From 59b853372d3e06636620a192e1fdad6d89e8cc0e Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 22 Mar 2013 13:18:28 -0400
Subject: [PATCH 53/99] Ticket 632 - 389-ds-base cannot handle Kerberos tickets
with PAC
Bug Description: When FreeIPA is configured with AD trust support, Kerberos
tickets may also contain a PAC, which makes them bigger than
usually expected (bigger than 2048 B)
Fix Description: Make the default 64k(65536), and allow it to be configurable
using: nsslapd-sasl-max-buffer-size
https://fedorahosted.org/389/ticket/632
Reviewed by: nkinder(Thanks!)
(cherry picked from commit 6a2b0b1741ce6cdcceea06e630141673d47c6012)
---
ldap/schema/01core389.ldif | 13 +++++++++++++
ldap/servers/slapd/libglobs.c | 43 +++++++++++++++++++++++++++++++++++++++++
ldap/servers/slapd/proto-slap.h | 2 ++
ldap/servers/slapd/saslbind.c | 2 +-
ldap/servers/slapd/slap.h | 2 ++
5 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index d9d1c33..c99c34c 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -139,6 +139,19 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2136 NAME 'nsds5ReplicaCleanRUVNotified'
attributeTypes: ( 2.16.840.1.113730.3.1.2137 NAME 'nsds5ReplicaAbortCleanRUV' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2111 NAME 'tombstoneNumSubordinates' DESC 'count of immediate subordinates for tombstone entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN '389 directory server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2138 NAME 'nsslapd-readonly' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2143 NAME 'nsslapd-sasl-mapping-fallback' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2144 NAME 'rootdn-open-time' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2145 NAME 'rootdn-close-time' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2146 NAME 'rootdn-days-allowed' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2147 NAME 'rootdn-allow-host' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2148 NAME 'rootdn-deny-host' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2149 NAME 'rootdn-allow-ip' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2150 NAME 'rootdn-deny-ip' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2151 NAME 'nsslapd-plugin-depends-on-type' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2152 NAME 'nsds5ReplicaProtocolTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2154 NAME 'nsds5ReplicaBackoffMin' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2155 NAME 'nsds5ReplicaBackoffMax' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2156 NAME 'nsslapd-sasl-max-buffer-size' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
#
# objectclasses
#
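Review bot: Only nsslapd-sasl-max-buffer-size (OID 2.16.840.1.113730.3.1.2156) belongs to this ticket; the other twelve attributeTypes added in this hunk (nsslapd-sasl-mapping-fallback, the rootdn-* set, nsslapd-plugin-depends-on-type, nsds5ReplicaProtocolTimeout, nsds5ReplicaBackoffMin/Max) have no matching code anywhere in the patch and look like fallout from cherry-picking the schema file's state on the source branch. If those features are not also being backported, trimming the hunk to the single new line keeps schema and code in step; if they are, the commit message should say so, because an unexplained schema addition is hard to audit later. OID 2153 is skipped between 2152 and 2154, presumably allocated elsewhere; worth confirming against the project's OID registry before this lands.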
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 413351d..5bfd665 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -83,6 +83,8 @@
#include "plhash.h"
#define REMOVE_CHANGELOG_CMD "remove"
+#define DEFAULT_SASL_MAXBUFSIZE "65536"
+#define SLAPD_DEFAULT_SASL_MAXBUFSIZE 65536
/* On UNIX, there's only one copy of slapd_ldap_debug */
/* On NT, each module keeps its own module_ldap_debug, which */
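Review bot: DEFAULT_SASL_MAXBUFSIZE and SLAPD_DEFAULT_SASL_MAXBUFSIZE define the same number twice, once as a string and once as an int, and the only use of the string form is `atoi(DEFAULT_SASL_MAXBUFSIZE)` in config_set_sasl_maxbufsize further down, so the two can drift apart on a later edit. Keep the int and drop the string: `#define SLAPD_DEFAULT_SASL_MAXBUFSIZE 65536` alone, with `int default_size = SLAPD_DEFAULT_SASL_MAXBUFSIZE;` in the setter. A one-line comment on why 64k was chosen, `/* Kerberos tickets carrying a PAC exceed the old 2048-byte SASL buffer (ticket 632) */`, would spare the next reader a trip to the commit log.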
@@ -687,6 +689,10 @@ static struct config_get_and_set {
NULL, 0,
(void**)&global_slapdFrontendConfig.disk_logging_critical,
CONFIG_ON_OFF, (ConfigGetFunc)config_get_disk_logging_critical},
+ {CONFIG_SASL_MAXBUFSIZE, config_set_sasl_maxbufsize,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.sasl_max_bufsize,
+ CONFIG_INT, (ConfigGetFunc)config_get_sasl_maxbufsize},
#ifdef MEMPOOL_EXPERIMENTAL
,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
NULL, 0,
@@ -1087,6 +1093,7 @@ FrontendConfig_init () {
cfg->disk_threshold = 2097152; /* 2 mb */
cfg->disk_grace_period = 60; /* 1 hour */
cfg->disk_logging_critical = LDAP_OFF;
+ cfg->sasl_max_bufsize = SLAPD_DEFAULT_SASL_MAXBUFSIZE;
#ifdef MEMPOOL_EXPERIMENTAL
cfg->mempool_switch = LDAP_ON;
@@ -1295,6 +1302,29 @@ config_set_disk_grace_period( const char *attrname, char *value, char *errorbuf,
return retVal;
}
+int
+config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply )
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ int retVal = LDAP_SUCCESS;
+ int default_size = atoi(DEFAULT_SASL_MAXBUFSIZE);
+ int size;
+
+ size = atoi(value);
+ if(size < default_size){
+ PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "nsslapd-sasl-max-buffer-size is too low (%d), "
+ "setting to default value (%d).\n",size, default_size);
+ size = default_size;
+ }
+ if(apply){
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapdFrontendConfig->sasl_max_bufsize = size;
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ }
+
+ return retVal;
+}
+
int
config_set_port( const char *attrname, char *port, char *errorbuf, int apply ) {
long nPort;
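Review bot: `size = atoi(value);` at the top of config_set_sasl_maxbufsize accepts any string, so a non-numeric or empty value parses as 0 and is silently replaced by the default while LDAP_SUCCESS is still returned, and a value beyond INT_MAX makes atoi undefined behaviour. Parse with strtol, reject malformed or out-of-range input with LDAP_OPERATIONS_ERROR so the errorbuf text actually reaches the caller, and use attrname in the message since the parameter is otherwise unused. Whether clamping a too-low value to the default should stay a warning rather than a rejection is the author's call; the sketch below keeps that branch as written. Because this value is advertised to the SASL library as the receive buffer size (see the saslbind.c hunk), an explicit administrative upper bound may also be worth considering, as each SASL connection can then be asked to accept buffers of that size. errno and INT_MAX need <errno.h> and <limits.h>, which are outside this hunk; confirm libglobs.c already includes them.
```c
config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply )
{
    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
    int retVal = LDAP_SUCCESS;
    int default_size = SLAPD_DEFAULT_SASL_MAXBUFSIZE;
    char *endp = NULL;
    long parsed;
    int size;

    if (value == NULL || *value == '\0') {
        PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: value is missing", attrname);
        return LDAP_OPERATIONS_ERROR;
    }
    errno = 0;
    parsed = strtol(value, &endp, 10);
    if (*endp != '\0' || errno == ERANGE || parsed > INT_MAX) {
        PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: \"%s\" is not a valid buffer size", attrname, value);
        return LDAP_OPERATIONS_ERROR;
    }
    size = (int)parsed;
    /* … unchanged: clamp to default_size with the "too low" message … */
    /* … unchanged: locked store when apply is set, return retVal … */
```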
@@ -3715,6 +3745,19 @@ config_get_port(){
}
int
+config_get_sasl_maxbufsize()
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ int retVal;
+
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->sasl_max_bufsize;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+int
config_get_disk_monitoring(){
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
int retVal;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 9d3a16d..a68c2d9 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -390,6 +390,7 @@ int config_set_disk_threshold( const char *attrname, char *value, char *errorbuf
int config_set_disk_grace_period( const char *attrname, char *value, char *errorbuf, int apply );
int config_set_disk_logging_critical( const char *attrname, char *value, char *errorbuf, int apply );
int config_set_auditlog_unhashed_pw(const char *attrname, char *value, char *errorbuf, int apply);
+int config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply );
#if !defined(_WIN32) && !defined(AIX)
int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );
@@ -544,6 +545,7 @@ int config_get_disk_monitoring();
PRUint64 config_get_disk_threshold();
int config_get_disk_grace_period();
int config_get_disk_logging_critical();
+int config_get_sasl_maxbufsize();
int is_abspath(const char *);
char* rel2abspath( char * );
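Review bot: `int config_get_sasl_maxbufsize();` declares a function with unspecified parameters rather than a prototype, so a call that passes stray arguments compiles without complaint; `int config_get_sasl_maxbufsize(void);` here, with the matching `(void)` on the definition in libglobs.c, is the C form. The neighbouring getters use the same empty parentheses, so this follows file convention; treat it as a nit unless the project is moving to `(void)` generally.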
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index f75e977..2d6ec0a 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -659,7 +659,7 @@ void ids_sasl_server_new(Connection *conn)
}
/* Enable security for this connection */
- secprops.maxbufsize = 2048; /* DBDB: hack */
+ secprops.maxbufsize = config_get_sasl_maxbufsize();
secprops.max_ssf = 0xffffffff;
secprops.min_ssf = config_get_minssf();
/* If anonymous access is disabled, set the appropriate flag */
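Review bot: The replaced line drops its comment entirely, and since the value now comes from configuration a short note on the contract belongs here: `secprops.maxbufsize = config_get_sasl_maxbufsize(); /* nsslapd-sasl-max-buffer-size, default 64k: Kerberos tickets with a PAC exceed the old 2048 */`. From what is visible, the getter is called during ids_sasl_server_new, so a change to the attribute appears to take effect only for connections set up after the change, not for existing ones; that is reasonable but worth stating in the attribute's documentation. ids_sasl_server_new begins before this hunk.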
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 403ea8a..d290c92 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2002,6 +2002,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_DISK_THRESHOLD "nsslapd-disk-monitoring-threshold"
#define CONFIG_DISK_GRACE_PERIOD "nsslapd-disk-monitoring-grace-period"
#define CONFIG_DISK_LOGGING_CRITICAL "nsslapd-disk-monitoring-logging-critical"
+#define CONFIG_SASL_MAXBUFSIZE "nsslapd-sasl-max-buffer-size"
#ifdef MEMPOOL_EXPERIMENTAL
#define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
@@ -2230,6 +2231,7 @@ typedef struct _slapdFrontendConfig {
char *entryusn_import_init; /* Entry USN: determine the initital value of import */
int pagedsizelimit;
char *default_naming_context; /* Default naming context (normalized) */
+ int sasl_max_bufsize; /* The max receive buffer size for SASL */
/* disk monitoring */
int disk_monitoring;
--
1.8.1.4