|
|
058656 |
From 656b141630c5f37a953a75ff05d3a1a30b14eef1 Mon Sep 17 00:00:00 2001
|
|
|
058656 |
From: Mark Reynolds <mreynolds@redhat.com>
|
|
|
058656 |
Date: Thu, 1 Feb 2018 14:28:24 -0500
|
|
|
058656 |
Subject: [PATCH] Ticket 49557 - Add config option for checking CRL on outbound
|
|
|
058656 |
SSL Connections
|
|
|
058656 |
|
|
|
058656 |
Bug Description: There are cases where a CRL is not available during an outbound
|
|
|
058656 |
replication connection. This is seen as an error by openldap,
|
|
|
058656 |
and the connection fails.
|
|
|
058656 |
|
|
|
058656 |
Fix Description: Add on/off option for checking the CRL. The default is not to
|
|
|
058656 |
check the CRL.
|
|
|
058656 |
|
|
|
058656 |
https://pagure.io/389-ds-base/issue/49557
|
|
|
058656 |
|
|
|
058656 |
Reviewed by: wibrown, Ludwig Krispenz, Thierry Bordaz
|
|
|
058656 |
---
|
|
|
058656 |
dirsrvtests/tests/suites/{ssl => tls}/__init__.py | 0
|
|
|
058656 |
dirsrvtests/tests/suites/tls/tls_check_crl_test.py | 52 +++++++++++++++++
|
|
|
058656 |
ldap/schema/01core389.ldif | 1 +
|
|
|
058656 |
ldap/servers/slapd/ldaputil.c | 9 ++-
|
|
|
058656 |
ldap/servers/slapd/libglobs.c | 66 +++++++++++++++++++++-
|
|
|
058656 |
ldap/servers/slapd/proto-slap.h | 2 +
|
|
|
058656 |
ldap/servers/slapd/slap.h | 10 +++-
|
|
|
058656 |
7 files changed, 135 insertions(+), 5 deletions(-)
|
|
|
058656 |
rename dirsrvtests/tests/suites/{ssl => tls}/__init__.py (100%)
|
|
|
058656 |
create mode 100644 dirsrvtests/tests/suites/tls/tls_check_crl_test.py
|
|
|
058656 |
|
|
|
058656 |
diff --git a/dirsrvtests/tests/suites/ssl/__init__.py b/dirsrvtests/tests/suites/tls/__init__.py
|
|
|
058656 |
similarity index 100%
|
|
|
058656 |
rename from dirsrvtests/tests/suites/ssl/__init__.py
|
|
|
058656 |
rename to dirsrvtests/tests/suites/tls/__init__.py
|
|
|
058656 |
diff --git a/dirsrvtests/tests/suites/tls/tls_check_crl_test.py b/dirsrvtests/tests/suites/tls/tls_check_crl_test.py
|
|
|
058656 |
new file mode 100644
|
|
|
058656 |
index 000000000..8b4d07f94
|
|
|
058656 |
--- /dev/null
|
|
|
058656 |
+++ b/dirsrvtests/tests/suites/tls/tls_check_crl_test.py
|
|
|
058656 |
@@ -0,0 +1,52 @@
|
|
|
058656 |
+# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
058656 |
+# Copyright (C) 2018 Red Hat, Inc.
|
|
|
058656 |
+# All rights reserved.
|
|
|
058656 |
+#
|
|
|
058656 |
+# License: GPL (version 3 or any later version).
|
|
|
058656 |
+# See LICENSE for details.
|
|
|
058656 |
+# --- END COPYRIGHT BLOCK ---
|
|
|
058656 |
+#
|
|
|
058656 |
+
|
|
|
058656 |
+
|
|
|
058656 |
+import pytest
|
|
|
058656 |
+import ldap
|
|
|
058656 |
+from lib389.topologies import topology_st
|
|
|
058656 |
+
|
|
|
058656 |
+def test_tls_check_crl(topology_st):
|
|
|
058656 |
+ """Test that TLS check_crl configurations work as expected.
