import 389-ds-base-1.3.4.0-30.el7_2
parent
3fe9c0d493
commit
ed61979b35
2 changed files with 167 additions and 1 deletions
|
@ -0,0 +1,160 @@
|
|||
From e40a6ef764f13b6efcf573a6181b6747bb029b90 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Reynolds <mreynolds@redhat.com>
|
||||
Date: Thu, 24 Mar 2016 09:46:11 -0400
|
||||
Subject: [PATCH] Ticket 47888 - DES to AES password conversion fails if a
|
||||
backend is empty
|
||||
|
||||
Bug Description: The process of converting DES passwords to AES can incorrectly
|
||||
disable the DES plugin if an error is encountered. In this case
|
||||
it was because a backend was defined but was missing the top entry
|
||||
which lead to an error 32 when searching for DES passwords. This
|
||||
causes the existing DES passwords to fail to decode.
|
||||
|
||||
Fix Description: There are two issues here. One, we should ignore errors when
|
||||
searching all the backends for passwords. Two, we should only
|
||||
disable the DES plugin if all the DES passwords were successfully
|
||||
converted.
|
||||
|
||||
https://fedorahosted.org/389/ticket/48777
|
||||
|
||||
Reviewed by: nhosoi(Thanks!)
|
||||
|
||||
(cherry picked from commit 6b7f980e80af3803bc395e50bd4228ded9bceb00)
|
||||
(cherry picked from commit c6eaf691c6ff3330dc1a3dcbf4dcc31af52c2919)
|
||||
---
|
||||
ldap/servers/slapd/daemon.c | 53 ++++++++++++++++++++++-----------------------
|
||||
1 file changed, 26 insertions(+), 27 deletions(-)
|
||||
|
||||
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
|
||||
index d25c44d..d702129 100644
|
||||
--- a/ldap/servers/slapd/daemon.c
|
||||
+++ b/ldap/servers/slapd/daemon.c
|
||||
@@ -694,7 +694,8 @@ convert_pbe_des_to_aes()
|
||||
char **attrs = NULL;
|
||||
char **backends = NULL;
|
||||
char *val = NULL;
|
||||
- int converted_des = 0;
|
||||
+ int converted_des_passwd = 0;
|
||||
+ int disable_des = 1;
|
||||
int result = -1;
|
||||
int have_aes = 0;
|
||||
int have_des = 0;
|
||||
@@ -739,7 +740,7 @@ convert_pbe_des_to_aes()
|
||||
char *cookie = NULL;
|
||||
|
||||
LDAPDebug(LDAP_DEBUG_ANY, "convert_pbe_des_to_aes: "
|
||||
- "Converting DES passwords to AES...\n",0,0,0);
|
||||
+ "Checking for DES passwords to convert to AES...\n",0,0,0);
|
||||
|
||||
be = slapi_get_first_backend(&cookie);
|
||||
while (be){
|
||||
@@ -777,10 +778,13 @@ convert_pbe_des_to_aes()
|
||||
slapi_search_internal_pb(pb);
|
||||
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
|
||||
if (LDAP_SUCCESS != result) {
|
||||
- LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
|
||||
- "failed to search for password on (%s) error (%d)\n",
|
||||
- backends[be_idx], result, 0);
|
||||
- goto done;
|
||||
+ slapi_log_error(SLAPI_LOG_TRACE, "convert_pbe_des_to_aes: ",
|
||||
+ "Failed to search for password attribute (%s) error (%d), skipping suffix (%s)\n",
|
||||
+ attrs[i], result, backends[be_idx]);
|
||||
+ slapi_free_search_results_internal(pb);
|
||||
+ slapi_pblock_destroy(pb);
|
||||
+ pb = NULL;
|
||||
+ continue;
|
||||
}
|
||||
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
|
||||
for (ii = 0; entries && entries[ii]; ii++){
|
||||
@@ -799,9 +803,9 @@ convert_pbe_des_to_aes()
|
||||
/* decode the DES password */
|
||||
if(pw_rever_decode(val, &passwd, attrs[i]) == -1){
|
||||
LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
|
||||
- "failed to decode existing DES password for (%s)\n",
|
||||
+ "Failed to decode existing DES password for (%s)\n",
|
||||
slapi_entry_get_dn(entries[ii]), 0, 0);
|
||||
- converted_des = 0;
|
||||
+ disable_des = 0;
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -813,7 +817,7 @@ convert_pbe_des_to_aes()
|
||||
slapi_entry_get_dn(entries[ii]), 0, 0);
|
||||
slapi_ch_free_string(&passwd);
|
||||
slapi_value_free(&sval);
|
||||
- converted_des = 0;
|
||||
+ disable_des = 0;
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -834,22 +838,18 @@ convert_pbe_des_to_aes()
|
||||
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
|
||||
if (LDAP_SUCCESS != result) {
|
||||
LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
|
||||
- "failed to convert password for (%s) error (%d)\n",
|
||||
+ "Failed to convert password for (%s) error (%d)\n",
|
||||
slapi_entry_get_dn(entries[ii]), result, 0);
|
||||
- converted_des = -1;
|
||||
+ disable_des = 0;
|
||||
} else {
|
||||
LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
|
||||
- "successfully converted password for (%s)\n",
|
||||
+ "Successfully converted password for (%s)\n",
|
||||
slapi_entry_get_dn(entries[ii]), result, 0);
|
||||
- converted_des = 1;
|
||||
-
|
||||
+ converted_des_passwd = 1;
|
||||
}
|
||||
slapi_ch_free_string(&passwd);
|
||||
slapi_value_free(&sval);
|
||||
slapi_pblock_destroy(mod_pb);
|
||||
- if(result){
|
||||
- goto done;
|
||||
- }
|
||||
}
|
||||
slapi_ch_free_string(&val);
|
||||
}
|
||||
@@ -860,6 +860,10 @@ convert_pbe_des_to_aes()
|
||||
}
|
||||
slapi_ch_free_string(&filter);
|
||||
}
|
||||
+ if (!converted_des_passwd){
|
||||
+ slapi_log_error(SLAPI_LOG_FATAL, "convert_pbe_des_to_aes",
|
||||
+ "No DES passwords found to convert.\n");
|
||||
+ }
|
||||
}
|
||||
|
||||
done:
|
||||
@@ -870,9 +874,9 @@ done:
|
||||
|
||||
if (have_aes && have_des){
|
||||
/*
|
||||
- * If a conversion attempt did not fail, disable DES plugin
|
||||
+ * If a conversion attempt did not fail then we can disable the DES plugin
|
||||
*/
|
||||
- if(converted_des != -1){
|
||||
+ if(converted_des_passwd && disable_des){
|
||||
/*
|
||||
* Disable the DES plugin - this also prevents potentially expensive
|
||||
* searches at every server startup.
|
||||
@@ -905,14 +909,9 @@ done:
|
||||
des_dn, 0, 0);
|
||||
}
|
||||
slapi_pblock_destroy(pb);
|
||||
- }
|
||||
- if(converted_des == 1){
|
||||
- LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
|
||||
- "Finished - all DES passwords have been converted to AES.\n",
|
||||
- 0, 0, 0);
|
||||
- } else if (converted_des == 0){
|
||||
- LDAPDebug(LDAP_DEBUG_ANY, "convert_pbe_des_to_aes: "
|
||||
- "Finished - no DES passwords to convert.\n",0,0,0);
|
||||
+ LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
|
||||
+ "All DES passwords have been converted to AES.\n",
|
||||
+ 0, 0, 0);
|
||||
}
|
||||
}
|
||||
}
|
||||
--
|
||||
2.4.3
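Review bot: In the search-failure branch of convert_pbe_des_to_aes (the inner hunk at -777), every non-success result now skips the suffix without touching `disable_des`, so a backend whose search fails for some other reason is treated the same as one that is merely missing its top entry (error 32). If a different backend then converts a password, `converted_des_passwd && disable_des` is true and the DES plugin is disabled while the skipped suffix may still hold DES-encoded values, which is the decode failure this patch set out to prevent. Consider adding `if (result != LDAP_NO_SUCH_OBJECT) disable_des = 0;` before the `continue`, and logging those cases above SLAPI_LOG_TRACE so an operator sees them without enabling trace logging. The `continue` also appears to bypass the `slapi_ch_free_string(&filter);` shown at the end of the loop in the -860 hunk; the loop body lies outside the hunks, so that needs confirming against the full function.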
|
||||
|
|
@ -34,7 +34,7 @@
|
|||
Summary: 389 Directory Server (base)
|
||||
Name: 389-ds-base
|
||||
Version: 1.3.4.0
|
||||
Release: %{?relprefix}29%{?prerel}%{?dist}
|
||||
Release: %{?relprefix}30%{?prerel}%{?dist}
|
||||
License: GPLv3+
|
||||
URL: http://port389.org/
|
||||
Group: System Environment/Daemons
|
||||
|
@ -211,6 +211,7 @@ Patch84: 0085-Ticket-48536-Crash-in-slapi_get_object_extension.patch
|
|||
Patch85: 0086-Ticket-48445-keep-alive-entries-can-break-replicatio.patch
|
||||
Patch86: 0087-Ticket-48420-change-severity-of-some-messages-relate.patch
|
||||
Patch87: 0088-Ticket-48757-License-tag-does-not-match-actual-licen.patch
|
||||
Patch88: 0089-Ticket-47888-DES-to-AES-password-conversion-fails-if.patch
|
||||
|
||||
%description
|
||||
389 Directory Server is an LDAPv3 compliant server. The base package includes
|
||||
|
@ -362,6 +363,7 @@ cp %{SOURCE2} README.devel
|
|||
%patch85 -p1
|
||||
%patch86 -p1
|
||||
%patch87 -p1
|
||||
%patch88 -p1
|
||||
|
||||
%build
|
||||
%if %{use_nunc_stans}
|
||||
|
@ -556,6 +558,10 @@ fi
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Mar 30 2016 Noriko Hosoi <nhosoi@redhat.com> - 1.3.4.0-30
|
||||
- release 1.3.4.0-30
|
||||
- Resolves: bug 1321891 - DES to AES password conversion fails if a backend is empty (DS 48777)
|
||||
|
||||
* Thu Mar 10 2016 Noriko Hosoi <nhosoi@redhat.com> - 1.3.4.0-29
|
||||
- release 1.3.4.0-29
|
||||
- Resolves: bug 1316552 - License tag does not match actual license of code (DS 48757)
|
||||
|
|