-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remove the LDAP_DEPRECATED constant and do not use functions that are
marked as deprecated in recent OpenLDAP releases. Also always define
WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that
depend on that constant.

A related question - since we only support Fedora 14 now and we always
compile with --with-openldap on that platform, should we remove the
mozldap code altogether? I don't think it would cause any harm,
realistically, there should be no users.

https://fedorahosted.org/freeipa/ticket/576
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0lp1gACgkQHsardTLnvCXCxwCgvsea3YRxufYCk3jMsqRjWBvC
rwcAoK+UE2vqbyplGptEU/5ucmGH5S11
=Knnx
-----END PGP SIGNATURE-----
From 63a9d029446b2cf40a71dbc35ced8383e82aa967 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Mon, 3 Jan 2011 16:16:57 +0100
Subject: [PATCH] Do not use LDAP_DEPRECATED in plugins

Remove the LDAP_DEPRECATED constant and do not use functions that are
marked as deprecated in recent OpenLDAP releases. Also always define
WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that
depend on that constant.

https://fedorahosted.org/freeipa/ticket/576
---
 daemons/configure.ac                               |    2 +
 daemons/ipa-kpasswd/ipa_kpasswd.c                  |   18 +++++--
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h   |    8 ++-
 .../ipa-pwd-extop/ipapwd_common.c                  |   50 +++++++++++++++----
 .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.c    |   24 ++++++++-
 ipa-client/ipa-client-common.h                     |    4 ++
 ipa-client/ipa-getkeytab.c                         |    4 --
 ipa-client/ipa-join.c                              |   31 +++++++++++--
 8 files changed, 112 insertions(+), 29 deletions(-)

diff --git a/daemons/configure.ac b/daemons/configure.ac
index 221a63a..370c5d6 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -199,9 +199,11 @@ AC_ARG_WITH([openldap],
 if test "x$with_openldap" == xyes; then
     LDAP_CFLAGS="${OPENLDAP_CFLAGS} $NSPR4 $NSS3 -DUSE_OPENLDAP"
     LDAP_LIBS="${OPENLDAP_LIBS}"
+    AC_DEFINE_UNQUOTED(WITH_OPENLDAP, 1, [Use OpenLDAP libraries])
 else
     LDAP_CFLAGS="${MOZLDAP_CFLAGS}"
     LDAP_LIBS="${MOZLDAP_LIBS}"
+    AC_DEFINE_UNQUOTED(WITH_MOZLDAP, 1, [Use Mozilla LDAP libraries])
 fi
 AC_SUBST(LDAP_CFLAGS)
 AC_SUBST(LDAP_LIBS)
diff --git a/daemons/ipa-kpasswd/ipa_kpasswd.c b/daemons/ipa-kpasswd/ipa_kpasswd.c
index 9b4c2dd..18a2894 100644
--- a/daemons/ipa-kpasswd/ipa_kpasswd.c
+++ b/daemons/ipa-kpasswd/ipa_kpasswd.c
@@ -42,7 +42,6 @@
 #ifdef WITH_MOZLDAP
 #include <mozldap/ldap.h>
 #else
-#define LDAP_DEPRECATED 1
 #include <ldap.h>
 #endif
 #include <sasl/sasl.h>
@@ -331,6 +330,7 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e
 	struct berval *control = NULL;
 	struct berval newpw;
 	char hostname[1024];
+        char *uri;
 	struct berval **ncvals;
 	char *ldap_base = NULL;
 	char *filter;
@@ -386,11 +386,19 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e
 		goto done;
 	}
 
+        ret = asprintf(&uri, "ldap://%s:389";, hostname);
+        if (ret == -1) {
+            syslog(LOG_ERR, "Out of memory!");
+            goto done;
+        }
+
 	/* connect to ldap server */
 	/* TODO: support referrals ? */
-	ld = ldap_init(hostname, 389);
-	if(ld == NULL) {
-		syslog(LOG_ERR, "Unable to connect to ldap server");
+        ret = ldap_initialize(&ld, uri);
+        free(uri);
+	if(ret != LDAP_SUCCESS) {
+		syslog(LOG_ERR, "Unable to connect to ldap server: %s",
+                                ldap_err2string(ret));
 		goto done;
 	}
 
@@ -414,7 +422,7 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd, char **e
 	/* find base dn */
 	/* TODO: address the case where we have multiple naming contexts */
 	tv.tv_sec = 10;
-	tv.tv_usec = 0; 
+	tv.tv_usec = 0;
 
 	ret = ldap_search_ext_s(ld, "", LDAP_SCOPE_BASE,
 				"objectclass=*", root_attrs, 0,
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 4f8764f..c3d13fb 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -41,6 +41,12 @@
 #  include <config.h>
 #endif
 