|
|
|
058656 |
+
|
|
|
058656 |
+ :id:
|
|
|
058656 |
+ :steps:
|
|
|
058656 |
+ 1. Enable TLS
|
|
|
058656 |
+ 2. Set invalid value
|
|
|
058656 |
+ 3. Set valid values
|
|
|
058656 |
+ 4. Check config reset
|
|
|
058656 |
+ :expectedresults:
|
|
|
058656 |
+ 1. TlS is setup
|
|
|
058656 |
+ 2. The invalid value is rejected
|
|
|
058656 |
+ 3. The valid values are used
|
|
|
058656 |
+ 4. The value can be reset
|
|
|
058656 |
+ """
|
|
|
058656 |
+ standalone = topology_st.standalone
|
|
|
058656 |
+ # Enable TLS
|
|
|
058656 |
+ standalone.enable_tls()
|
|
|
058656 |
+ # Check all the valid values.
|
|
|
058656 |
+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none')
|
|
|
058656 |
+ with pytest.raises(ldap.OPERATIONS_ERROR):
|
|
|
058656 |
+ standalone.config.set('nsslapd-tls-check-crl', 'tnhoeutnoeutn')
|
|
|
058656 |
+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none')
|
|
|
058656 |
+
|
|
|
058656 |
+ standalone.config.set('nsslapd-tls-check-crl', 'peer')
|
|
|
058656 |
+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'peer')
|
|
|
058656 |
+
|
|
|
058656 |
+ standalone.config.set('nsslapd-tls-check-crl', 'none')
|
|
|
058656 |
+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none')
|
|
|
058656 |
+
|
|
|
058656 |
+ standalone.config.set('nsslapd-tls-check-crl', 'all')
|
|
|
058656 |
+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'all')
|
|
|
058656 |
+
|
|
|
058656 |
+ standalone.config.remove_all('nsslapd-tls-check-crl')
|
|
|
058656 |
+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none')
|
|
|
058656 |
+
|
|
|
058656 |
+
|
|
|
058656 |
+
|
|
|
058656 |
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
|
|
|
058656 |
index ab124c86c..c7f9fef2b 100644
|
|
|
058656 |
--- a/ldap/schema/01core389.ldif
|
|
|
058656 |
+++ b/ldap/schema/01core389.ldif
|
|
|
058656 |
@@ -304,6 +304,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2332 NAME 'allowWeakDHParam' DESC 'Netsc
|
|
|
058656 |
attributeTypes: ( 2.16.840.1.113730.3.1.2333 NAME 'nsds5ReplicaReleaseTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
|
|
|
058656 |
attributeTypes: ( 2.16.840.1.113730.3.1.2335 NAME 'nsds5ReplicaIgnoreMissingChange' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
|
|
|
058656 |
attributeTypes: ( 2.16.840.1.113730.3.1.2336 NAME 'nsDS5ReplicaBindDnGroupCheckInterval' DESC 'Replication configuration setting for controlling the bind dn group check interval' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
|
|
|
058656 |
+attributeTypes: ( 2.16.840.1.113730.3.1.2344 NAME 'nsslapd-tls-check-crl' DESC 'Check CRL when opening outbound TLS connections. Valid options are none, peer, all.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
|
|
|
058656 |
#
|
|
|
058656 |
# objectclasses
|
