Red Hat Bugzilla – Attachment 157632 Details for
Bug 245369
mod_admserv: Task cache refresh uses wrong credentials
[patch]
diffs
cvsdiffs (text/plain), 20.56 KB, created by
Rich Megginson
on 2007-06-22 17:34:44 UTC
Description:
diffs
Filename:
MIME Type:
Creator:
Rich Megginson
Created:
2007-06-22 17:34:44 UTC
Size:
20.56 KB
patch
obsolete
>Index: mod_admserv/mod_admserv.c
>===================================================================
>RCS file: /cvs/dirsec/mod_admserv/mod_admserv.c,v
>retrieving revision 1.30
>diff -u -8 -r1.30 mod_admserv.c
>--- mod_admserv/mod_admserv.c 19 Jun 2007 23:31:12 -0000 1.30
>+++ mod_admserv/mod_admserv.c 22 Jun 2007 17:29:01 -0000
>@@ -753,17 +753,17 @@
> static int
> sslinit(AdmldapInfo info, const char *configdir)
> {
> if (!NSS_IsInitialized()) {
> /* mod_nss is used when we are a TLS/SSL server - mod_nss starts up before we do
> and will set up all of the TLS/SSL stuff */
> /* if we are acting as simply a TLS/SSL client to the directory server,
> we still have to perform our own TLS/SSL client init */
>- if (ADMSSL_Init(info, configdir, 0)) {
>+ if (ADMSSL_Init(info, (char *)configdir, 0)) {
> ap_log_error(APLOG_MARK, APLOG_CRIT, 0 /* status */, NULL,
> "sslinit: NSS is required to use LDAPS, but security initialization failed. Cannot start server");
> exit(1);
> }
> } else {
> ap_log_error(APLOG_MARK, APLOG_DEBUG, 0 /* status */, NULL,
> "sslinit: mod_nss has been started and initialized");
> }
>@@ -811,16 +811,17 @@
> goto done;
> }
> }
> 
> userGroupServer.host = NULL;
> userGroupServer.port = 0;
> userGroupServer.secure = 0;
> userGroupServer.baseDN = NULL;
>+ userGroupServer.admservSieDN = NULL;
> 
> if (NULL == admldapGetLDAPHndl(info)) {
> /* LDAP is not available; gather info from the cache */
> userGroupLdapURL = admldapGetDirectoryURL(info);
> userGroupBindDN = admldapGetSIEDN(info);
> userGroupBindPW = admldapGetSIEPWD(info);
> if (NULL == userGroupBindPW) {
> ADM_GetCurrentPassword(&error, &userGroupBindPW);
>@@ -1030,80 +1031,80 @@
> ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, msg);
> if (send_response) {
> return admserv_error_std(r, msg);
> }
> 
> return DONE;
> }
> 
>+
> static int
> sync_task_sie_data(const char *name, char *query, void *arg, request_rec *r)
> {
> AttrNameList serverlist = NULL;
> AttributeList installlist = NULL;
> AdmldapInfo ldapInfo = NULL;
> int errorCode;
> PsetHndl tmp;
> int servercnt, i;
> UserCacheEntry *cache_entry = NULL;
> char *siedn = NULL;
>- char *passwd = NULL;
>+ const char *userdn = apr_table_get(r->notes, RQ_NOTES_USERDN);
>+ const char *passwd = apr_table_get(r->notes, RQ_NOTES_USERPW);
> 
> ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
> "sync_task_sie_data: getting ldap info for [%s]",
> configdir);
> ldapInfo = admldapBuildInfo(configdir, &errorCode);
> 
> if (!ldapInfo) {
> ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
> "sync_task_sie_data: Could not build ldap info for config in [%s]: %d",
> configdir, errorCode);
> return FALSE;
> }
> 
> siedn = admldapGetSIEDN(ldapInfo);
> task_register_server(ADMIN_SERVER_ID, siedn);
>- PL_strfree(siedn);
> 
>- passwd = admldapGetSIEPWD(ldapInfo);
>+ /* HACK HACK HACK */
>+ /* getServerDNListSSL uses the siedn as the binddn - so we temporarily
>+ replace the siedn with the userdn - fortunately it doesn't use the
>+ siedn as the SIE DN */
>+ admldapSetSIEDN(ldapInfo, userdn);
> if (NULL == passwd) { /* use the passwd in cache if possible */
>- char *userdn = admldapGetUserDN(ldapInfo, NULL);
> cache_entry = (UserCacheEntry*)HashTableFind(auth_users, userdn);
> if (cache_entry) {
>- admSetCachedSIEPWD(cache_entry->userPW);
>+ passwd = cache_entry->userPW;
> }
>- PL_strfree(userdn);
>- } else {
>- PL_strfree(passwd);
> }
>-
>+ admSetCachedSIEPWD(passwd);
> 
> serverlist = getServerDNListSSL(ldapInfo);
>+ /* HACK HACK HACK - reset after getServerDNListSSL */
>+ admldapSetSIEDN(ldapInfo, siedn);
>+
> servercnt=0;
> if (serverlist) {
> while (serverlist[servercnt]) servercnt++;
> }
> if (servercnt) {
> for (i=0; i < servercnt; i++) {
> /* Create Pset for each individual server */
> char *host = admldapGetHost(ldapInfo);
>- char *siedn = admldapGetSIEDN(ldapInfo);
>- char *siepwd = admldapGetSIEPWD(ldapInfo);
> tmp = psetRealCreateSSL(host,
> admldapGetPort(ldapInfo),
> admldapGetSecurity(ldapInfo),
> serverlist[i],
>- siedn,
>- siepwd,
>+ (char *)userdn,
>+ (char *)passwd,
> NULL,
> &errorCode);
> PL_strfree(host);
>- PL_strfree(siedn);
>- PL_strfree(siepwd);
> if (tmp) {
> # define SERVER_ID_ATTRIBUTE (char*)"nsServerID"
> 
> int errorcode;
> char* serverid = psetGetAttrSingleValue(tmp, SERVER_ID_ATTRIBUTE, &errorcode);
> 
> psetDelete(tmp);
> tmp = NULL;
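Review bot: The two new initializers in `sync_task_sie_data` dereference `r->notes` with no check that `r` is non-NULL; the resync call in the `@@ -1573` hunk is changed to pass `r`, but the old call passed `NULL, NULL`, so any other caller of the resync command that still does would now crash before reaching the existing `!ldapInfo` guard. An explicit guard ahead of the two `apr_table_get` calls, e.g. `if (!r) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "sync_task_sie_data: no request context, cannot bind"); return FALSE; }` with the lookups moved below it, would make the failure visible. `userdn` and `passwd` can also both be NULL (no `RQ_NOTES_USERDN`, or no `auth_users` hit) and are still handed to `admldapSetSIEDN`, `HashTableFind`, `admSetCachedSIEPWD` and `psetRealCreateSSL` unchecked; how those helpers treat NULL is not visible here. In the `@@ -1131` hunk the code does `admldapSetSIEDN(ldapInfo, siedn)`, then `PL_strfree(siedn)`, then `destroyAdmldap(ldapInfo)` — if `admldapSetSIEDN` stores the pointer rather than copying it, that is a double free, so the ownership contract should be confirmed and noted beside the reset. The HACK comments should also state that `admSetCachedSIEPWD(passwd)` now places the requesting user's cleartext password into the process-wide cached SIE password, since that is the credential every later consumer of that cache will see.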
>@@ -1131,36 +1132,43 @@
> } else {
> ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
> "sync_task_sie_data: no servers found");
> }
> 
> /* DT 02/02/98
> * Register installed product tasks
> */
>+ /* HACK HACK HACK */
>+ /* getInstalledServerDNListSSL uses the siedn as the binddn - so we temporarily
>+ replace the siedn with the userdn - fortunately it doesn't use the
>+ siedn as the SIE DN */
>+ admldapSetSIEDN(ldapInfo, userdn);
> if ((installlist = getInstalledServerDNListSSL(ldapInfo))) {
> int ii = 0;
> while (installlist[ii]) {
> char *productID = installlist[ii]->attrName;
> char *productDN = installlist[ii]->attrVal[0];
> task_register_server(productID, productDN);
> ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
> "sync_task_sie_data: registered product [%s] dn [%s]",
> productID, productDN);
> ii++;
> }
> deleteAttributeList(installlist);
> }
>+ /* HACK HACK HACK - reset after getInstalledServerDNListSSL */
>+ admldapSetSIEDN(ldapInfo, siedn);
>+ PL_strfree(siedn);
> 
> destroyAdmldap(ldapInfo);
> 
> return TRUE;
> }
> 
>-static int update_ds(char *admroot, char *pwd, request_rec *r);
> static int update_admpwd(char *admroot, char *newuid, char *newpw);
> static int update_adm_conf(char *admroot, char *newpw);
> 
> /*
> * Miodrag (06-15-98)
> * The following metthod is called from the runtime command
> * "change_sie_password" after the sie password is changed
> *
>@@ -1226,17 +1234,16 @@
> "task_update_registry_server_bindpw(): ldap_modify for %s failed: %s",
> userDN, ldap_err2string(ldapError));
> goto bailout;
> }
> /* update the auth_users cache */
> ldapURL = formLdapURL(&registryServer, r->pool);
> create_auth_users_cache_entry(uid, (char *)userDN, password, ldapURL);
> 
>- registryServer.bindPW = password;
> rval = 1;
> bailout:
> closeLDAPConnection(ld);
> if (NULL != ldapURL)
> free(ldapURL);
> return rval;
> }
> 
>@@ -1248,17 +1255,16 @@
> {
> FILE *f;
> char *uid=NULL ,*pw=NULL, *col=NULL;
> char *newpw=query;
> char filename[BIG_LINE];
> char inbuf[BIG_LINE];
> char outbuf[64]; /* needs at least 36 bytes */
> char *origpw = (char *)apr_table_get(r->notes, RQ_NOTES_USERPW);
>- int ds_done = 0;
> int admpwd_done = 0;
> 
> apr_snprintf(filename, sizeof(filename), "%s/admpw", configdir);
> 
> if (newpw==NULL) {
> ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
> "Wrong usage, password param missing");
> return 0;
>@@ -1281,22 +1287,16 @@
> if (col == NULL) {
> ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
> "admpw file [%s] is corrupted", filename);
> return 0;
> }
> 
> uid = inbuf; *col=0; pw=col+1;
> 
>- if (!update_ds(configdir, newpw, r)) {
>- ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
>- "failed to update siepwd on DS");
>- return 0;
>- }
>- ds_done = 1;
> apr_sha1_base64(newpw, strlen(newpw), outbuf);
> if (!update_admpwd(configdir, uid, outbuf)) {
> ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
> "failed to update admpw");
> goto recover;
> }
> admpwd_done = 1;
> 
>@@ -1304,19 +1304,16 @@
> ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
> "failed to update server bindpw");
> goto recover;
> }
> apr_table_set(r->notes, RQ_NOTES_USERPW, newpw);
> return 1;
> 
> recover:
>- if (ds_done) {
>- update_ds(configdir, origpw, r);
>- }
> if (admpwd_done) {
> apr_sha1_base64(origpw, strlen(origpw), outbuf);
> update_admpwd(configdir, uid, outbuf);
> }
> return 0;
> }
> 
> /*
>@@ -1349,74 +1346,16 @@
> fclose(f);
> return 0;
> }
> 
> fclose(f);
> return 1;
> }
> 
>-/*
>- * Modify userpassword in the DS
>- */
>-static int
>-update_ds(char *admroot, char *pwd, request_rec *r)
>-{
>- int errorCode;
>- PsetHndl pset;
>- const char *binddn = 0;
>- const char *bindpw = 0;
>- AdmldapInfo ldapInfo = NULL;
>-
>- /* Initialize the pset */
>-
>- ldapInfo = admldapBuildInfo(admroot, &errorCode);
>-
>- if (!ldapInfo) {
>- ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
>- "AdmInit: Failed to read data from adm.conf");
>- return 0;
>- }
>-
>- if (admldapGetSecurity(ldapInfo)) {
>- sslinit(ldapInfo, admroot);
>- }
>-
>- destroyAdmldap(ldapInfo);
>-
>- binddn = apr_table_get(r->notes, RQ_NOTES_USERDN);
>- bindpw = apr_table_get(r->notes, RQ_NOTES_USERPW);
>-
>- pset = psetCreateSSL((char*)"admin-serv",
>- admroot,
>- (char*)binddn,
>- (char*)bindpw,
>- &errorCode);
>-
>- if (pset) {
>- } else {
>- ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
>- "PSET Creation Failed for binddn [%s], err=%d",
>- binddn, errorCode);
>- return 0;
>- }
>-
>- errorCode = psetSetSingleValueAttr(pset, (char*)"userpassword", pwd);
>- psetDelete(pset);
>- pset = NULL;
>-
>- if (errorCode) {
>- ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
>- "PSET Set Failed for attribute userpassword, err=%d",
>- errorCode);
>- return 0;
>- }
>- return 1;
>-}
>-
> static void
> populate_tasks_from_server(char *serverid, const void *sieDN, void *userdata)
> {
> PopulateTasksData *data = (PopulateTasksData *)userdata;
> LDAP *server = data->server;
> LDAPMessage *result, *e;
> int ldapError;
> char normDN[1024];
>@@ -1429,18 +1368,18 @@
> if(data->server == NULL) {
> if(!(server = openLDAPConnection(&registryServer))) {
> ap_log_error(APLOG_MARK, APLOG_CRIT, 0, NULL,
> "populate_tasks_from_server(): Unable to open LDAPConnection to [%s:%d]",
> registryServer.host, registryServer.port);
> return;
> }
> ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
>- "populate_tasks_from_server(): Opened new LDAPConnection to [%s:%d] user [%s]",
>- registryServer.host, registryServer.port, registryServer.bindDN);
>+ "populate_tasks_from_server(): Opened new LDAPConnection to [%s:%d]",
>+ registryServer.host, registryServer.port);
> data->server = server;
> }
> 
> tries = 0;
> do {
> ldapError = ldap_search_s(server, (char *)sieDN, LDAP_SCOPE_SUBTREE, NS_EXEC_REF_QUERY,
> searchAttributes, 0, &result);
> if(ldapError != LDAP_SERVER_DOWN && ldapError != LDAP_CONNECT_ERROR)
>@@ -1537,16 +1476,18 @@
> }
> 
> static int
> admserv_check_authz(request_rec *r)
> {
> int ldapError;
> char entryDN[LINE_LENGTH];
> char *p;
>+ char *siedn; /* this is looked up from the serverid, which is
>+ extracted from the uri */
> LDAP *server;
> const char *userdn;
> const char *pw;
> char *serverid;
> char *storage = entryDN;
> char *uri;
> char *saveduri;
> long now;
>@@ -1573,40 +1514,40 @@
> }
> 
> serverid = uri+1;
> uri = p+1;
> /* need a copy because build_full_DN modifies the uri argument */
> saveduri = apr_pstrdup(r->pool, uri);
> *p = '\0';
> 
>- if (!(p = (char*)HashTableFind(servers, serverid))) {
>+ if (!(siedn = (char*)HashTableFind(servers, serverid))) {
> /* DT 4/6/98 -- If we're seeing a serverid for the first time, then we try to do
> * a resync to pull in new data for the serverid. If it still fails,
> * then the client is out of luck. */
> 
>- admserv_runtime_command_exec(RUNTIME_RESYNC_COMMAND, NULL, NULL);
>+ admserv_runtime_command_exec(RUNTIME_RESYNC_COMMAND, r->args, r);
> 
>- if (!(p = (char*)HashTableFind(servers, serverid))) {
>+ if (!(siedn = (char*)HashTableFind(servers, serverid))) {
> ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> "admserv_check_authz(): unable to find registered server (%s)",
> serverid);
> return admserv_error(r, HTTP_BAD_REQUEST, "server not registered"); /*i18n*/
> }
> }
> 
> if (!STRNCASECMP(r->uri, AUTH_URI, strlen(AUTH_URI))) {
> /* already authenticated - no remapping required - no task authz required */
> ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
> "admserv_check_authz(): passing [%s] to the userauth handler",
> r->uri);
> return OK;
> }
> 
>- if (!build_full_DN(&storage, entryDN+LINE_LENGTH, uri, p)) {
>+ if (!build_full_DN(&storage, entryDN+LINE_LENGTH, uri, siedn)) {
> ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> "admserv_check_authz(): unable to build DN from URL - bad URL [%s]",
> uri);
> return admserv_error_std(r, "server not registered"); /*i18n*/
> }
> 
> convert_to_lower_case(entryDN);
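Review bot: The resync is now invoked with `r->args`, the raw query string of a request that named an unregistered `serverid`, as the command's `query` argument, and nothing in this hunk validates it; this is safe only if `admserv_runtime_command_exec` and `sync_task_sie_data` ignore `query`, which the `@@ -1030` hunk suggests for the latter but does not confirm for the dispatcher. The change also introduces a new coupling: the resync now binds to the directory with the requesting user's `RQ_NOTES_USERDN`/`RQ_NOTES_USERPW` from `r->notes`, so where this hook runs in the request cycle relative to authentication matters, and that is not visible here. A comment above the call would record the dependency, e.g. `/* resync binds with the requesting user's credentials (r->notes); r must carry an authenticated user here */`. `admserv_check_authz` starts and ends outside the hunk.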
> 
>@@ -2259,18 +2200,19 @@
> return DONE;
> }
> 
> /* Registry DS setup */
> registryServer.host = admldapGetHost(info);
> registryServer.port = (admldapGetPort(info) < 0) ? 389 : admldapGetPort(info);
> registryServer.secure = (admldapGetSecurity(info)) ? 1 : 0;
> registryServer.baseDN = admldapGetBaseDN(info);
>- registryServer.bindDN = admldapGetSIEDN(info);
>- registryServer.bindPW = admldapGetSIEPWD(info);
>+ registryServer.bindDN = ""; /* deprecated - use user credentials */
>+ registryServer.bindPW = ""; /* deprecated - use user credentials */
>+ registryServer.admservSieDN = admldapGetSIEDN(info);
> 
> destroyAdmldap(info);
> info = NULL;
> /* DT 5/18/98 Change for new User/Group stuff */
> 
> /* Populate U/G Info */
> 
> userGroupServer.host = NULL;
>@@ -2278,17 +2220,17 @@
> if (buildUGInfo(&errorInfo, base_server) != TRUE) {
> ap_log_error(APLOG_MARK, APLOG_CRIT, 0, base_server,
> "mod_admserv_post_config(): unable to build user/group LDAP server info: %s",
> errorInfo);
> return DONE;
> }
> 
> /* Register the admin server tasks */
>- task_register_server(ADMIN_SERVER_ID, registryServer.bindDN);
>+ task_register_server(ADMIN_SERVER_ID, registryServer.admservSieDN);
> 
> /* Populate the auth_tasks cache for the Local Admin */
> 
> server = openLDAPConnection(&registryServer);
> 
> if (server) {
> } else {
> ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
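Review bot: `registryServer.bindDN` and `registryServer.bindPW` are now assigned the string literal `""`, whereas the values they replace came from `admldapGetSIEDN`/`admldapGetSIEPWD`, which elsewhere in this diff are released with `PL_strfree`; any remaining code path that frees these two fields (none is visible in this hunk) would now free a literal. With empty bind credentials the `openLDAPConnection(&registryServer)` in the `@@ -2278` hunk appears to bind anonymously — the `@@ -2527` hunk logs exactly that case as "(anonymous)" — so filling `auth_tasks` at startup now depends on the configuration DS allowing anonymous reads of the task entries, which is a deployment requirement worth stating next to the assignment: `/* empty bindDN/bindPW: startup task population reads the config DS without a bind, so those entries must be readable anonymously */`. The `if (server) { } else {` that follows logs the connection failure at WARNING, but whether an empty anonymous search result is distinguished from success lies outside the hunk.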
>@@ -2321,17 +2263,17 @@
> */
> char startds[LINE_LENGTH];
> char normStartds[LINE_LENGTH];
> char *storage = startds;
> char *uri = apr_pstrdup(module_pool, STARTDS_IDENTIFIER);
> TaskCacheEntry *cache_entry;
> 
> if (!build_full_DN(&storage, startds+LINE_LENGTH, uri,
>- registryServer.bindDN)) {
>+ registryServer.admservSieDN)) {
> ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
> "mod_admserv_post_config: unable to build DN from URL - bad URL [%s]",
> uri?uri:"none");
> return OK;
> }
> convert_to_lower_case(startds);
> adm_normalize_dn(startds, normStartds);
> if (!(cache_entry = (TaskCacheEntry *)HashTableFind(auth_tasks, normStartds))) {
>@@ -2491,17 +2433,17 @@
> ap_rprintf(r, "UserDN: %s\n", apr_table_get(r->notes, RQ_NOTES_USERDN));
> ap_rprintf(r, "UserDirectory: ldap%s://%s/%s\n",
> userGroupServer.secure ? "s" : "",
> userGroupServer.host, userGroupServer.baseDN);
> ap_rprintf(r, "ldapHost: %s\n", registryServer.host);
> ap_rprintf(r, "ldapPort: %d\n", registryServer.port);
> ap_rprintf(r, "ldapSecurity: %s\n", (registryServer.secure == 1) ? "on" : "off");
> ap_rprintf(r, "ldapBaseDN: %s\n", registryServer.baseDN);
>- ap_rprintf(r, "SIE: %s\n", registryServer.bindDN);
>+ ap_rprintf(r, "SIE: %s\n", registryServer.admservSieDN);
> ap_rputs("NMC_Status: 0\n", r);
> 
> return OK;
> }
> 
> static int
> authenticate_user(LdapServerData *data, char *baseDN, char *user, const char *pw, request_rec *r)
> {
>@@ -2527,38 +2469,41 @@
> "unable to open LDAPConnection to server [%s:%d]", data->host, data->port);
> return DECLINED;
> } while (server != NULL && ++tries < 2);
> 
> if (ldapError != LDAPU_SUCCESS)
> {
> closeLDAPConnection(server);
> ap_log_rerror(APLOG_MARK, APLOG_NOTICE|APLOG_NOERRNO, 0, r,
>- "unable to bind to server [%s:%d] as [%s]", data->host, data->port, data->bindDN); /*i18n*/
>+ "unable to bind to server [%s:%d] as [%s]",
>+ data->host, data->port,
>+ (data->bindDN && *data->bindDN) ? data->bindDN : "(anonymous)"); /*i18n*/
> return DECLINED;
> }
> 
> /* The basic auth data may be either uid:pw or userDN:pw. The test for '='
> * is hopefully adequate to detect a DN...
> */
> if (!strchr(user, '='))
> {
> /* not a DN, so resolve the DN from the uid */
> 
> tries = 0;
> do {
>- ldapError = ldapu_find_userdn(server, user, baseDN ? baseDN : data->baseDN, &userdn);
>+ /* first try the basedn in the ldap server data, then the basedn param as a fallback */
>+ ldapError = ldapu_find_userdn(server, user, data->baseDN ? data->baseDN : baseDN, &userdn);
> if(ldapError != LDAP_SERVER_DOWN && ldapError != LDAP_CONNECT_ERROR)
> break;
> 
> closeLDAPConnection(server);
> if(!(server = openLDAPConnection(data)))
> ap_log_rerror(APLOG_MARK, APLOG_NOTICE|APLOG_NOERRNO, 0, r,
>- "unable to find user [%s] in server [%s:%d]",
>- user, data->host, data->port);
>+ "unable to find user [%s] in server [%s:%d] under base DN [%s]",
>+ user, data->host, data->port, data->baseDN ? data->baseDN : baseDN);
> return DECLINED;
> } while (server != NULL && ++tries < 2);
> 
> if (ldapError != LDAPU_SUCCESS)
> {
> closeLDAPConnection(server);
> 
> if ((ldapError == LDAP_CONNECT_ERROR) || (ldapError == LDAP_SERVER_DOWN))
>Index: mod_admserv/mod_admserv.h
>===================================================================
>RCS file: /cvs/dirsec/mod_admserv/mod_admserv.h,v
>retrieving revision 1.4
>diff -u -8 -r1.4 mod_admserv.h
>--- mod_admserv/mod_admserv.h 15 Nov 2006 21:31:40 -0000 1.4
>+++ mod_admserv/mod_admserv.h 22 Jun 2007 17:29:01 -0000
>@@ -126,19 +126,22 @@
> long now;
> } PopulateTasksData;
> 
> typedef struct LdapServerData {
> DWORD dPad;
> char *host;
> int port;
> int secure; /* track whether the server is running in secure mode */
>- char *baseDN;
>- char *bindDN;
>- char *bindPW;
>+ char *baseDN; /* for the config ds, usually o=NetscapeRoot
>+ for the user/group ds, this is the default
>+ suffix e.g. dc=example,dc=com */
>+ char *bindDN; /* deprecated since the SIE cannot bind anymore */
>+ char *bindPW; /* deprecated since the SIE cannot bind anymore */
>+ char *admservSieDN; /* SIE DN of this admin server */
> } LdapServerData;
> 
> typedef struct ServletLookupData {
> char *nsExecRef;
> char *taskcn;
> char *serverDN;
> char *serverID;
> } ServletLookupData;
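Review bot: The new expression `data->baseDN ? data->baseDN : baseDN` inverts the precedence of the line it replaces, so a caller that passes an explicit `baseDN` to `authenticate_user` is now ignored whenever the server data carries one; the added comment says "first try ... then ... as a fallback", but the code searches exactly one base, so the comment overstates what happens. Whether any caller relied on the narrower explicit base to scope the uid lookup — a wider base can make a bare uid match a different entry than intended — is not visible here and should be checked before the precedence flip is accepted. If the intent is to prefer the server's configured suffix, a more accurate comment would be `/* prefer the server's configured base DN; the baseDN param is used only when none is configured */`. When both are NULL the same NULL reaches `ldapu_find_userdn` and the new `%s` in the log line; substituting `"(none)"` in the log, e.g. `(data->baseDN ? data->baseDN : (baseDN ? baseDN : "(none)"))`, avoids formatting a NULL pointer. The enclosing function continues outside the hunk.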