From 59b853372d3e06636620a192e1fdad6d89e8cc0e Mon Sep 17 00:00:00 2001

From: Mark Reynolds <mreynolds@redhat.com>

Date: Fri, 22 Mar 2013 13:18:28 -0400

Subject: [PATCH 53/99] Ticket 632 - 389-ds-base cannot handle Kerberos tickets

 with PAC

        Bug Description:  When FreeIPA is configured with AD trust support, Kerberos

                          tickets may also contain PAC which makes them bigger than

                          usually expected (bigger than 2048 B)

        Fix Description:  Make the default 64k(65536), and allow it to be configurable

                          using: nsslapd-sasl-max-buffer-size

        https://fedorahosted.org/389/ticket/632

        Reviewed by: nkinder(Thanks!)

(cherry picked from commit 6a2b0b1741ce6cdcceea06e630141673d47c6012)

---

 ldap/schema/01core389.ldif      | 13 +++++++++++++

 ldap/servers/slapd/libglobs.c   | 43 +++++++++++++++++++++++++++++++++++++++++

 ldap/servers/slapd/proto-slap.h |  2 ++

 ldap/servers/slapd/saslbind.c   |  2 +-

 ldap/servers/slapd/slap.h       |  2 ++

 5 files changed, 61 insertions(+), 1 deletion(-)

diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif

index d9d1c33..c99c34c 100644

--- a/ldap/schema/01core389.ldif

+++ b/ldap/schema/01core389.ldif

@@ -139,6 +139,19 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2136 NAME 'nsds5ReplicaCleanRUVNotified'

 attributeTypes: ( 2.16.840.1.113730.3.1.2137 NAME 'nsds5ReplicaAbortCleanRUV' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )

 attributeTypes: ( 2.16.840.1.113730.3.1.2111 NAME 'tombstoneNumSubordinates' DESC 'count of immediate subordinates for tombstone entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN '389 directory server' )

 attributeTypes: ( 2.16.840.1.113730.3.1.2138 NAME 'nsslapd-readonly' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )

+attributeTypes: ( 2.16.840.1.113730.3.1.2143 NAME 'nsslapd-sasl-mapping-fallback' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )

+attributeTypes: ( 2.16.840.1.113730.3.1.2144 NAME 'rootdn-open-time' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )

+attributeTypes: ( 2.16.840.1.113730.3.1.2145 NAME 'rootdn-close-time' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )

+attributeTypes: ( 2.16.840.1.113730.3.1.2146 NAME 'rootdn-days-allowed' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )

+attributeTypes: ( 2.16.840.1.113730.3.1.2147 NAME 'rootdn-allow-host' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )

+attributeTypes: ( 2.16.840.1.113730.3.1.2148 NAME 'rootdn-deny-host' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )

+attributeTypes: ( 2.16.840.1.113730.3.1.2149 NAME 'rootdn-allow-ip' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )

+attributeTypes: ( 2.16.840.1.113730.3.1.2150 NAME 'rootdn-deny-ip' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )

+attributeTypes: ( 2.16.840.1.113730.3.1.2151 NAME 'nsslapd-plugin-depends-on-type' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )

+attributeTypes: ( 2.16.840.1.113730.3.1.2152 NAME 'nsds5ReplicaProtocolTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )

+attributeTypes: ( 2.16.840.1.113730.3.1.2154 NAME 'nsds5ReplicaBackoffMin' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )

+attributeTypes: ( 2.16.840.1.113730.3.1.2155 NAME 'nsds5ReplicaBackoffMax' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )

+attributeTypes: ( 2.16.840.1.113730.3.1.2156 NAME 'nsslapd-sasl-max-buffer-size' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )

 #

 # objectclasses

 #

diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c

index 413351d..5bfd665 100644

--- a/ldap/servers/slapd/libglobs.c

+++ b/ldap/servers/slapd/libglobs.c

@@ -83,6 +83,8 @@

 #include "plhash.h"

 #define REMOVE_CHANGELOG_CMD "remove"

+#define DEFAULT_SASL_MAXBUFSIZE "65536"

+#define SLAPD_DEFAULT_SASL_MAXBUFSIZE 65536

 /* On UNIX, there's only one copy of slapd_ldap_debug */

 /* On NT, each module keeps its own module_ldap_debug, which */

@@ -687,6 +689,10 @@ static struct config_get_and_set {

 		NULL, 0,

 		(void**)&global_slapdFrontendConfig.disk_logging_critical,

 		CONFIG_ON_OFF, (ConfigGetFunc)config_get_disk_logging_critical},

+	{CONFIG_SASL_MAXBUFSIZE, config_set_sasl_maxbufsize,

+		NULL, 0,

+		(void**)&global_slapdFrontendConfig.sasl_max_bufsize,

+		CONFIG_INT, (ConfigGetFunc)config_get_sasl_maxbufsize},

 #ifdef MEMPOOL_EXPERIMENTAL

 	,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,

 		NULL, 0,

@@ -1087,6 +1093,7 @@ FrontendConfig_init () {

   cfg->disk_threshold = 2097152;  /* 2 mb */

   cfg->disk_grace_period = 60; /* 1 hour */

   cfg->disk_logging_critical = LDAP_OFF;

