalone.db2ldif(bename=DEFAULT_BENAME, suffixes=[DEFAULT_SUFFIX], excludeSuffixes=[],
+ encrypt=False, repl_data=True,
+ outputfile='{}/{}.ldif'.format(topology.standalone.ldifdir, SERVERID_STANDALONE))
- result = topology.standalone.ldif2db(DEFAULT_BENAME, None, None, False, '%s/ldif/%s.ldif' % (topology.standalone.dbdir,SERVERID_STANDALONE ))
+ result = topology.standalone.ldif2db(DEFAULT_BENAME, None, None, False,
+ '{}/{}.ldif'.format(topology.standalone.ldifdir, SERVERID_STANDALONE))
assert(result)
diff --git a/dirsrvtests/tests/tickets/ticket48906_test.py b/dirsrvtests/tests/tickets/ticket48906_test.py
index e046469..b532500 100644
--- a/dirsrvtests/tests/tickets/ticket48906_test.py
+++ b/dirsrvtests/tests/tickets/ticket48906_test.py
@@ -160,7 +160,7 @@ def _check_dse_ldif_value(topology, attr=DBLOCK_ATTR_CONFIG, expected_value=DBLO
assert(value)
def _check_guardian_value(topology, attr=DBLOCK_ATTR_CONFIG, expected_value=None):
- guardian_file = topology.standalone.dbdir + '/db/guardian'
+ guardian_file = os.path.join(topology.standalone.dbdir, 'guardian')
assert(os.path.exists(guardian_file))
guardian = open(guardian_file, "r")
7 years, 6 months
dirsrvtests/tests include/base ldap/ldif ldap/servers
by William Brown
dirsrvtests/tests/tickets/ticket48961_test.py | 189 ++++++
include/base/systems.h | 1
ldap/ldif/template-dse.ldif.in | 44 -
ldap/servers/slapd/configdse.c | 90 ++-
ldap/servers/slapd/libglobs.c | 754 +++++++++++---------------
ldap/servers/slapd/log.c | 94 +--
ldap/servers/slapd/main.c | 2
ldap/servers/slapd/proto-slap.h | 5
ldap/servers/slapd/slap.h | 202 ++++++
ldap/servers/slapd/ssl.c | 2
10 files changed, 809 insertions(+), 574 deletions(-)
New commits:
commit 54431ba9c3caa39c5ff93d9041add34814faa57a
Author: William Brown <firstyear(a)redhat.com>
Date: Mon Aug 22 15:04:06 2016 +1000
Ticket 48961 - Allow reset of configuration values to defaults.
This ticket really has three parts, but they are hard to separate out.
Bug Description:
- When the admin wants to revert from separate audit and
auditfail logs, they were unable to because ldapmod would issue
unwilling_to_perform on the mod_delete of the nsslapd-auditfaillog attribute.
- A number of our defaults were inconsistently defined, had
values that did not match, or did not exist at all.
- Given that our defaults are all in the server, we should stop
hardcoding them in template.dse.ldif. The issue here is if we need to *change*
a value, because it's in the dse.ldif, we will always be overridden. Our
default upgrade process is useless now!
Fix Description:
- Add nsslapd-auditfaillog to the allowed delete attribute list.
Fix the defaults to be correctly set both in the struct, and the init functions.
Fix config_set to allow delete based on named value, instead of just attr.
- Move all configuration defaults to slap.h, in a single location.
Properly define the defaults with the int / string counterparts, and use them.
This way, when a config default is changed, we change it in "one" place, and
it "just works". Previously, we were not able to easily change defaults due
to the need to hunt for the values throughout the code.
- Remove most of the hardcoded values in dse.ldif. It turns out
some of the conflicted with the values in slap.h (slap.h now matches what was
in dse.ldif to not break expectations). Fix logging initialisation to use
the cfg, as it relied on there being values in dse.ldif else it wouldn't even
start the logging system.
https://fedorahosted.org/389/ticket/48961
Author: wibrown
Review by: nhosoi, mreynolds (Thanks!)
diff --git a/dirsrvtests/tests/tickets/ticket48961_test.py b/dirsrvtests/tests/tickets/ticket48961_test.py
new file mode 100644
index 0000000..ed5a137
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket48961_test.py
@@ -0,0 +1,189 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+DEBUGGING = False
+
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+
+class TopologyStandalone(object):
+ """The DS Topology Class"""
+ def __init__(self, standalone):
+ """Init"""
+ standalone.open()
+ self.standalone = standalone
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ """Create DS Deployment"""
+
+ # Creating standalone instance ...
+ if DEBUGGING:
+ standalone = DirSrv(verbose=True)
+ else:
+ standalone = DirSrv(verbose=False)
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+ instance_standalone = standalone.exists()
+ if instance_standalone:
+ standalone.delete()
+ standalone.create()
+ standalone.open()
+
+ def fin():
+ """If we are debugging just stop the instances, otherwise remove them
+ """
+ if DEBUGGING:
+ standalone.stop()
+ else:
+ standalone.delete()
+ request.addfinalizer(fin)
+
+ return TopologyStandalone(standalone)
+
+
+def test_ticket48961_storagescheme(topology):
+ """
+ Test deleting of the storage scheme.
+ """
+
+ default = topology.standalone.config.get_attr_val('passwordStorageScheme')
+ # Change it
+ topology.standalone.config.set('passwordStorageScheme', 'CLEAR')
+ # Now delete it
+ topology.standalone.config.remove('passwordStorageScheme', None)
+ # Now check it's been reset.
+ assert(default == topology.standalone.config.get_attr_val('passwordStorageScheme'))
+ log.info(default)
+ log.info('Test PASSED')
+
+def _reset_config_value(inst, attrname):
+ # None to value here means remove all instances of the attr.
+ inst.config.remove(attrname, None)
+ newval = inst.config.get_attr_val(attrname)
+ log.info("Reset %s to %s" % (attrname, newval))
+
+def test_ticket48961_deleteall(topology):
+ """
+ Test that we can delete all valid attrs, and that a few are rejected.
+ """
+ attr_to_test = {
+ 'nsslapd-listenhost': 'localhost',
+ 'nsslapd-securelistenhost': 'localhost',
+ 'nsslapd-allowed-sasl-mechanisms': 'GSSAPI',
+ 'nsslapd-svrtab': 'Some bogus data', # This one could reset?
+ }
+ attr_to_fail = {
+ # These are the values that should always be dn dse.ldif too
+ 'nsslapd-localuser': 'dirsrv',
+ 'nsslapd-defaultnamingcontext': 'dc=example,dc=com', # Can't delete
+ 'nsslapd-accesslog': '/opt/dirsrv/var/log/dirsrv/slapd-standalone/access',
+ 'nsslapd-auditlog': '/opt/dirsrv/var/log/dirsrv/slapd-standalone/audit',
+ 'nsslapd-errorlog': '/opt/dirsrv/var/log/dirsrv/slapd-standalone/errors',
+ 'nsslapd-tmpdir': '/tmp',
+ 'nsslapd-rundir': '/opt/dirsrv/var/run/dirsrv',
+ 'nsslapd-bakdir': '/opt/dirsrv/var/lib/dirsrv/slapd-standalone/bak',
+ 'nsslapd-certdir': '/opt/dirsrv/etc/dirsrv/slapd-standalone',
+ 'nsslapd-instancedir': '/opt/dirsrv/lib/dirsrv/slapd-standalone',
+ 'nsslapd-ldifdir': '/opt/dirsrv/var/lib/dirsrv/slapd-standalone/ldif',
+ 'nsslapd-lockdir': '/opt/dirsrv/var/lock/dirsrv/slapd-standalone',
+ 'nsslapd-schemadir': '/opt/dirsrv/etc/dirsrv/slapd-standalone/schema',
+ 'nsslapd-workingdir': '/opt/dirsrv/var/log/dirsrv/slapd-standalone',
+ 'nsslapd-localhost': 'localhost.localdomain',
+ # These can't be reset, but might be in dse.ldif. Probably in libglobs.
+ 'nsslapd-certmap-basedn': 'cn=certmap,cn=config',
+ 'nsslapd-port': '38931', # Can't delete
+ 'nsslapd-secureport': '636', # Can't delete
+ 'nsslapd-conntablesize': '1048576',
+ 'nsslapd-rootpw': '{SSHA512}...',
+ # These are hardcoded server magic.
+ 'nsslapd-hash-filters': 'off', # Can't delete
+ 'nsslapd-requiresrestart': 'cn=config:nsslapd-port', # Can't change
+ 'nsslapd-plugin': 'cn=case ignore string syntax,cn=plugins,cn=config', # Can't change
+ 'nsslapd-privatenamespaces': 'cn=schema', # Can't change
+ 'nsslapd-allowed-to-delete-attrs': 'None', # Can't delete
+ 'nsslapd-accesslog-list': 'List!', # Can't delete
+ 'nsslapd-auditfaillog-list': 'List!',
+ 'nsslapd-auditlog-list': 'List!',
+ 'nsslapd-errorlog-list': 'List!',
+ 'nsslapd-config': 'cn=config',
+ 'nsslapd-versionstring': '389-Directory/1.3.6.0',
+ 'objectclass': '',
+ 'cn': '',
+ # These are the odd values
+ 'nsslapd-backendconfig': 'cn=config,cn=userRoot,cn=ldbm database,cn=plugins,cn=config', # Doesn't exist?
+ 'nsslapd-betype': 'ldbm database', # Doesn't exist?
+ 'nsslapd-connection-buffer': 1, # Has an ldap problem
+ 'nsslapd-malloc-mmap-threshold': '-10', # Defunct anyway
+ 'nsslapd-malloc-mxfast': '-10',
+ 'nsslapd-malloc-trim-threshold': '-10',
+ 'nsslapd-referralmode': '',
+ 'nsslapd-saslpath': '',
+ 'passwordadmindn': '',
+ }
+
+ config_entry = topology.standalone.config.raw_entry()
+
+ for attr in config_entry.getAttrs():
+ if attr.lower() in attr_to_fail:
+ # We know this will fail, so skip
+ pass
+ else:
+ log.info("Reseting %s" % (attr))
+ # Check if we have to do some override of this attr.
+ # Some attributes need specific syntax, so we override just these.
+ newval = topology.standalone.config.get_attr_vals(attr)
+ log.info(" --> %s" % newval)
+ if attr.lower() in attr_to_test:
+ newval = attr_to_test[attr]
+ log.info("override --> %s" % newval)
+ # We need to set the attr to its own value
+ # so that it's "written".
+ topology.standalone.config.set(attr, newval)
+ # Now we can really reset
+ _reset_config_value(topology.standalone, attr)
+
+ for attr in sorted(attr_to_fail):
+ log.info("Removing %s" % attr)
+ try:
+ _reset_config_value(topology.standalone, attr)
+ # Shouldn't reach here, the reset should fail!
+ assert(False)
+ except ldap.UNWILLING_TO_PERFORM:
+ log.info('Change was rejected')
+ except ldap.OPERATIONS_ERROR:
+ log.info('Change was rejected')
+ except ldap.OBJECT_CLASS_VIOLATION:
+ log.info('Change was rejected')
+ except ldap.NO_SUCH_ATTRIBUTE:
+ log.info("This attribute isn't part of cn=config, so is already default!")
+ pass
+
+
+ topology.standalone.restart()
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
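Review bot: In test_ticket48961_deleteall the membership test is `attr.lower() in attr_to_test` but the lookup is `attr_to_test[attr]`, so an attribute that getAttrs() returns in a different case from the dict key raises KeyError; use `newval = attr_to_test[attr.lower()]`. The values in attr_to_fail are never read, only the keys, so the hard-coded `/opt/dirsrv/...` paths, port and version string could be dropped in favour of a set of attribute names. `pytest.main("-s %s" % CURRENT_FILE)` passes a single string; newer pytest releases expect a list, `pytest.main(["-s", CURRENT_FILE])`.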
diff --git a/include/base/systems.h b/include/base/systems.h
index 5f14969..fead5a0 100644
--- a/include/base/systems.h
+++ b/include/base/systems.h
@@ -156,6 +156,7 @@
#ifndef DAEMON_LISTEN_SIZE
#define DAEMON_LISTEN_SIZE 128
+#define DAEMON_LISTEN_SIZE_STR "128"
#endif /* !DAEMON_LISTEN_SIZE */
#ifndef SA_HANDLER_T
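Review bot: `DAEMON_LISTEN_SIZE_STR` is defined inside the `#ifndef DAEMON_LISTEN_SIZE` guard, so a build that predefines DAEMON_LISTEN_SIZE gets no string form at all, or one that disagrees with the integer if it defines its own. Either give the string its own guard after the `#endif` (`#ifndef DAEMON_LISTEN_SIZE_STR` / `#define DAEMON_LISTEN_SIZE_STR "128"` / `#endif`) or derive it from the integer with a two-level stringification macro so the two cannot diverge. A one-line comment saying the two values must stay in sync would help whichever form is kept.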
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 7e519f2..c78f3b9 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -11,59 +11,15 @@ nsslapd-ldifdir: %ldif_dir%
nsslapd-bakdir: %bak_dir%
nsslapd-rundir: %run_dir%
nsslapd-instancedir: %inst_dir%
-nsslapd-accesslog-logging-enabled: on
-nsslapd-accesslog-maxlogsperdir: 10
-nsslapd-accesslog-mode: 600
-nsslapd-accesslog-maxlogsize: 100
-nsslapd-accesslog-logrotationtime: 1
-nsslapd-accesslog-logrotationtimeunit: day
-nsslapd-accesslog-logrotationsync-enabled: off
-nsslapd-accesslog-logrotationsynchour: 0
-nsslapd-accesslog-logrotationsyncmin: 0
nsslapd-accesslog: %log_dir%/access
-nsslapd-enquote-sup-oc: off
nsslapd-localhost: %fqdn%
-nsslapd-schemacheck: on
-nsslapd-syntaxcheck: on
-nsslapd-dn-validate-strict: off
-nsslapd-rewrite-rfc1274: off
-nsslapd-return-exact-case: on
-nsslapd-ssl-check-hostname: on
-nsslapd-validate-cert: warn
-nsslapd-allow-unauthenticated-binds: off
-nsslapd-require-secure-binds: off
-nsslapd-allow-anonymous-access: on
-nsslapd-localssf: 71
-nsslapd-minssf: 0
nsslapd-port: %ds_port%
nsslapd-localuser: %ds_user%
-nsslapd-errorlog-logging-enabled: on
-nsslapd-errorlog-mode: 600
-nsslapd-errorlog-maxlogsperdir: 2
-nsslapd-errorlog-maxlogsize: 100
-nsslapd-errorlog-logrotationtime: 1
-nsslapd-errorlog-logrotationtimeunit: week
-nsslapd-errorlog-logrotationsync-enabled: off
-nsslapd-errorlog-logrotationsynchour: 0
-nsslapd-errorlog-logrotationsyncmin: 0
nsslapd-errorlog: %log_dir%/errors
nsslapd-auditlog: %log_dir%/audit
-nsslapd-auditlog-mode: 600
-nsslapd-auditlog-maxlogsize: 100
-nsslapd-auditlog-logrotationtime: 1
-nsslapd-auditlog-logrotationtimeunit: day
-nsslapd-auditlog-logging-enabled: off
nsslapd-auditfaillog: %log_dir%/audit
-nsslapd-auditfaillog-logging-enabled: off
nsslapd-rootdn: %rootdn%
nsslapd-rootpw: %ds_passwd%
-nsslapd-maxdescriptors: 1024
-nsslapd-max-filter-nest-level: 40
-nsslapd-ndn-cache-enabled: on
-nsslapd-sasl-mapping-fallback: off
-nsslapd-dynamic-plugins: off
-nsslapd-allow-hashed-passwords: off
-nsslapd-logging-backend: dirsrv-log
dn: cn=features,cn=config
objectclass: top
diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c
index 06e70af..78162c9 100644
--- a/ldap/servers/slapd/configdse.c
+++ b/ldap/servers/slapd/configdse.c
@@ -92,6 +92,34 @@ ignore_attr_type(const char *attr_type)
return 0;
}
+
+/* These trigger rejections for config modify! */
+/*
+ * So why does this function exist? Well, when we run modify_config_dse, this
+ * is about intercepting the change and reloading values live. It actually has
+ * nothing to do with the operation on the back-ldif, dse.ldif.
+ * When a change occurs to modify_config_dse, this happens *before* the write
+ * to dse.ldif. Sometimes, because of the extensibleObject, we can't really
+ * validate the schema. We need to protect certain attributes.
+ *
+ * Take CN. If we ignore_attr_type cn, we skip over it in modify_config_dse, but
+ * we still delete it from cn=config in dse.ldif. The server then explodes!
+ * So this is a barrier to *reject* changes that would trash your server, rather
+ * than allowing them to propogate into dse.ldif.
+ *
+ * SUMMARY: If it's an attribute that is structurally important to cn=config,
+ * and IS NOT a configuration in libglobs.c, PUT IT HERE.
+ */
+
+static int
+reject_attr_type(const char *attr_type)
+{
+ if ( !attr_type || (strcasecmp (attr_type, "cn") == 0)) {
+ return 1;
+ }
+ return 0;
+}
+
int
read_config_dse (Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, int *returncode, char *returntext, void *arg)
{
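Review bot: reject_attr_type returns 1 for a NULL attr_type, and the call site this commit adds in modify_config_dse then passes that same pointer to the `%s` of its slapi_log_err warning. Whether the log formatter tolerates a NULL string argument is not visible here, so I would log `config_attr ? config_attr : "(null)"` at the call site, or say in the comment that NULL is rejected on purpose. The comment block would also benefit from one line giving the contract, for example `Returns 1 when attr_type is NULL or names an attribute that must never be changed on cn=config, 0 otherwise.`, and "propogate" should read "propagate".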
@@ -362,10 +390,24 @@ modify_config_dse(Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e, in
for (i = 0; mods && (mods[i] && (LDAP_SUCCESS == rc)); i++) {
/* send all aci modifications to the backend */
config_attr = (char *)mods[i]->mod_type;
- if (ignore_attr_type(config_attr))
- continue;
-
- if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) {
+
+ /*
+ * See comments with function reject_attr_type for the important
+ * difference between "reject" and "ignore".
+ *
+ * Here it is important that REJECT is FIRST!!!!
+ */
+
+ if (reject_attr_type(config_attr)) {
+ slapi_log_err(SLAPI_LOG_WARNING, "modify_config_dse",
+ "Modification of attribute \"%s\" is not allowed, REJECTING!\n",
+ config_attr);
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ } else if (ignore_attr_type(config_attr)) {
+ slapi_log_err(SLAPI_LOG_WARNING, "modify_config_dse",
+ "Modification of attribute \"%s\" is not allowed, ignoring!\n",
+ config_attr);
+ } else if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) {
if (apply_mods) { /* log warning once */
slapi_log_err(SLAPI_LOG_WARNING, "modify_config_dse",
"Adding configuration attribute \"%s\"\n",
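Review bot: The reject branch sets `rc = LDAP_UNWILLING_TO_PERFORM` but never fills returntext, so the client receives the error code with no explanation, unlike the delete path later in this function, which writes a message with PR_snprintf. I would add `PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "Modification of attribute \"%s\" is not allowed", config_attr);` next to the assignment. The new "ignoring!" warning also sits outside the `if (apply_mods)` guard that the add branch uses to "log warning once", so if the function runs once to check and once to apply, as that comment suggests, each ignored attribute is logged twice. modify_config_dse starts and ends outside this hunk.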
@@ -380,26 +422,30 @@ modify_config_dse(Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e, in
rc = LDAP_UNWILLING_TO_PERFORM;
}
} else if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) {
- /* Need to allow deleting some configuration attrs */
- if (config_allowed_to_delete_attrs(config_attr)) {
- rc = config_set(config_attr, mods[i]->mod_bvalues,
- returntext, apply_mods);
- if (apply_mods) { /* log warning once */
- slapi_log_err(SLAPI_LOG_WARNING, "modify_config_dse",
- "Deleting configuration attribute \"%s\"\n",
- config_attr);
+ /*
+ * Check if this delete is followed by an add of the same attribute, as some
+ * clients do a replace by deleting and adding the attribute.
+ * In the future when we fix https://fedorahosted.org/389/ticket/49019
+ * This will be an important distinction as it will allow a reset to null
+ * rather than to a value.
+ */
+ if(is_delete_a_replace(mods, i)){
+ /* Just do it and allow the null (well, in the future allow null. For
+ * now this is still going to fail :(
+ */
+ rc = config_set(config_attr, mods[i]->mod_bvalues, returntext, apply_mods);
+ if (rc != LDAP_SUCCESS && apply_mods) {
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ slapi_log_err(SLAPI_LOG_WARNING, "modify_config_dse", "Deleting configuration attribute \"%s\"\n", config_attr);
+ PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "Deleting attributes is not allowed");
}
} else {
- /*
- * Check if this delete is followed by an add of the same attribute, as some
- * clients do a replace by deleting and adding the attribute.
- */
- if(is_delete_a_replace(mods, i)){
- rc = config_set(config_attr, mods[i]->mod_bvalues, returntext, apply_mods);
- } else {
- rc= LDAP_UNWILLING_TO_PERFORM;
- PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
- "Deleting attributes is not allowed");
+ /* Nope, this is really a delete. Let the value be reset! */
+ rc = config_set(config_attr, mods[i]->mod_bvalues, returntext, apply_mods);
+ if (rc != LDAP_SUCCESS && apply_mods) {
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ slapi_log_err(SLAPI_LOG_WARNING, "modify_config_dse", "Deleting configuration attribute \"%s\"\n", config_attr);
+ PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "Deleting attributes is not allowed");
}
}
} else if (SLAPI_IS_MOD_REPLACE(mods[i]->mod_op)) {
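Review bot: A successful delete of a configuration attribute is no longer recorded: both branches now call slapi_log_err only when `rc != LDAP_SUCCESS`, whereas the removed code logged "Deleting configuration attribute" whenever apply_mods was set. Since a delete now resets any item that has an initvalue, such as the password-policy items in the libglobs.c table, the error log is the natural place to see that a setting was returned to its default. I would log on the success path, `if (rc == LDAP_SUCCESS && apply_mods) { slapi_log_err(SLAPI_LOG_WARNING, "modify_config_dse", "Deleting configuration attribute \"%s\"\n", config_attr); }`, and give the failure path its own wording. The failure path also overwrites whatever config_set placed in returntext with the generic "Deleting attributes is not allowed". The enclosing loop continues outside this hunk.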
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 6e29b82..b168506 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -12,13 +12,95 @@
#endif
/*
- *
* libglobs.c -- SLAPD library global variables
+ *
+ * !!!!!!!!!!!!!!!!!!!!!!!!!!!! IMPORTANT !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ *
+ * Process for adding new configuration items to libglobs.c
+ *
+ * To understand the process of adding a new configuration item, you need to
+ * know how values here are used, and their lifecycle.
+ *
+ * First, the *initial* values are set from main.c when it calls
+ * FrontendConfig_init(). This creates the global frontendConfig struct.
+ *
+ * Logging is then initiated in g_log_init(), which sets a number of defaults.
+ *
+ * During the startup, dse.ldif is read. Any value from dse.ldif now overrides
+ * the value in cfg. These call the appropriate config_set_<type> function
+ * so the checking and locking is performed.
+ *
+ * The server is now running. Values from the cfg are read through the code
+ * with config_get_<type>. For cn=config, these are read from configdse.c
+ * and presented to the search.
+ *
+ * When a value is modified, the appropriate config_set_<type> function is
+ * simply called.
+ *
+ * When a value is deleted, two things can happen. First, is that the value
+ * does not define an initvalue, so the deletion is rejected will
+ * LDAP_UNWILLING_TO_PERFORM. Second is that the value does have an initvalue
+ * so the mod_delete actually acts as config_set_<type>(initvalue). Null is
+ * never seen by the cfg struct. This is important as it prevents races!
+ *
+ * A key note is if the value is in dse.ldif, it *always* overrides the value
+ * that DS is providing. If the value is only in libglobs.c as a default, if
+ * the default changes, any instance that does NOT define the config in dse.ldif
+ * will automatically gain the new default.
+ *
+ * ===== ADDING A NEW VALUE =====
+ *
+ * With this in mind, you are here to add a new value.
+ *
+ * First, add the appropriate type for the cfg struct in slap.h
+ * struct _slapdFrontendConfig { }
+ * Now, you *must* provide defaults for the type. In slap.h there is a section
+ * of SLAPD_DEFAULT_* options. You want to add your option here. If it's an int
+ * type you *must* provided
+ * #define SLAPD_DEFAULT_OPTION <int>
+ * #define SLAPD_DEFAULT_OPTION_STR "<int>"
+ *
+ * Now the default is populated in libglobs.c. Add a line like:
+ * cfg->option = SLAPD_DEFAULT_OPTION
+ *
+ * Next you need to add the config_get_and_set struct. It is defined below
+ * but important to note is:
+ * {CONFIG_ACCESSLOG_LOGEXPIRATIONTIME_ATTRIBUTE, NULL,
+ * log_set_expirationtime, SLAPD_ACCESS_LOG,
+ * (void**)&global_slapdFrontendConfig.accesslog_exptime,
+ * CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_EXPTIME_STR},
+ * {CONFIG_LOCALUSER_ATTRIBUTE, config_set_localuser,
+ * NULL, 0,
+ * (void**)&global_slapdFrontendConfig.localuser,
+ * CONFIG_STRING, NULL, NULL // deletion is not allowed
+ * },
+ *
+ * The first struct takes an int. So here, you would use SLAPD_DEFAULT_OPTION_STR
+ * for your initvalue. This allows the config item to be reset.
+ * The second struct *does not* allow a reset, and it's initvalue is set to NULL.
+ *
+ * You may now optionally add the config_get_<type> / config_set_<type>
+ * functions. If you do not define these, ldap will not be able to modify the
+ * value live or from dse.ldif. So you probably want these ;)
+ *
+ * DO NOT add your new config type to template.dse.ldif.in. You will BREAK
+ * transparent upgrades of the value.
+ *
+ * Key notes:
+ * - A value that does not allow reset, can still be modified. It just cannot
+ * have a mod_delete performed on it.
+ * - Logging defaults must go in libglobs.c, slap.h, and log.c (g_log_init())
+ * - To allow a reset to "blank", init value of "" for a char * type is used.
+ * - For int and onoff types, you must provide a int or a bool for reset to work.
+ * - Int types must have a matching _STR define for the initvalue to allow reset
+ * - define your values in pairs in slap.h. This way it's easy to spot mistakes.
+ * - DO NOT add your new values to dse.ldif. ONLY in slap.h/libglobs.c. This
+ * allows default upgrading!
+ *
+ * Happy configuring
+ * -- wibrown, 2016.
+ *
*/
-/* for windows only
- we define slapd_ldap_debug here, so we don't want to declare
- it in any header file which might conflict with our definition
-*/
#include "ldap.h"
#include <sslproto.h>
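Review bot: The new header comment explains that a mod_delete on an item with an initvalue sets the item back to that initvalue, but it does not tell the person adding an item what this means for security-relevant settings: once an initvalue is given, anyone allowed to modify cn=config can return the item to the compiled-in default with a delete. I would add a key note such as ` * - Giving an item an initvalue makes it resettable by mod_delete; for security-relevant items check that the default is acceptable after a reset.` Two wording slips in the same comment are worth fixing while here: "the deletion is rejected will LDAP_UNWILLING_TO_PERFORM" should read "rejected with", and "you *must* provided" should read "provide".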
@@ -87,87 +169,7 @@ static int config_set_schemareplace ( const char *attrname, char *value,
static void remove_commas(char *str);
static int invalid_sasl_mech(char *str);
-/* Keeping the initial values */
-/* CONFIG_INT/CONFIG_LONG */
-#define DEFAULT_LOG_ROTATIONSYNCHOUR "0"
-#define DEFAULT_LOG_ROTATIONSYNCMIN "0"
-#define DEFAULT_LOG_ROTATIONTIME "1"
-#define DEFAULT_LOG_ACCESS_MAXNUMLOGS "10"
-#define DEFAULT_LOG_MAXNUMLOGS "1"
-#define DEFAULT_LOG_EXPTIME "1"
-#define DEFAULT_LOG_ACCESS_MAXDISKSPACE "500"
-#define DEFAULT_LOG_MAXDISKSPACE "100"
-#define DEFAULT_LOG_MAXLOGSIZE "100"
-#define DEFAULT_LOG_MINFREESPACE "5"
-#define DEFAULT_ACCESSLOGLEVEL "256"
-#define DEFAULT_SIZELIMIT "2000"
-#define DEFAULT_TIMELIMIT "3600"
-#define DEFAULT_PAGEDSIZELIMIT "0"
-#define DEFAULT_IDLE_TIMEOUT "0"
-#define DEFAULT_MAXDESCRIPTORS "1024"
-#define DEFAULT_RESERVE_FDS "64"
-#define DEFAULT_MAX_BERSIZE "0"
-#define DEFAULT_MAX_THREADS "30"
-#define DEFAULT_MAX_THREADS_PER_CONN "5"
-#define DEFAULT_IOBLOCK_TIMEOUT "1800000"
-#define DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT "300000"
-#define DEFAULT_MAX_FILTER_NEST_LEVEL "40"
-#define DEFAULT_GROUPEVALNESTLEVEL "0"
-#define DEFAULT_SNMP_INDEX "0"
-#define DEFAULT_MAX_SASLIO_SIZE "2097152"
-#define DEFAULT_DISK_THRESHOLD "2097152"
-#define DEFAULT_DISK_GRACE_PERIOD "60"
-#define DEFAULT_LOCAL_SSF "71"
-#define DEFAULT_MIN_SSF "0"
-#define DEFAULT_PW_INHISTORY "6"
-#define DEFAULT_PW_GRACELIMIT "0"
-#define DEFAULT_PW_MINLENGTH "0"
-#define DEFAULT_PW_MINDIGITS "0"
-#define DEFAULT_PW_MINALPHAS "0"
-#define DEFAULT_PW_MINUPPERS "0"
-#define DEFAULT_PW_MINLOWERS "0"
-#define DEFAULT_PW_MINSPECIALS "0"
-#define DEFAULT_PW_MIN8BIT "0"
-#define DEFAULT_PW_MAXREPEATS "0"
-#define DEFAULT_PW_MINCATEGORIES "3"
-#define DEFAULT_PW_MINTOKENLENGTH "3"
-#define DEFAULT_PW_MAXAGE "8640000"
-#define DEFAULT_PW_MINAGE "0"
-#define DEFAULT_PW_WARNING "86400"
-#define DEFAULT_PW_MAXFAILURE "3"
-#define DEFAULT_PW_RESETFAILURECOUNT "600"
-#define DEFAULT_PW_LOCKDURATION "3600"
-#define DEFAULT_NDN_SIZE "20971520"
-#define DEFAULT_MAXBERSIZE 2097152
-#define DEFAULT_SASL_MAXBUFSIZE "2097152"
-#define SLAPD_DEFAULT_SASL_MAXBUFSIZE 2097152
-#define DEFAULT_MAXSIMPLEPAGED_PER_CONN (-1)
-#define DEFAULT_MAXSIMPLEPAGED_PER_CONN_STR "-1"
-#ifdef MEMPOOL_EXPERIMENTAL
-#define DEFAULT_MEMPOOL_MAXFREELIST "1024"
-#endif
-/* CONFIG_STRING... */
-#define INIT_ACCESSLOG_MODE "600"
-#define INIT_ERRORLOG_MODE "600"
-#define INIT_AUDITLOG_MODE "600"
-#define INIT_AUDITFAILLOG_MODE "600"
-#define INIT_ACCESSLOG_ROTATIONUNIT "day"
-#define INIT_ERRORLOG_ROTATIONUNIT "week"
-#define INIT_AUDITLOG_ROTATIONUNIT "week"
-#define INIT_AUDITFAILLOG_ROTATIONUNIT "week"
-#define INIT_ACCESSLOG_EXPTIMEUNIT "month"
-#define INIT_ERRORLOG_EXPTIMEUNIT "month"
-#define INIT_AUDITLOG_EXPTIMEUNIT "month"
-#define INIT_AUDITFAILLOG_EXPTIMEUNIT "month"
-#define DEFAULT_DIRECTORY_MANAGER "cn=Directory Manager"
-#define DEFAULT_UIDNUM_TYPE "uidNumber"
-#define DEFAULT_GIDNUM_TYPE "gidNumber"
-#define DEFAULT_LDAPI_SEARCH_BASE "dc=example,dc=com"
-#define DEFAULT_LDAPI_AUTO_DN "cn=peercred,cn=external,cn=auth"
-#define ENTRYUSN_IMPORT_INIT "0"
-#define DEFAULT_ALLOWED_TO_DELETE_ATTRS "nsslapd-listenhost nsslapd-securelistenhost nsslapd-defaultnamingcontext nsslapd-snmp-index"
-#define INIT_LOGGING_BACKEND_INTERNAL "dirsrv-log"
/* CONFIG_ON_OFF */
slapi_onoff_t init_accesslog_rotationsync_enabled;
@@ -235,7 +237,6 @@ slapi_onoff_t init_enable_turbo_mode;
slapi_onoff_t init_connection_nocanon;
slapi_onoff_t init_plugin_logging;
slapi_int_t init_connection_buffer;
-slapi_int_t init_listen_backlog_size;
slapi_onoff_t init_ignore_time_skew;
slapi_onoff_t init_dynamic_plugins;
slapi_onoff_t init_cn_uses_dn_syntax_in_dns;
@@ -252,11 +253,7 @@ slapi_int_t init_malloc_mmap_threshold;
slapi_onoff_t init_mempool_switch;
#endif
slapi_onoff_t init_extract_pem;
-
-#define DEFAULT_SSLCLIENTAPTH "off"
-#define DEFAULT_ALLOW_ANON_ACCESS "on"
-#define DEFAULT_VALIDATE_CERT "warn"
-#define DEFAULT_UNHASHED_PW_SWITCH "on"
+slapi_onoff_t init_ignore_vattrs;
static int
isInt(ConfigVarType type)
@@ -283,7 +280,7 @@ static struct config_get_and_set {
{CONFIG_AUDITLOG_MODE_ATTRIBUTE, NULL,
log_set_mode, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_mode,
- CONFIG_STRING, NULL, INIT_AUDITLOG_MODE},
+ CONFIG_STRING, NULL, SLAPD_INIT_LOG_MODE},
{CONFIG_AUDITLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE, NULL,
log_set_rotationsync_enabled, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_rotationsync_enabled,
@@ -291,27 +288,27 @@ static struct config_get_and_set {
{CONFIG_AUDITLOG_LOGROTATIONSYNCHOUR_ATTRIBUTE, NULL,
log_set_rotationsynchour, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_rotationsynchour,
- CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONSYNCHOUR},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR_STR},
{CONFIG_AUDITLOG_LOGROTATIONSYNCMIN_ATTRIBUTE, NULL,
log_set_rotationsyncmin, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_rotationsyncmin,
- CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONSYNCMIN},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN_STR},
{CONFIG_AUDITLOG_LOGROTATIONTIME_ATTRIBUTE, NULL,
log_set_rotationtime, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_rotationtime,
- CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONTIME},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONTIME_STR},
{CONFIG_ACCESSLOG_MODE_ATTRIBUTE, NULL,
log_set_mode, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_mode,
- CONFIG_STRING, NULL, INIT_ACCESSLOG_MODE},
+ CONFIG_STRING, NULL, SLAPD_INIT_LOG_MODE},
{CONFIG_ACCESSLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE, NULL,
log_set_numlogsperdir, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_maxnumlogs,
- CONFIG_INT, NULL, DEFAULT_LOG_ACCESS_MAXNUMLOGS},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ACCESS_MAXNUMLOGS_STR},
{CONFIG_LOGLEVEL_ATTRIBUTE, config_set_errorlog_level,
NULL, 0,
(void**)&global_slapdFrontendConfig.errorloglevel,
- CONFIG_SPECIAL_ERRORLOGLEVEL, NULL, NULL},
+ CONFIG_SPECIAL_ERRORLOGLEVEL, NULL, SLAPD_DEFAULT_ERRORLOG_LEVEL_STR},
{CONFIG_ERRORLOG_LOGGING_ENABLED_ATTRIBUTE, NULL,
log_set_logging, SLAPD_ERROR_LOG,
(void**)&global_slapdFrontendConfig.errorlog_logging_enabled,
@@ -319,11 +316,11 @@ static struct config_get_and_set {
{CONFIG_ERRORLOG_MODE_ATTRIBUTE, NULL,
log_set_mode, SLAPD_ERROR_LOG,
(void**)&global_slapdFrontendConfig.errorlog_mode,
- CONFIG_STRING, NULL, INIT_ERRORLOG_MODE},
+ CONFIG_STRING, NULL, SLAPD_INIT_LOG_MODE},
{CONFIG_ERRORLOG_LOGEXPIRATIONTIME_ATTRIBUTE, NULL,
log_set_expirationtime, SLAPD_ERROR_LOG,
(void**)&global_slapdFrontendConfig.errorlog_exptime,
- CONFIG_INT, NULL, DEFAULT_LOG_EXPTIME},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_EXPTIME_STR},
{CONFIG_ACCESSLOG_LOGGING_ENABLED_ATTRIBUTE, NULL,
log_set_logging, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_logging_enabled,
@@ -331,7 +328,7 @@ static struct config_get_and_set {
{CONFIG_PORT_ATTRIBUTE, config_set_port,
NULL, 0,
(void**)&global_slapdFrontendConfig.port,
- CONFIG_INT, NULL, NULL/* deletion is not allowed */},
+ CONFIG_INT, NULL, NULL},
{CONFIG_WORKINGDIR_ATTRIBUTE, config_set_workingdir,
NULL, 0,
(void**)&global_slapdFrontendConfig.workingdir,
@@ -339,11 +336,11 @@ static struct config_get_and_set {
{CONFIG_MAXTHREADSPERCONN_ATTRIBUTE, config_set_maxthreadsperconn,
NULL, 0,
(void**)&global_slapdFrontendConfig.maxthreadsperconn,
- CONFIG_INT, NULL, DEFAULT_MAX_THREADS_PER_CONN},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_MAX_THREADS_PER_CONN_STR},
{CONFIG_ACCESSLOG_LOGEXPIRATIONTIME_ATTRIBUTE, NULL,
log_set_expirationtime, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_exptime,
- CONFIG_INT, NULL, DEFAULT_LOG_EXPTIME},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_EXPTIME_STR},
{CONFIG_LOCALUSER_ATTRIBUTE, config_set_localuser,
NULL, 0,
(void**)&global_slapdFrontendConfig.localuser,
@@ -355,19 +352,19 @@ static struct config_get_and_set {
{CONFIG_ERRORLOG_LOGROTATIONSYNCHOUR_ATTRIBUTE, NULL,
log_set_rotationsynchour, SLAPD_ERROR_LOG,
(void**)&global_slapdFrontendConfig.errorlog_rotationsynchour,
- CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONSYNCHOUR},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR_STR},
{CONFIG_ERRORLOG_LOGROTATIONSYNCMIN_ATTRIBUTE, NULL,
log_set_rotationsyncmin, SLAPD_ERROR_LOG,
(void**)&global_slapdFrontendConfig.errorlog_rotationsyncmin,
- CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONSYNCMIN},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN_STR},
{CONFIG_ERRORLOG_LOGROTATIONTIME_ATTRIBUTE, NULL,
log_set_rotationtime, SLAPD_ERROR_LOG,
(void**)&global_slapdFrontendConfig.errorlog_rotationtime,
- CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONTIME},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONTIME_STR},
{CONFIG_PW_INHISTORY_ATTRIBUTE, config_set_pw_inhistory,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_inhistory,
- CONFIG_INT, NULL, DEFAULT_PW_INHISTORY},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_INHISTORY_STR},
{CONFIG_PW_STORAGESCHEME_ATTRIBUTE, config_set_pw_storagescheme,
NULL, 0, NULL,
CONFIG_STRING, (ConfigGetFunc)config_get_pw_storagescheme,
@@ -379,7 +376,7 @@ static struct config_get_and_set {
{CONFIG_PW_GRACELIMIT_ATTRIBUTE, config_set_pw_gracelimit,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_gracelimit,
- CONFIG_INT, NULL, DEFAULT_PW_GRACELIMIT},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_GRACELIMIT_STR},
{CONFIG_PW_ADMIN_DN_ATTRIBUTE, config_set_pw_admin_dn,
NULL, 0,
NULL,
@@ -391,15 +388,15 @@ static struct config_get_and_set {
{CONFIG_ACCESSLOG_LOGROTATIONSYNCHOUR_ATTRIBUTE, NULL,
log_set_rotationsynchour, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_rotationsynchour,
- CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONSYNCHOUR},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR_STR},
{CONFIG_ACCESSLOG_LOGROTATIONSYNCMIN_ATTRIBUTE, NULL,
log_set_rotationsyncmin, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_rotationsyncmin,
- CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONSYNCMIN},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN_STR},
{CONFIG_ACCESSLOG_LOGROTATIONTIME_ATTRIBUTE, NULL,
log_set_rotationtime, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_rotationtime,
- CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONTIME},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONTIME_STR},
{CONFIG_PW_MUSTCHANGE_ATTRIBUTE, config_set_pw_must_change,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_must_change,
@@ -415,19 +412,19 @@ static struct config_get_and_set {
{CONFIG_AUDITLOG_MAXLOGDISKSPACE_ATTRIBUTE, NULL,
log_set_maxdiskspace, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_maxdiskspace,
- CONFIG_INT, NULL, DEFAULT_LOG_MAXDISKSPACE},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXDISKSPACE_STR},
{CONFIG_SIZELIMIT_ATTRIBUTE, config_set_sizelimit,
NULL, 0,
(void**)&global_slapdFrontendConfig.sizelimit,
- CONFIG_INT, NULL, DEFAULT_SIZELIMIT},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_SIZELIMIT_STR},
{CONFIG_AUDITLOG_MAXLOGSIZE_ATTRIBUTE, NULL,
log_set_logsize, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_maxlogsize,
- CONFIG_INT, NULL, DEFAULT_LOG_MAXLOGSIZE},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXLOGSIZE_STR},
{CONFIG_PW_WARNING_ATTRIBUTE, config_set_pw_warning,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_warning,
- CONFIG_LONG, NULL, DEFAULT_PW_WARNING},
+ CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_WARNING_STR},
{CONFIG_READONLY_ATTRIBUTE, config_set_readonly,
NULL, 0,
(void**)&global_slapdFrontendConfig.readonly,
@@ -440,7 +437,7 @@ static struct config_get_and_set {
{CONFIG_THREADNUMBER_ATTRIBUTE, config_set_threadnumber,
NULL, 0,
(void**)&global_slapdFrontendConfig.threadnumber,
- CONFIG_INT, NULL, DEFAULT_MAX_THREADS},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_MAX_THREADS_STR},
{CONFIG_PW_LOCKOUT_ATTRIBUTE, config_set_pw_lockout,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_lockout,
@@ -456,55 +453,55 @@ static struct config_get_and_set {
{CONFIG_IOBLOCKTIMEOUT_ATTRIBUTE, config_set_ioblocktimeout,
NULL, 0,
(void**)&global_slapdFrontendConfig.ioblocktimeout,
- CONFIG_INT, NULL, DEFAULT_IOBLOCK_TIMEOUT},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_IOBLOCK_TIMEOUT_STR},
{CONFIG_MAX_FILTER_NEST_LEVEL_ATTRIBUTE, config_set_max_filter_nest_level,
NULL, 0,
(void**)&global_slapdFrontendConfig.max_filter_nest_level,
- CONFIG_INT, NULL, DEFAULT_MAX_FILTER_NEST_LEVEL},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL_STR},
{CONFIG_ERRORLOG_MAXLOGDISKSPACE_ATTRIBUTE, NULL,
log_set_maxdiskspace, SLAPD_ERROR_LOG,
(void**)&global_slapdFrontendConfig.errorlog_maxdiskspace,
- CONFIG_INT, NULL, DEFAULT_LOG_MAXDISKSPACE},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXDISKSPACE_STR},
{CONFIG_PW_MINLENGTH_ATTRIBUTE, config_set_pw_minlength,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_minlength,
- CONFIG_INT, NULL, DEFAULT_PW_MINLENGTH},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINLENGTH_STR},
{CONFIG_PW_MINDIGITS_ATTRIBUTE, config_set_pw_mindigits,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_mindigits,
- CONFIG_INT, NULL, DEFAULT_PW_MINDIGITS},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINDIGITS_STR},
{CONFIG_PW_MINALPHAS_ATTRIBUTE, config_set_pw_minalphas,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_minalphas,
- CONFIG_INT, NULL, DEFAULT_PW_MINALPHAS},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINALPHAS_STR},
{CONFIG_PW_MINUPPERS_ATTRIBUTE, config_set_pw_minuppers,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_minuppers,
- CONFIG_INT, NULL, DEFAULT_PW_MINUPPERS},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINUPPERS_STR},
{CONFIG_PW_MINLOWERS_ATTRIBUTE, config_set_pw_minlowers,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_minlowers,
- CONFIG_INT, NULL, DEFAULT_PW_MINLOWERS},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINLOWERS_STR},
{CONFIG_PW_MINSPECIALS_ATTRIBUTE, config_set_pw_minspecials,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_minspecials,
- CONFIG_INT, NULL, DEFAULT_PW_MINSPECIALS},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINSPECIALS_STR},
{CONFIG_PW_MIN8BIT_ATTRIBUTE, config_set_pw_min8bit,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_min8bit,
- CONFIG_INT, NULL, DEFAULT_PW_MIN8BIT},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MIN8BIT_STR},
{CONFIG_PW_MAXREPEATS_ATTRIBUTE, config_set_pw_maxrepeats,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_maxrepeats,
- CONFIG_INT, NULL, DEFAULT_PW_MAXREPEATS},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MAXREPEATS_STR},
{CONFIG_PW_MINCATEGORIES_ATTRIBUTE, config_set_pw_mincategories,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_mincategories,
- CONFIG_INT, NULL, DEFAULT_PW_MINCATEGORIES},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINCATEGORIES_STR},
{CONFIG_PW_MINTOKENLENGTH_ATTRIBUTE, config_set_pw_mintokenlength,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_mintokenlength,
- CONFIG_INT, NULL, DEFAULT_PW_MINTOKENLENGTH},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MINTOKENLENGTH_STR},
{CONFIG_ERRORLOG_ATTRIBUTE, config_set_errorlog,
NULL, 0,
(void**)&global_slapdFrontendConfig.errorlog,
@@ -512,7 +509,7 @@ static struct config_get_and_set {
{CONFIG_AUDITLOG_LOGEXPIRATIONTIME_ATTRIBUTE, NULL,
log_set_expirationtime, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_exptime,
- CONFIG_INT, NULL, DEFAULT_LOG_EXPTIME},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_EXPTIME_STR},
{CONFIG_SCHEMACHECK_ATTRIBUTE, config_set_schemacheck,
NULL, 0,
(void**)&global_slapdFrontendConfig.schemacheck,
@@ -547,7 +544,7 @@ static struct config_get_and_set {
{CONFIG_ACCESSLOG_MAXLOGDISKSPACE_ATTRIBUTE, NULL,
log_set_maxdiskspace, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_maxdiskspace,
- CONFIG_INT, NULL, DEFAULT_LOG_ACCESS_MAXDISKSPACE},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ACCESS_MAXDISKSPACE_STR},
{CONFIG_REFERRAL_ATTRIBUTE, (ConfigSetFunc)config_set_defaultreferral,
NULL, 0,
(void**)&global_slapdFrontendConfig.defaultreferral,
@@ -555,7 +552,7 @@ static struct config_get_and_set {
{CONFIG_PW_MAXFAILURE_ATTRIBUTE, config_set_pw_maxfailure,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_maxfailure,
- CONFIG_INT, NULL, DEFAULT_PW_MAXFAILURE},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_PW_MAXFAILURE_STR},
{CONFIG_ACCESSLOG_ATTRIBUTE, config_set_accesslog,
NULL, 0,
(void**)&global_slapdFrontendConfig.accesslog,
@@ -579,15 +576,15 @@ static struct config_get_and_set {
{CONFIG_PW_MAXAGE_ATTRIBUTE, config_set_pw_maxage,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_maxage,
- CONFIG_LONG, NULL, DEFAULT_PW_MAXAGE},
+ CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_MAXAGE_STR},
{CONFIG_AUDITLOG_LOGROTATIONTIMEUNIT_ATTRIBUTE, NULL,
log_set_rotationtimeunit, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_rotationunit,
- CONFIG_STRING_OR_UNKNOWN, NULL, INIT_AUDITLOG_ROTATIONUNIT},
+ CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_AUDITLOG_ROTATIONUNIT},
{CONFIG_PW_RESETFAILURECOUNT_ATTRIBUTE, config_set_pw_resetfailurecount,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_resetfailurecount,
- CONFIG_LONG, NULL, DEFAULT_PW_RESETFAILURECOUNT},
+ CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_RESETFAILURECOUNT_STR},
{CONFIG_PW_ISGLOBAL_ATTRIBUTE, config_set_pw_is_global_policy,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_is_global_policy,
@@ -603,11 +600,11 @@ static struct config_get_and_set {
{CONFIG_AUDITLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE, NULL,
log_set_numlogsperdir, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_maxnumlogs,
- CONFIG_INT, NULL, DEFAULT_LOG_MAXNUMLOGS},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXNUMLOGS_STR},
{CONFIG_ERRORLOG_LOGEXPIRATIONTIMEUNIT_ATTRIBUTE, NULL,
log_set_expirationtimeunit, SLAPD_ERROR_LOG,
(void**)&global_slapdFrontendConfig.errorlog_exptimeunit,
- CONFIG_STRING_OR_UNKNOWN, NULL, INIT_ERRORLOG_EXPTIMEUNIT},
+ CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_LOG_EXPTIMEUNIT},
/* errorlog list is read only, so no set func and no config var addr */
{CONFIG_ERRORLOG_LIST_ATTRIBUTE, NULL,
NULL, 0, NULL,
@@ -615,11 +612,11 @@ static struct config_get_and_set {
{CONFIG_GROUPEVALNESTLEVEL_ATTRIBUTE, config_set_groupevalnestlevel,
NULL, 0,
(void**)&global_slapdFrontendConfig.groupevalnestlevel,
- CONFIG_INT, NULL, DEFAULT_GROUPEVALNESTLEVEL},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_GROUPEVALNESTLEVEL_STR},
{CONFIG_ACCESSLOG_LOGEXPIRATIONTIMEUNIT_ATTRIBUTE, NULL,
log_set_expirationtimeunit, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_exptimeunit,
- CONFIG_STRING_OR_UNKNOWN, NULL, INIT_ACCESSLOG_EXPTIMEUNIT},
+ CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_LOG_EXPTIMEUNIT},
{CONFIG_ROOTPW_ATTRIBUTE, config_set_rootpw,
NULL, 0,
(void**)&global_slapdFrontendConfig.rootpw,
@@ -631,15 +628,15 @@ static struct config_get_and_set {
{CONFIG_ACCESSLOGLEVEL_ATTRIBUTE, config_set_accesslog_level,
NULL, 0,
(void**)&global_slapdFrontendConfig.accessloglevel,
- CONFIG_INT, NULL, DEFAULT_ACCESSLOGLEVEL},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_ACCESSLOG_LEVEL_STR},
{CONFIG_ERRORLOG_LOGROTATIONTIMEUNIT_ATTRIBUTE, NULL,
log_set_rotationtimeunit, SLAPD_ERROR_LOG,
(void**)&global_slapdFrontendConfig.errorlog_rotationunit,
- CONFIG_STRING_OR_UNKNOWN, NULL, INIT_ERRORLOG_ROTATIONUNIT},
+ CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_ERRORLOG_ROTATIONUNIT},
{CONFIG_SECUREPORT_ATTRIBUTE, config_set_secureport,
NULL, 0,
(void**)&global_slapdFrontendConfig.secureport,
- CONFIG_INT, NULL, NULL/* deletion is not allowed */},
+ CONFIG_INT, NULL, NULL},
{CONFIG_BASEDN_ATTRIBUTE, config_set_basedn,
NULL, 0,
(void**)&global_slapdFrontendConfig.certmap_basedn,
@@ -647,15 +644,15 @@ static struct config_get_and_set {
{CONFIG_TIMELIMIT_ATTRIBUTE, config_set_timelimit,
NULL, 0,
(void**)&global_slapdFrontendConfig.timelimit,
- CONFIG_INT, NULL, DEFAULT_TIMELIMIT},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_TIMELIMIT_STR},
{CONFIG_ERRORLOG_MAXLOGSIZE_ATTRIBUTE, NULL,
log_set_logsize, SLAPD_ERROR_LOG,
(void**)&global_slapdFrontendConfig.errorlog_maxlogsize,
- CONFIG_INT, NULL, DEFAULT_LOG_MAXLOGSIZE},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXLOGSIZE_STR},
{CONFIG_RESERVEDESCRIPTORS_ATTRIBUTE, config_set_reservedescriptors,
NULL, 0,
(void**)&global_slapdFrontendConfig.reservedescriptors,
- CONFIG_INT, NULL, DEFAULT_RESERVE_FDS},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_RESERVE_FDS_STR},
/* access log list is read only, no set func, no config var addr */
{CONFIG_ACCESSLOG_LIST_ATTRIBUTE, NULL,
NULL, 0, NULL,
@@ -682,19 +679,19 @@ static struct config_get_and_set {
{CONFIG_ACCESSLOG_LOGROTATIONTIMEUNIT_ATTRIBUTE, NULL,
log_set_rotationtimeunit, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_rotationunit,
- CONFIG_STRING, NULL, INIT_ACCESSLOG_ROTATIONUNIT},
+ CONFIG_STRING, NULL, SLAPD_INIT_ACCESSLOG_ROTATIONUNIT},
{CONFIG_PW_LOCKDURATION_ATTRIBUTE, config_set_pw_lockduration,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_lockduration,
- CONFIG_LONG, NULL, DEFAULT_PW_LOCKDURATION},
+ CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_LOCKDURATION_STR},
{CONFIG_ACCESSLOG_MAXLOGSIZE_ATTRIBUTE, NULL,
log_set_logsize, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_maxlogsize,
- CONFIG_INT, NULL, DEFAULT_LOG_MAXLOGSIZE},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXLOGSIZE_STR},
{CONFIG_IDLETIMEOUT_ATTRIBUTE, config_set_idletimeout,
NULL, 0,
(void**)&global_slapdFrontendConfig.idletimeout,
- CONFIG_INT, NULL, DEFAULT_IDLE_TIMEOUT},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_IDLE_TIMEOUT_STR},
{CONFIG_NAGLE_ATTRIBUTE, config_set_nagle,
NULL, 0,
(void**)&global_slapdFrontendConfig.nagle,
@@ -702,7 +699,7 @@ static struct config_get_and_set {
{CONFIG_ERRORLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL,
log_set_mindiskspace, SLAPD_ERROR_LOG,
(void**)&global_slapdFrontendConfig.errorlog_minfreespace,
- CONFIG_INT, NULL, DEFAULT_LOG_MINFREESPACE},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MINFREESPACE_STR},
{CONFIG_AUDITLOG_LOGGING_ENABLED_ATTRIBUTE, NULL,
log_set_logging, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_logging_enabled,
@@ -722,7 +719,7 @@ static struct config_get_and_set {
{CONFIG_AUDITLOG_LOGEXPIRATIONTIMEUNIT_ATTRIBUTE, NULL,
log_set_expirationtimeunit, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_exptimeunit,
- CONFIG_STRING_OR_UNKNOWN, NULL, INIT_AUDITLOG_EXPTIMEUNIT},
+ CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_LOG_EXPTIMEUNIT},
{CONFIG_ALLOW_HASHED_PW_ATTRIBUTE, config_set_allow_hashed_pw,
NULL, 0,
(void**)&global_slapdFrontendConfig.allow_hashed_pw,
@@ -734,11 +731,11 @@ static struct config_get_and_set {
{CONFIG_LISTENHOST_ATTRIBUTE, config_set_listenhost,
NULL, 0,
(void**)&global_slapdFrontendConfig.listenhost,
- CONFIG_STRING, NULL, NULL/* NULL value is allowed */},
+ CONFIG_STRING, NULL, "" /* Empty value is allowed */},
{CONFIG_SNMP_INDEX_ATTRIBUTE, config_set_snmp_index,
NULL, 0,
(void**) &global_slapdFrontendConfig.snmp_index,
- CONFIG_INT, NULL, DEFAULT_SNMP_INDEX},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_SNMP_INDEX_STR},
{CONFIG_LDAPI_FILENAME_ATTRIBUTE, config_set_ldapi_filename,
NULL, 0,
(void**)&global_slapdFrontendConfig.ldapi_filename,
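Review bot: The initvalue for CONFIG_LISTENHOST_ATTRIBUTE changes from NULL to `""`, so under the reset scheme this commit describes a delete of the attribute hands an empty string to config_set_listenhost. That setter is outside the hunk, so it is not visible whether it stores `""` or treats it as unset; any consumer that picks the bind address by testing the pointer against NULL would see a difference. If the setter does not already normalise, an early check there that maps an empty string to NULL, plus a comment on this entry saying what an empty listen host means for the listening address, would make the reset behaviour explicit. The table continues outside this hunk.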
@@ -754,7 +751,7 @@ static struct config_get_and_set {
{CONFIG_LDAPI_ROOT_DN_ATTRIBUTE, config_set_ldapi_root_dn,
NULL, 0,
(void**)&global_slapdFrontendConfig.ldapi_root_dn,
- CONFIG_STRING, NULL, DEFAULT_DIRECTORY_MANAGER},
+ CONFIG_STRING, NULL, SLAPD_DEFAULT_DIRECTORY_MANAGER},
{CONFIG_LDAPI_MAP_ENTRIES_ATTRIBUTE, config_set_ldapi_map_entries,
NULL, 0,
(void**)&global_slapdFrontendConfig.ldapi_map_entries,
@@ -762,20 +759,20 @@ static struct config_get_and_set {
{CONFIG_LDAPI_UIDNUMBER_TYPE_ATTRIBUTE, config_set_ldapi_uidnumber_type,
NULL, 0,
(void**)&global_slapdFrontendConfig.ldapi_uidnumber_type,
- CONFIG_STRING, NULL, DEFAULT_UIDNUM_TYPE},
+ CONFIG_STRING, NULL, SLAPD_DEFAULT_UIDNUM_TYPE},
{CONFIG_LDAPI_GIDNUMBER_TYPE_ATTRIBUTE, config_set_ldapi_gidnumber_type,
NULL, 0,
(void**)&global_slapdFrontendConfig.ldapi_gidnumber_type,
- CONFIG_STRING, NULL, DEFAULT_GIDNUM_TYPE},
+ CONFIG_STRING, NULL, SLAPD_DEFAULT_GIDNUM_TYPE},
{CONFIG_LDAPI_SEARCH_BASE_DN_ATTRIBUTE, config_set_ldapi_search_base_dn,
NULL, 0,
(void**)&global_slapdFrontendConfig.ldapi_search_base_dn,
- CONFIG_STRING, NULL, DEFAULT_LDAPI_SEARCH_BASE},
+ CONFIG_STRING, NULL, SLAPD_DEFAULT_LDAPI_SEARCH_BASE},
#if defined(ENABLE_AUTO_DN_SUFFIX)
{CONFIG_LDAPI_AUTO_DN_SUFFIX_ATTRIBUTE, config_set_ldapi_auto_dn_suffix,
NULL, 0,
(void**)&global_slapdFrontendConfig.ldapi_auto_dn_suffix,
- CONFIG_STRING, NULL, DEFAULT_LDAPI_AUTO_DN},
+ CONFIG_STRING, NULL, SLAPD_DEFAULT_LDAPI_AUTO_DN},
#endif
{CONFIG_ANON_LIMITS_DN_ATTRIBUTE, config_set_anon_limits_dn,
NULL, 0,
@@ -789,27 +786,27 @@ static struct config_get_and_set {
{CONFIG_ACCESSLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL,
log_set_mindiskspace, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_minfreespace,
- CONFIG_INT, NULL, DEFAULT_LOG_MINFREESPACE},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MINFREESPACE_STR},
{CONFIG_ERRORLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE, NULL,
log_set_numlogsperdir, SLAPD_ERROR_LOG,
(void**)&global_slapdFrontendConfig.errorlog_maxnumlogs,
- CONFIG_INT, NULL, DEFAULT_LOG_MAXNUMLOGS},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXNUMLOGS_STR},
{CONFIG_SECURELISTENHOST_ATTRIBUTE, config_set_securelistenhost,
NULL, 0,
(void**)&global_slapdFrontendConfig.securelistenhost,
- CONFIG_STRING, NULL, NULL/* NULL value is allowed */},
+ CONFIG_STRING, NULL, "" /* Empty value is allowed */},
{CONFIG_AUDITLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL,
log_set_mindiskspace, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_minfreespace,
- CONFIG_INT, NULL, DEFAULT_LOG_MINFREESPACE},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MINFREESPACE_STR},
{CONFIG_ROOTDN_ATTRIBUTE, config_set_rootdn,
NULL, 0,
(void**)&global_slapdFrontendConfig.rootdn,
- CONFIG_STRING, NULL, DEFAULT_DIRECTORY_MANAGER},
+ CONFIG_STRING, NULL, SLAPD_DEFAULT_DIRECTORY_MANAGER},
{CONFIG_PW_MINAGE_ATTRIBUTE, config_set_pw_minage,
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_minage,
- CONFIG_LONG, NULL, DEFAULT_PW_MINAGE},
+ CONFIG_LONG, NULL, SLAPD_DEFAULT_PW_MINAGE_STR},
{CONFIG_AUDITFILE_ATTRIBUTE, config_set_auditlog,
NULL, 0,
(void**)&global_slapdFrontendConfig.auditlog,
@@ -838,11 +835,11 @@ static struct config_get_and_set {
{CONFIG_MAXBERSIZE_ATTRIBUTE, config_set_maxbersize,
NULL, 0,
(void**)&global_slapdFrontendConfig.maxbersize,
- CONFIG_INT, NULL, STRINGIFYDEFINE(DEFAULT_MAXBERSIZE)},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_MAXBERSIZE_STR},
{CONFIG_MAXSASLIOSIZE_ATTRIBUTE, config_set_maxsasliosize,
NULL, 0,
(void**)&global_slapdFrontendConfig.maxsasliosize,
- CONFIG_INT, NULL, DEFAULT_MAX_SASLIO_SIZE},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_MAX_SASLIO_SIZE_STR},
{CONFIG_VERSIONSTRING_ATTRIBUTE, config_set_versionstring,
NULL, 0,
(void**)&global_slapdFrontendConfig.versionstring,
@@ -854,7 +851,7 @@ static struct config_get_and_set {
{CONFIG_MAXDESCRIPTORS_ATTRIBUTE, config_set_maxdescriptors,
NULL, 0,
(void**)&global_slapdFrontendConfig.maxdescriptors,
- CONFIG_INT, NULL, DEFAULT_MAXDESCRIPTORS},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_MAXDESCRIPTORS_STR},
{CONFIG_CONNTABLESIZE_ATTRIBUTE, config_set_conntablesize,
NULL, 0,
(void**)&global_slapdFrontendConfig.conntablesize,
@@ -862,7 +859,7 @@ static struct config_get_and_set {
{CONFIG_SSLCLIENTAUTH_ATTRIBUTE, config_set_SSLclientAuth,
NULL, 0,
(void **)&global_slapdFrontendConfig.SSLclientAuth,
- CONFIG_SPECIAL_SSLCLIENTAUTH, NULL, DEFAULT_SSLCLIENTAPTH},
+ CONFIG_SPECIAL_SSLCLIENTAUTH, NULL, SLAPD_DEFAULT_SSLCLIENTAUTH_STR},
{CONFIG_SSL_CHECK_HOSTNAME_ATTRIBUTE, config_set_ssl_check_hostname,
NULL, 0, NULL,
CONFIG_ON_OFF, (ConfigGetFunc)config_get_ssl_check_hostname,
@@ -912,7 +909,7 @@ static struct config_get_and_set {
{CONFIG_BAKDIR_ATTRIBUTE, config_set_bakdir,
NULL, 0,
(void**)&global_slapdFrontendConfig.bakdir,
- CONFIG_STRING, (ConfigGetFunc)config_get_bakdir,
+ CONFIG_STRING, (ConfigGetFunc)config_get_bakdir,
NULL/* deletion is not allowed */},
/* parameterizing sasl plugin path */
{CONFIG_SASLPATH_ATTRIBUTE, config_set_saslpath,
@@ -934,7 +931,7 @@ static struct config_get_and_set {
config_set_outbound_ldap_io_timeout,
NULL, 0,
(void **)&global_slapdFrontendConfig.outbound_ldap_io_timeout,
- CONFIG_INT, NULL, DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT_STR},
{CONFIG_UNAUTH_BINDS_ATTRIBUTE, config_set_unauth_binds_switch,
NULL, 0,
(void**)&global_slapdFrontendConfig.allow_unauth_binds,
@@ -950,15 +947,15 @@ static struct config_get_and_set {
(void**)&global_slapdFrontendConfig.allow_anon_access,
CONFIG_SPECIAL_ANON_ACCESS_SWITCH,
(ConfigGetFunc)config_get_anon_access_switch,
- DEFAULT_ALLOW_ANON_ACCESS},
+ SLAPD_DEFAULT_ALLOW_ANON_ACCESS_STR},
{CONFIG_LOCALSSF_ATTRIBUTE, config_set_localssf,
NULL, 0,
(void**)&global_slapdFrontendConfig.localssf,
- CONFIG_INT, NULL, DEFAULT_LOCAL_SSF},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOCAL_SSF_STR},
{CONFIG_MINSSF_ATTRIBUTE, config_set_minssf,
NULL, 0,
(void**)&global_slapdFrontendConfig.minssf,
- CONFIG_INT, NULL, DEFAULT_MIN_SSF},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_MIN_SSF_STR},
{CONFIG_MINSSF_EXCLUDE_ROOTDSE, config_set_minssf_exclude_rootdse,
NULL, 0,
(void**)&global_slapdFrontendConfig.minssf_exclude_rootdse,
@@ -978,21 +975,16 @@ static struct config_get_and_set {
NULL, 0,
(void**)&global_slapdFrontendConfig.entryusn_import_init,
CONFIG_STRING, (ConfigGetFunc)config_get_entryusn_import_init,
- ENTRYUSN_IMPORT_INIT},
- {CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE, config_set_allowed_to_delete_attrs,
- NULL, 0,
- (void**)&global_slapdFrontendConfig.allowed_to_delete_attrs,
- CONFIG_STRING, (ConfigGetFunc)config_get_allowed_to_delete_attrs,
- DEFAULT_ALLOWED_TO_DELETE_ATTRS },
+ SLAPD_ENTRYUSN_IMPORT_INIT},
{CONFIG_VALIDATE_CERT_ATTRIBUTE, config_set_validate_cert_switch,
NULL, 0,
(void**)&global_slapdFrontendConfig.validate_cert,
CONFIG_SPECIAL_VALIDATE_CERT_SWITCH,
- (ConfigGetFunc)config_get_validate_cert_switch, DEFAULT_VALIDATE_CERT},
+ (ConfigGetFunc)config_get_validate_cert_switch, SLAPD_DEFAULT_VALIDATE_CERT_STR},
{CONFIG_PAGEDSIZELIMIT_ATTRIBUTE, config_set_pagedsizelimit,
NULL, 0,
(void**)&global_slapdFrontendConfig.pagedsizelimit,
- CONFIG_INT, NULL, DEFAULT_PAGEDSIZELIMIT},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_PAGEDSIZELIMIT_STR},
{CONFIG_DEFAULT_NAMING_CONTEXT, config_set_default_naming_context,
NULL, 0,
(void**)&global_slapdFrontendConfig.default_naming_context,
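Review bot: Removing the CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE entry drops the central allow-list, so whether an attribute may be deleted now appears to depend only on the last field of each table entry. Other entries annotate a NULL there as "deletion is not allowed". That makes the per-entry default the only guard for security-relevant switches such as CONFIG_VALIDATE_CERT_ATTRIBUTE in this hunk. If that is the intended contract, the table should say so at its head, e.g. `/* last field: value applied when the attribute is deleted; NULL refuses deletion */`. It is also worth confirming how startup treats an existing configuration that still carries the removed attribute, since that code is not visible here.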
@@ -1006,12 +998,12 @@ static struct config_get_and_set {
NULL, 0,
(void**)&global_slapdFrontendConfig.disk_threshold,
CONFIG_LONG_LONG, (ConfigGetFunc)config_get_disk_threshold,
- DEFAULT_DISK_THRESHOLD},
+ SLAPD_DEFAULT_DISK_THRESHOLD_STR},
{CONFIG_DISK_GRACE_PERIOD, config_set_disk_grace_period,
NULL, 0,
(void**)&global_slapdFrontendConfig.disk_grace_period,
CONFIG_INT, (ConfigGetFunc)config_get_disk_grace_period,
- DEFAULT_DISK_GRACE_PERIOD},
+ SLAPD_DEFAULT_DISK_GRACE_PERIOD_STR},
{CONFIG_DISK_LOGGING_CRITICAL, config_set_disk_logging_critical,
NULL, 0,
(void**)&global_slapdFrontendConfig.disk_logging_critical,
@@ -1025,26 +1017,27 @@ static struct config_get_and_set {
{CONFIG_NDN_CACHE_SIZE, config_set_ndn_cache_max_size,
NULL, 0,
(void**)&global_slapdFrontendConfig.ndn_cache_max_size,
- CONFIG_INT, (ConfigGetFunc)config_get_ndn_cache_size, DEFAULT_NDN_SIZE},
+ CONFIG_INT, (ConfigGetFunc)config_get_ndn_cache_size, SLAPD_DEFAULT_NDN_SIZE_STR},
+ /* The issue here is that we probably need "empty string" to be valid, rather than NULL for reset purposes */
{CONFIG_ALLOWED_SASL_MECHS, config_set_allowed_sasl_mechs,
NULL, 0,
(void**)&global_slapdFrontendConfig.allowed_sasl_mechs,
- CONFIG_STRING, (ConfigGetFunc)config_get_allowed_sasl_mechs, DEFAULT_ALLOWED_TO_DELETE_ATTRS},
+ CONFIG_STRING, (ConfigGetFunc)config_get_allowed_sasl_mechs, ""},
{CONFIG_IGNORE_VATTRS, config_set_ignore_vattrs,
NULL, 0,
(void**)&global_slapdFrontendConfig.ignore_vattrs,
- CONFIG_ON_OFF, (ConfigGetFunc)config_get_ignore_vattrs, DEFAULT_ALLOWED_TO_DELETE_ATTRS},
+ CONFIG_ON_OFF, (ConfigGetFunc)config_get_ignore_vattrs, &init_ignore_vattrs},
{CONFIG_UNHASHED_PW_SWITCH_ATTRIBUTE, config_set_unhashed_pw_switch,
NULL, 0,
(void**)&global_slapdFrontendConfig.unhashed_pw_switch,
CONFIG_SPECIAL_UNHASHED_PW_SWITCH,
(ConfigGetFunc)config_get_unhashed_pw_switch,
- DEFAULT_UNHASHED_PW_SWITCH},
+ SLAPD_DEFAULT_UNHASHED_PW_SWITCH_STR},
{CONFIG_SASL_MAXBUFSIZE, config_set_sasl_maxbufsize,
NULL, 0,
(void**)&global_slapdFrontendConfig.sasl_max_bufsize,
CONFIG_INT, (ConfigGetFunc)config_get_sasl_maxbufsize,
- DEFAULT_SASL_MAXBUFSIZE},
+ SLAPD_DEFAULT_SASL_MAXBUFSIZE_STR},
{CONFIG_SEARCH_RETURN_ORIGINAL_TYPE, config_set_return_orig_type_switch,
NULL, 0,
(void**)&global_slapdFrontendConfig.return_orig_type,
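Review bot: The comment added above CONFIG_ALLOWED_SASL_MECHS is worded as an open question ("we probably need") although the entry's reset default is already `""`. FrontendConfig_init in the @@ -1643,35 hunk still sets `cfg->allowed_sasl_mechs = NULL`, so a reset and a fresh start store different values unless config_set_allowed_sasl_mechs maps an empty string to NULL, which is not visible here. Since this list restricts which SASL mechanisms are accepted, the comment should record the decision rather than the doubt, e.g. `/* "" on reset is equivalent to the NULL set at init */` once that is verified against the setter.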
@@ -1068,7 +1061,7 @@ static struct config_get_and_set {
{CONFIG_LISTEN_BACKLOG_SIZE, config_set_listen_backlog_size,
NULL, 0,
(void**)&global_slapdFrontendConfig.listen_backlog_size, CONFIG_INT,
- (ConfigGetFunc)config_get_listen_backlog_size, &init_listen_backlog_size},
+ (ConfigGetFunc)config_get_listen_backlog_size, DAEMON_LISTEN_SIZE_STR},
{CONFIG_DYNAMIC_PLUGINS, config_set_dynamic_plugins,
NULL, 0,
(void**)&global_slapdFrontendConfig.dynamic_plugins, CONFIG_ON_OFF,
@@ -1105,7 +1098,7 @@ static struct config_get_and_set {
{CONFIG_MAXSIMPLEPAGED_PER_CONN_ATTRIBUTE, config_set_maxsimplepaged_per_conn,
NULL, 0,
(void**)&global_slapdFrontendConfig.maxsimplepaged_per_conn,
- CONFIG_INT, (ConfigGetFunc)config_get_maxsimplepaged_per_conn, DEFAULT_MAXSIMPLEPAGED_PER_CONN_STR},
+ CONFIG_INT, (ConfigGetFunc)config_get_maxsimplepaged_per_conn, SLAPD_DEFAULT_MAXSIMPLEPAGED_PER_CONN_STR},
#ifdef ENABLE_NUNC_STANS
{CONFIG_ENABLE_NUNC_STANS, config_set_enable_nunc_stans,
NULL, 0,
@@ -1122,13 +1115,13 @@ static struct config_get_and_set {
NULL, 0,
(void**)&global_slapdFrontendConfig.mempool_maxfreelist,
CONFIG_INT, (ConfigGetFunc)config_get_mempool_maxfreelist,
- DEFAULT_MEMPOOL_MAXFREELIST},
+ SLAPD_DEFAULT_MEMPOOL_MAXFREELIST_STR},
#endif /* MEMPOOL_EXPERIMENTAL */
/* Audit fail log configuration */
{CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE, NULL,
log_set_mode, SLAPD_AUDITFAIL_LOG,
(void**)&global_slapdFrontendConfig.auditfaillog_mode,
- CONFIG_STRING, NULL, INIT_AUDITFAILLOG_MODE},
+ CONFIG_STRING, NULL, SLAPD_INIT_LOG_MODE},
{CONFIG_AUDITFAILLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE, NULL,
log_set_rotationsync_enabled, SLAPD_AUDITFAIL_LOG,
(void**)&global_slapdFrontendConfig.auditfaillog_rotationsync_enabled,
@@ -1136,31 +1129,31 @@ static struct config_get_and_set {
{CONFIG_AUDITFAILLOG_LOGROTATIONSYNCHOUR_ATTRIBUTE, NULL,
log_set_rotationsynchour, SLAPD_AUDITFAIL_LOG,
(void**)&global_slapdFrontendConfig.auditfaillog_rotationsynchour,
- CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONSYNCHOUR},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR_STR},
{CONFIG_AUDITFAILLOG_LOGROTATIONSYNCMIN_ATTRIBUTE, NULL,
log_set_rotationsyncmin, SLAPD_AUDITFAIL_LOG,
(void**)&global_slapdFrontendConfig.auditfaillog_rotationsyncmin,
- CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONSYNCMIN},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN_STR},
{CONFIG_AUDITFAILLOG_LOGROTATIONTIME_ATTRIBUTE, NULL,
log_set_rotationtime, SLAPD_AUDITFAIL_LOG,
(void**)&global_slapdFrontendConfig.auditfaillog_rotationtime,
- CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONTIME},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_ROTATIONTIME_STR},
{CONFIG_AUDITFAILLOG_MAXLOGDISKSPACE_ATTRIBUTE, NULL,
log_set_maxdiskspace, SLAPD_AUDITFAIL_LOG,
(void**)&global_slapdFrontendConfig.auditfaillog_maxdiskspace,
- CONFIG_INT, NULL, DEFAULT_LOG_MAXDISKSPACE},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXDISKSPACE_STR},
{CONFIG_AUDITFAILLOG_MAXLOGSIZE_ATTRIBUTE, NULL,
log_set_logsize, SLAPD_AUDITFAIL_LOG,
(void**)&global_slapdFrontendConfig.auditfaillog_maxlogsize,
- CONFIG_INT, NULL, DEFAULT_LOG_MAXLOGSIZE},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXLOGSIZE_STR},
{CONFIG_AUDITFAILLOG_LOGEXPIRATIONTIME_ATTRIBUTE, NULL,
log_set_expirationtime, SLAPD_AUDITFAIL_LOG,
(void**)&global_slapdFrontendConfig.auditfaillog_exptime,
- CONFIG_INT, NULL, DEFAULT_LOG_EXPTIME},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_EXPTIME_STR},
{CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE, NULL,
log_set_numlogsperdir, SLAPD_AUDITFAIL_LOG,
(void**)&global_slapdFrontendConfig.auditfaillog_maxnumlogs,
- CONFIG_INT, NULL, DEFAULT_LOG_MAXNUMLOGS},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MAXNUMLOGS_STR},
{CONFIG_AUDITFAILLOG_LIST_ATTRIBUTE, NULL,
NULL, 0, NULL,
CONFIG_CHARRAY, (ConfigGetFunc)config_get_auditfaillog_list, NULL},
@@ -1175,19 +1168,19 @@ static struct config_get_and_set {
{CONFIG_AUDITFAILLOG_LOGEXPIRATIONTIMEUNIT_ATTRIBUTE, NULL,
log_set_expirationtimeunit, SLAPD_AUDITFAIL_LOG,
(void**)&global_slapdFrontendConfig.auditfaillog_exptimeunit,
- CONFIG_STRING_OR_UNKNOWN, NULL, INIT_AUDITFAILLOG_EXPTIMEUNIT},
+ CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_LOG_EXPTIMEUNIT},
{CONFIG_AUDITFAILLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL,
log_set_mindiskspace, SLAPD_AUDITFAIL_LOG,
(void**)&global_slapdFrontendConfig.auditfaillog_minfreespace,
- CONFIG_INT, NULL, DEFAULT_LOG_MINFREESPACE},
+ CONFIG_INT, NULL, SLAPD_DEFAULT_LOG_MINFREESPACE_STR},
{CONFIG_AUDITFAILLOG_LOGROTATIONTIMEUNIT_ATTRIBUTE, NULL,
log_set_rotationtimeunit, SLAPD_AUDITFAIL_LOG,
(void**)&global_slapdFrontendConfig.auditfaillog_rotationunit,
- CONFIG_STRING_OR_UNKNOWN, NULL, INIT_AUDITFAILLOG_ROTATIONUNIT},
+ CONFIG_STRING_OR_UNKNOWN, NULL, SLAPD_INIT_AUDITFAILLOG_ROTATIONUNIT},
{CONFIG_AUDITFAILFILE_ATTRIBUTE, config_set_auditfaillog,
NULL, 0,
(void**)&global_slapdFrontendConfig.auditfaillog,
- CONFIG_STRING_OR_EMPTY, NULL, NULL/* deletion is not allowed */},
+ CONFIG_STRING_OR_EMPTY, NULL, "" /* prevents deletion when null */},
/* End audit fail log configuration */
/* warning: initialization makes pointer from integer without a cast [enabled by default]. Why do we get this? */
#ifdef HAVE_CLOCK_GETTIME
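Review bot: The comment `/* prevents deletion when null */` on CONFIG_AUDITFAILFILE_ATTRIBUTE describes the old NULL default, while the field is now `""`, so it reads as the opposite of what the entry does. Together with the config_set_auditfaillog change in the @@ -4337,21 hunk, which no longer rejects a null value, deleting the attribute presumably blanks the audit fail log path. A comment such as `/* "" so the path can be reset to empty */` would match the code. The ability to clear an audit log destination through a delete should be stated explicitly wherever this default is documented.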
@@ -1203,7 +1196,7 @@ static struct config_get_and_set {
{CONFIG_LOGGING_BACKEND, NULL,
log_set_backend, 0,
(void**)&global_slapdFrontendConfig.logging_backend,
- CONFIG_STRING_OR_EMPTY, NULL, INIT_LOGGING_BACKEND_INTERNAL}
+ CONFIG_STRING_OR_EMPTY, NULL, SLAPD_INIT_LOGGING_BACKEND_INTERNAL}
};
/*
@@ -1451,18 +1444,18 @@ FrontendConfig_init(void) {
cfg->ldapi_filename = slapi_ch_strdup(SLAPD_LDAPI_DEFAULT_FILENAME);
init_ldapi_switch = cfg->ldapi_switch = LDAP_OFF;
init_ldapi_bind_switch = cfg->ldapi_bind_switch = LDAP_OFF;
- cfg->ldapi_root_dn = slapi_ch_strdup(DEFAULT_DIRECTORY_MANAGER);
+ cfg->ldapi_root_dn = slapi_ch_strdup(SLAPD_DEFAULT_DIRECTORY_MANAGER);
init_ldapi_map_entries = cfg->ldapi_map_entries = LDAP_OFF;
- cfg->ldapi_uidnumber_type = slapi_ch_strdup(DEFAULT_UIDNUM_TYPE);
- cfg->ldapi_gidnumber_type = slapi_ch_strdup(DEFAULT_GIDNUM_TYPE);
+ cfg->ldapi_uidnumber_type = slapi_ch_strdup(SLAPD_DEFAULT_UIDNUM_TYPE);
+ cfg->ldapi_gidnumber_type = slapi_ch_strdup(SLAPD_DEFAULT_GIDNUM_TYPE);
/* These DNs are no need to be normalized. */
- cfg->ldapi_search_base_dn = slapi_ch_strdup(DEFAULT_LDAPI_SEARCH_BASE);
+ cfg->ldapi_search_base_dn = slapi_ch_strdup(SLAPD_DEFAULT_LDAPI_SEARCH_BASE);
#if defined(ENABLE_AUTO_DN_SUFFIX)
- cfg->ldapi_auto_dn_suffix = slapi_ch_strdup(DEFAULT_LDAPI_AUTO_DN);
+ cfg->ldapi_auto_dn_suffix = slapi_ch_strdup(SLAPD_DEFAULT_LDAPI_AUTO_DN);
#endif
init_allow_unauth_binds = cfg->allow_unauth_binds = LDAP_OFF;
init_require_secure_binds = cfg->require_secure_binds = LDAP_OFF;
- cfg->allow_anon_access = SLAPD_ANON_ACCESS_ON;
+ cfg->allow_anon_access = SLAPD_DEFAULT_ALLOW_ANON_ACCESS;
init_slapi_counters = cfg->slapi_counters = LDAP_ON;
cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS;
cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN;
@@ -1476,7 +1469,12 @@ FrontendConfig_init(void) {
cfg->minssf = SLAPD_DEFAULT_MIN_SSF;
/* minssf is applied to rootdse, by default */
init_minssf_exclude_rootdse = cfg->minssf_exclude_rootdse = LDAP_OFF;
- cfg->validate_cert = SLAPD_VALIDATE_CERT_WARN;
+ cfg->validate_cert = SLAPD_DEFAULT_VALIDATE_CERT;
+ cfg->maxdescriptors = SLAPD_DEFAULT_MAXDESCRIPTORS;
+ cfg->groupevalnestlevel = SLAPD_DEFAULT_GROUPEVALNESTLEVEL;
+ cfg->snmp_index = SLAPD_DEFAULT_SNMP_INDEX;
+
+ cfg->SSLclientAuth = SLAPD_DEFAULT_SSLCLIENTAUTH;
#ifdef USE_SYSCONF
cfg->conntablesize = sysconf( _SC_OPEN_MAX );
@@ -1509,12 +1507,12 @@ FrontendConfig_init(void) {
cfg->slapd_type = 0;
cfg->versionstring = SLAPD_VERSION_STR;
cfg->sizelimit = SLAPD_DEFAULT_SIZELIMIT;
- cfg->pagedsizelimit = 0;
+ cfg->pagedsizelimit = SLAPD_DEFAULT_PAGEDSIZELIMIT;
cfg->timelimit = SLAPD_DEFAULT_TIMELIMIT;
cfg->anon_limits_dn = slapi_ch_strdup("");
init_schemacheck = cfg->schemacheck = LDAP_ON;
init_schemamod = cfg->schemamod = LDAP_ON;
- init_syntaxcheck = cfg->syntaxcheck = LDAP_OFF;
+ init_syntaxcheck = cfg->syntaxcheck = LDAP_ON;
init_plugin_track = cfg->plugin_track = LDAP_OFF;
init_moddn_aci = cfg->moddn_aci = LDAP_ON;
init_syntaxlogging = cfg->syntaxlogging = LDAP_OFF;
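Review bot: `init_syntaxcheck = cfg->syntaxcheck = LDAP_ON;` flips a compiled-in default from off to on inside a hunk that otherwise only swaps literals for named constants. Unless the shipped configuration already sets the attribute explicitly, an instance would start enforcing syntax checks after upgrade. The line should carry a comment such as `/* default changed from off to on, see <ticket> */` so the change is not read as part of the rename. FrontendConfig_init starts and ends outside the hunk.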
@@ -1540,31 +1538,27 @@ FrontendConfig_init(void) {
init_pw_syntax = cfg->pw_policy.pw_syntax = LDAP_OFF;
init_pw_exp = cfg->pw_policy.pw_exp = LDAP_OFF;
init_pw_send_expiring = cfg->pw_policy.pw_send_expiring = LDAP_OFF;
- cfg->pw_policy.pw_minlength = 8;
- cfg->pw_policy.pw_mindigits = 0;
- cfg->pw_policy.pw_minalphas = 0;
- cfg->pw_policy.pw_minuppers = 0;
- cfg->pw_policy.pw_minlowers = 0;
- cfg->pw_policy.pw_minspecials = 0;
- cfg->pw_policy.pw_min8bit = 0;
- cfg->pw_policy.pw_maxrepeats = 0;
- cfg->pw_policy.pw_mincategories = 3;
- cfg->pw_policy.pw_mintokenlength = 3;
-#if defined(CPU_x86_64)
- cfg->pw_policy.pw_maxage = 8639913600; /* 99999 days */
-#else
- cfg->pw_policy.pw_maxage = 8640000; /* 100 days */
-#endif
- cfg->pw_policy.pw_minage = 0;
- cfg->pw_policy.pw_warning = _SEC_PER_DAY; /* 1 day */
+ cfg->pw_policy.pw_minlength = SLAPD_DEFAULT_PW_MINLENGTH;
+ cfg->pw_policy.pw_mindigits = SLAPD_DEFAULT_PW_MINDIGITS;
+ cfg->pw_policy.pw_minalphas = SLAPD_DEFAULT_PW_MINALPHAS;
+ cfg->pw_policy.pw_minuppers = SLAPD_DEFAULT_PW_MINUPPERS;
+ cfg->pw_policy.pw_minlowers = SLAPD_DEFAULT_PW_MINLOWERS;
+ cfg->pw_policy.pw_minspecials = SLAPD_DEFAULT_PW_MINSPECIALS;
+ cfg->pw_policy.pw_min8bit = SLAPD_DEFAULT_PW_MIN8BIT;
+ cfg->pw_policy.pw_maxrepeats = SLAPD_DEFAULT_PW_MAXREPEATS;
+ cfg->pw_policy.pw_mincategories = SLAPD_DEFAULT_PW_MINCATEGORIES;
+ cfg->pw_policy.pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;
+ cfg->pw_policy.pw_maxage = SLAPD_DEFAULT_PW_MAXAGE;
+ cfg->pw_policy.pw_minage = SLAPD_DEFAULT_PW_MINAGE;
+ cfg->pw_policy.pw_warning = SLAPD_DEFAULT_PW_WARNING;
init_pw_history = cfg->pw_policy.pw_history = LDAP_OFF;
- cfg->pw_policy.pw_inhistory = 6;
+ cfg->pw_policy.pw_inhistory = SLAPD_DEFAULT_PW_INHISTORY;
init_pw_lockout = cfg->pw_policy.pw_lockout = LDAP_OFF;
- cfg->pw_policy.pw_maxfailure = 3;
+ cfg->pw_policy.pw_maxfailure = SLAPD_DEFAULT_PW_MAXFAILURE;
init_pw_unlock = cfg->pw_policy.pw_unlock = LDAP_ON;
- cfg->pw_policy.pw_lockduration = 3600; /* 60 minutes */
- cfg->pw_policy.pw_resetfailurecount = 600; /* 10 minutes */
- cfg->pw_policy.pw_gracelimit = 0;
+ cfg->pw_policy.pw_lockduration = SLAPD_DEFAULT_PW_LOCKDURATION;
+ cfg->pw_policy.pw_resetfailurecount = SLAPD_DEFAULT_PW_RESETFAILURECOUNT;
+ cfg->pw_policy.pw_gracelimit = SLAPD_DEFAULT_PW_GRACELIMIT;
cfg->pw_policy.pw_admin = NULL;
cfg->pw_policy.pw_admin_user = NULL;
init_pw_is_legacy = cfg->pw_policy.pw_is_legacy = LDAP_ON;
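Review bot: `cfg->pw_policy.pw_maxage = SLAPD_DEFAULT_PW_MAXAGE;` replaces an `#if defined(CPU_x86_64)` split whose 64-bit value, 8639913600, does not fit in a 32-bit long. The macro's definition is not in this hunk, so confirm it keeps the smaller value on platforms where the field is 32 bits wide; otherwise the default maximum password age would be truncated there. The removed lines also documented units (99999 days, 100 days, 60 minutes, 10 minutes) for pw_maxage, pw_lockduration and pw_resetfailurecount, and those comments should move to the macro definitions. FrontendConfig_init starts and ends outside the hunk.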
@@ -1572,70 +1566,70 @@ FrontendConfig_init(void) {
init_pw_is_global_policy = cfg->pw_is_global_policy = LDAP_OFF;
init_accesslog_logging_enabled = cfg->accesslog_logging_enabled = LDAP_ON;
- cfg->accesslog_mode = slapi_ch_strdup(INIT_ACCESSLOG_MODE);
- cfg->accesslog_maxnumlogs = 10;
- cfg->accesslog_maxlogsize = 100;
- cfg->accesslog_rotationtime = 1;
- cfg->accesslog_rotationunit = slapi_ch_strdup(INIT_ACCESSLOG_ROTATIONUNIT);
+ cfg->accesslog_mode = slapi_ch_strdup(SLAPD_INIT_LOG_MODE);
+ cfg->accesslog_maxnumlogs = SLAPD_DEFAULT_LOG_ACCESS_MAXNUMLOGS;
+ cfg->accesslog_maxlogsize = SLAPD_DEFAULT_LOG_MAXLOGSIZE;
+ cfg->accesslog_rotationtime = SLAPD_DEFAULT_LOG_ROTATIONTIME;
+ cfg->accesslog_rotationunit = slapi_ch_strdup(SLAPD_INIT_ACCESSLOG_ROTATIONUNIT);
init_accesslog_rotationsync_enabled =
cfg->accesslog_rotationsync_enabled = LDAP_OFF;
- cfg->accesslog_rotationsynchour = 0;
- cfg->accesslog_rotationsyncmin = 0;
- cfg->accesslog_maxdiskspace = 500;
- cfg->accesslog_minfreespace = 5;
- cfg->accesslog_exptime = 1;
- cfg->accesslog_exptimeunit = slapi_ch_strdup(INIT_ACCESSLOG_EXPTIMEUNIT);
- cfg->accessloglevel = 256;
+ cfg->accesslog_rotationsynchour = SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR;
+ cfg->accesslog_rotationsyncmin = SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN;
+ cfg->accesslog_maxdiskspace = SLAPD_DEFAULT_LOG_ACCESS_MAXDISKSPACE;
+ cfg->accesslog_minfreespace = SLAPD_DEFAULT_LOG_MINFREESPACE;
+ cfg->accesslog_exptime = SLAPD_DEFAULT_LOG_EXPTIME;
+ cfg->accesslog_exptimeunit = slapi_ch_strdup(SLAPD_INIT_LOG_EXPTIMEUNIT);
+ cfg->accessloglevel = SLAPD_DEFAULT_ACCESSLOG_LEVEL;
init_accesslogbuffering = cfg->accesslogbuffering = LDAP_ON;
init_csnlogging = cfg->csnlogging = LDAP_ON;
init_errorlog_logging_enabled = cfg->errorlog_logging_enabled = LDAP_ON;
- cfg->errorlog_mode = slapi_ch_strdup(INIT_ERRORLOG_MODE);
- cfg->errorlog_maxnumlogs = 1;
- cfg->errorlog_maxlogsize = 100;
- cfg->errorlog_rotationtime = 1;
- cfg->errorlog_rotationunit = slapi_ch_strdup (INIT_ERRORLOG_ROTATIONUNIT);
+ cfg->errorlog_mode = slapi_ch_strdup(SLAPD_INIT_LOG_MODE);
+ cfg->errorlog_maxnumlogs = SLAPD_DEFAULT_LOG_MAXNUMLOGS;
+ cfg->errorlog_maxlogsize = SLAPD_DEFAULT_LOG_MAXLOGSIZE;
+ cfg->errorlog_rotationtime = SLAPD_DEFAULT_LOG_ROTATIONTIME;
+ cfg->errorlog_rotationunit = slapi_ch_strdup (SLAPD_INIT_ERRORLOG_ROTATIONUNIT);
init_errorlog_rotationsync_enabled =
cfg->errorlog_rotationsync_enabled = LDAP_OFF;
- cfg->errorlog_rotationsynchour = 0;
- cfg->errorlog_rotationsyncmin = 0;
- cfg->errorlog_maxdiskspace = 100;
- cfg->errorlog_minfreespace = 5;
- cfg->errorlog_exptime = 1;
- cfg->errorlog_exptimeunit = slapi_ch_strdup(INIT_ERRORLOG_EXPTIMEUNIT);
+ cfg->errorlog_rotationsynchour = SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR;
+ cfg->errorlog_rotationsyncmin = SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN;
+ cfg->errorlog_maxdiskspace = SLAPD_DEFAULT_LOG_MAXDISKSPACE;
+ cfg->errorlog_minfreespace = SLAPD_DEFAULT_LOG_MINFREESPACE;
+ cfg->errorlog_exptime = SLAPD_DEFAULT_LOG_EXPTIME;
+ cfg->errorlog_exptimeunit = slapi_ch_strdup(SLAPD_INIT_LOG_EXPTIMEUNIT);
cfg->errorloglevel = SLAPD_DEFAULT_ERRORLOG_LEVEL;
init_auditlog_logging_enabled = cfg->auditlog_logging_enabled = LDAP_OFF;
- cfg->auditlog_mode = slapi_ch_strdup(INIT_AUDITLOG_MODE);
- cfg->auditlog_maxnumlogs = 1;
- cfg->auditlog_maxlogsize = 100;
- cfg->auditlog_rotationtime = 1;
- cfg->auditlog_rotationunit = slapi_ch_strdup(INIT_AUDITLOG_ROTATIONUNIT);
+ cfg->auditlog_mode = slapi_ch_strdup(SLAPD_INIT_LOG_MODE);
+ cfg->auditlog_maxnumlogs = SLAPD_DEFAULT_LOG_MAXNUMLOGS;
+ cfg->auditlog_maxlogsize = SLAPD_DEFAULT_LOG_MAXLOGSIZE;
+ cfg->auditlog_rotationtime = SLAPD_DEFAULT_LOG_ROTATIONTIME;
+ cfg->auditlog_rotationunit = slapi_ch_strdup(SLAPD_INIT_AUDITLOG_ROTATIONUNIT);
init_auditlog_rotationsync_enabled =
cfg->auditlog_rotationsync_enabled = LDAP_OFF;
- cfg->auditlog_rotationsynchour = 0;
- cfg->auditlog_rotationsyncmin = 0;
- cfg->auditlog_maxdiskspace = 100;
- cfg->auditlog_minfreespace = 5;
- cfg->auditlog_exptime = 1;
- cfg->auditlog_exptimeunit = slapi_ch_strdup(INIT_AUDITLOG_EXPTIMEUNIT);
- init_auditlog_logging_hide_unhashed_pw =
- cfg->auditlog_logging_hide_unhashed_pw = LDAP_ON;
+ cfg->auditlog_rotationsynchour = SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR;
+ cfg->auditlog_rotationsyncmin = SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN;
+ cfg->auditlog_maxdiskspace = SLAPD_DEFAULT_LOG_MAXDISKSPACE;
+ cfg->auditlog_minfreespace = SLAPD_DEFAULT_LOG_MINFREESPACE;
+ cfg->auditlog_exptime = SLAPD_DEFAULT_LOG_EXPTIME;
+ cfg->auditlog_exptimeunit = slapi_ch_strdup(SLAPD_INIT_LOG_EXPTIMEUNIT);
+ init_auditlog_logging_hide_unhashed_pw =
+ cfg->auditlog_logging_hide_unhashed_pw = LDAP_ON;
init_auditfaillog_logging_enabled = cfg->auditfaillog_logging_enabled = LDAP_OFF;
- cfg->auditfaillog_mode = slapi_ch_strdup(INIT_AUDITFAILLOG_MODE);
- cfg->auditfaillog_maxnumlogs = 1;
- cfg->auditfaillog_maxlogsize = 100;
- cfg->auditfaillog_rotationtime = 1;
- cfg->auditfaillog_rotationunit = slapi_ch_strdup(INIT_AUDITFAILLOG_ROTATIONUNIT);
+ cfg->auditfaillog_mode = slapi_ch_strdup(SLAPD_INIT_LOG_MODE);
+ cfg->auditfaillog_maxnumlogs = SLAPD_DEFAULT_LOG_MAXNUMLOGS;
+ cfg->auditfaillog_maxlogsize = SLAPD_DEFAULT_LOG_MAXLOGSIZE;
+ cfg->auditfaillog_rotationtime = SLAPD_DEFAULT_LOG_ROTATIONTIME;
+ cfg->auditfaillog_rotationunit = slapi_ch_strdup(SLAPD_INIT_AUDITFAILLOG_ROTATIONUNIT);
init_auditfaillog_rotationsync_enabled =
cfg->auditfaillog_rotationsync_enabled = LDAP_OFF;
- cfg->auditfaillog_rotationsynchour = 0;
- cfg->auditfaillog_rotationsyncmin = 0;
- cfg->auditfaillog_maxdiskspace = 100;
- cfg->auditfaillog_minfreespace = 5;
- cfg->auditfaillog_exptime = 1;
- cfg->auditfaillog_exptimeunit = slapi_ch_strdup(INIT_AUDITFAILLOG_EXPTIMEUNIT);
+ cfg->auditfaillog_rotationsynchour = SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR;
+ cfg->auditfaillog_rotationsyncmin = SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN;
+ cfg->auditfaillog_maxdiskspace = SLAPD_DEFAULT_LOG_MAXDISKSPACE;
+ cfg->auditfaillog_minfreespace = SLAPD_DEFAULT_LOG_MINFREESPACE;
+ cfg->auditfaillog_exptime = SLAPD_DEFAULT_LOG_EXPTIME;
+ cfg->auditfaillog_exptimeunit = slapi_ch_strdup(SLAPD_INIT_LOG_EXPTIMEUNIT);
init_auditfaillog_logging_hide_unhashed_pw =
cfg->auditfaillog_logging_hide_unhashed_pw = LDAP_ON;
@@ -1643,35 +1637,36 @@ FrontendConfig_init(void) {
init_logging_hr_timestamps =
cfg->logging_hr_timestamps = LDAP_ON;
#endif
-
init_entryusn_global = cfg->entryusn_global = LDAP_OFF;
- cfg->entryusn_import_init = slapi_ch_strdup(ENTRYUSN_IMPORT_INIT);
- cfg->allowed_to_delete_attrs = slapi_ch_strdup("passwordadmindn nsslapd-listenhost nsslapd-securelistenhost nsslapd-defaultnamingcontext");
+ cfg->entryusn_import_init = slapi_ch_strdup(SLAPD_ENTRYUSN_IMPORT_INIT);
cfg->default_naming_context = NULL; /* store normalized dn */
cfg->allowed_sasl_mechs = NULL;
init_disk_monitoring = cfg->disk_monitoring = LDAP_OFF;
- cfg->disk_threshold = 2097152; /* 2 mb */
- cfg->disk_grace_period = 60; /* 1 hour */
+ cfg->disk_threshold = SLAPD_DEFAULT_DISK_THRESHOLD;
+ cfg->disk_grace_period = SLAPD_DEFAULT_DISK_GRACE_PERIOD;
init_disk_logging_critical = cfg->disk_logging_critical = LDAP_OFF;
init_ndn_cache_enabled = cfg->ndn_cache_enabled = LDAP_ON;
- cfg->ndn_cache_max_size = NDN_DEFAULT_SIZE;
+ cfg->ndn_cache_max_size = SLAPD_DEFAULT_NDN_SIZE;
init_sasl_mapping_fallback = cfg->sasl_mapping_fallback = LDAP_OFF;
- cfg->ignore_vattrs = LDAP_OFF;
+ init_ignore_vattrs =
+ cfg->ignore_vattrs = LDAP_OFF;
cfg->sasl_max_bufsize = SLAPD_DEFAULT_SASL_MAXBUFSIZE;
- cfg->unhashed_pw_switch = SLAPD_UNHASHED_PW_ON;
+ cfg->unhashed_pw_switch = SLAPD_DEFAULT_UNHASHED_PW_SWITCH;
init_return_orig_type = cfg->return_orig_type = LDAP_OFF;
init_enable_turbo_mode = cfg->enable_turbo_mode = LDAP_ON;
init_connection_buffer = cfg->connection_buffer = CONNECTION_BUFFER_ON;
init_connection_nocanon = cfg->connection_nocanon = LDAP_ON;
init_plugin_logging = cfg->plugin_logging = LDAP_OFF;
- init_listen_backlog_size = cfg->listen_backlog_size = DAEMON_LISTEN_SIZE;
+ cfg->listen_backlog_size = DAEMON_LISTEN_SIZE;
init_ignore_time_skew = cfg->ignore_time_skew = LDAP_OFF;
init_dynamic_plugins = cfg->dynamic_plugins = LDAP_OFF;
init_cn_uses_dn_syntax_in_dns = cfg->cn_uses_dn_syntax_in_dns = LDAP_OFF;
init_global_backend_local = LDAP_OFF;
- cfg->maxsimplepaged_per_conn = DEFAULT_MAXSIMPLEPAGED_PER_CONN;
- cfg->maxbersize = DEFAULT_MAXBERSIZE;
+ cfg->maxsimplepaged_per_conn = SLAPD_DEFAULT_MAXSIMPLEPAGED_PER_CONN;
+ cfg->maxbersize = SLAPD_DEFAULT_MAXBERSIZE;
+ cfg->logging_backend = slapi_ch_strdup(SLAPD_INIT_LOGGING_BACKEND_INTERNAL);
+ cfg->rootdn = slapi_ch_strdup(SLAPD_DEFAULT_DIRECTORY_MANAGER);
#ifdef ENABLE_NUNC_STANS
init_enable_nunc_stans = cfg->enable_nunc_stans = LDAP_ON;
#endif
@@ -1683,7 +1678,7 @@ FrontendConfig_init(void) {
#ifdef MEMPOOL_EXPERIMENTAL
init_mempool_switch = cfg->mempool_switch = LDAP_ON;
- cfg->mempool_maxfreelist = 1024;
+ cfg->mempool_maxfreelist = SLAPD_DEFAULT_MEMPOOL_MAXFREELIST;
cfg->system_page_size = sysconf(_SC_PAGE_SIZE); /* not to get every time; no set, get only */
{
long sc_size = cfg->system_page_size;
@@ -1986,7 +1981,7 @@ config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, in
{
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
int retVal = LDAP_SUCCESS;
- long default_size = atol(DEFAULT_SASL_MAXBUFSIZE);
+ long default_size = SLAPD_DEFAULT_SASL_MAXBUFSIZE;
long size;
char *endp;
@@ -2194,7 +2189,7 @@ config_set_snmp_index(const char *attrname, char *value, char *errorbuf, int app
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- snmp_index_disable = atol(DEFAULT_SNMP_INDEX); /* if snmp index is disabled, use the nsslapd-port instead */;
+ snmp_index_disable = SLAPD_DEFAULT_SNMP_INDEX; /* if snmp index is disabled, use the nsslapd-port instead */;
if (config_value_is_null(attrname, value, errorbuf, 0)) {
snmp_index = snmp_index_disable;
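Review bot: The rewritten assignment still ends in `*/;`, which leaves an empty statement after the comment. Drop the trailing semicolon so the line reads `snmp_index_disable = SLAPD_DEFAULT_SNMP_INDEX; /* if snmp index is disabled, use the nsslapd-port instead */`. config_set_snmp_index starts and ends outside the hunk.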
@@ -4337,21 +4332,19 @@ config_set_auditfaillog( const char *attrname, char *value, char *errorbuf, int
int retVal = LDAP_SUCCESS;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- if ( config_value_is_null( attrname, value, errorbuf, 1 )) {
- return LDAP_OPERATIONS_ERROR;
+ /* Dont block the update to null */
+ if ( ! config_value_is_null( attrname, value, errorbuf, 1 )) {
+ retVal = log_update_auditfaillogdir ( value, apply );
+ if (retVal != LDAP_SUCCESS) {
+ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot open auditfaillog directory \"%s\"", value);
+ }
}
-
- retVal = log_update_auditfaillogdir ( value, apply );
-
- if (retVal != LDAP_SUCCESS) {
- slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot open auditfaillog directory \"%s\"", value);
- }
-
+
if ( apply ) {
- CFG_LOCK_WRITE(slapdFrontendConfig);
- slapi_ch_free ( (void **) &(slapdFrontendConfig->auditfaillog) );
- slapdFrontendConfig->auditfaillog = slapi_ch_strdup ( value );
- CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapi_ch_free ( (void **) &(slapdFrontendConfig->auditfaillog) );
+ slapdFrontendConfig->auditfaillog = slapi_ch_strdup ( value );
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
}
return retVal;
}
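Review bot: The `if ( apply )` block overwrites `slapdFrontendConfig->auditfaillog` even when log_update_auditfaillogdir has just failed, and also when the value is null or empty and that call was skipped. In the failure case the function returns an error, yet the stored path names a directory the logger could not open; guarding the store with `if ( apply && retVal == LDAP_SUCCESS ) {` would keep the configuration and the logger in step. In the null case config_value_is_null is still handed errorbuf and may write a message there although LDAP_SUCCESS is returned (its body is not visible here), and the logger is never told the path was cleared. The function begins before this hunk.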
@@ -5930,7 +5923,7 @@ config_set_maxbersize( const char *attrname, char *value, char *errorbuf, int ap
}
if (size == 0) {
- size = DEFAULT_MAXBERSIZE;
+ size = SLAPD_DEFAULT_MAXBERSIZE;
}
CFG_LOCK_WRITE(slapdFrontendConfig);
@@ -5948,7 +5941,7 @@ config_get_maxbersize()
maxbersize = slapdFrontendConfig->maxbersize;
if (maxbersize == 0) {
- maxbersize = DEFAULT_MAXBERSIZE;
+ maxbersize = SLAPD_DEFAULT_MAXBERSIZE;
}
return maxbersize;
@@ -7085,83 +7078,6 @@ config_set_entryusn_import_init( const char *attrname, char *value,
}
char *
-config_get_allowed_to_delete_attrs(void)
-{
- char *retVal;
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- CFG_LOCK_READ(slapdFrontendConfig);
- retVal = slapi_ch_strdup(slapdFrontendConfig->allowed_to_delete_attrs);
- CFG_UNLOCK_READ(slapdFrontendConfig);
-
- return retVal;
-}
-
-int
-config_set_allowed_to_delete_attrs( const char *attrname, char *value,
- char *errorbuf, int apply )
-{
- int retVal = LDAP_SUCCESS;
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-
- if ( config_value_is_null( attrname, value, errorbuf, 1 )) {
- return LDAP_OPERATIONS_ERROR;
- }
-
- if (apply) {
- char *vcopy = slapi_ch_strdup(value);
- char **allowed = NULL, **s, *d;
- struct config_get_and_set *cgas = 0;
- int needcopy = 0;
- allowed = slapi_str2charray_ext(vcopy, " ", 0);
- for (s = allowed; s && *s; s++) ;
- for (--s; s && (s >= allowed) && *s; s--) {
- cgas = (struct config_get_and_set *)PL_HashTableLookup(confighash,
- *s);
- if (!cgas && PL_strcasecmp(*s, "aci") /* aci is an exception */) {
- slapi_log_err(SLAPI_LOG_ERR, "config_set_allowed_to_delete_attrs",
- "%s: Unknown attribute %s will be ignored\n",
- CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE, *s);
- charray_remove(allowed, *s, 1);
- needcopy = 1;
- s--;
- }
- }
- if (needcopy) {
- /* given value included unknown attribute,
- * we need to re-create a value. */
- /* reuse the duplicated string for the new attr value. */
- if (allowed && (NULL == *allowed)) {
- /* all the values to allow to delete are invalid */
- slapi_log_err(SLAPI_LOG_ERR, "config_set_allowed_to_delete_attrs",
- "%s: Given attributes are all invalid. No effects.\n",
- CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE);
- slapi_ch_array_free(allowed);
- return LDAP_NO_SUCH_ATTRIBUTE;
- } else {
- for (s = allowed, d = vcopy; s && *s; s++) {
- size_t slen = strlen(*s);
- memmove(d, *s, slen);
- d += slen;
- memmove(d, " ", 1);
- d++;
- }
- *(d-1) = '\0';
- strcpy(value, vcopy); /* original value needs to be refreshed */
- }
- } else {
- slapi_ch_free_string(&vcopy);
- vcopy = slapi_ch_strdup(value);
- }
- slapi_ch_array_free(allowed);
- CFG_LOCK_WRITE(slapdFrontendConfig);
- slapi_ch_free_string(&(slapdFrontendConfig->allowed_to_delete_attrs));
- slapdFrontendConfig->allowed_to_delete_attrs = vcopy;
- CFG_UNLOCK_WRITE(slapdFrontendConfig);
- }
- return retVal;
-}
-
-char *
config_get_allowed_sasl_mechs()
{
char *retVal;
@@ -7609,8 +7525,8 @@ config_set(const char *attr, struct berval **values, char *errorbuf, int apply)
break;
default:
- if ((NULL == values) &&
- config_allowed_to_delete_attrs(cgas->attr_name)) {
+ if (values == NULL && cgas->initvalue != NULL) {
+ /* We are deleting all our values and reset to defaults */
char initvalbuf[64];
void *initval = cgas->initvalue;
if (cgas->config_var_type == CONFIG_ON_OFF) {
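Review bot: The new condition `values == NULL && cgas->initvalue != NULL` lets a delete reset any attribute that has an init value, where the removed `config_allowed_to_delete_attrs()` check limited this to a configured list. Several defaults this commit centralises in slap.h are permissive (`SLAPD_DEFAULT_MIN_SSF 0`, `SLAPD_DEFAULT_ALLOW_ANON_ACCESS_STR "on"`, `SLAPD_DEFAULT_UNHASHED_PW_SWITCH_STR "on"`), so deleting a hardened setting would quietly fall back to them, assuming those macros are the init values, which this hunk does not show. I would record the reset where operators will see it, e.g. `slapi_log_err(SLAPI_LOG_NOTICE, "config_set", "Resetting %s to its default value\n", attr);`, and state in the comment that deletion now applies to every attribute with a default. The enclosing `switch` and the rest of `config_set` are outside this hunk.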
@@ -7624,23 +7540,26 @@ config_set(const char *attr, struct berval **values, char *errorbuf, int apply)
slapi_log_err(SLAPI_LOG_ERR, "config_set",
"The attribute %s is read only; ignoring setting NULL value\n", attr);
}
- }
- for (ii = 0; !retval && values && values[ii]; ++ii)
- {
- if (cgas->setfunc) {
- retval = (cgas->setfunc)(cgas->attr_name,
- (char *)values[ii]->bv_val, errorbuf, apply);
- } else if (cgas->logsetfunc) {
- retval = (cgas->logsetfunc)(cgas->attr_name,
- (char *)values[ii]->bv_val, cgas->whichlog,
- errorbuf, apply);
- } else {
- slapi_log_err(SLAPI_LOG_ERR, "config_set",
- "The attribute %s is read only; ignoring new value %s\n",
- attr, values[ii]->bv_val);
+ } else if (values != NULL) {
+ for (ii = 0; !retval && values && values[ii]; ++ii)
+ {
+ if (cgas->setfunc) {
+ retval = (cgas->setfunc)(cgas->attr_name,
+ (char *)values[ii]->bv_val, errorbuf, apply);
+ } else if (cgas->logsetfunc) {
+ retval = (cgas->logsetfunc)(cgas->attr_name,
+ (char *)values[ii]->bv_val, cgas->whichlog,
+ errorbuf, apply);
+ } else {
+ slapi_log_err(SLAPI_LOG_ERR, "config_set",
+ "The attribute %s is read only; ignoring new value %s\n",
+ attr, values[ii]->bv_val);
+ }
+ values[ii]->bv_len = strlen((char *)values[ii]->bv_val);
}
- values[ii]->bv_len = strlen((char *)values[ii]->bv_val);
- }
+ } else {
+ retval = LDAP_UNWILLING_TO_PERFORM;
+ }
break;
}
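Review bot: The new final `else` returns `LDAP_UNWILLING_TO_PERFORM` without writing anything to `errorbuf`, so a client that tries to delete an attribute with no init value gets a bare result code and no explanation. Adding `slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Deleting attribute %s is not allowed", attr);` before the assignment would match how the setters on this page report failures, assuming `errorbuf` has the same size here. In the re-indented loop, `values &&` in the `for` condition is redundant now that the branch has already tested `values != NULL`. The enclosing `switch` and `config_set` start outside this hunk.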
@@ -7924,27 +7843,6 @@ config_set_entry(Slapi_Entry *e)
return 1;
}
-/* these attr types are allowed to delete */
-int
-config_allowed_to_delete_attrs(const char *attr_type)
-{
- int rc = 0;
- if (attr_type) {
- char *delattrs = config_get_allowed_to_delete_attrs();
- char **allowed = slapi_str2charray_ext(delattrs, " ", 0);
- char **ap;
- for (ap = allowed; ap && *ap; ap++) {
- if (strcasecmp (attr_type, *ap) == 0) {
- rc = 1;
- break;
- }
- }
- slapi_ch_array_free(allowed);
- slapi_ch_free_string(&delattrs);
- }
- return rc;
-}
-
void
config_set_accesslog_enabled(int value)
{
@@ -8292,7 +8190,7 @@ invalid_sasl_mech(char *str)
}
if(strlen(str) < 1){
/* ignore empty values */
- return 1;
+ return 0;
}
/*
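Review bot: Returning 0 for an empty string makes `invalid_sasl_mech()` accept an empty value, but the comment still says only `/* ignore empty values */` and the return convention is not visible in the hunk. Because this value feeds the allowed SASL mechanism list, I would spell out what an accepted empty value means, e.g. `/* empty value is valid: it clears the list of allowed mechanisms */`. It is also worth confirming what the server does with a cleared list (presumably no restriction rather than "no mechanisms"), since that determines which mechanisms clients may negotiate. The function body continues outside the hunk.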
diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
index 9838bd3..1e456c8 100644
--- a/ldap/servers/slapd/log.c
+++ b/ldap/servers/slapd/log.c
@@ -242,28 +242,29 @@ void g_set_detached(int val)
/******************************************************************************
* Tell me whether logging begins or not
******************************************************************************/
-void g_log_init(int log_enabled)
+void g_log_init()
{
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ slapdFrontendConfig_t *cfg = getFrontendConfig();
+ CFG_LOCK_READ(cfg);
/* ACCESS LOG */
- loginfo.log_access_state = 0;
+ loginfo.log_access_state = cfg->accesslog_logging_enabled;
loginfo.log_access_mode = SLAPD_DEFAULT_FILE_MODE;
- loginfo.log_access_maxnumlogs = 1;
- loginfo.log_access_maxlogsize = -1;
- loginfo.log_access_rotationsync_enabled = 0;
- loginfo.log_access_rotationsynchour = -1;
- loginfo.log_access_rotationsyncmin = -1;
+ loginfo.log_access_maxnumlogs = cfg->accesslog_maxnumlogs;
+ loginfo.log_access_maxlogsize = cfg->accesslog_maxlogsize * LOG_MB_IN_BYTES;
+ loginfo.log_access_rotationsync_enabled = cfg->accesslog_rotationsync_enabled;
+ loginfo.log_access_rotationsynchour = cfg->accesslog_rotationsynchour;
+ loginfo.log_access_rotationsyncmin = cfg->accesslog_rotationsyncmin;
loginfo.log_access_rotationsyncclock = -1;
- loginfo.log_access_rotationtime = 1; /* default: 1 */
+ loginfo.log_access_rotationtime = cfg->accesslog_rotationtime; /* default: 1 */
loginfo.log_access_rotationunit = LOG_UNIT_DAYS; /* default: day */
loginfo.log_access_rotationtime_secs = _SEC_PER_DAY; /* default: 1 day */
- loginfo.log_access_maxdiskspace = -1;
- loginfo.log_access_minfreespace = -1;
- loginfo.log_access_exptime = -1; /* default: -1 */
+ loginfo.log_access_maxdiskspace = cfg->accesslog_maxdiskspace * LOG_MB_IN_BYTES;
+ loginfo.log_access_minfreespace = cfg->accesslog_minfreespace * LOG_MB_IN_BYTES;
+ loginfo.log_access_exptime = cfg->accesslog_exptime; /* default: -1 */
loginfo.log_access_exptimeunit = LOG_UNIT_MONTHS; /* default: month */
loginfo.log_access_exptime_secs = -1; /* default: -1 */
- loginfo.log_access_level = LDAP_DEBUG_STATS;
+ loginfo.log_access_level = cfg->accessloglevel;
loginfo.log_access_ctime = 0L;
loginfo.log_access_fdes = NULL;
loginfo.log_access_file = NULL;
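Review bot: `log_access_rotationtime` and `log_access_exptime` now come from `cfg`, but the derived fields beside them stay hard-coded (`log_access_rotationtime_secs = _SEC_PER_DAY`, `log_access_exptime_secs = -1`), so each pair disagrees whenever the configured value is not the old literal. The error, audit and auditfail sections in the following hunks have the same pattern (`604800`, `-1`). The size fields are also multiplied by `LOG_MB_IN_BYTES` unconditionally, which turns a `-1` "no limit" value into a negative byte count; if `-1` can reach this point, `cfg->accesslog_maxlogsize == -1 ? -1 : cfg->accesslog_maxlogsize * LOG_MB_IN_BYTES` keeps the sentinel that `log_set_logsize` still tests for. The definition is written `void g_log_init()` while the prototype in proto-slap.h is `g_log_init(void)`, and the body continues past this hunk.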
@@ -277,23 +278,22 @@ void g_log_init(int log_enabled)
if ((loginfo.log_access_buffer->lock = PR_NewLock())== NULL ) {
exit (-1);
}
- slapdFrontendConfig->accessloglevel = LDAP_DEBUG_STATS;
/* ERROR LOG */
- loginfo.log_error_state = 0;
+ loginfo.log_error_state = cfg->errorlog_logging_enabled;
loginfo.log_error_mode = SLAPD_DEFAULT_FILE_MODE;
- loginfo.log_error_maxnumlogs = 1;
- loginfo.log_error_maxlogsize = -1;
- loginfo.log_error_rotationsync_enabled = 0;
- loginfo.log_error_rotationsynchour = -1;
- loginfo.log_error_rotationsyncmin = -1;
+ loginfo.log_error_maxnumlogs = cfg->errorlog_maxnumlogs;
+ loginfo.log_error_maxlogsize = cfg->errorlog_maxlogsize * LOG_MB_IN_BYTES;
+ loginfo.log_error_rotationsync_enabled = cfg->errorlog_rotationsync_enabled;
+ loginfo.log_error_rotationsynchour = cfg->errorlog_rotationsynchour;
+ loginfo.log_error_rotationsyncmin = cfg->errorlog_rotationsyncmin;
loginfo.log_error_rotationsyncclock = -1;
- loginfo.log_error_rotationtime = 1; /* default: 1 */
+ loginfo.log_error_rotationtime = cfg->errorlog_rotationtime; /* default: 1 */
loginfo.log_error_rotationunit = LOG_UNIT_WEEKS; /* default: week */
loginfo.log_error_rotationtime_secs = 604800; /* default: 1 week */
- loginfo.log_error_maxdiskspace = -1;
- loginfo.log_error_minfreespace = -1;
- loginfo.log_error_exptime = -1; /* default: -1 */
+ loginfo.log_error_maxdiskspace = cfg->errorlog_maxdiskspace * LOG_MB_IN_BYTES;
+ loginfo.log_error_minfreespace = cfg->errorlog_minfreespace * LOG_MB_IN_BYTES;
+ loginfo.log_error_exptime = cfg->errorlog_exptime; /* default: -1 */
loginfo.log_error_exptimeunit = LOG_UNIT_MONTHS; /* default: month */
loginfo.log_error_exptime_secs = -1; /* default: -1 */
loginfo.log_error_ctime = 0L;
@@ -307,20 +307,20 @@ void g_log_init(int log_enabled)
}
/* AUDIT LOG */
- loginfo.log_audit_state = 0;
+ loginfo.log_audit_state = cfg->auditlog_logging_enabled;
loginfo.log_audit_mode = SLAPD_DEFAULT_FILE_MODE;
- loginfo.log_audit_maxnumlogs = 1;
- loginfo.log_audit_maxlogsize = -1;
- loginfo.log_audit_rotationsync_enabled = 0;
- loginfo.log_audit_rotationsynchour = -1;
- loginfo.log_audit_rotationsyncmin = -1;
+ loginfo.log_audit_maxnumlogs = cfg->auditlog_maxnumlogs;
+ loginfo.log_audit_maxlogsize = cfg->auditlog_maxlogsize * LOG_MB_IN_BYTES;
+ loginfo.log_audit_rotationsync_enabled = cfg->auditlog_rotationsync_enabled;
+ loginfo.log_audit_rotationsynchour = cfg->auditlog_rotationsynchour;
+ loginfo.log_audit_rotationsyncmin = cfg->auditlog_rotationsyncmin;
loginfo.log_audit_rotationsyncclock = -1;
- loginfo.log_audit_rotationtime = 1; /* default: 1 */
+ loginfo.log_audit_rotationtime = cfg->auditlog_rotationtime; /* default: 1 */
loginfo.log_audit_rotationunit = LOG_UNIT_WEEKS; /* default: week */
loginfo.log_audit_rotationtime_secs = 604800; /* default: 1 week */
- loginfo.log_audit_maxdiskspace = -1;
- loginfo.log_audit_minfreespace = -1;
- loginfo.log_audit_exptime = -1; /* default: -1 */
+ loginfo.log_audit_maxdiskspace = cfg->auditlog_maxdiskspace * LOG_MB_IN_BYTES;
+ loginfo.log_audit_minfreespace = cfg->auditlog_minfreespace * LOG_MB_IN_BYTES;
+ loginfo.log_audit_exptime = cfg->auditlog_exptime; /* default: -1 */
loginfo.log_audit_exptimeunit = LOG_UNIT_WEEKS; /* default: week */
loginfo.log_audit_exptime_secs = -1; /* default: -1 */
loginfo.log_audit_ctime = 0L;
@@ -334,20 +334,20 @@ void g_log_init(int log_enabled)
}
/* AUDIT LOG */
- loginfo.log_auditfail_state = 0;
+ loginfo.log_auditfail_state = cfg->auditfaillog_logging_enabled;
loginfo.log_auditfail_mode = SLAPD_DEFAULT_FILE_MODE;
- loginfo.log_auditfail_maxnumlogs = 1;
- loginfo.log_auditfail_maxlogsize = -1;
- loginfo.log_auditfail_rotationsync_enabled = 0;
- loginfo.log_auditfail_rotationsynchour = -1;
- loginfo.log_auditfail_rotationsyncmin = -1;
+ loginfo.log_auditfail_maxnumlogs = cfg->auditfaillog_maxnumlogs;
+ loginfo.log_auditfail_maxlogsize = cfg->auditfaillog_maxlogsize * LOG_MB_IN_BYTES;
+ loginfo.log_auditfail_rotationsync_enabled = cfg->auditfaillog_rotationsync_enabled;
+ loginfo.log_auditfail_rotationsynchour = cfg->auditfaillog_rotationsynchour;
+ loginfo.log_auditfail_rotationsyncmin = cfg->auditfaillog_rotationsyncmin;
loginfo.log_auditfail_rotationsyncclock = -1;
- loginfo.log_auditfail_rotationtime = 1; /* default: 1 */
+ loginfo.log_auditfail_rotationtime = cfg->auditfaillog_rotationtime; /* default: 1 */
loginfo.log_auditfail_rotationunit = LOG_UNIT_WEEKS; /* default: week */
loginfo.log_auditfail_rotationtime_secs = 604800; /* default: 1 week */
- loginfo.log_auditfail_maxdiskspace = -1;
- loginfo.log_auditfail_minfreespace = -1;
- loginfo.log_auditfail_exptime = -1; /* default: -1 */
+ loginfo.log_auditfail_maxdiskspace = cfg->auditfaillog_maxdiskspace * LOG_MB_IN_BYTES;
+ loginfo.log_auditfail_minfreespace = cfg->auditfaillog_minfreespace * LOG_MB_IN_BYTES;
+ loginfo.log_auditfail_exptime = cfg->auditfaillog_exptime; /* default: -1 */
loginfo.log_auditfail_exptimeunit = LOG_UNIT_WEEKS; /* default: week */
loginfo.log_auditfail_exptime_secs = -1; /* default: -1 */
loginfo.log_auditfail_ctime = 0L;
@@ -360,6 +360,7 @@ void g_log_init(int log_enabled)
if ((loginfo.log_auditfail_rwlock =slapi_new_rwlock())== NULL ) {
exit (-1);
}
+ CFG_UNLOCK_READ(cfg);
}
/******************************************************************************
@@ -998,8 +999,9 @@ log_set_logsize(const char *attrname, char *logsize_str, int logtype, char *retu
rv = LDAP_OPERATIONS_ERROR;
}
- if ((max_logsize > mdiskspace) && (mdiskspace != -1))
- rv = 2;
+ if ((max_logsize > mdiskspace) && (mdiskspace != -1)) {
+ rv = 2;
+ }
switch (logtype) {
case SLAPD_ACCESS_LOG:
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index 78f21d0..7b7a5ed 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -669,7 +669,7 @@ main( int argc, char **argv)
#endif
slapd_init();
- g_log_init(1);
+ g_log_init();
vattr_init();
if (slapd_exemode == SLAPD_EXEMODE_REFERRAL) {
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 8131a66..73010c2 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -367,7 +367,6 @@ int config_set_accesslogbuffering(const char *attrname, char *value, char *error
int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
int config_set_force_sasl_external(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_entryusn_global( const char *attrname, char *value, char *errorbuf, int apply );
-int config_set_allowed_to_delete_attrs( const char *attrname, char *value, char *errorbuf, int apply );
int config_set_entryusn_import_init( const char *attrname, char *value, char *errorbuf, int apply );
int config_set_default_naming_context( const char *attrname, char *value, char *errorbuf, int apply );
int config_set_disk_monitoring( const char *attrname, char *value, char *errorbuf, int apply );
@@ -539,10 +538,8 @@ int config_get_system_page_bits(void);
#endif
int config_get_force_sasl_external(void);
int config_get_entryusn_global(void);
-char *config_get_allowed_to_delete_attrs(void);
char *config_get_entryusn_import_init(void);
char *config_get_default_naming_context(void);
-int config_allowed_to_delete_attrs(const char *attr_type);
void config_set_accesslog_enabled(int value);
void config_set_auditlog_enabled(int value);
void config_set_auditfaillog_enabled(int value);
@@ -812,7 +809,7 @@ int audit_log_openf( char *pathname, int locked);
int auditfail_log_openf( char *pathname, int locked);
void g_set_detached(int);
-void g_log_init(int log_enabled);
+void g_log_init(void);
char *g_get_access_log(void);
char *g_get_error_log(void);
char *g_get_audit_log(void);
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index eeed212..674da83 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -95,7 +95,6 @@ typedef struct symbol_t {
#define SLAPD_SSLCLIENTAUTH_OFF 0
#define SLAPD_SSLCLIENTAUTH_ALLOWED 1 /* server asks for cert, but client need not send one */
#define SLAPD_SSLCLIENTAUTH_REQUIRED 2 /* server will refuse SSL session unless client sends cert */
-#define SLAPD_SSLCLIENTAUTH_DEFAULT SLAPD_SSLCLIENTAUTH_ALLOWED
#define NUM_SNMP_INT_TBL_ROWS 5
#define SNMP_FIELD_LENGTH 100
@@ -224,35 +223,180 @@ typedef void (*VFPV)(); /* takes undefined arguments */
#define SLAPD_INVALID_SOCKET_INDEX (-1)
+/* ============================================================================
+ * CONFIGURATION DEFAULTS
+ *
+ * All our server defaults are defined here. Sometimes these are in pairs of a
+ * type and a str type. These are largely consumed in libglobs.c
+ * The reason for their inclusion here is cleanliness of libglobs, centralisation
+ * There were a few values that differed between the libglobs and the define,
+ * so this also helps to eliminate that.
+ */
+
+#define SLAPD_DEFAULT_FILE_MODE S_IRUSR | S_IWUSR
+#define SLAPD_DEFAULT_DIR_MODE S_IRWXU
+#define SLAPD_DEFAULT_IDLE_TIMEOUT 0 /* seconds - 0 == never */
+#define SLAPD_DEFAULT_IDLE_TIMEOUT_STR "0"
+#define SLAPD_DEFAULT_SIZELIMIT 2000 /* use -1 for no limit */
+#define SLAPD_DEFAULT_SIZELIMIT_STR "2000"
+#define SLAPD_DEFAULT_TIMELIMIT 3600 /* use -1 for no limit */
+#define SLAPD_DEFAULT_TIMELIMIT_STR "3600"
+#define SLAPD_DEFAULT_LOOKTHROUGHLIMIT 5000 /* use -1 for no limit */
+#define SLAPD_DEFAULT_GROUPNESTLEVEL 5
+#define SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL 40 /* use -1 for no limit */
+#define SLAPD_DEFAULT_MAX_SASLIO_SIZE 2097152 /* 2MB in bytes. Use -1 for no limit */
+#define SLAPD_DEFAULT_MAX_SASLIO_SIZE_STR "2097152"
+#define SLAPD_DEFAULT_IOBLOCK_TIMEOUT 1800000 /* half hour in ms */
+#define SLAPD_DEFAULT_IOBLOCK_TIMEOUT_STR "1800000"
+#define SLAPD_DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT 300000 /* 5 minutes in ms */
+#define SLAPD_DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT_STR "300000"
+#define SLAPD_DEFAULT_RESERVE_FDS 64
+#define SLAPD_DEFAULT_RESERVE_FDS_STR "64"
+#define SLAPD_DEFAULT_MAX_THREADS 30 /* connection pool threads */
+#define SLAPD_DEFAULT_MAX_THREADS_STR "30"
+#define SLAPD_DEFAULT_MAX_THREADS_PER_CONN 5 /* allowed per connection */
+#define SLAPD_DEFAULT_MAX_THREADS_PER_CONN_STR "5"
+#define SLAPD_DEFAULT_MAX_BERSIZE_STR "0"
+#define SLAPD_DEFAULT_SCHEMA_IGNORE_TRAILING_SPACES LDAP_OFF
+#define SLAPD_DEFAULT_LOCAL_SSF 71 /* assume local connections are secure */
+#define SLAPD_DEFAULT_LOCAL_SSF_STR "71"
+#define SLAPD_DEFAULT_MIN_SSF 0 /* allow unsecured connections (no privacy or integrity) */
+#define SLAPD_DEFAULT_MIN_SSF_STR "0"
+#define SLAPD_DEFAULT_SASL_MAXBUFSIZE 2097152
+#define SLAPD_DEFAULT_SASL_MAXBUFSIZE_STR "2097152"
+#define SLAPD_DEFAULT_MAXBERSIZE 2097152
+#define SLAPD_DEFAULT_MAXBERSIZE_STR "2097152"
+#define SLAPD_DEFAULT_MAXSIMPLEPAGED_PER_CONN (-1)
+#define SLAPD_DEFAULT_MAXSIMPLEPAGED_PER_CONN_STR "-1"
+/* We'd like this number to be prime for the hash into the Connection table */
+#define SLAPD_DEFAULT_CONNTABLESIZE 4093 /* connection table size */
+
+#define SLAPD_DEFAULT_NDN_SIZE 20971520
+#define SLAPD_DEFAULT_NDN_SIZE_STR "20971520"
+#ifdef MEMPOOL_EXPERIMENTAL
+#define SLAPD_DEFAULT_MEMPOOL_MAXFREELIST 1024
+#define SLAPD_DEFAULT_MEMPOOL_MAXFREELIST_STR "1024"
+#endif
+
+#define SLAPD_DEFAULT_DIRECTORY_MANAGER "cn=Directory Manager"
+#define SLAPD_DEFAULT_UIDNUM_TYPE "uidNumber"
+#define SLAPD_DEFAULT_GIDNUM_TYPE "gidNumber"
+#define SLAPD_ENTRYUSN_IMPORT_INIT "0"
+#define SLAPD_INIT_LOGGING_BACKEND_INTERNAL "dirsrv-log"
+
+#define SLAPD_DEFAULT_SSLCLIENTAUTH SLAPD_SSLCLIENTAUTH_ALLOWED
+#define SLAPD_DEFAULT_SSLCLIENTAUTH_STR "allowed"
+
+#define SLAPD_DEFAULT_ALLOW_ANON_ACCESS SLAPD_ANON_ACCESS_ON
+#define SLAPD_DEFAULT_ALLOW_ANON_ACCESS_STR "on"
+
+#define SLAPD_DEFAULT_VALIDATE_CERT SLAPD_VALIDATE_CERT_WARN
+#define SLAPD_DEFAULT_VALIDATE_CERT_STR "warn"
+
+#define SLAPD_DEFAULT_UNHASHED_PW_SWITCH SLAPD_UNHASHED_PW_ON
+#define SLAPD_DEFAULT_UNHASHED_PW_SWITCH_STR "on"
+
+#define SLAPD_DEFAULT_LDAPI_SEARCH_BASE "dc=example,dc=com"
+#define SLAPD_DEFAULT_LDAPI_AUTO_DN "cn=peercred,cn=external,cn=auth"
+
+#define SLAPD_MONITOR_DN "cn=monitor"
+#define SLAPD_SCHEMA_DN "cn=schema"
+#define SLAPD_CONFIG_DN "cn=config"
+
+#define SLAPD_INIT_LOG_MODE "600"
+#define SLAPD_INIT_ACCESSLOG_ROTATIONUNIT "day"
+#define SLAPD_INIT_ERRORLOG_ROTATIONUNIT "week"
+#define SLAPD_INIT_AUDITLOG_ROTATIONUNIT "week"
+#define SLAPD_INIT_AUDITFAILLOG_ROTATIONUNIT "week"
+#define SLAPD_INIT_LOG_EXPTIMEUNIT "month"
+
+#define SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR 0
+#define SLAPD_DEFAULT_LOG_ROTATIONSYNCHOUR_STR "0"
+#define SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN 0
+#define SLAPD_DEFAULT_LOG_ROTATIONSYNCMIN_STR "0"
+#define SLAPD_DEFAULT_LOG_ROTATIONTIME 1
+#define SLAPD_DEFAULT_LOG_ROTATIONTIME_STR "1"
+#define SLAPD_DEFAULT_LOG_ACCESS_MAXNUMLOGS 10
+#define SLAPD_DEFAULT_LOG_ACCESS_MAXNUMLOGS_STR "10"
+#define SLAPD_DEFAULT_LOG_MAXNUMLOGS 1
+#define SLAPD_DEFAULT_LOG_MAXNUMLOGS_STR "1"
+#define SLAPD_DEFAULT_LOG_EXPTIME 1
+#define SLAPD_DEFAULT_LOG_EXPTIME_STR "1"
+/* This is in MB */
+#define SLAPD_DEFAULT_LOG_ACCESS_MAXDISKSPACE 500
+#define SLAPD_DEFAULT_LOG_ACCESS_MAXDISKSPACE_STR "500"
+#define SLAPD_DEFAULT_LOG_MAXDISKSPACE 100
+#define SLAPD_DEFAULT_LOG_MAXDISKSPACE_STR "100"
+#define SLAPD_DEFAULT_LOG_MAXLOGSIZE 100
+#define SLAPD_DEFAULT_LOG_MAXLOGSIZE_STR "100"
+#define SLAPD_DEFAULT_LOG_MINFREESPACE 5
+#define SLAPD_DEFAULT_LOG_MINFREESPACE_STR "5"
+
/* The default log levels:
* (LDAP_DEBUG_ANY | LDAP_DEBUG_EMERG | LDAP_DEBUG_ALERT | LDAP_DEBUG_CRIT | LDAP_DEBUG_ERR |
* LDAP_DEBUG_WARNING | LDAP_DEBUG_NOTICE | LDAP_DEBUG_INFO)
*/
-#define SLAPD_DEFAULT_ERRORLOG_LEVEL 266354688
-
-#define SLAPD_DEFAULT_FILE_MODE S_IRUSR | S_IWUSR
-#define SLAPD_DEFAULT_DIR_MODE S_IRWXU
-#define SLAPD_DEFAULT_IDLE_TIMEOUT 0 /* seconds - 0 == never */
-#define SLAPD_DEFAULT_SIZELIMIT 2000 /* use -1 for no limit */
-#define SLAPD_DEFAULT_TIMELIMIT 3600 /* use -1 for no limit */
-#define SLAPD_DEFAULT_LOOKTHROUGHLIMIT 5000 /* use -1 for no limit */
-#define SLAPD_DEFAULT_GROUPNESTLEVEL 5
-#define SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL 40 /* use -1 for no limit */
-#define SLAPD_DEFAULT_MAX_SASLIO_SIZE 2097152 /* 2MB in bytes. Use -1 for no limit */
-#define SLAPD_DEFAULT_IOBLOCK_TIMEOUT 1800000 /* half hour in ms */
-#define SLAPD_DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT 300000 /* 5 minutes in ms */
-#define SLAPD_DEFAULT_RESERVE_FDS 64
-#define SLAPD_DEFAULT_MAX_THREADS 30 /* connection pool threads */
-#define SLAPD_DEFAULT_MAX_THREADS_PER_CONN 5 /* allowed per connection */
-#define SLAPD_DEFAULT_SCHEMA_IGNORE_TRAILING_SPACES LDAP_OFF
-#define SLAPD_DEFAULT_LOCAL_SSF 71 /* assume local connections are secure */
-#define SLAPD_DEFAULT_MIN_SSF 0 /* allow unsecured connections (no privacy or integrity) */
-/* We'd like this number to be prime for the hash into the Connection table */
-#define SLAPD_DEFAULT_CONNTABLESIZE 4093 /* connection table size */
-
-#define SLAPD_MONITOR_DN "cn=monitor"
-#define SLAPD_SCHEMA_DN "cn=schema"
-#define SLAPD_CONFIG_DN "cn=config"
+#define SLAPD_DEFAULT_ERRORLOG_LEVEL 266354688
+#define SLAPD_DEFAULT_ERRORLOG_LEVEL_STR "266354688"
+#define SLAPD_DEFAULT_ACCESSLOG_LEVEL 256
+#define SLAPD_DEFAULT_ACCESSLOG_LEVEL_STR "256"
+
+#define SLAPD_DEFAULT_DISK_THRESHOLD 2097152
+#define SLAPD_DEFAULT_DISK_THRESHOLD_STR "2097152"
+#define SLAPD_DEFAULT_DISK_GRACE_PERIOD 60
+#define SLAPD_DEFAULT_DISK_GRACE_PERIOD_STR "60"
+
+#define SLAPD_DEFAULT_PAGEDSIZELIMIT 0
+#define SLAPD_DEFAULT_PAGEDSIZELIMIT_STR "0"
+#define SLAPD_DEFAULT_MAXDESCRIPTORS 1024
+#define SLAPD_DEFAULT_MAXDESCRIPTORS_STR "1024"
+#define SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL 40
+#define SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL_STR "40"
+#define SLAPD_DEFAULT_GROUPEVALNESTLEVEL 0
+#define SLAPD_DEFAULT_GROUPEVALNESTLEVEL_STR "0"
+#define SLAPD_DEFAULT_SNMP_INDEX 0
+#define SLAPD_DEFAULT_SNMP_INDEX_STR "0"
+
+#define SLAPD_DEFAULT_PW_INHISTORY 6
+#define SLAPD_DEFAULT_PW_INHISTORY_STR "6"
+#define SLAPD_DEFAULT_PW_GRACELIMIT 0
+#define SLAPD_DEFAULT_PW_GRACELIMIT_STR "0"
+#define SLAPD_DEFAULT_PW_MINLENGTH 8
+#define SLAPD_DEFAULT_PW_MINLENGTH_STR "8"
+#define SLAPD_DEFAULT_PW_MINDIGITS 0
+#define SLAPD_DEFAULT_PW_MINDIGITS_STR "0"
+#define SLAPD_DEFAULT_PW_MINALPHAS 0
+#define SLAPD_DEFAULT_PW_MINALPHAS_STR "0"
+#define SLAPD_DEFAULT_PW_MINUPPERS 0
+#define SLAPD_DEFAULT_PW_MINUPPERS_STR "0"
+#define SLAPD_DEFAULT_PW_MINLOWERS 0
+#define SLAPD_DEFAULT_PW_MINLOWERS_STR "0"
+#define SLAPD_DEFAULT_PW_MINSPECIALS 0
+#define SLAPD_DEFAULT_PW_MINSPECIALS_STR "0"
+#define SLAPD_DEFAULT_PW_MIN8BIT 0
+#define SLAPD_DEFAULT_PW_MIN8BIT_STR "0"
+#define SLAPD_DEFAULT_PW_MAXREPEATS 0
+#define SLAPD_DEFAULT_PW_MAXREPEATS_STR "0"
+#define SLAPD_DEFAULT_PW_MINCATEGORIES 3
+#define SLAPD_DEFAULT_PW_MINCATEGORIES_STR "3"
+#define SLAPD_DEFAULT_PW_MINTOKENLENGTH 3
+#define SLAPD_DEFAULT_PW_MINTOKENLENGTH_STR "3"
+#define SLAPD_DEFAULT_PW_MAXAGE 8640000
+#define SLAPD_DEFAULT_PW_MAXAGE_STR "8640000"
+#define SLAPD_DEFAULT_PW_MINAGE 0
+#define SLAPD_DEFAULT_PW_MINAGE_STR "0"
+#define SLAPD_DEFAULT_PW_WARNING 86400
+#define SLAPD_DEFAULT_PW_WARNING_STR "86400"
+#define SLAPD_DEFAULT_PW_MAXFAILURE 3
+#define SLAPD_DEFAULT_PW_MAXFAILURE_STR "3"
+#define SLAPD_DEFAULT_PW_RESETFAILURECOUNT 600
+#define SLAPD_DEFAULT_PW_RESETFAILURECOUNT_STR "600"
+#define SLAPD_DEFAULT_PW_LOCKDURATION 3600
+#define SLAPD_DEFAULT_PW_LOCKDURATION_STR "3600"
+
+/* Default password values. */
+
+/* ================ END CONFIGURATION DEFAULTS ============================ */
#define EGG_OBJECT_CLASS "directory-team-extensible-object"
#define EGG_FILTER "(objectclass=directory-team-extensible-object)"
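Review bot: The new block defines both `SLAPD_DEFAULT_MAX_BERSIZE_STR "0"` and `SLAPD_DEFAULT_MAXBERSIZE_STR "2097152"`, two names one underscore apart with different values, and `SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL` is defined twice. I would drop the duplicate, and either remove one of the BER-size strings or add a comment saying which attribute each one initialises, since picking the wrong one changes the size limit applied to incoming requests. `SLAPD_DEFAULT_FILE_MODE` is still an unparenthesised expression; `#define SLAPD_DEFAULT_FILE_MODE (S_IRUSR | S_IWUSR)` avoids precedence surprises when it is used inside a larger expression. The trailing `/* Default password values. */` heading has nothing under it and reads as if it belongs above the `SLAPD_DEFAULT_PW_*` group.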
@@ -2126,7 +2270,6 @@ typedef struct _slapdEntryPoints {
#define CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE "nsslapd-force-sasl-external"
#define CONFIG_ENTRYUSN_GLOBAL "nsslapd-entryusn-global"
#define CONFIG_ENTRYUSN_IMPORT_INITVAL "nsslapd-entryusn-import-initval"
-#define CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE "nsslapd-allowed-to-delete-attrs"
#define CONFIG_DEFAULT_NAMING_CONTEXT "nsslapd-defaultnamingcontext"
#define CONFIG_DISK_MONITORING "nsslapd-disk-monitoring"
#define CONFIG_DISK_THRESHOLD "nsslapd-disk-monitoring-threshold"
@@ -2171,6 +2314,7 @@ typedef struct _slapdEntryPoints {
*/
#ifndef DAEMON_LISTEN_SIZE
#define DAEMON_LISTEN_SIZE 128
+#define DAEMON_LISTEN_SIZE_STR "128"
#endif
#define CONFIG_IGNORE_TIME_SKEW "nsslapd-ignore-time-skew"
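Review bot: `DAEMON_LISTEN_SIZE_STR` is defined inside `#ifndef DAEMON_LISTEN_SIZE`, so a build that predefines `DAEMON_LISTEN_SIZE` gets no string form at all, and one that supplies both by hand can let them differ. Deriving the string from the number keeps the two in step: a two-level helper such as `#define SLAPD_STR_(x) #x` and `#define SLAPD_XSTR(x) SLAPD_STR_(x)` (names are only a suggestion), then `#define DAEMON_LISTEN_SIZE_STR SLAPD_XSTR(DAEMON_LISTEN_SIZE)` placed after the `#endif`.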
@@ -2182,6 +2326,9 @@ typedef struct _slapdEntryPoints {
/* flag used to indicate that the change to the config parameter should be saved */
#define CONFIG_APPLY 1
+/* This should be cleaned up and REMOVED.
+ * Apparently it's SLOWER than just straight lock.
+ */
#define SLAPI_CFG_USE_RWLOCK 0
#if SLAPI_CFG_USE_RWLOCK == 0
#define CFG_LOCK_READ(cfg) PR_Lock(cfg->cfg_lock)
@@ -2416,7 +2563,6 @@ typedef struct _slapdFrontendConfig {
#endif /* MEMPOOL_EXPERIMENTAL */
slapi_onoff_t force_sasl_external; /* force SIMPLE bind to be SASL/EXTERNAL if client cert credentials were supplied */
slapi_onoff_t entryusn_global; /* Entry USN: Use global counter */
- char *allowed_to_delete_attrs;/* list of config attrs allowed to delete */
char *entryusn_import_init; /* Entry USN: determine the initital value of import */
int pagedsizelimit;
char *default_naming_context; /* Default naming context (normalized) */
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 696f956..5ad22fd 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -2078,7 +2078,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
"Authentication status. No nsslclientauth in %s ("
SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
configDN, errorCode, slapd_pr_strerror(errorCode));
- switch( SLAPD_SSLCLIENTAUTH_DEFAULT ) {
+ switch( SLAPD_DEFAULT_SSLCLIENTAUTH ) {
case SLAPD_SSLCLIENTAUTH_OFF:
default_val = "off";
break;
7 years, 6 months
Branch '389-ds-base-1.3.5' - rpm/389-ds-base.spec.in
by Noriko Hosoi
rpm/389-ds-base.spec.in | 2 ++
1 file changed, 2 insertions(+)
New commits:
commit f49bd607e3d9582ef990b338f4656d5bbd3c742a
Author: Viktor Ashirov <vashirov(a)redhat.com>
Date: Mon Oct 3 19:17:28 2016 +0200
Ticket #47911 - Move dirsrv-snmp.service to 389-ds-base-snmp package
Bug Description:
After package split dirsrv-snmp.service still belongs to
389-ds-base package.
Fix Description:
Move dirsrv.service to -snmp subpackage and exclude it
from 389-ds-base package.
https://fedorahosted.org/389/ticket/47911
Reviewed by: nhosoi(a)redhat.com
diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
index 7413cbe..5f934bd 100644
--- a/rpm/389-ds-base.spec.in
+++ b/rpm/389-ds-base.spec.in
@@ -453,6 +453,7 @@ fi
%{_mandir}/man8/*
%exclude %{_sbindir}/ldap-agent*
%exclude %{_mandir}/man1/ldap-agent.1.gz
+%exclude %{_unitdir}/%{pkgname}-snmp.service
%files devel
%defattr(-,root,root,-)
@@ -481,6 +482,7 @@ fi
%config(noreplace)%{_sysconfdir}/%{pkgname}/config/ldap-agent.conf
%{_sbindir}/ldap-agent*
%{_mandir}/man1/ldap-agent.1.gz
+%{_unitdir}/%{pkgname}-snmp.service
%files tests
%defattr(-,root,root,-)
7 years, 7 months
rpm/389-ds-base.spec.in
by Noriko Hosoi
rpm/389-ds-base.spec.in | 2 ++
1 file changed, 2 insertions(+)
New commits:
commit e31b3246b01833dda6be2a0d34b86a95402c54f2
Author: Viktor Ashirov <vashirov(a)redhat.com>
Date: Mon Oct 3 19:17:28 2016 +0200
Ticket #47911 - Move dirsrv-snmp.service to 389-ds-base-snmp package
Bug Description:
After package split dirsrv-snmp.service still belongs to
389-ds-base package.
Fix Description:
Move dirsrv.service to -snmp subpackage and exclude it
from 389-ds-base package.
https://fedorahosted.org/389/ticket/47911
Reviewed by: nhosoi(a)redhat.com
(cherry picked from commit f49bd607e3d9582ef990b338f4656d5bbd3c742a)
diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
index 9fe6a96..f954a68 100644
--- a/rpm/389-ds-base.spec.in
+++ b/rpm/389-ds-base.spec.in
@@ -477,6 +477,7 @@ fi
%exclude %{_mandir}/man3/ns_job_t.3.gz
%exclude %{_mandir}/man3/ns_thrpool_config.3.gz
%exclude %{_mandir}/man3/nunc-stans.h.3.gz
+%exclude %{_unitdir}/%{pkgname}-snmp.service
%files devel
%defattr(-,root,root,-)
@@ -507,6 +508,7 @@ fi
%config(noreplace)%{_sysconfdir}/%{pkgname}/config/ldap-agent.conf
%{_sbindir}/ldap-agent*
%{_mandir}/man1/ldap-agent.1.gz
+%{_unitdir}/%{pkgname}-snmp.service
%files tests
%defattr(-,root,root,-)
7 years, 7 months
ldap/servers
by William Brown
ldap/servers/plugins/pwdstorage/clear_pwd.c | 1 -
1 file changed, 1 deletion(-)
New commits:
commit c984499b9423c8f93bcb3e446e9b7b957d405ebf
Author: William Brown <firstyear(a)redhat.com>
Date: Fri Nov 4 16:12:26 2016 +1000
Ticket bz1358565 - Fix compiler warning about unused variable
Bug Description: Unused variable len (oops!)
Fix Description: Remove the unused variable.
https://bugzilla.redhat.com/show_bug.cgi?id=1358565
Author: wibrown
Review by: One line fix
diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c
index 2afe16e..b9b362d 100644
--- a/ldap/servers/plugins/pwdstorage/clear_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c
@@ -26,7 +26,6 @@ int
clear_pw_cmp( const char *userpwd, const char *dbpwd )
{
int result = 0;
- int len = 0;
int len_user = strlen(userpwd);
int len_dbp = strlen(dbpwd);
if ( len_user != len_dbp ) {
7 years, 7 months
Branch '389-ds-base-1.3.5' - ldap/servers VERSION.sh
by Mark Reynolds
VERSION.sh | 2 +-
ldap/servers/slapd/ch_malloc.c | 5 +----
2 files changed, 2 insertions(+), 5 deletions(-)
New commits:
commit 136b366da0646546d8304aa001a18242d7ff578a
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Nov 3 15:39:29 2016 -0400
Bump version to 1.3.5.15
diff --git a/VERSION.sh b/VERSION.sh
index 9f5604a..7c3ee62 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=3
-VERSION_MAINT=5.14
+VERSION_MAINT=5.15
# NOTE: VERSION_PREREL is automatically set for builds made out of a git tree
VERSION_PREREL=
VERSION_DATE=$(date -u +%Y%m%d)
diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
index 515e746..c8eefa2 100644
--- a/ldap/servers/slapd/ch_malloc.c
+++ b/ldap/servers/slapd/ch_malloc.c
@@ -129,9 +129,6 @@ slapi_ch_malloc(
PR_INCREMENT_COUNTER(slapi_ch_counter_created);
PR_INCREMENT_COUNTER(slapi_ch_counter_exist);
- /* So long as this happens once, we are happy, put it in ch_malloc. */
- create_oom_buffer();
-
return( newmem );
}
@@ -150,7 +147,7 @@ slapi_ch_memalign(size_t size, size_t alignment)
int oserr = errno;
oom_occurred();
- slapi_log_err(SLAPI_LOG_ERR, SLAPD_MODULE,
+ slapi_log_error(SLAPI_LOG_FATAL, SLAPD_MODULE,
"malloc of %lu bytes failed; OS error %d (%s)%s\n",
size, oserr, slapd_system_strerror( oserr ), oom_advice );
exit( 1 );
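Review bot: `int oserr = errno;` in slapi_ch_memalign reads the wrong value, because posix_memalign() reports failure through its return value and does not set errno, so the logged OS error can be stale. The call itself is visible only in the hunk that adds the function (the CVE-2016-5405 backport further down this page), where the same applies. Capture the result instead: `int oserr = posix_memalign((void **)&newmem, alignment, size);` followed by `if (oserr != 0) {`. The message also still reads "malloc of %lu bytes failed", which makes a memalign failure indistinguishable from a malloc failure in the errors log. The function body starts outside this hunk.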
Branch '389-ds-base-1.3.5' - 4 commits - dirsrvtests/tests ldap/servers
by Mark Reynolds
dirsrvtests/tests/suites/password/pwd_algo_test.py | 143 +++++++++++++++++++++
ldap/servers/plugins/pwdstorage/clear_pwd.c | 33 ++++
ldap/servers/plugins/pwdstorage/crypt_pwd.c | 2
ldap/servers/plugins/pwdstorage/md5_pwd.c | 2
ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c | 1
ldap/servers/plugins/pwdstorage/sha_pwd.c | 15 +-
ldap/servers/plugins/pwdstorage/smd5_pwd.c | 2
ldap/servers/slapd/ch_malloc.c | 50 +++++++
ldap/servers/slapd/slapi-plugin.h | 16 ++
9 files changed, 254 insertions(+), 10 deletions(-)
New commits:
commit 3d227536f7d53a3c3d58c066492eb8a5db834089
Author: William Brown <firstyear(a)redhat.com>
Date: Thu Jul 21 13:22:30 2016 +1000
Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
Bug Description: Clear and unsalted password types were vulnerable to a timing
attack. This is due to the use of memcmp and strcmp in their comparison.
Fix Description: Add a constant time memcmp function, that does not shortcircuit.
Change all password comparison to use the constant time check. For the clear
scheme, alter the way we do the check to prevent length disclosure timing
attacks.
This resolves CVE-2016-5405
https://bugzilla.redhat.com/show_bug.cgi?id=1358565
https://access.redhat.com/security/cve/CVE-2016-5405
Author: wibrown
Review by: nhosoi (Thanks!)
(cherry picked from commit 9dcaa4a0c866d8696e0a2616ccf962af2833f0b8)
(cherry picked from commit 762219a35005914c6c088d915ac9346ce7e28512)
diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
index 705ea86..515e746 100644
--- a/ldap/servers/slapd/ch_malloc.c
+++ b/ldap/servers/slapd/ch_malloc.c
@@ -119,6 +119,7 @@ slapi_ch_malloc(
size, oserr, slapd_system_strerror( oserr ), oom_advice );
exit( 1 );
}
+
if(!counters_created)
{
create_counters();
@@ -128,6 +129,33 @@ slapi_ch_malloc(
PR_INCREMENT_COUNTER(slapi_ch_counter_created);
PR_INCREMENT_COUNTER(slapi_ch_counter_exist);
+ /* So long as this happens once, we are happy, put it in ch_malloc. */
+ create_oom_buffer();
+
+ return( newmem );
+}
+
+/* See slapi-plugin.h */
+char *
+slapi_ch_memalign(size_t size, size_t alignment)
+{
+ char *newmem;
+
+ if (size <= 0) {
+ log_negative_alloc_msg( "memalign", "bytes", size );
+ return 0;
+ }
+
+ if ( posix_memalign((void **)&newmem, alignment, size) != 0 ) {
+ int oserr = errno;
+
+ oom_occurred();
+ slapi_log_err(SLAPI_LOG_ERR, SLAPD_MODULE,
+ "malloc of %lu bytes failed; OS error %d (%s)%s\n",
+ size, oserr, slapd_system_strerror( oserr ), oom_advice );
+ exit( 1 );
+ }
+
return( newmem );
}
@@ -374,13 +402,12 @@ slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
int result = 0;
const unsigned char *_p1 = (const unsigned char *)p1;
const unsigned char *_p2 = (const unsigned char *)p2;
- size_t i;
if (_p1 == NULL || _p2 == NULL) {
return 2;
}
- for (i = 0; i < n; i++) {
+ for (size_t i = 0; i < n; i++) {
if (_p1[i] ^ _p2[i]) {
result = 1;
}
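Review bot: The loop body `if (_p1[i] ^ _p2[i]) { result = 1; }` still branches on the compared bytes, so whether slapi_ct_memcmp is constant time depends on how the compiler lowers that branch. Accumulating the difference avoids the conditional: declare `unsigned char diff = 0;`, use `diff |= _p1[i] ^ _p2[i];` in the loop, and end with `return diff != 0;`. The same loop appears in the hunk that adds the function and in the follow-up that moves `size_t i`, both further down this page in ch_malloc.c. The function starts and ends outside this hunk.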
commit 48a0203355d28bccbf8728a21a32b738c060132b
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Aug 4 13:26:44 2016 -0700
Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
Description: Build fails with the commit f0e03b5a51972a125fe78f448d1f68e288782d1e:
error: 'for' loop initial declarations are only allowed in C99 mode
for (size_t i = 0; i < n; i++) {
^
Moved "size_t i;" to the top of slapi_ct_memcmp.
(cherry picked from commit 53da6d718b3dfee6cdd78e112d1926e90d03128a)
(cherry picked from commit 3548aff21be9f58e08b3174cb27d9b59af67cc58)
diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
index a38268c..705ea86 100644
--- a/ldap/servers/slapd/ch_malloc.c
+++ b/ldap/servers/slapd/ch_malloc.c
@@ -374,12 +374,13 @@ slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
int result = 0;
const unsigned char *_p1 = (const unsigned char *)p1;
const unsigned char *_p2 = (const unsigned char *)p2;
+ size_t i;
if (_p1 == NULL || _p2 == NULL) {
return 2;
}
- for (size_t i = 0; i < n; i++) {
+ for (i = 0; i < n; i++) {
if (_p1[i] ^ _p2[i]) {
result = 1;
}
commit 6a7aafb83677a0f5df294dfeaafcde2f5587ddcb
Author: William Brown <firstyear(a)redhat.com>
Date: Thu Jul 21 13:22:30 2016 +1000
Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
Bug Description: Clear and unsalted password types were vulnerable to a timing
attack. This is due to the use of memcmp and strcmp in their comparison.
Fix Description: Add a constant time memcmp function, that does not shortcircuit.
Change all password comparison to use the constant time check. For the clear
scheme, alter the way we do the check to prevent length disclosure timing
attacks.
This resolves CVE-2016-5405
https://bugzilla.redhat.com/show_bug.cgi?id=1358565
https://access.redhat.com/security/cve/CVE-2016-5405
Author: wibrown
Review by: nhosoi (Thanks!)
(cherry picked from commit 9dcaa4a0c866d8696e0a2616ccf962af2833f0b8)
(cherry picked from commit f0e03b5a51972a125fe78f448d1f68e288782d1e)
(cherry picked from commit c4b5dc8bf325f0a358dc135b91023c3edc103a39)
diff --git a/dirsrvtests/tests/suites/password/pwd_algo_test.py b/dirsrvtests/tests/suites/password/pwd_algo_test.py
new file mode 100644
index 0000000..aa8cbf5
--- /dev/null
+++ b/dirsrvtests/tests/suites/password/pwd_algo_test.py
@@ -0,0 +1,143 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+DEBUGGING = True
+USER_DN = 'uid=user,ou=People,%s' % DEFAULT_SUFFIX
+
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+
+
+log = logging.getLogger(__name__)
+
+
+class TopologyStandalone(object):
+ """The DS Topology Class"""
+ def __init__(self, standalone):
+ """Init"""
+ standalone.open()
+ self.standalone = standalone
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ """Create DS Deployment"""
+
+ # Creating standalone instance ...
+ if DEBUGGING:
+ standalone = DirSrv(verbose=True)
+ else:
+ standalone = DirSrv(verbose=False)
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+ instance_standalone = standalone.exists()
+ if instance_standalone:
+ standalone.delete()
+ standalone.create()
+ standalone.open()
+
+ def fin():
+ """If we are debugging just stop the instances, otherwise remove
+ them
+ """
+ if DEBUGGING:
+ standalone.stop()
+ else:
+ standalone.delete()
+
+ request.addfinalizer(fin)
+
+ # Clear out the tmp dir
+ standalone.clearTmpDir(__file__)
+
+ return TopologyStandalone(standalone)
+
+def _test_bind(inst, password):
+ result = True
+ userconn = ldap.initialize("ldap://%s:%s" % (HOST_STANDALONE, PORT_STANDALONE))
+ try:
+ userconn.simple_bind_s(USER_DN, password)
+ userconn.unbind_s()
+ except ldap.INVALID_CREDENTIALS:
+ result = False
+ return result
+
+def _test_algo(inst, algo_name):
+ inst.config.set('passwordStorageScheme', algo_name)
+
+ if DEBUGGING:
+ print('Testing %s', algo_name)
+
+ # Create the user with a password
+ inst.add_s(Entry((
+ USER_DN, {
+ 'objectClass': 'top account simplesecurityobject'.split(),
+ 'uid': 'user',
+ 'userpassword': 'Secret123'
+ })))
+
+ # Make sure when we read the userPassword field, it is the correct ALGO
+ pw_field = inst.search_s(USER_DN, ldap.SCOPE_BASE, '(objectClass=*)', ['userPassword'] )[0]
+
+ if DEBUGGING:
+ print(pw_field.getValue('userPassword'))
+
+ if algo_name != 'CLEAR':
+ assert(algo_name.lower() in pw_field.getValue('userPassword').lower())
+ # Now make sure a bind works
+ assert(_test_bind(inst, 'Secret123'))
+ # Bind with a wrong shorter password, should fail
+ assert(not _test_bind(inst, 'Wrong'))
+ # Bind with a wrong longer password, should fail
+ assert(not _test_bind(inst, 'This is even more wrong'))
+ # Bind with a wrong exact length password.
+ assert(not _test_bind(inst, 'Alsowrong'))
+ # Bind with a subset password, should fail
+ assert(not _test_bind(inst, 'Secret'))
+ if algo_name != 'CRYPT':
+ # Bind with a subset password that is 1 char shorter, to detect off by 1 in clear
+ assert(not _test_bind(inst, 'Secret12'))
+ # Bind with a superset password, should fail
+ assert(not _test_bind(inst, 'Secret123456'))
+ # Delete the user
+ inst.delete_s(USER_DN)
+ # done!
+
+def test_pwd_algo_test(topology):
+ """
+ Assert that all of our password algorithms correctly PASS and FAIL varying
+ password conditions.
+
+ """
+ if DEBUGGING:
+ # Add debugging steps(if any)...
+ pass
+
+ for algo in ('CLEAR', 'CRYPT', 'MD5', 'SHA', 'SHA256', 'SHA384', 'SHA512', 'SMD5', 'SSHA', 'SSHA256', 'SSHA384', 'SSHA512'):
+ _test_algo(topology.standalone, algo)
+
+ log.info('Test PASSED')
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
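Review bot: `DEBUGGING = True` is committed at the top of the new file, so the finalizer only stops the instance instead of deleting it and every run prints the stored userPassword value; `DEBUGGING = False` is the safer default for CI. `print('Testing %s', algo_name)` passes two arguments rather than formatting the string, so `print('Testing %s' % algo_name)` was probably intended. In `_test_bind` the connection is closed only on the success path; moving `userconn.unbind_s()` into a `finally:` would also release it after a rejected bind. The test checks accept/reject outcomes only, so it guards against matching regressions but says nothing about timing.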
diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c
index b9b362d..2afe16e 100644
--- a/ldap/servers/plugins/pwdstorage/clear_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c
@@ -26,6 +26,7 @@ int
clear_pw_cmp( const char *userpwd, const char *dbpwd )
{
int result = 0;
+ int len = 0;
int len_user = strlen(userpwd);
int len_dbp = strlen(dbpwd);
if ( len_user != len_dbp ) {
diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
index 29355a2..93b54b2 100644
--- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
@@ -54,7 +54,7 @@ crypt_pw_cmp( const char *userpwd, const char *dbpwd )
/* we use salt (first 2 chars) of encoded password in call to crypt() */
cp = crypt( userpwd, dbpwd );
if (cp) {
- rc= strcmp( dbpwd, cp);
+ rc= slapi_ct_memcmp( dbpwd, cp, strlen(dbpwd));
} else {
rc = -1;
}
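Review bot: Bounding the comparison by `strlen(dbpwd)` drops the length check that strcmp gave implicitly. A stored value that is a proper prefix of `cp` now compares equal, and a `cp` shorter than `dbpwd` is read past its terminator, which the slapi_ct_memcmp contract forbids. Reject on length first, for example `size_t dblen = strlen(dbpwd);` then `rc = (strlen(cp) == dblen) ? slapi_ct_memcmp(dbpwd, cp, dblen) : 1;`. md5_pwd.c has the same pattern in `slapi_ct_memcmp(bver,dbpwd, strlen(dbpwd))`. Whether a malformed stored value can reach these functions depends on callers outside the hunk.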
diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c
index 0bc8f3c..181661a 100644
--- a/ldap/servers/plugins/pwdstorage/md5_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c
@@ -57,7 +57,7 @@ md5_pw_cmp( const char *userpwd, const char *dbpwd )
bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
/* bver points to b2a_out upon success */
if (bver) {
- rc = strcmp(bver,dbpwd);
+ rc = slapi_ct_memcmp(bver,dbpwd, strlen(dbpwd));
} else {
slapi_log_error(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
"Could not base64 encode hashed value for password compare");
diff --git a/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c b/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c
index 2fed61f..ae1f7b8 100644
--- a/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c
@@ -84,6 +84,7 @@ ns_mta_md5_pw_cmp(const char * clear, const char *mangled)
mta_hash[32] = mta_salt[32] = 0;
+ /* This is salted, so we don't need to change it for constant time */
return( strcmp(mta_hash,ns_mta_hash_alg(buffer,mta_salt,clear)));
}
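Review bot: The added comment justifies keeping `strcmp` by the salt, but smd5_pwd.c, which is also a salted scheme, is switched to slapi_ct_memcmp in this same commit, so the rationale is applied inconsistently. Either use the constant-time compare here too, or expand the comment to say why an early-exit compare is acceptable for this scheme specifically. The length of the string returned by ns_mta_hash_alg is not visible in the hunk, so a switch would need that confirmed against the 32-byte `mta_hash` first.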
diff --git a/ldap/servers/plugins/pwdstorage/sha_pwd.c b/ldap/servers/plugins/pwdstorage/sha_pwd.c
index 9594ac9..2e4973b 100644
--- a/ldap/servers/plugins/pwdstorage/sha_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/sha_pwd.c
@@ -120,13 +120,16 @@ sha_pw_cmp (const char *userpwd, const char *dbpwd, unsigned int shaLen )
}
/* the proof is in the comparison... */
- result = ( hash_len >= shaLen ) ?
- ( memcmp( userhash, dbhash, shaLen ) ) : /* include salt */
- ( memcmp( userhash, dbhash + OLD_SALT_LENGTH,
- hash_len - OLD_SALT_LENGTH ) ); /* exclude salt */
+ if ( hash_len >= shaLen ) {
+ result = slapi_ct_memcmp( userhash, dbhash, shaLen );
+ } else {
+ result = slapi_ct_memcmp( userhash, dbhash + OLD_SALT_LENGTH, hash_len - OLD_SALT_LENGTH );
+ }
- loser:
- if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free_string( &dbhash );
+loser:
+ if ( dbhash && dbhash != quick_dbhash ) {
+ slapi_ch_free_string( &dbhash );
+ }
return result;
}
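Review bot: The else branch passes `hash_len - OLD_SALT_LENGTH` as the length; if `hash_len` can be smaller than `OLD_SALT_LENGTH` the subtraction goes negative or wraps, and slapi_ct_memcmp, which never stops early, would walk that whole range. The code that sets `hash_len` is above the hunk, so this case may already be excluded. If it is not, a guard such as `if ( hash_len < OLD_SALT_LENGTH ) { goto loser; }` before the comparison would close it, provided `result` is already non-zero at that point.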
diff --git a/ldap/servers/plugins/pwdstorage/smd5_pwd.c b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
index f4c92f1..79c2846 100644
--- a/ldap/servers/plugins/pwdstorage/smd5_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
@@ -80,7 +80,7 @@ smd5_pw_cmp( const char *userpwd, const char *dbpwd )
PK11_DestroyContext(ctx, 1);
/* Compare everything up to the salt. */
- rc = memcmp( userhash, dbhash, MD5_LENGTH );
+ rc = slapi_ct_memcmp( userhash, dbhash, MD5_LENGTH );
loser:
if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free_string( (char **)&dbhash );
diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
index 10870df..a38268c 100644
--- a/ldap/servers/slapd/ch_malloc.c
+++ b/ldap/servers/slapd/ch_malloc.c
@@ -365,3 +365,25 @@ slapi_ch_smprintf(const char *fmt, ...)
return p;
}
#endif
+
+/* Constant time memcmp. Does not shortcircuit on failure! */
+/* This relies on p1 and p2 both being size at least n! */
+int
+slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
+{
+ int result = 0;
+ const unsigned char *_p1 = (const unsigned char *)p1;
+ const unsigned char *_p2 = (const unsigned char *)p2;
+
+ if (_p1 == NULL || _p2 == NULL) {
+ return 2;
+ }
+
+ for (size_t i = 0; i < n; i++) {
+ if (_p1[i] ^ _p2[i]) {
+ result = 1;
+ }
+ }
+ return result;
+}
+
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index 89853c0..1e767eb 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -5825,6 +5825,22 @@ char * slapi_ch_smprintf(const char *fmt, ...)
#else
;
#endif
+/**
+ * slapi_ct_memcmp is a constant time memory comparison function. This is for
+ * use with password hashes and other locations which could lead to a timing
+ * attack due to early shortcut returns. This function *does not* shortcircuit
+ * during the comparison, always checking every byte regardless if it has already
+ * found that the memory does not match.
+ *
+ * WARNING! p1 and p2 must both reference content that is at least of size 'n'.
+ * Else this function may over-run (And will certainly fail).
+ *
+ * \param p1 pointer to first value to check.
+ * \param p2 pointer to second value to check.
+ * \param n length in bytes of the content of p1 AND p2.
+ * \return 0 on match. 1 on non-match. 2 on presence of NULL pointer in p1 or p2.
+ */
+int slapi_ct_memcmp( const void *p1, const void *p2, size_t n);
/*
* syntax plugin routines
commit 502df2af823b4b0b2bff8c8be10a50e647a3a4d0
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Aug 8 10:12:33 2016 -0700
Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
Description: Fixing a compiler warning introduced by commit
f0e03b5a51972a125fe78f448d1f68e288782d1e.
(cherry picked from commit c62ea0c98445d31fb55baebe9778fe860b3266ea)
(cherry picked from commit 3d92679cf97518aedcf6534ac5967edf8d2c9d28)
diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c
index 84dac2a..b9b362d 100644
--- a/ldap/servers/plugins/pwdstorage/clear_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c
@@ -25,7 +25,37 @@
int
clear_pw_cmp( const char *userpwd, const char *dbpwd )
{
- return( strcmp( userpwd, dbpwd ));
+ int result = 0;
+ int len_user = strlen(userpwd);
+ int len_dbp = strlen(dbpwd);
+ if ( len_user != len_dbp ) {
+ result = 1;
+ }
+ /* We have to do this comparison ANYWAY else we have a length timing attack. */
+ if ( len_user >= len_dbp ) {
+ /*
+ * If they are the same length, result will be 0 here, and if we pass
+ * the check, we don't update result either. IE we pass.
+ * However, even if the first part of userpw matches dbpwd, but len !=, we
+ * have already failed anyawy. This prevents substring matching.
+ */
+ if (slapi_ct_memcmp(userpwd, dbpwd, len_dbp) != 0) {
+ result = 1;
+ }
+ } else {
+ /*
+ * If we stretched the userPassword, we'll allow a new timing attack, where
+ * if we see a delay on a short pw, we know we are stretching.
+ * when the delay goes away, it means we've found the length.
+ * Instead, because we don't want to use the short pw for comp, we just compare
+ * dbpwd to itself. We have already got result == 1 if we are here, so we are
+ * just trying to take up time!
+ */
+ if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp)) {
+ /* Do nothing, we have the if to fix a coverity check. */
+ }
+ }
+ return result;
}
char *
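Review bot: `len_user` and `len_dbp` are declared `int` although strlen() returns size_t and slapi_ct_memcmp() takes size_t, so the lengths are narrowed and then widened again. `size_t len_user = strlen(userpwd);` and `size_t len_dbp = strlen(dbpwd);` keep the types consistent and avoid a sign-conversion warning. The commit description speaks only of a compiler warning while the hunk replaces the whole comparison, which looks like a cherry-pick ordering artefact and deserves a line in the message.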