|
|
058656 |
#
|
|
|
058656 |
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
|
|
|
058656 |
index fa9d276a3..2fc2f0615 100644
|
|
|
058656 |
--- a/ldap/servers/slapd/ldaputil.c
|
|
|
058656 |
+++ b/ldap/servers/slapd/ldaputil.c
|
|
|
058656 |
@@ -570,6 +570,7 @@ slapi_ldif_parse_line(
|
|
|
058656 |
}
|
|
|
058656 |
|
|
|
058656 |
#if defined(USE_OPENLDAP)
|
|
|
058656 |
+
|
|
|
058656 |
static int
|
|
|
058656 |
setup_ol_tls_conn(LDAP *ld, int clientauth)
|
|
|
058656 |
{
|
|
|
058656 |
@@ -602,7 +603,13 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
|
|
|
058656 |
}
|
|
|
058656 |
}
|
|
|
058656 |
if (slapi_client_uses_openssl(ld)) {
|
|
|
058656 |
- const int crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
|
|
|
058656 |
+ int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
|
|
|
058656 |
+ tls_check_crl_t tls_check_state = config_get_tls_check_crl();
|
|
|
058656 |
+ if (tls_check_state == TLS_CHECK_PEER) {
|
|
|
058656 |
+ crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
|
|
|
058656 |
+ } else if (tls_check_state == TLS_CHECK_ALL) {
|
|
|
058656 |
+ crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
|
|
|
058656 |
+ }
|
|
|
058656 |
/* Sets the CRL evaluation strategy. */
|
|
|
058656 |
rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
|
|
|
058656 |
if (rc) {
|
|
|
058656 |
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
|
|
|
058656 |
index c1a765aca..eb6552af1 100644
|
|
|
058656 |
--- a/ldap/servers/slapd/libglobs.c
|
|
|
058656 |
+++ b/ldap/servers/slapd/libglobs.c
|
|
|
058656 |
@@ -157,7 +157,8 @@ typedef enum {
|
|
|
058656 |
CONFIG_STRING_OR_EMPTY, /* use an empty string */
|
|
|
058656 |
CONFIG_SPECIAL_ANON_ACCESS_SWITCH, /* maps strings to an enumeration */
|
|
|
058656 |
CONFIG_SPECIAL_VALIDATE_CERT_SWITCH, /* maps strings to an enumeration */
|
|
|
058656 |
- CONFIG_SPECIAL_UNHASHED_PW_SWITCH /* unhashed pw: on/off/nolog */
|
|
|
058656 |
+ CONFIG_SPECIAL_UNHASHED_PW_SWITCH, /* unhashed pw: on/off/nolog */
|
|
|
058656 |
+ CONFIG_SPECIAL_TLS_CHECK_CRL, /* maps enum tls_check_crl_t to char * */
|
|
|
058656 |
} ConfigVarType;
|
|
|
058656 |
|
|
|
058656 |
static int32_t config_set_onoff(const char *attrname, char *value, int32_t *configvalue, char *errorbuf, int apply);
|
|
|
058656 |
@@ -1173,7 +1174,15 @@ static struct config_get_and_set
|
|
|
058656 |
{CONFIG_LOGGING_BACKEND, NULL,
|
|
|
058656 |
log_set_backend, 0,
|
|
|
058656 |
(void **)&global_slapdFrontendConfig.logging_backend,
|
|
|
058656 |
- CONFIG_STRING_OR_EMPTY, NULL, SLAPD_INIT_LOGGING_BACKEND_INTERNAL}};
|
|
|
058656 |
+ CONFIG_STRING_OR_EMPTY, NULL, SLAPD_INIT_LOGGING_BACKEND_INTERNAL},
|
|
|
058656 |
+ {CONFIG_TLS_CHECK_CRL_ATTRIBUTE, config_set_tls_check_crl,
|
|
|
058656 |
+ NULL, 0,
