From ac6d8e583c51e5935d697e254e3869c63cbd483f Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Mar 22 2013 17:06:07 +0000
Subject: Ticket 632 - 389-ds-base cannot handle Kerberos tickets with PAC
Bug Description: When FreeIPA is configured with AD trust support, Kerberos tickets may also contain PAC which makes them bigger than usually expected (bigger than 2048 B)
Fix Description: Make the default 64k(65536), and allow it to be configurable using: nsslapd-sasl-max-buffer-size
https://fedorahosted.org/389/ticket/632
Reviewed by: nkinder(Thanks!)
---
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index ed25bd8..8ef702d 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -152,6 +152,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2151 NAME 'nsslapd-plugin-depends-on-typ
 attributeTypes: ( 2.16.840.1.113730.3.1.2152 NAME 'nsds5ReplicaProtocolTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2154 NAME 'nsds5ReplicaBackoffMin' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2155 NAME 'nsds5ReplicaBackoffMax' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2156 NAME 'nsslapd-sasl-max-buffer-size' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 #
 # objectclasses
 #
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 13f5d8b..b7bc999 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -176,6 +176,8 @@ static int config_set_schemareplace ( const char *attrname, char *value,
 #define DEFAULT_PW_RESETFAILURECOUNT "600"
 #define DEFAULT_PW_LOCKDURATION "3600"
 #define DEFAULT_NDN_SIZE "20971520"
+#define DEFAULT_SASL_MAXBUFSIZE "65536"
+#define SLAPD_DEFAULT_SASL_MAXBUFSIZE 65536
 #ifdef MEMPOOL_EXPERIMENTAL
 #define DEFAULT_MEMPOOL_MAXFREELIST "1024"
 #endif
@@ -1033,6 +1035,11 @@ static struct config_get_and_set {
 CONFIG_SPECIAL_UNHASHED_PW_SWITCH, (ConfigGetFunc)config_get_unhashed_pw_switch,
 DEFAULT_UNHASHED_PW_SWITCH},
+ {CONFIG_SASL_MAXBUFSIZE, config_set_sasl_maxbufsize,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.sasl_max_bufsize,
+ CONFIG_INT, (ConfigGetFunc)config_get_sasl_maxbufsize,
+ DEFAULT_SASL_MAXBUFSIZE},
 {CONFIG_SEARCH_RETURN_ORIGINAL_TYPE, config_set_return_orig_type_switch,
 NULL, 0,
 (void**)&global_slapdFrontendConfig.return_orig_type,
@@ -1468,6 +1475,7 @@ FrontendConfig_init () {
 cfg->ignore_vattrs = slapi_counter_new();
 cfg->sasl_mapping_fallback = slapi_counter_new();
 init_sasl_mapping_fallback = LDAP_OFF;
+ cfg->sasl_max_bufsize = SLAPD_DEFAULT_SASL_MAXBUFSIZE;
 cfg->unhashed_pw_switch = SLAPD_UNHASHED_PW_ON;
 init_return_orig_type = cfg->return_orig_type = LDAP_OFF;
@@ -1731,8 +1739,8 @@ int
 config_set_ndn_cache_max_size(const char *attrname, char *value, char *errorbuf, int apply )
 {
 slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- long size;
 int retVal = LDAP_SUCCESS;
+ long size;
 size = atol(value);
 if(size < 0){
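Review bot: The same default is now spelled twice in the -176 hunk, as the string `DEFAULT_SASL_MAXBUFSIZE "65536"` consumed by the config table (-1033 hunk) and as the integer `SLAPD_DEFAULT_SASL_MAXBUFSIZE 65536` consumed by FrontendConfig_init (-1468 hunk), and nothing ties the two together; the new setter in libglobs.c additionally re-parses the string with atoi on every call. Keeping the integer as the single source and deriving the string from it through a two-level stringification macro, or at least having the setter compare against `SLAPD_DEFAULT_SASL_MAXBUFSIZE` directly, removes the drift risk; failing that, the string form needs a comment such as `/* must stay equal to SLAPD_DEFAULT_SASL_MAXBUFSIZE below */`. The -1731 hunk only swaps the order of two declarations in config_set_ndn_cache_max_size and is unrelated to the ticket, so it would read better as a separate change or be mentioned in the description.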
@@ -1753,6 +1761,29 @@ config_set_ndn_cache_max_size(const char *attrname, char *value, char *errorbuf, } int +config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply ) +{ + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + int retVal = LDAP_SUCCESS; + int default_size = atoi(DEFAULT_SASL_MAXBUFSIZE); + int size; + + size = atoi(value); + if(size < default_size){ + PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "nsslapd-sasl-max-buffer-size is too low (%d), " + "setting to default value (%d).\n",size, default_size); + size = default_size; + } + if(apply){ + CFG_LOCK_WRITE(slapdFrontendConfig); + slapdFrontendConfig->sasl_max_bufsize = size; + CFG_UNLOCK_WRITE(slapdFrontendConfig); + } + + return retVal; +} + +int config_set_return_orig_type_switch(const char *attrname, char *value, char *errorbuf, int apply) { slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); @@ -4228,6 +4259,19 @@ config_get_port(){ } int +config_get_sasl_maxbufsize() +{ + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + int retVal; + + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapdFrontendConfig->sasl_max_bufsize; + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; +} + +int config_get_ignore_vattrs() { slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h index 0bb923f..0da266b 100644 --- a/ldap/servers/slapd/proto-slap.h +++ b/ldap/servers/slapd/proto-slap.h 
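Review bot: config_set_sasl_maxbufsize parses its input with `size = atoi(value);`, so a non-numeric value becomes 0, is silently clamped to the default, and the function still returns LDAP_SUCCESS with a message left in errorbuf that, if errorbuf is only relayed to the caller on failure as the rest of this file appears to assume, the operator never sees; atoi also has no defined result for out-of-range input. Parsing with strtol, rejecting unparsable or oversized values with LDAP_OPERATIONS_ERROR, and using `attrname` instead of the hard-coded attribute name in the message would match the other setters, and the rewritten parse is below; the unchanged clamp and apply parts are elided. There is no upper bound at all, and since the value becomes the SASL maximum receive buffer advertised for every connection (saslbind.c hunk), it is the amount a single client may ask the server to buffer per wrapped packet, which deserves a comment on the setter such as `/* lower bound only: larger values raise the per-connection receive buffer a client can request */`. The getter added at -4228 is fine as far as it goes, though `config_get_sasl_maxbufsize(void)` would make it a proper prototype.
```c
int
config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply )
{
    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
    int retVal = LDAP_SUCCESS;
    int default_size = SLAPD_DEFAULT_SASL_MAXBUFSIZE;
    long size;
    char *endp = NULL;

    /* Reject non-numeric or out-of-range input instead of letting atoi() map it to 0 */
    errno = 0;
    size = strtol(value, &endp, 10);
    if (endp == value || *endp != '\0' || errno == ERANGE || size > INT_MAX) {
        PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
                    "%s: invalid value \"%s\", expected an integer between %d and %d",
                    attrname, value, default_size, INT_MAX);
        return LDAP_OPERATIONS_ERROR;
    }
    if (size < default_size) {
        /* … unchanged: report the clamp in errorbuf and fall back to default_size … */
    }
    /* … unchanged: store under CFG_LOCK_WRITE when apply is set, return retVal … */
```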
@@ -397,6 +397,7 @@ int config_set_ndn_cache_enabled(const char *attrname, char *value, char *errorb
 int config_set_ndn_cache_max_size(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_unhashed_pw_switch(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_return_orig_type_switch(const char *attrname, char *value, char *errorbuf, int apply);
+int config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply );
 #if !defined(_WIN32) && !defined(AIX)
 int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );
@@ -564,6 +565,7 @@ int config_get_ignore_vattrs();
 int config_set_sasl_mapping_fallback(const char *attrname, char *value, char *errorbuf, int apply);
 int config_get_sasl_mapping_fallback();
 int config_get_unhashed_pw_switch();
+int config_get_sasl_maxbufsize();
 PLHashNumber hashNocaseString(const void *key);
 PRIntn hashNocaseCompare(const void *v1, const void *v2);
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 78031dc..9119c8a 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -674,7 +674,7 @@ void ids_sasl_server_new(Connection *conn)
 }
 /* Enable security for this connection */
- secprops.maxbufsize = 2048; /* DBDB: hack */
+ secprops.maxbufsize = config_get_sasl_maxbufsize();
 secprops.max_ssf = 0xffffffff;
 secprops.min_ssf = config_get_minssf();
 /* If anonymous access is disabled, set the appropriate flag */
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index f1cd80e..a19e192 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
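Review bot: `secprops.maxbufsize = config_get_sasl_maxbufsize();` in the saslbind.c hunk stores an int into the Cyrus SASL `maxbufsize` member, which is unsigned; the lower bound enforced by config_set_sasl_maxbufsize keeps the value positive, but that invariant lives in another file and the line should say so, e.g. `/* advertised max receive buffer for wrapped SASL traffic; config enforces >= 65536 */`. The value is read when the connection's SASL context is set up, so a runtime change of nsslapd-sasl-max-buffer-size presumably reaches only contexts created afterwards, which the attribute's documentation should state. Raising the advertised ceiling from 2048 to 65536 also raises how much a single connection can have the server buffer per wrapped packet; that is a reasonable trade-off for PAC-bearing tickets, but worth one sentence in the commit description. ids_sasl_server_new continues outside the hunk, and the two proto-slap.h hunks are declaration-only.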
@@ -2073,6 +2073,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_ALLOWED_SASL_MECHS "nsslapd-allowed-sasl-mechanisms"
 #define CONFIG_IGNORE_VATTRS "nsslapd-ignore-virtual-attrs"
 #define CONFIG_SASL_MAPPING_FALLBACK "nsslapd-sasl-mapping-fallback"
+#define CONFIG_SASL_MAXBUFSIZE "nsslapd-sasl-max-buffer-size"
 #define CONFIG_SEARCH_RETURN_ORIGINAL_TYPE "nsslapd-search-return-original-type-switch"
 #ifdef MEMPOOL_EXPERIMENTAL
@@ -2297,6 +2298,7 @@ typedef struct _slapdFrontendConfig {
 int pagedsizelimit;
 char *default_naming_context; /* Default naming context (normalized) */
 char *allowed_sasl_mechs; /* comma/space separated list of allowed sasl mechs */
+ int sasl_max_bufsize; /* The max receive buffer size for SASL */
 /* disk monitoring */
 slapi_onoff_t disk_monitoring;