From 42ba3dce6a6b80ecc1050f77fd2e187b4dc65a72 Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Dec 12 2013 20:26:34 +0000 Subject: Ticket 47613 - Issues setting allowed mechanisms Bug Description: Adding an empty value for nsslapd-allowed-sasl-mechanisms blocks all sasl authentication. Also changing the allowed sasl mechansism does require a restart after making a change. Fix Description: Reject an empty values for nsslapd-allowed-sasl-mechanisms, and allow config changes to occur without restarting the server. https://fedorahosted.org/389/ticket/47613 Reviewed by: nhosoi(Thanks!) (cherry picked from commit 43959232f792db2b79e614f6db78f7569920fdc1) --- diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c index bd1566e..b54062d 100644 --- a/ldap/servers/slapd/configdse.c +++ b/ldap/servers/slapd/configdse.c @@ -81,7 +81,6 @@ static const char *requires_restart[] = { #endif "cn=config:" CONFIG_RETURN_EXACT_CASE_ATTRIBUTE, "cn=config:" CONFIG_SCHEMA_IGNORE_TRAILING_SPACES, - "cn=config:nsslapd-allowed-sasl-mechanisms", "cn=config,cn=ldbm:nsslapd-idlistscanlimit", "cn=config,cn=ldbm:nsslapd-parentcheck", "cn=config,cn=ldbm:nsslapd-dbcachesize", diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c index 9b63fe0..283e9a3 100644 --- a/ldap/servers/slapd/libglobs.c +++ b/ldap/servers/slapd/libglobs.c @@ -6816,8 +6816,7 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, { slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); - if(!apply || slapdFrontendConfig->allowed_sasl_mechs){ - /* we only set this at startup, if we try again just return SUCCESS */ + if(!apply){ return LDAP_SUCCESS; } 
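Review bot: With the early return reduced to `if(!apply)`, a validation-only pass (apply == 0) returns LDAP_SUCCESS without ever looking at `value`. The call to invalid_sasl_mech() is not visible in this hunk, but the context at the start of the next hunk suggests it sits after this return; if so, a malformed or empty mechanism list passes the check phase and is refused only on apply. Consider validating first and returning on `!apply` afterwards, i.e. moving `if(!apply){ return LDAP_SUCCESS; }` to just before `CFG_LOCK_WRITE(slapdFrontendConfig);`. The body of config_set_allowed_sasl_mechs() continues outside the hunk.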
@@ -6832,6 +6831,7 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, } CFG_LOCK_WRITE(slapdFrontendConfig); + slapi_ch_free_string(&slapdFrontendConfig->allowed_sasl_mechs); slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value); CFG_UNLOCK_WRITE(slapdFrontendConfig); @@ -7618,7 +7618,11 @@ invalid_sasl_mech(char *str) int i; if(str == NULL){ - return 0; + return 1; + } + if(strlen(str) < 1){ + /* ignore empty values */ + return 1; } /*
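Review bot: Freeing `allowed_sasl_mechs` under the write lock is only safe if no reader keeps the old pointer after dropping the read lock. Before this commit the string was set once at startup and never freed, so a getter could safely hand out the stored pointer; now that the value is replaceable at runtime, any such getter (not shown here) would leave a bind in progress reading freed memory while it checks the mechanism list. It is worth confirming that the getter returns a `slapi_ch_strdup()` copy made under `CFG_LOCK_READ` and that its callers free it. A short comment above the free, such as `/* readers must copy under CFG_LOCK_READ; this string is replaced at runtime */`, would record the contract.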
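Review bot: The comment `/* ignore empty values */` says the opposite of what the code does: returning 1 marks the value invalid, so NULL and empty input is rejected, not ignored. Suggest `/* reject empty values: an empty list blocks all SASL authentication */`, and `if(*str == '\0'){` in place of `strlen(str) < 1`. The rest of invalid_sasl_mech() is outside the hunk, so it cannot be seen whether a value made up only of separators or whitespace is also caught; if it is not, it would presumably have the same lock-out effect as the empty string. Since the setter now refuses "", it is also worth checking that deleting the attribute to restore the default does not arrive here as an empty value.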