|
|
|
058656 |
+ (void **)&global_slapdFrontendConfig.tls_check_crl,
|
|
|
058656 |
+ CONFIG_SPECIAL_TLS_CHECK_CRL, (ConfigGetFunc)config_get_tls_check_crl,
|
|
|
058656 |
+ "none" /* Allow reset to this value */}
|
|
|
058656 |
+
|
|
|
058656 |
+ /* End config */
|
|
|
058656 |
+ };
|
|
|
058656 |
|
|
|
058656 |
/*
|
|
|
058656 |
* hashNocaseString - used for case insensitive hash lookups
|
|
|
058656 |
@@ -1506,7 +1515,6 @@ FrontendConfig_init(void)
|
|
|
058656 |
cfg->maxdescriptors = SLAPD_DEFAULT_MAXDESCRIPTORS;
|
|
|
058656 |
cfg->groupevalnestlevel = SLAPD_DEFAULT_GROUPEVALNESTLEVEL;
|
|
|
058656 |
cfg->snmp_index = SLAPD_DEFAULT_SNMP_INDEX;
|
|
|
058656 |
-
|
|
|
058656 |
cfg->SSLclientAuth = SLAPD_DEFAULT_SSLCLIENTAUTH;
|
|
|
058656 |
|
|
|
058656 |
#ifdef USE_SYSCONF
|
|
|
058656 |
@@ -1524,6 +1532,7 @@ FrontendConfig_init(void)
|
|
|
058656 |
#endif
|
|
|
058656 |
init_security = cfg->security = LDAP_OFF;
|
|
|
058656 |
init_ssl_check_hostname = cfg->ssl_check_hostname = LDAP_ON;
|
|
|
058656 |
+ cfg->tls_check_crl = TLS_CHECK_NONE;
|
|
|
058656 |
init_return_exact_case = cfg->return_exact_case = LDAP_ON;
|
|
|
058656 |
init_result_tweak = cfg->result_tweak = LDAP_OFF;
|
|
|
058656 |
init_attrname_exceptions = cfg->attrname_exceptions = LDAP_OFF;
|
|
|
058656 |
@@ -2042,6 +2051,7 @@ config_set_port(const char *attrname, char *port, char *errorbuf, int apply)
|
|
|
058656 |
return retVal;
|
|
|
058656 |
}
|
|
|
058656 |
|
|
|
058656 |
+
|
|
|
058656 |
int
|
|
|
058656 |
config_set_secureport(const char *attrname, char *port, char *errorbuf, int apply)
|
|
|
058656 |
{
|
|
|
058656 |
@@ -2073,6 +2083,33 @@ config_set_secureport(const char *attrname, char *port, char *errorbuf, int appl
|
|
|
058656 |
}
|
|
|
058656 |
|
|
|
058656 |
|
|
|
058656 |
+int32_t
|
|
|
058656 |
+config_set_tls_check_crl(const char *attrname, char *value, char *errorbuf, int apply)
|
|
|
058656 |
+{
|
|
|
058656 |
+ int32_t retVal = LDAP_SUCCESS;
|
|
|
058656 |
+ /* Default */
|
|
|
058656 |
+ tls_check_crl_t state = TLS_CHECK_NONE;
|
|
|
058656 |
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
|
|
|
058656 |
+
|
|
|
058656 |
+ if (strcasecmp(value, "none") == 0) {
|
|
|
058656 |
+ state = TLS_CHECK_NONE;
|
|
|
058656 |
+ } else if (strcasecmp(value, "peer") == 0) {
|
|
|
058656 |
+ state = TLS_CHECK_PEER;
|
|
|
058656 |
+ } else if (strcasecmp(value, "all") == 0) {
|
|
|
058656 |
+ state = TLS_CHECK_ALL;
|
|
|
058656 |
+ } else {
|
|
|
058656 |
+ retVal = LDAP_OPERATIONS_ERROR;
|
|
|
058656 |
+ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: unsupported value: %s", attrname, value);
|
|
|
058656 |
+ }
|
|
|
058656 |
+
|
|
|
058656 |
+ if (retVal == LDAP_SUCCESS && apply) {
|
|
|
058656 |