+  cfg->sasl_max_bufsize = SLAPD_DEFAULT_SASL_MAXBUFSIZE;

 #ifdef MEMPOOL_EXPERIMENTAL

   cfg->mempool_switch = LDAP_ON;

@@ -1295,6 +1302,29 @@ config_set_disk_grace_period( const char *attrname, char *value, char *errorbuf,

     return retVal;

 }

+int

+config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply )

+{

+    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();

+    int retVal = LDAP_SUCCESS;

+    int default_size = atoi(DEFAULT_SASL_MAXBUFSIZE);

+    int size;

+

+    size = atoi(value);

+    if(size < default_size){

+        PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "nsslapd-sasl-max-buffer-size is too low (%d), "

+            "setting to default value (%d).\n",size, default_size);

+        size = default_size;

+    }

+    if(apply){

+        CFG_LOCK_WRITE(slapdFrontendConfig);

+        slapdFrontendConfig->sasl_max_bufsize = size;

+        CFG_UNLOCK_WRITE(slapdFrontendConfig);

+    }

+

+    return retVal;

+}

+

 int 

 config_set_port( const char *attrname, char *port, char *errorbuf, int apply ) {

   long nPort;

@@ -3715,6 +3745,19 @@ config_get_port(){

 }

 int

+config_get_sasl_maxbufsize()

+{

+    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();

+    int retVal;

+

+    CFG_LOCK_READ(slapdFrontendConfig);

+    retVal = slapdFrontendConfig->sasl_max_bufsize;

+    CFG_UNLOCK_READ(slapdFrontendConfig);

+

+    return retVal;

+}

+

+int

 config_get_disk_monitoring(){

     slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();

     int retVal;

diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h

index 9d3a16d..a68c2d9 100644

--- a/ldap/servers/slapd/proto-slap.h

+++ b/ldap/servers/slapd/proto-slap.h

@@ -390,6 +390,7 @@ int config_set_disk_threshold( const char *attrname, char *value, char *errorbuf

 int config_set_disk_grace_period( const char *attrname, char *value, char *errorbuf, int apply );

 int config_set_disk_logging_critical( const char *attrname, char *value, char *errorbuf, int apply );

 int config_set_auditlog_unhashed_pw(const char *attrname, char *value, char *errorbuf, int apply);

+int config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply );

 #if !defined(_WIN32) && !defined(AIX)

 int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );

@@ -544,6 +545,7 @@ int config_get_disk_monitoring();

 PRUint64 config_get_disk_threshold();

 int config_get_disk_grace_period();

 int config_get_disk_logging_critical();

+int config_get_sasl_maxbufsize();

 int is_abspath(const char *);

 char* rel2abspath( char * );

diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c

index f75e977..2d6ec0a 100644

--- a/ldap/servers/slapd/saslbind.c

+++ b/ldap/servers/slapd/saslbind.c

@@ -659,7 +659,7 @@ void ids_sasl_server_new(Connection *conn)

     }

     /* Enable security for this connection */

-    secprops.maxbufsize = 2048; /* DBDB: hack */

+    secprops.maxbufsize = config_get_sasl_maxbufsize();

     secprops.max_ssf = 0xffffffff;

     secprops.min_ssf = config_get_minssf();

     /* If anonymous access is disabled, set the appropriate flag */

diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h

index 403ea8a..d290c92 100644

--- a/ldap/servers/slapd/slap.h

+++ b/ldap/servers/slapd/slap.h

@@ -2002,6 +2002,7 @@ typedef struct _slapdEntryPoints {

 #define CONFIG_DISK_THRESHOLD "nsslapd-disk-monitoring-threshold"

 #define CONFIG_DISK_GRACE_PERIOD "nsslapd-disk-monitoring-grace-period"

 #define CONFIG_DISK_LOGGING_CRITICAL "nsslapd-disk-monitoring-logging-critical"

+#define CONFIG_SASL_MAXBUFSIZE "nsslapd-sasl-max-buffer-size"

 #ifdef MEMPOOL_EXPERIMENTAL

 #define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"

@@ -2230,6 +2231,7 @@ typedef struct _slapdFrontendConfig {

   char *entryusn_import_init;   /* Entry USN: determine the initital value of import */

   int pagedsizelimit;

   char *default_naming_context; /* Default naming context (normalized) */

+  int sasl_max_bufsize;         /* The max receive buffer size for SASL */

   /* disk monitoring */

   int disk_monitoring;

-- 

1.8.1.4