From d4327cffcb79d2b4c46f4d31b4477e29a9ea0de0 Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Apr 27 2012 19:58:57 +0000 Subject: Ticket #214 - Adding Replication agreement should complain if required nsds5ReplicaCredentials not supplied Bug Description: the server allows you to add replication agreements for SIMPLE & SASL/DIGEST-MD5 without supplying a bind DN or password. The console enforces this, but not through the command line. Fix Description: If the authentication method is not SSL Client Auth or SASL/GSSAPI, then make sure a bind DN and password are supplied. https://fedorahosted.org/389/ticket/214 Reviewed by: Noriko!
---
diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
index bfde962..cdd074e 100644
--- a/ldap/servers/plugins/replication/repl5_agmt.c
+++ b/ldap/servers/plugins/replication/repl5_agmt.c
@@ -219,6 +219,26 @@ agmt_is_valid(Repl_Agmt *ra)
 slapi_sdn_get_dn(ra->dn), type_nsds5TransportInfo, type_nsds5ReplicaBindMethod);
 return_value = 0;
 }
+ /*
+ * If we are not using GSSAPI or SSL Client Auth, then a bind dn and password must be present
+ */
+ if(BINDMETHOD_SASL_GSSAPI != ra->bindmethod && BINDMETHOD_SSL_CLIENTAUTH != ra->bindmethod){
+ if(strcmp(ra->binddn,"") == 0 || ra->creds->bv_val == NULL){
+ char *auth_mech;
+
+ if(ra->bindmethod == BINDMETHOD_SIMPLE_AUTH){
+ auth_mech = "SIMPLE";
+ } else if (ra->bindmethod == BINDMETHOD_SASL_DIGEST_MD5){
+ auth_mech = "SASL/DIGEST-MD5";
+ } else {
+ auth_mech = "Unknown";
+ }
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "Replication agreement \"%s\" "
+ "is malformed: a bind DN and password must be supplied for authentication "
+ "method \"%s\"\n", slapi_sdn_get_dn(ra->dn), auth_mech);
+ return_value = 0;
+ }
+ }
 return return_value;
 }
 
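Review bot: The added check in agmt_is_valid treats credentials as present whenever `ra->creds->bv_val` is non-NULL, so an nsds5ReplicaCredentials value that exists but is empty would still pass validation; for SIMPLE, a bind DN with a zero-length password is an unauthenticated bind under RFC 4513, which is the condition this ticket is meant to reject. The test also dereferences `ra->binddn` and `ra->creds` without a NULL guard, and whether either can be NULL here depends on agmt_new_from_entry, which is outside this hunk. I would tighten the condition to `if(ra->binddn == NULL || ra->binddn[0] == '\0' || ra->creds == NULL || ra->creds->bv_val == NULL || ra->creds->bv_len == 0){`. The start of agmt_is_valid is outside the hunk, so any earlier validation of these fields is not visible.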
@@ -227,10 +247,9 @@ Repl_Agmt *
 agmt_new_from_entry(Slapi_Entry *e)
 {
 Repl_Agmt *ra;
- char *tmpstr;
 Slapi_Attr *sattr;
+ char *tmpstr;
 char **denied_attrs = NULL;
- char *auto_initialize = NULL;
 char *val_nsds5BeginReplicaRefresh = "start";