+ slapi_atomic_store_32((int32_t *)&(slapdFrontendConfig->tls_check_crl), state, __ATOMIC_RELEASE);
|
|
|
058656 |
+ }
|
|
|
058656 |
+
|
|
|
058656 |
+ return retVal;
|
|
|
058656 |
+}
|
|
|
058656 |
+
|
|
|
058656 |
+
|
|
|
058656 |
int
|
|
|
058656 |
config_set_SSLclientAuth(const char *attrname, char *value, char *errorbuf, int apply)
|
|
|
058656 |
{
|
|
|
058656 |
@@ -4591,6 +4628,12 @@ config_set_versionstring(const char *attrname __attribute__((unused)), char *ver
|
|
|
058656 |
|
|
|
058656 |
#define config_copy_strval(s) s ? slapi_ch_strdup(s) : NULL;
|
|
|
058656 |
|
|
|
058656 |
+tls_check_crl_t
|
|
|
058656 |
+config_get_tls_check_crl() {
|
|
|
058656 |
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
|
|
|
058656 |
+ return (tls_check_crl_t)slapi_atomic_load_32((int32_t *)&(slapdFrontendConfig->tls_check_crl), __ATOMIC_ACQUIRE);
|
|
|
058656 |
+}
|
|
|
058656 |
+
|
|
|
058656 |
int
|
|
|
058656 |
config_get_port()
|
|
|
058656 |
{
|
|
|
058656 |
@@ -7439,6 +7482,23 @@ config_set_value(
|
|
|
058656 |
slapi_entry_attr_set_int(e, cgas->attr_name, ival);
|
|
|
058656 |
break;
|
|
|
058656 |
|
|
|
058656 |
+ case CONFIG_SPECIAL_TLS_CHECK_CRL:
|
|
|
058656 |
+ if (!value) {
|
|
|
058656 |
+ slapi_entry_attr_set_charptr(e, cgas->attr_name, (char *)cgas->initvalue);
|
|
|
058656 |
+ break;
|
|
|
058656 |
+ }
|
|
|
058656 |
+ tls_check_crl_t state = *(tls_check_crl_t *)value;
|
|
|
058656 |
+
|
|
|
058656 |
+ if (state == TLS_CHECK_ALL) {
|
|
|
058656 |
+ sval = "all";
|
|
|
058656 |
+ } else if (state == TLS_CHECK_PEER) {
|
|
|
058656 |
+ sval = "peer";
|
|
|
058656 |
+ } else {
|
|
|
058656 |
+ sval = "none";
|
|
|
058656 |
+ }
|
|
|
058656 |
+ slapi_entry_attr_set_charptr(e, cgas->attr_name, sval);
|
|
|
058656 |
+ break;
|
|
|
058656 |
+
|
|
|
058656 |
case CONFIG_SPECIAL_SSLCLIENTAUTH:
|
|
|
058656 |
if (!value) {
|
|
|
058656 |
slapi_entry_attr_set_charptr(e, cgas->attr_name, "off");
|
|
|
058656 |
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
|
|
|
058656 |
index 3b7ab53b2..b13334ad1 100644
|
|
|
058656 |
--- a/ldap/servers/slapd/proto-slap.h
|
|
|
058656 |
+++ b/ldap/servers/slapd/proto-slap.h
|
|
|
058656 |
@@ -236,6 +236,7 @@ int config_set_port(const char *attrname, char *port, char *errorbuf, int apply)
|
|
|
058656 |
int config_set_secureport(const char *attrname, char *port, char *errorbuf, int apply);
|
|
|
058656 |
int config_set_SSLclientAuth(const char *attrname, char *value, char *errorbuf, int apply);
|
|
|
058656 |
int config_set_ssl_check_hostname(const char *attrname, char *value, char *errorbuf, int apply);
|
|
|
058656 |
+int32_t config_set_tls_check_crl(const char *attrname, char *value, char *errorbuf, int apply);
|
|
|
058656 |
int config_set_SSL3ciphers(const char *attrname, char *value, char *errorbuf, int apply);
