Commit 140bbef0 authored by Rocky Automation's avatar Rocky Automation 📺

import 389-ds-base-1.4.3.8-7.module+el8.3.0+10310+6e88d919

parent 6da9342b
From 340b81a59cee365e7300e57c1ca5f4866373954c Mon Sep 17 00:00:00 2001
From: tbordaz <tbordaz@redhat.com>
Date: Wed, 16 Dec 2020 16:30:28 +0100
Subject: [PATCH 1/4] Issue 4480 - Unexpected info returned to ldap request
(#4491)
Bug description:
If the bind entry does not exist, the bind result info
reports 'No such entry'. It should not give any
information about whether the target entry exists or not
Fix description:
Does not return any additional information during a bind
relates: https://github.com/389ds/389-ds-base/issues/4480
Reviewed by: William Brown, Viktor Ashirov, Mark Reynolds (thank you all)
Platforms tested: F31
---
dirsrvtests/tests/suites/basic/basic_test.py | 30 ++++++++++++++++++++
ldap/servers/slapd/back-ldbm/ldbm_config.c | 2 +-
ldap/servers/slapd/result.c | 2 +-
3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py
index 120207321..e9afa1e7e 100644
--- a/dirsrvtests/tests/suites/basic/basic_test.py
+++ b/dirsrvtests/tests/suites/basic/basic_test.py
@@ -1400,6 +1400,36 @@ def test_dscreate_multiple_dashes_name(dscreate_long_instance):
assert not dscreate_long_instance.exists()
+def test_bind_invalid_entry(topology_st):
+ """Test the failing bind does not return information about the entry
+
+ :id: 5cd9b083-eea6-426b-84ca-83c26fc49a6f
+
+ :setup: Standalone instance
+
+ :steps:
+ 1: bind as non existing entry
+ 2: check that bind info does not report 'No such entry'
+
+ :expectedresults:
+ 1: pass
+ 2: pass
+ """
+
+ topology_st.standalone.restart()
+ INVALID_ENTRY="cn=foooo,%s" % DEFAULT_SUFFIX
+ try:
+ topology_st.standalone.simple_bind_s(INVALID_ENTRY, PASSWORD)
+ except ldap.LDAPError as e:
+ log.info('test_bind_invalid_entry: Failed to bind as %s (expected)' % INVALID_ENTRY)
+ log.info('exception description: ' + e.args[0]['desc'])
+ if 'info' in e.args[0]:
+ log.info('exception info: ' + e.args[0]['info'])
+ assert e.args[0]['desc'] == 'Invalid credentials'
+ assert 'info' not in e.args[0]
+ pass
+
+ log.info('test_bind_invalid_entry: PASSED')
if __name__ == '__main__':
# Run isolated
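Review bot: test_bind_invalid_entry passes silently if the bind unexpectedly succeeds, because every assertion lives inside the `except ldap.LDAPError` branch and there is no `else:`; a regression that lets the non-existent DN bind would therefore go unnoticed. Wrapping the call as `with pytest.raises(ldap.INVALID_CREDENTIALS) as excinfo:` / `topology_st.standalone.simple_bind_s(INVALID_ENTRY, PASSWORD)` and then asserting `assert 'info' not in excinfo.value.args[0]` outside the block makes both the expected failure and the absence of diagnostic text explicit (pytest is already imported by this module, as the 4/4 patch shows). The trailing `pass` at the end of the except block is dead and can be dropped. The identical body is added a second time by PATCH 4/4 at @@ -1062; see the note there.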
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c
index 88c186359..dee5fc088 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c
@@ -1266,7 +1266,7 @@ ldbm_config_search_entry_callback(Slapi_PBlock *pb __attribute__((unused)),
if (attrs) {
for (size_t i = 0; attrs[i]; i++) {
if (ldbm_config_moved_attr(attrs[i])) {
- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "at least one required attribute has been moved to the BDB scecific configuration entry");
+ slapi_pblock_set(pb, SLAPI_RESULT_TEXT, "at least one required attribute has been moved to the BDB scecific configuration entry");
break;
}
}
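Review bot: The result text on the changed line keeps the typo "scecific"; since this string is emitted as the operation's diagnostic text, it is worth correcting while the line is being touched: `slapi_pblock_set(pb, SLAPI_RESULT_TEXT, "at least one required attribute has been moved to the BDB specific configuration entry");`. Nothing here records why SLAPI_PB_RESULT_TEXT became SLAPI_RESULT_TEXT for a search callback; a short comment referencing issue 4480 would help the next reader. ldbm_config_search_entry_callback starts and ends outside the hunk.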
diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
index 61efb6f8d..40c5dcc57 100644
--- a/ldap/servers/slapd/result.c
+++ b/ldap/servers/slapd/result.c
@@ -355,7 +355,7 @@ send_ldap_result_ext(
if (text) {
pbtext = text;
} else {
- slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &pbtext);
+ slapi_pblock_get(pb, SLAPI_RESULT_TEXT, &pbtext);
}
if (operation == NULL) {
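Review bot: Changing the fallback read from SLAPI_PB_RESULT_TEXT to SLAPI_RESULT_TEXT is the entire server-side fix for issue 4480, yet nothing at the call site explains the distinction, and PATCH 4/4 goes on to store "Entry does not exist" in SLAPI_PB_RESULT_TEXT from ldbm_bind.c and dse.c; a reader cannot tell from this code alone that such text is meant to stay off the wire. If that split is the intent, a comment above the `else` would pin it: `/* Only SLAPI_RESULT_TEXT is returned to the client; SLAPI_PB_RESULT_TEXT is kept server-side (issue 4480) */`. I am inferring the split from the two patches together rather than from this hunk, so please confirm before wording it as fact. send_ldap_result_ext starts and ends outside the hunk.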
--
2.26.2
From 4fb3023a55529c9d5332e3425ae8da590a8ebb69 Mon Sep 17 00:00:00 2001
From: tbordaz <tbordaz@redhat.com>
Date: Mon, 1 Feb 2021 09:28:25 +0100
Subject: [PATCH 3/4] Issue 4581 - A failed re-indexing leaves the database in
broken state (#4582)
Bug description:
During reindex the numsubordinates attribute is not updated in parent entries.
The consequence is that the internal counter job->numsubordinates==0.
Later when indexing the ancestorid, the server can show the progression of this
indexing with a ratio using job->numsubordinates==0.
Division with 0 -> SIGFPE
Fix description:
if the numsubordinates is NULL, log a message without a division.
relates: https://github.com/389ds/389-ds-base/issues/4581
Reviewed by: Pierre Rogier, Mark Reynolds, Simon Pichugin, Teko Mihinto (thanks !!)
Platforms tested: F31
---
.../slapd/back-ldbm/db-bdb/bdb_import.c | 72 ++++++++++++++-----
1 file changed, 54 insertions(+), 18 deletions(-)
diff --git a/ldap/servers/slapd/back-ldbm/db-bdb/bdb_import.c b/ldap/servers/slapd/back-ldbm/db-bdb/bdb_import.c
index 15574e60f..9713b52f6 100644
--- a/ldap/servers/slapd/back-ldbm/db-bdb/bdb_import.c
+++ b/ldap/servers/slapd/back-ldbm/db-bdb/bdb_import.c
@@ -468,18 +468,30 @@ bdb_get_nonleaf_ids(backend *be, DB_TXN *txn, IDList **idl, ImportJob *job)
}
key_count++;
if (!(key_count % PROGRESS_INTERVAL)) {
- import_log_notice(job, SLAPI_LOG_INFO, "bdb_get_nonleaf_ids",
- "Gathering ancestorid non-leaf IDs: processed %d%% (ID count %d)",
- (key_count * 100 / job->numsubordinates), key_count);
+ if (job->numsubordinates) {
+ import_log_notice(job, SLAPI_LOG_INFO, "bdb_get_nonleaf_ids",
+ "Gathering ancestorid non-leaf IDs: processed %d%% (ID count %d)",
+ (key_count * 100 / job->numsubordinates), key_count);
+ } else {
+ import_log_notice(job, SLAPI_LOG_INFO, "bdb_get_nonleaf_ids",
+ "Gathering ancestorid non-leaf IDs: processed %d ancestors...",
+ key_count);
+ }
started_progress_logging = 1;
}
} while (ret == 0 && !(job->flags & FLAG_ABORT));
if (started_progress_logging) {
/* finish what we started logging */
- import_log_notice(job, SLAPI_LOG_INFO, "bdb_get_nonleaf_ids",
- "Gathering ancestorid non-leaf IDs: processed %d%% (ID count %d)",
- (key_count * 100 / job->numsubordinates), key_count);
+ if (job->numsubordinates) {
+ import_log_notice(job, SLAPI_LOG_INFO, "bdb_get_nonleaf_ids",
+ "Gathering ancestorid non-leaf IDs: processed %d%% (ID count %d)",
+ (key_count * 100 / job->numsubordinates), key_count);
+ } else {
+ import_log_notice(job, SLAPI_LOG_INFO, "bdb_get_nonleaf_ids",
+ "Gathering ancestorid non-leaf IDs: processed %d ancestors",
+ key_count);
+ }
}
import_log_notice(job, SLAPI_LOG_INFO, "bdb_get_nonleaf_ids",
"Finished gathering ancestorid non-leaf IDs.");
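Review bot: The zero guard on job->numsubordinates is correct and removes the SIGFPE, but the same six-line if/else is now pasted six times across this file (here twice, and once each in the hunks at @@ -660, @@ -743, @@ -869 and @@ -932), so the next change to the progress logging must be made in six places. A small static helper taking the subsystem name, message prefix and trailing suffix would collapse each copy to one call such as `bdb_import_log_ancestorid_progress(job, "bdb_get_nonleaf_ids", "Gathering ancestorid non-leaf IDs", key_count, "...");` (the @@ -869 copy says "progress" rather than "processed"; either normalise it or add a verb parameter). Separately, if key_count is a plain int, `key_count * 100` overflows past roughly 21 million IDs before the division, which the guard does not address; a cast to a wider type before multiplying is a cheap fix if that range is reachable. The parameter type for key_count below should match its declaration, which is outside the hunk.
```c
/* Log ancestorid progress for an import/reindex job.  When
 * job->numsubordinates is 0 (not refreshed during reindex, issue 4581)
 * no percentage can be computed, so only the raw count is logged. */
static void
bdb_import_log_ancestorid_progress(ImportJob *job, const char *subsystem,
                                   const char *prefix, int key_count,
                                   const char *suffix)
{
    if (job->numsubordinates) {
        import_log_notice(job, SLAPI_LOG_INFO, subsystem,
                          "%s: processed %d%% (ID count %d)", prefix,
                          (key_count * 100 / job->numsubordinates), key_count);
    } else {
        import_log_notice(job, SLAPI_LOG_INFO, subsystem,
                          "%s: processed %d ancestors%s", prefix, key_count, suffix);
    }
}
/* … unchanged: bdb_get_nonleaf_ids loop, each if/else replaced by one helper call … */
```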
@@ -660,9 +672,15 @@ bdb_ancestorid_default_create_index(backend *be, ImportJob *job)
key_count++;
if (!(key_count % PROGRESS_INTERVAL)) {
- import_log_notice(job, SLAPI_LOG_INFO, "bdb_ancestorid_default_create_index",
- "Creating ancestorid index: processed %d%% (ID count %d)",
- (key_count * 100 / job->numsubordinates), key_count);
+ if (job->numsubordinates) {
+ import_log_notice(job, SLAPI_LOG_INFO, "bdb_ancestorid_default_create_index",
+ "Creating ancestorid index: processed %d%% (ID count %d)",
+ (key_count * 100 / job->numsubordinates), key_count);
+ } else {
+ import_log_notice(job, SLAPI_LOG_INFO, "bdb_ancestorid_default_create_index",
+ "Creating ancestorid index: processed %d ancestors...",
+ key_count);
+ }
started_progress_logging = 1;
}
@@ -743,9 +761,15 @@ out:
if (ret == 0) {
if (started_progress_logging) {
/* finish what we started logging */
- import_log_notice(job, SLAPI_LOG_INFO, "bdb_ancestorid_default_create_index",
- "Creating ancestorid index: processed %d%% (ID count %d)",
- (key_count * 100 / job->numsubordinates), key_count);
+ if (job->numsubordinates) {
+ import_log_notice(job, SLAPI_LOG_INFO, "bdb_ancestorid_default_create_index",
+ "Creating ancestorid index: processed %d%% (ID count %d)",
+ (key_count * 100 / job->numsubordinates), key_count);
+ } else {
+ import_log_notice(job, SLAPI_LOG_INFO, "bdb_ancestorid_default_create_index",
+ "Creating ancestorid index: processed %d ancestors",
+ key_count);
+ }
}
import_log_notice(job, SLAPI_LOG_INFO, "bdb_ancestorid_default_create_index",
"Created ancestorid index (old idl).");
@@ -869,9 +893,15 @@ bdb_ancestorid_new_idl_create_index(backend *be, ImportJob *job)
key_count++;
if (!(key_count % PROGRESS_INTERVAL)) {
- import_log_notice(job, SLAPI_LOG_INFO, "bdb_ancestorid_new_idl_create_index",
- "Creating ancestorid index: progress %d%% (ID count %d)",
- (key_count * 100 / job->numsubordinates), key_count);
+ if (job->numsubordinates) {
+ import_log_notice(job, SLAPI_LOG_INFO, "bdb_ancestorid_new_idl_create_index",
+ "Creating ancestorid index: progress %d%% (ID count %d)",
+ (key_count * 100 / job->numsubordinates), key_count);
+ } else {
+ import_log_notice(job, SLAPI_LOG_INFO, "bdb_ancestorid_new_idl_create_index",
+ "Creating ancestorid index: progress %d ancestors...",
+ key_count);
+ }
started_progress_logging = 1;
}
@@ -932,9 +962,15 @@ out:
if (ret == 0) {
if (started_progress_logging) {
/* finish what we started logging */
- import_log_notice(job, SLAPI_LOG_INFO, "bdb_ancestorid_new_idl_create_index",
- "Creating ancestorid index: processed %d%% (ID count %d)",
- (key_count * 100 / job->numsubordinates), key_count);
+ if (job->numsubordinates) {
+ import_log_notice(job, SLAPI_LOG_INFO, "bdb_ancestorid_new_idl_create_index",
+ "Creating ancestorid index: processed %d%% (ID count %d)",
+ (key_count * 100 / job->numsubordinates), key_count);
+ } else {
+ import_log_notice(job, SLAPI_LOG_INFO, "bdb_ancestorid_new_idl_create_index",
+ "Creating ancestorid index: processed %d ancestors",
+ key_count);
+ }
}
import_log_notice(job, SLAPI_LOG_INFO, "bdb_ancestorid_new_idl_create_index",
"Created ancestorid index (new idl).");
--
2.26.2
From 861f17d2cb50fc649feee004be1ce08d2e3873f8 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 9 Feb 2021 14:02:59 -0500
Subject: [PATCH 4/4] Issue 4609 - CVE - info disclosure when authenticating
Description: If you bind as a user that does not exist, error 49 is returned
instead of error 32, as error 32 discloses that the entry does
not exist. When you bind as an entry that does not have userpassword
set then error 48 (inappropriate auth) is returned, but this
discloses that the entry does indeed exist. Instead we should
always return error 49, even if the password is not set in the
entry. This way we do not disclose to an attacker if the Bind
DN exists or not.
Relates: https://github.com/389ds/389-ds-base/issues/4609
Reviewed by: tbordaz(Thanks!)
---
dirsrvtests/tests/suites/basic/basic_test.py | 72 +++++++++++++++++++-
ldap/servers/slapd/back-ldbm/ldbm_bind.c | 4 +-
ldap/servers/slapd/dse.c | 7 +-
3 files changed, 78 insertions(+), 5 deletions(-)
diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py
index e9afa1e7e..6244782fa 100644
--- a/dirsrvtests/tests/suites/basic/basic_test.py
+++ b/dirsrvtests/tests/suites/basic/basic_test.py
@@ -13,7 +13,7 @@
from subprocess import check_output, PIPE, run
from lib389 import DirSrv
-from lib389.idm.user import UserAccounts
+from lib389.idm.user import UserAccount, UserAccounts
import pytest
from lib389.tasks import *
from lib389.utils import *
@@ -1062,6 +1062,76 @@ def test_search_ou(topology_st):
assert len(entries) == 0
+def test_bind_invalid_entry(topology_st):
+ """Test the failing bind does not return information about the entry
+
+ :id: 5cd9b083-eea6-426b-84ca-83c26fc49a6f
+ :customerscenario: True
+ :setup: Standalone instance
+ :steps:
+ 1: bind as non existing entry
+ 2: check that bind info does not report 'No such entry'
+ :expectedresults:
+ 1: pass
+ 2: pass
+ """
+
+ topology_st.standalone.restart()
+ INVALID_ENTRY="cn=foooo,%s" % DEFAULT_SUFFIX
+ try:
+ topology_st.standalone.simple_bind_s(INVALID_ENTRY, PASSWORD)
+ except ldap.LDAPError as e:
+ log.info('test_bind_invalid_entry: Failed to bind as %s (expected)' % INVALID_ENTRY)
+ log.info('exception description: ' + e.args[0]['desc'])
+ if 'info' in e.args[0]:
+ log.info('exception info: ' + e.args[0]['info'])
+ assert e.args[0]['desc'] == 'Invalid credentials'
+ assert 'info' not in e.args[0]
+ pass
+
+ log.info('test_bind_invalid_entry: PASSED')
+
+ # reset credentials
+ topology_st.standalone.simple_bind_s(DN_DM, PW_DM)
+
+
+def test_bind_entry_missing_passwd(topology_st):
+ """
+ :id: af209149-8fb8-48cb-93ea-3e82dd7119d2
+ :setup: Standalone Instance
+ :steps:
+ 1. Bind as database entry that does not have userpassword set
+ 2. Bind as database entry that does not exist
+ 1. Bind as cn=config entry that does not have userpassword set
+ 2. Bind as cn=config entry that does not exist
+ :expectedresults:
+ 1. Fails with error 49
+ 2. Fails with error 49
+ 3. Fails with error 49
+ 4. Fails with error 49
+ """
+ user = UserAccount(topology_st.standalone, DEFAULT_SUFFIX)
+ with pytest.raises(ldap.INVALID_CREDENTIALS):
+ # Bind as the suffix root entry which does not have a userpassword
+ user.bind("some_password")
+
+ user = UserAccount(topology_st.standalone, "cn=not here," + DEFAULT_SUFFIX)
+ with pytest.raises(ldap.INVALID_CREDENTIALS):
+ # Bind as the entry which does not exist
+ user.bind("some_password")
+
+ # Test cn=config since it has its own code path
+ user = UserAccount(topology_st.standalone, "cn=config")
+ with pytest.raises(ldap.INVALID_CREDENTIALS):
+ # Bind as the config entry which does not have a userpassword
+ user.bind("some_password")
+
+ user = UserAccount(topology_st.standalone, "cn=does not exist,cn=config")
+ with pytest.raises(ldap.INVALID_CREDENTIALS):
+ # Bind as an entry under cn=config that does not exist
+ user.bind("some_password")
+
+
@pytest.mark.bz1044135
@pytest.mark.ds47319
def test_connection_buffer_size(topology_st):
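Review bot: test_bind_invalid_entry is now defined twice in basic_test.py: PATCH 1/4 added it after test_dscreate_multiple_dashes_name (@@ -1400) and this hunk adds an identical copy at @@ -1062, while the only deletion in this file is the import line, so the earlier copy survives. Python keeps the last definition and pytest collects a single test, so the duplication (including the reused `:id: 5cd9b083-...`) is hidden rather than reported; one of the two copies should be removed. In test_bind_entry_missing_passwd the `:steps:` are numbered 1, 2, 1, 2 while `:expectedresults:` run 1 to 4; renumber the last two steps to `3. Bind as cn=config entry that does not have userpassword set` and `4. Bind as cn=config entry that does not exist`. The `pytest.raises(ldap.INVALID_CREDENTIALS)` form used here is stronger than the try/except in test_bind_invalid_entry, which passes silently if the bind succeeds, and would be worth applying there too.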
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_bind.c b/ldap/servers/slapd/back-ldbm/ldbm_bind.c
index fa450ecd5..38d115a32 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_bind.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_bind.c
@@ -76,8 +76,8 @@ ldbm_back_bind(Slapi_PBlock *pb)
case LDAP_AUTH_SIMPLE: {
Slapi_Value cv;
if (slapi_entry_attr_find(e->ep_entry, "userpassword", &attr) != 0) {
- slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL,
- NULL, 0, NULL);
+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set");
+ slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
CACHE_RETURN(&inst->inst_cache, &e);
rc = SLAPI_BIND_FAIL;
goto bail;
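Review bot: The string stored in SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set", is precisely the fact the commit is trying to hide, so the fix is only correct as long as that pblock slot never reaches the client; PATCH 1/4 changed send_ldap_result_ext to read SLAPI_RESULT_TEXT instead, which suggests SLAPI_PB_RESULT_TEXT is now server-side only, but nothing at this call site records that dependency. A one-line comment would stop a future change from routing it back to the wire: `/* Server-side text only; the client must see a bare err 49 so that entry existence is not revealed (issue 4609) */`. Also worth noting in the same comment is that this branch returns before any password comparison, so if response timing against an entry that does have a userpassword is ever a concern, this is the place it would be addressed. ldbm_back_bind starts and ends outside the hunk.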
diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
index 0e22d3cec..0d3268046 100644
--- a/ldap/servers/slapd/dse.c
+++ b/ldap/servers/slapd/dse.c
@@ -1443,7 +1443,8 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK);
if (ec == NULL) {
- slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL);
+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not exist");
+ slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
return (SLAPI_BIND_FAIL);
}
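Review bot: The replacement of LDAP_NO_SUCH_OBJECT by LDAP_INVALID_CREDENTIALS is deliberate, but the code now looks like a mistake to anyone who does not know issue 4609, because err 32 is the "natural" result for a missing entry; a why-comment is needed here and on the matching LDAP_INAPPROPRIATE_AUTH replacement in the next hunk (@@ -1451): `/* Deliberately err 49, not 32/48: a bind must not reveal whether the entry exists or has a password (issue 4609) */`. The same caveat as in ldbm_bind.c applies to the SLAPI_PB_RESULT_TEXT strings "Entry does not exist" and "Entry does not have userpassword set": they are safe only while that slot stays out of the client-visible result, which this hunk does not itself establish. dse_bind starts and ends outside the hunk.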
@@ -1451,7 +1452,8 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
case LDAP_AUTH_SIMPLE: {
Slapi_Value cv;
if (slapi_entry_attr_find(ec, "userpassword", &attr) != 0) {
- slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, NULL, 0, NULL);
+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set");
+ slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
slapi_entry_free(ec);
return SLAPI_BIND_FAIL;
}
@@ -1459,6 +1461,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this
slapi_value_init_berval(&cv, cred);
if (slapi_pw_find_sv(bvals, &cv) != 0) {
+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Invalid credentials");
slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
slapi_entry_free(ec);
value_done(&cv);
--
2.26.2
From 82db41ae6f76464a6ee3cbfdca8019bc809b3cf3 Mon Sep 17 00:00:00 2001
From: William Brown <william@blackhats.net.au>
Date: Thu, 26 Nov 2020 09:08:13 +1000
Subject: [PATCH] Issue 4460 - BUG - lib389 should use system tls policy
Bug Description: Due to some changes in dsrc for tlsreqcert
and how def open was structured in lib389, the system ldap.conf
policy was ignored.
Fix Description: Default to using the system ldap.conf policy
if undefined in lib389 or the tls_reqcert param in dsrc.
fixes: #4460
Author: William Brown <william@blackhats.net.au>
Review by: ???
---
src/lib389/lib389/__init__.py | 11 +++++++----
src/lib389/lib389/cli_base/dsrc.py | 16 +++++++++-------
2 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/src/lib389/lib389/__init__.py b/src/lib389/lib389/__init__.py
index 63d44b60a..dc18b2bfe 100644
--- a/src/lib389/lib389/__init__.py
+++ b/src/lib389/lib389/__init__.py
@@ -962,7 +962,7 @@ class DirSrv(SimpleLDAPObject, object):
# Now, we are still an allocated ds object so we can be re-installed
self.state = DIRSRV_STATE_ALLOCATED
- def open(self, uri=None, saslmethod=None, sasltoken=None, certdir=None, starttls=False, connOnly=False, reqcert=ldap.OPT_X_TLS_HARD,
+ def open(self, uri=None, saslmethod=None, sasltoken=None, certdir=None, starttls=False, connOnly=False, reqcert=None,
usercert=None, userkey=None):
'''
It opens a ldap bound connection to dirsrv so that online
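Review bot: The default of reqcert changes from ldap.OPT_X_TLS_HARD to None, which now means "defer to the system ldap.conf policy", but the docstring that begins on the next line (and continues outside the hunk) is not updated to say so. Add a parameter line along the lines of `:param reqcert: ldap.OPT_X_TLS_* value, or None to use the /etc/openldap/ldap.conf TLS_REQCERT policy`, and consider calling out explicitly that None can be weaker than the previous hard default when the system file sets never or allow. The open method starts and ends outside the hunk.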
@@ -1025,9 +1025,12 @@ class DirSrv(SimpleLDAPObject, object):
try:
# Note this sets LDAP.OPT not SELF. Because once self has opened
# it can NOT change opts on reused (ie restart)
- self.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, reqcert)
- self.log.debug("Using certificate policy %s", reqcert)
- self.log.debug("ldap.OPT_X_TLS_REQUIRE_CERT = %s", reqcert)
+ if reqcert is not None:
+ self.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, reqcert)
+ self.log.debug("Using lib389 certificate policy %s", reqcert)
+ else:
+ self.log.debug("Using /etc/openldap/ldap.conf certificate policy")
+ self.log.debug("ldap.OPT_X_TLS_REQUIRE_CERT = %s", self.get_option(ldap.OPT_X_TLS_REQUIRE_CERT))
except ldap.LDAPError as e:
self.log.fatal('TLS negotiation failed: %s', e)
raise e
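Review bot: When reqcert is None the effective certificate policy is whatever /etc/openldap/ldap.conf supplies, and if that file sets TLS_REQCERT to never or allow, lib389 will now connect without verifying the server certificate while the only trace is a debug-level line. Since the previous default was OPT_X_TLS_HARD, it would be prudent to surface a weaker effective policy at a level operators see: `effective = self.get_option(ldap.OPT_X_TLS_REQUIRE_CERT)` / `if effective != ldap.OPT_X_TLS_HARD:` / `self.log.info("TLS certificate policy is %s (not OPT_X_TLS_HARD)", effective)`. The existing comment above the try (that the option is set on LDAP, not self) still holds for the new branch and could be extended to mention the None case. The open method starts and ends outside the hunk.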
diff --git a/src/lib389/lib389/cli_base/dsrc.py b/src/lib389/lib389/cli_base/dsrc.py
index 9cad23437..8a4a2a55d 100644
--- a/src/lib389/lib389/cli_base/dsrc.py
+++ b/src/lib389/lib389/cli_base/dsrc.py
@@ -45,7 +45,7 @@ def dsrc_arg_concat(args, dsrc_inst):
'tls_cacertdir': None,
'tls_cert': None,
'tls_key': None,
- 'tls_reqcert': ldap.OPT_X_TLS_HARD,
+ 'tls_reqcert': None,
'starttls': args.starttls,
'prompt': False,
'pwdfile': None,
@@ -134,21 +134,23 @@ def dsrc_to_ldap(path, instance_name, log):
dsrc_inst['binddn'] = config.get(instance_name, 'binddn', fallback=None)
dsrc_inst['saslmech'] = config.get(instance_name, 'saslmech', fallback=None)
if dsrc_inst['saslmech'] is not None and dsrc_inst['saslmech'] not in ['EXTERNAL', 'PLAIN']:
- raise Exception("%s [%s] saslmech must be one of EXTERNAL or PLAIN" % (path, instance_name))
+ raise ValueError("%s [%s] saslmech must be one of EXTERNAL or PLAIN" % (path, instance_name))
dsrc_inst['tls_cacertdir'] = config.get(instance_name, 'tls_cacertdir', fallback=None)
dsrc_inst['tls_cert'] = config.get(instance_name, 'tls_cert', fallback=None)
dsrc_inst['tls_key'] = config.get(instance_name, 'tls_key', fallback=None)
- dsrc_inst['tls_reqcert'] = config.get(instance_name, 'tls_reqcert', fallback='hard')
- if dsrc_inst['tls_reqcert'] not in ['never', 'allow', 'hard']:
- raise Exception("dsrc tls_reqcert value invalid. %s [%s] tls_reqcert should be one of never, allow or hard" % (instance_name,
- path))
+ dsrc_inst['tls_reqcert'] = config.get(instance_name, 'tls_reqcert', fallback=None)
if dsrc_inst['tls_reqcert'] == 'never':
dsrc_inst['tls_reqcert'] = ldap.OPT_X_TLS_NEVER
elif dsrc_inst['tls_reqcert'] == 'allow':
dsrc_inst['tls_reqcert'] = ldap.OPT_X_TLS_ALLOW
- else:
+ elif dsrc_inst['tls_reqcert'] == 'hard':
dsrc_inst['tls_reqcert'] = ldap.OPT_X_TLS_HARD
+ elif dsrc_inst['tls_reqcert'] is None:
+ # Use system value
+ pass
+ else:
+ raise ValueError("dsrc tls_reqcert value invalid. %s [%s] tls_reqcert should be one of never, allow or hard" % (instance_name, path))
dsrc_inst['starttls'] = config.getboolean(instance_name, 'starttls', fallback=False)
dsrc_inst['pwdfile'] = None
dsrc_inst['prompt'] = False
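Review bot: The new ValueError for an invalid tls_reqcert formats its arguments as `(instance_name, path)` while the saslmech error a few lines above uses `(path, instance_name)` with the same "%s [%s]" layout, so the two messages print path and instance in opposite order; the fix is `% (path, instance_name)` on the raise line. The `elif dsrc_inst['tls_reqcert'] is None: pass` branch is fine but reads more clearly as a dict lookup from the three accepted strings to the ldap.OPT_X_TLS_* constants with a single `else` raising, which also keeps the accepted values in one place next to the error message that lists them. dsrc_to_ldap starts and ends outside the hunk.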
--
2.26.2
From 2d6ca042adcf0dc2bbf9b898d698bbf62514c4a5 Mon Sep 17 00:00:00 2001
From: Firstyear <william@blackhats.net.au>
Date: Fri, 4 Dec 2020 10:14:33 +1000
Subject: [PATCH] Issue 4460 - BUG - add machine name to subject alt names in
SSCA (#4472)
Bug Description: During SSCA creation, the server cert did not have
the machine name, which meant that the cert would not work without
reqcert = never.
Fix Description: Add the machine name as an alt name during SSCA
creation. It is not guaranteed this value is correct, but it
is better than nothing.
relates: https://github.com/389ds/389-ds-base/issues/4460
Author: William Brown <william@blackhats.net.au>
Review by: mreynolds389, droideck
---
src/lib389/lib389/instance/setup.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib389/lib389/instance/setup.py b/src/lib389/lib389/instance/setup.py
index 45c7dfdd4..21260ee20 100644
--- a/src/lib389/lib389/instance/setup.py
+++ b/src/lib389/lib389/instance/setup.py
@@ -870,7 +870,7 @@ class SetupDs(object):
tlsdb_inst = NssSsl(dbpath=os.path.join(etc_dirsrv_path, dir))
tlsdb_inst.import_rsa_crt(ca)
- csr = tlsdb.create_rsa_key_and_csr()
+ csr = tlsdb.create_rsa_key_and_csr(alt_names=[general['full_machine_name']])
(ca, crt) = ssca.rsa_ca_sign_csr(csr)
tlsdb.import_rsa_crt(ca, crt)
if general['selinux']:
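Review bot: The commit message states that general['full_machine_name'] is not guaranteed to be correct, but the call site does not, so a reader will assume the SAN is authoritative. Add a comment above the changed line: `# SAN is best-effort: full_machine_name may not match what clients connect to; a mismatch means clients need a non-hard TLS_REQCERT`. The surrounding context also mixes `tlsdb_inst` and `tlsdb`; that predates this change, but if they are meant to be the same object it is worth a look while here. The enclosing method starts and ends outside the hunk.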
--
2.26.2
......@@ -45,7 +45,7 @@ ExcludeArch: i686
Summary: 389 Directory Server (base)
Name: 389-ds-base
Version: 1.4.3.8
Release: %{?relprefix}6%{?prerel}%{?dist}
Release: %{?relprefix}7%{?prerel}%{?dist}
License: GPLv3+
URL: https://www.port389.org
Group: System Environment/Daemons
......@@ -207,7 +207,12 @@ Patch30: 0030-ticket-2058-Add-keep-alive-entry-after-on-line-initi.patc
Patch31: 0031-do-not-add-referrals-for-masters-with-different-data.patch
Patch32: 0032-Issue-4383-Do-not-normalize-escaped-spaces-in-a-DN.patch
Patch33: 0033-Issue-49300-entryUSN-is-duplicated-after-memberOf-op.patch
Patch34: 0034-Issue-4480-Unexpected-info-returned-to-ldap-request-.patch
Patch35: 0035-Issue-5442-Search-results-are-different-between-RHDS.patch
Patch36: 0036-Issue-4581-A-failed-re-indexing-leaves-the-database-.patch
Patch37: 0037-Issue-4609-CVE-info-disclosure-when-authenticating.patch
Patch38: 0038-Issue-4460-BUG-lib389-should-use-system-tls-policy.patch
Patch39: 0039-Issue-4460-BUG-add-machine-name-to-subject-alt-names.patch
%description
389 Directory Server is an LDAPv3 compliant server. The base package includes
......@@ -825,15 +830,21 @@ exit 0
%doc README.md
%changelog
* Thu Mar 11 2021 Mark Reynolds <mreynolds@redhat.com> - 1.4.3.8-7
- Bump version to 1.4.3.8-7
- Resolves: Bug 1908705 - CVE-2020-35518 389-ds:1.4/389-ds-base: information disclosure during the binding of a DN
- Resolves: Bug 1936461 - A failed re-indexing leaves the database in broken state.
- Resolves: Bug 1912481 - Server-Cert.crt created using dscreate has Subject:CN =localhost instead of hostname.
* Thu Dec 3 2020 Mark Reynolds <mreynolds@redhat.com> - 1.4.3.8-6
- Bump version to 1.4.3.8-6
- Resolves: Bug 1851973 - Duplicate entryUSN numbers for different LDAP entries in the same backend
- Resolves: Bug 1888863 - group rdn with leading space char and add fails error 21 invalid syntax and delete fails error 32
- Resolves: Bug 1859228 - do not add referrals for masters with different data generation
- Resolves: Bug 1859227 - create keep alive entry after on line init
- Resolves: Bug 1896850 - NULL dereference in revert_cache()
- Resolves: Bug 1861504 - ds-replcheck crashes in offline mode
- Resolves: Bug 1898850 - Entries conflict not resolved by replication
- Resolves: Bug 1904348 - Duplicate entryUSN numbers for different LDAP entries in the same backend
- Resolves: Bug 1904349 - group rdn with leading space char and add fails error 21 invalid syntax and delete fails error 32
- Resolves: Bug 1904350 - do not add referrals for masters with different data generation
- Resolves: Bug 1904351 - create keep alive entry after on line init
- Resolves: Bug 1904352 - NULL dereference in revert_cache()
- Resolves: Bug 1904353 - ds-replcheck crashes in offline mode
- Resolves: Bug 1904347 - Entries conflict not resolved by replication
* Wed Aug 5 2020 Mark Reynolds <mreynolds@redhat.com> - 1.4.3.8-5
- Bump version to 1.4.3.8-5
......