+#ifdef WITH_MOZLDAP
+#include <mozldap/ldap.h>
+#else
+#include <ldap.h>
+#endif
+
 #include <stdio.h>
 #include <string.h>
 #include <sys/types.h>
@@ -49,8 +55,6 @@
 #include <unistd.h>
 #include <stdbool.h>
 
-#define LDAP_DEPRECATED 1
-
 #include <prio.h>
 #include <ssl.h>
 #include <dirsrv/slapi-plugin.h>
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index cf6b3fc..2bc36c0 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -373,6 +373,40 @@ static void pwd_values_free(Slapi_ValueSet** results,
     slapi_vattr_values_free(results, actual_type_name, buffer_flags);
 }
 
+static int ipapwd_rdn_count(const char *dn)
+{
+    int rdnc = 0;
+
+#ifdef WITH_MOZLDAP
+    char **edn;
+
+    edn = ldap_explode_dn(dn, 0);
+    if (!edn) {
+        LOG_TRACE("ldap_explode_dn(dn) failed ?!");
+        return -1;
+    }
+
+    for (rdnc = 0; edn != NULL && edn[rdnc]; rdnc++) /* count */ ;
+    ldap_value_free(edn);
+#else
+    /* both ldap_explode_dn and ldap_value_free are deprecated
+     * in OpenLDAP */
+    LDAPDN ldn;
+    int ret;
+
+    ret = ldap_str2dn(dn, &ldn, LDAP_DN_FORMAT_LDAPV3);
+    if (ret != LDAP_SUCCESS) {
+        LOG_TRACE("ldap_str2dn(dn) failed ?!");
+        return -1;
+    }
+
+    for (rdnc = 0; ldn != NULL && ldn[rdnc]; rdnc++) /* count */ ;
+    ldap_dnfree(ldn);
+#endif
+
+    return rdnc;
+}
+
 static int ipapwd_getPolicy(const char *dn,
                             Slapi_Entry *target, Slapi_Entry **e)
 {
@@ -386,7 +420,6 @@ static int ipapwd_getPolicy(const char *dn,
                       "krbPwdHistoryLength", NULL};
     Slapi_Entry **es = NULL;
     Slapi_Entry *pe = NULL;
-    char **edn;
     int ret, res, dist, rdnc, scope, i;
     Slapi_DN *sdn = NULL;
     int buffer_flags=0;
@@ -465,14 +498,12 @@ static int ipapwd_getPolicy(const char *dn,
     }
 
     /* count number of RDNs in DN */
-    edn = ldap_explode_dn(dn, 0);
-    if (!edn) {
-        LOG_TRACE("ldap_explode_dn(dn) failed ?!");
+    rdnc = ipapwd_rdn_count(dn);
+    if (rdnc == -1) {
+        LOG_TRACE("ipapwd_rdn_count(dn) failed");
         ret = -1;
         goto done;
     }
-    for (rdnc = 0; edn[rdnc]; rdnc++) /* count */ ;
-    ldap_value_free(edn);
 
     pe = NULL;
     dist = -1;
@@ -490,15 +521,12 @@ static int ipapwd_getPolicy(const char *dn,
         }
         if (slapi_sdn_issuffix(sdn, esdn)) {
             const char *dn1;
-            char **e1;
             int c1;
 
             dn1 = slapi_sdn_get_dn(esdn);
             if (!dn1) continue;
-            e1 = ldap_explode_dn(dn1, 0);
-            if (!e1) continue;
-            for (c1 = 0; e1[c1]; c1++) /* count */ ;
-            ldap_value_free(e1);
+            c1 = ipapwd_rdn_count(dn1);
+            if (c1 == -1) continue;
             if ((dist == -1) ||
                 ((rdnc - c1) < dist)) {
                 dist = rdnc - c1;
diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
index 10aa188..bfad0cf 100644
--- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
+++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
@@ -41,8 +41,6 @@
 #  include <config.h>
 #endif
 
-#define LDAP_DEPRECATED 1
-
 /*
  * Windows Synchronization Plug-in for IPA
  * This plugin allows IPA to intercept operations sent from
@@ -375,7 +373,6 @@ ipa_winsync_get_new_ds_user_dn_cb(void *cbdata, const Slapi_Entry *rawentry,
                                   Slapi_Entry *ad_entry, char **new_dn_string,
                                   const Slapi_DN *ds_suffix, const Slapi_DN *ad_suffix)
 {
-    char **rdns = NULL;
     PRBool flatten = PR_TRUE;
     IPA_WinSync_Config *ipaconfig = ipa_winsync_get_config();
 
@@ -390,6 +387,9 @@ ipa_winsync_get_new_ds_user_dn_cb(void *cbdata, const Slapi_Entry *rawentry,
         return;
     }
 