|
|
|
058656 |
int config_set_localhost(const char *attrname, char *value, char *errorbuf, int apply);
|
|
|
058656 |
int config_set_listenhost(const char *attrname, char *value, char *errorbuf, int apply);
|
|
|
058656 |
@@ -397,6 +398,7 @@ void log_disable_hr_timestamps(void);
|
|
|
058656 |
|
|
|
058656 |
int config_get_SSLclientAuth(void);
|
|
|
058656 |
int config_get_ssl_check_hostname(void);
|
|
|
058656 |
+tls_check_crl_t config_get_tls_check_crl(void);
|
|
|
058656 |
char *config_get_SSL3ciphers(void);
|
|
|
058656 |
char *config_get_localhost(void);
|
|
|
058656 |
char *config_get_listenhost(void);
|
|
|
058656 |
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
|
|
|
058656 |
index 216d94afd..443d90094 100644
|
|
|
058656 |
--- a/ldap/servers/slapd/slap.h
|
|
|
058656 |
+++ b/ldap/servers/slapd/slap.h
|
|
|
058656 |
@@ -443,6 +443,13 @@ typedef void (*VFPV)(); /* takes undefined arguments */
|
|
|
058656 |
typedef int32_t slapi_onoff_t;
|
|
|
058656 |
typedef int32_t slapi_int_t;
|
|
|
058656 |
|
|
|
058656 |
+typedef enum _tls_check_crl_t {
|
|
|
058656 |
+ TLS_CHECK_NONE = 0,
|
|
|
058656 |
+ TLS_CHECK_PEER = 1,
|
|
|
058656 |
+ TLS_CHECK_ALL = 2,
|
|
|
058656 |
+} tls_check_crl_t;
|
|
|
058656 |
+
|
|
|
058656 |
+
|
|
|
058656 |
struct subfilt
|
|
|
058656 |
{
|
|
|
058656 |
char *sf_type;
|
|
|
058656 |
@@ -2151,6 +2158,7 @@ typedef struct _slapdEntryPoints
|
|
|
058656 |
#define CONFIG_RUNDIR_ATTRIBUTE "nsslapd-rundir"
|
|
|
058656 |
#define CONFIG_SSLCLIENTAUTH_ATTRIBUTE "nsslapd-SSLclientAuth"
|
|
|
058656 |
#define CONFIG_SSL_CHECK_HOSTNAME_ATTRIBUTE "nsslapd-ssl-check-hostname"
|
|
|
058656 |
+#define CONFIG_TLS_CHECK_CRL_ATTRIBUTE "nsslapd-tls-check-crl"
|
|
|
058656 |
#define CONFIG_HASH_FILTERS_ATTRIBUTE "nsslapd-hash-filters"
|
|
|
058656 |
#define CONFIG_OUTBOUND_LDAP_IO_TIMEOUT_ATTRIBUTE "nsslapd-outbound-ldap-io-timeout"
|
|
|
058656 |
#define CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE "nsslapd-force-sasl-external"
|
|
|
058656 |
@@ -2263,6 +2271,7 @@ typedef struct _slapdFrontendConfig
|
|
|
058656 |
slapi_onoff_t security;
|
|
|
058656 |
int SSLclientAuth;
|
|
|
058656 |
slapi_onoff_t ssl_check_hostname;
|
|
|
058656 |
+ tls_check_crl_t tls_check_crl;
|
|
|
058656 |
int validate_cert;
|
|
|
058656 |
int sizelimit;
|
|
|
058656 |
int SNMPenabled;
|
|
|
058656 |
@@ -2294,7 +2303,6 @@ typedef struct _slapdFrontendConfig
|
|
|
058656 |
slapi_onoff_t plugin_track;
|
|
|
058656 |
slapi_onoff_t moddn_aci;
|
|
|
058656 |
struct pw_scheme *pw_storagescheme;
|
|
|
058656 |
-
|
|
|
058656 |
slapi_onoff_t pwpolicy_local;
|
|
|
058656 |
slapi_onoff_t pw_is_global_policy;
|
|
|
058656 |
slapi_onoff_t pwpolicy_inherit_global;
|
|
|
058656 |
--
|
|
|
058656 |
2.13.6
|
|
|
058656 |
|