From 59b853372d3e06636620a192e1fdad6d89e8cc0e Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Fri, 22 Mar 2013 13:18:28 -0400
Subject: [PATCH 53/99] Ticket 632 - 389-ds-base cannot handle Kerberos tickets with PAC
Bug Description: When FreeIPA is configured with AD trust support, Kerberos tickets may also contain PAC which makes them bigger than usually expected (bigger than 2048 B)
Fix Description: Make the default 64k(65536), and allow it to be configurable using: nsslapd-sasl-max-buffer-size
https://fedorahosted.org/389/ticket/632
Reviewed by: nkinder(Thanks!)
(cherry picked from commit 6a2b0b1741ce6cdcceea06e630141673d47c6012)
---
 ldap/schema/01core389.ldif | 13 +++++++++++++
 ldap/servers/slapd/libglobs.c | 43 +++++++++++++++++++++++++++++++++++++++++
 ldap/servers/slapd/proto-slap.h | 2 ++
 ldap/servers/slapd/saslbind.c | 2 +-
 ldap/servers/slapd/slap.h | 2 ++
 5 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index d9d1c33..c99c34c 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -139,6 +139,19 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2136 NAME 'nsds5ReplicaCleanRUVNotified'
 attributeTypes: ( 2.16.840.1.113730.3.1.2137 NAME 'nsds5ReplicaAbortCleanRUV' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2111 NAME 'tombstoneNumSubordinates' DESC 'count of immediate subordinates for tombstone entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN '389 directory server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2138 NAME 'nsslapd-readonly' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2143 NAME 'nsslapd-sasl-mapping-fallback' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2144 NAME 'rootdn-open-time' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2145 NAME 'rootdn-close-time' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2146 NAME 'rootdn-days-allowed' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2147 NAME 'rootdn-allow-host' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2148 NAME 'rootdn-deny-host' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2149 NAME 'rootdn-allow-ip' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2150 NAME 'rootdn-deny-ip' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2151 NAME 'nsslapd-plugin-depends-on-type' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2152 NAME 'nsds5ReplicaProtocolTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2154 NAME 'nsds5ReplicaBackoffMin' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2155 NAME 'nsds5ReplicaBackoffMax' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2156 NAME 'nsslapd-sasl-max-buffer-size' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 #
 # objectclasses
 #
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 413351d..5bfd665 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -83,6 +83,8 @@
 #include "plhash.h"
 #define REMOVE_CHANGELOG_CMD "remove"
+#define DEFAULT_SASL_MAXBUFSIZE "65536"
+#define SLAPD_DEFAULT_SASL_MAXBUFSIZE 65536
 /* On UNIX, there's only one copy of slapd_ldap_debug */
 /* On NT, each module keeps its own module_ldap_debug, which */
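Review bot: Only the last added attributeType, `nsslapd-sasl-max-buffer-size` (OID ...2156), is the one the description introduces; the twelve entries before it (OIDs 2143 through 2155: nsslapd-sasl-mapping-fallback, the rootdn-* set, nsslapd-plugin-depends-on-type and the nsds5Replica* timeouts) are not mentioned anywhere in the commit message and look like they rode in with the cherry-pick onto a branch that lacked them. If they are meant to land here, the description should say so, since a reader of this schema change cannot otherwise tell which entries are deliberate and which are incidental.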
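Review bot: `#define DEFAULT_SASL_MAXBUFSIZE "65536"` and `#define SLAPD_DEFAULT_SASL_MAXBUFSIZE 65536` are the same constant twice, once as a string that config_set_sasl_maxbufsize (the -1295 hunk below) turns back into an int with atoi() every time the attribute is set. Keep only the integer macro and use it directly in the setter, `if (size < SLAPD_DEFAULT_SASL_MAXBUFSIZE) {`, so the two values cannot drift apart. A short comment on the macro would also record why 64k is the floor: `/* GSSAPI tokens carrying an MS-PAC exceed the old 2048-byte buffer (ticket 632) */`.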
@@ -687,6 +689,10 @@ static struct config_get_and_set {
 NULL, 0,
 (void**)&global_slapdFrontendConfig.disk_logging_critical,
 CONFIG_ON_OFF, (ConfigGetFunc)config_get_disk_logging_critical},
+ {CONFIG_SASL_MAXBUFSIZE, config_set_sasl_maxbufsize,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.sasl_max_bufsize,
+ CONFIG_INT, (ConfigGetFunc)config_get_sasl_maxbufsize},
 #ifdef MEMPOOL_EXPERIMENTAL
 ,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
 NULL, 0,
@@ -1087,6 +1093,7 @@ FrontendConfig_init () {
 cfg->disk_threshold = 2097152; /* 2 mb */
 cfg->disk_grace_period = 60; /* 1 hour */
 cfg->disk_logging_critical = LDAP_OFF;
+ cfg->sasl_max_bufsize = SLAPD_DEFAULT_SASL_MAXBUFSIZE;
 #ifdef MEMPOOL_EXPERIMENTAL
 cfg->mempool_switch = LDAP_ON;
@@ -1295,6 +1302,29 @@ config_set_disk_grace_period( const char *attrname, char *value, char *errorbuf,
 return retVal;
 }
+int
+config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply )
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ int retVal = LDAP_SUCCESS;
+ int default_size = atoi(DEFAULT_SASL_MAXBUFSIZE);
+ int size;
+
+ size = atoi(value);
+ if(size < default_size){
+ PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "nsslapd-sasl-max-buffer-size is too low (%d), "
+ "setting to default value (%d).\n",size, default_size);
+ size = default_size;
+ }
+ if(apply){
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapdFrontendConfig->sasl_max_bufsize = size;
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ }
+
+ return retVal;
+}
+
 int
 config_set_port( const char *attrname, char *port, char *errorbuf, int apply )
 {
 long nPort;
@@ -3715,6 +3745,19 @@ config_get_port(){
 }
 int
+config_get_sasl_maxbufsize()
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ int retVal;
+
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->sasl_max_bufsize;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+int
 config_get_disk_monitoring(){
 slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
 int retVal;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 9d3a16d..a68c2d9 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -390,6 +390,7 @@ int config_set_disk_threshold( const char *attrname, char *value, char *errorbuf
 int config_set_disk_grace_period( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_disk_logging_critical( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_auditlog_unhashed_pw(const char *attrname, char *value, char *errorbuf, int apply);
+int config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply );
 #if !defined(_WIN32) && !defined(AIX)
 int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );
@@ -544,6 +545,7 @@ int config_get_disk_monitoring();
 PRUint64 config_get_disk_threshold();
 int config_get_disk_grace_period();
 int config_get_disk_logging_critical();
+int config_get_sasl_maxbufsize();
 int is_abspath(const char *);
 char* rel2abspath( char * );
@@ -659,7 +659,7 @@ void ids_sasl_server_new(Connection *conn)
 }
 /* Enable security for this connection */
- secprops.maxbufsize = 2048; /* DBDB: hack */
+ secprops.maxbufsize = config_get_sasl_maxbufsize();
 secprops.max_ssf = 0xffffffff;
 secprops.min_ssf = config_get_minssf();
 /* If anonymous access is disabled, set the appropriate flag */
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 403ea8a..d290c92 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2002,6 +2002,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_DISK_THRESHOLD "nsslapd-disk-monitoring-threshold"
 #define CONFIG_DISK_GRACE_PERIOD "nsslapd-disk-monitoring-grace-period"
 #define CONFIG_DISK_LOGGING_CRITICAL "nsslapd-disk-monitoring-logging-critical"
+#define CONFIG_SASL_MAXBUFSIZE "nsslapd-sasl-max-buffer-size"
 #ifdef MEMPOOL_EXPERIMENTAL
 #define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
@@ -2230,6 +2231,7 @@ typedef struct _slapdFrontendConfig {
 char *entryusn_import_init; /* Entry USN: determine the initital value of import */
 int pagedsizelimit;
 char *default_naming_context; /* Default naming context (normalized) */
+ int sasl_max_bufsize; /* The max receive buffer size for SASL */
 /* disk monitoring */
 int disk_monitoring;
-- 
1.8.1.4
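Review bot: `secprops.maxbufsize = config_get_sasl_maxbufsize();` stores an int into Cyrus SASL's `unsigned maxbufsize` with nothing at this site saying why that is safe; it is only because config_set_sasl_maxbufsize floors the value at the default, and that invariant lives in another file. A one-line comment would pin it: `/* >= SLAPD_DEFAULT_SASL_MAXBUFSIZE (64k) so GSSAPI tokens carrying a PAC fit; floored in config_set_sasl_maxbufsize() */`. The same signed/unsigned mismatch applies to the `int sasl_max_bufsize;` field added in the slap.h hunk below; since the config table registers it as CONFIG_INT, the field comment there is the place to record that the setter guarantees a positive value. ids_sasl_server_new() begins outside the hunk, and the value is presumably sampled once per new connection, so a runtime change would only affect later binds; worth stating in the attribute's documentation.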