+#ifdef WITH_MOZLDAP
+    char **rdns = NULL;
+
     rdns = ldap_explode_dn(*new_dn_string, 0);
     if (!rdns || !rdns[0]) {
         ldap_value_free(rdns);
@@ -399,6 +399,24 @@ ipa_winsync_get_new_ds_user_dn_cb(void *cbdata, const Slapi_Entry *rawentry,
     slapi_ch_free_string(new_dn_string);
     *new_dn_string = slapi_ch_smprintf("%s,%s", rdns[0], slapi_sdn_get_dn(ds_suffix));
     ldap_value_free(rdns);
+#else
+    /* both ldap_explode_dn and ldap_value_free are deprecated
+     * in OpenLDAP */
+    LDAPDN ldn;
+    int ret;
+    char *rdn;
+
+    ret = ldap_str2dn(*new_dn_string, &ldn, LDAP_DN_FORMAT_LDAPV3);
+    if (ret != LDAP_SUCCESS) {
+        LOG_TRACE("ldap_str2dn(dn) failed ?!");
+        return;
+    }
+
+    ldap_rdn2str(ldn[0], &rdn, LDAP_DN_FORMAT_UFN);
+    *new_dn_string = slapi_ch_smprintf("%s,%s", rdn, slapi_sdn_get_dn(ds_suffix));
+    ldap_dnfree(ldn);
+    ldap_memfree(rdn);
+#endif
 
     LOG("<-- ipa_winsync_get_new_ds_user_dn_cb -- new dn [%s] -- end\n",
                     *new_dn_string);
diff --git a/ipa-client/ipa-client-common.h b/ipa-client/ipa-client-common.h
index 863b805..b738fb4 100644
--- a/ipa-client/ipa-client-common.h
+++ b/ipa-client/ipa-client-common.h
@@ -23,6 +23,10 @@
 #include <libintl.h>
 #define _(STRING) gettext(STRING)
 
+#ifndef discard_const
+#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
+#endif
+
 int init_gettext(void);
 
 #endif /* __IPA_CLIENT_COMMON_H */
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 96747a8..8f108de 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -57,10 +57,6 @@
 #define KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1"
 #define KEYTAB_RET_OID "2.16.840.1.113730.3.8.3.2"
 
-#ifndef discard_const
-#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
-#endif
-
 struct krb_key_salt {
     krb5_enctype enctype;
     krb5_int32 salttype;
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index 5c3d140..ff0fed9 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -18,7 +18,6 @@
  */
 
 #define _GNU_SOURCE
-#define LDAP_DEPRECATED 1
 
 #include <unistd.h>
 #include <stdlib.h>
@@ -178,6 +177,9 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
     int version = LDAP_VERSION3;
     int ret;
     int ldapdebug = 0;
+    char *uri;
+    struct berval bindpw_bv;
+
     if (debug) {
         ldapdebug=2;
         ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
@@ -186,7 +188,20 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
     if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, CAFILE) != LDAP_OPT_SUCCESS)
         goto fail;
 
-    ld = (LDAP *)ldap_init(hostname, 636);
+    ret = asprintf(&uri, "ldaps://%s:636", hostname);
+    if (ret == -1) {
+        fprintf(stderr, _("Out of memory!"));
+        goto fail;
+    }
+
+    ret = ldap_initialize(&ld, uri);
+    free(uri);
+    if(ret != LDAP_SUCCESS) {
+        fprintf(stderr, _("Unable to initialize connection to ldap server: %s"),
+                        ldap_err2string(ret));
+        goto fail;
+    }
+
     if (ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl) != LDAP_OPT_SUCCESS) {
         fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
         goto fail;
@@ -198,7 +213,12 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
         goto fail;
     }
 
-    ret = ldap_bind_s(ld, binddn, bindpw, LDAP_AUTH_SIMPLE);
+    bindpw_bv.bv_val = discard_const(bindpw);
+    bindpw_bv.bv_len = strlen(bindpw);
+
+    ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bindpw_bv,
+                           NULL, NULL, NULL);
+
     if (ret != LDAP_SUCCESS) {
         int err;
 
@@ -446,7 +466,10 @@ join_ldap(const char *ipaserver, char *hostname, const char ** binddn, const cha
     if ((rc = ldap_extended_operation_s(ld, JOIN_OID, &valrequest, NULL, NULL, &oidresult, &valresult)) != LDAP_SUCCESS) {
         if (!quiet)
             fprintf(stderr, _("principal not found in host entry\n"));
-        if (debug) ldap_perror(ld, "ldap_extended_operation_s");
+        if (debug) {
+            fprintf(stderr, "ldap_extended_operation_s failed: %s",
+                            ldap_err2string(rc));
+        }
         rval = 18;
         goto ldap_done;
     }
-- 
1.7.3.4

Attachment: jhrozek-freeipa-034-remove-LDAP-DEPRECATED.patch.sig
Description: PGP signature

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to