From 7f3f97867e184a71f3988eed2365699d547687c6 Mon Sep 17 00:00:00 2001 From: German Parente Date: Jan 17 2019 13:17:35 +0000 Subject: Fix for ticket 50059: If an object is nsds5replica, it must be cn=replica Bug Description: We should enforce that if an object is of type nsds5replica, it must be named cn=replica. This has caused some confusion where people have misconfigured their system by trying alternate names. Fix Description: Check that rdn of replica dn is exactly REPLICA_RDN https://pagure.io/389-ds-base/issue/50059 Author: German Parente Review by: ???
---
diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
index eb5e5a4..7ac7e04 100644
--- a/ldap/servers/plugins/replication/repl5_replica_config.c
+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
@@ -188,6 +188,11 @@ replica_config_destroy()
 CONFIG_FILTER, replica_config_post_modify);
 }
+#define MSG_NOREPLICARDN "no replica rdn\n"
+#define MSG_NOREPLICANORMRDN "no replica normalized rdn\n"
+#define MSG_CNREPLICA "replica rdn %s should be %s\n"
+#define MSG_ALREADYCONFIGURED "replica already configured for %s\n"
+
 static int
 replica_config_add(Slapi_PBlock *pb __attribute__((unused)),
 Slapi_Entry *e,
@@ -199,15 +204,48 @@ replica_config_add(Slapi_PBlock *pb __attribute__((unused)),
 Replica *r = NULL;
 multimaster_mtnode_extension *mtnode_ext;
 char *replica_root = (char *)slapi_entry_attr_get_charptr(e, attr_replicaRoot);
- char buf[SLAPI_DSE_RETURNTEXT_SIZE];
- char *errortext = errorbuf ? errorbuf : buf;
+ char *errortext = NULL;
+ Slapi_RDN *replicardn;
- if (errorbuf) {
- errorbuf[0] = '\0';
+ if (errorbuf != NULL) {
+ errortext = errorbuf;
 }
 *returncode = LDAP_SUCCESS;
+ /* check rdn is "cn=replica" */
+ replicardn = slapi_rdn_new_sdn(slapi_entry_get_sdn(e));
+ if (replicardn) {
+ char *nrdn = slapi_rdn_get_nrdn(replicardn);
+ if (nrdn == NULL) {
+ if (errortext != NULL) {
+ strcpy(errortext, MSG_NOREPLICANORMRDN);
+ }
+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_add - "MSG_NOREPLICANORMRDN);
+ slapi_rdn_free(&replicardn);
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ return SLAPI_DSE_CALLBACK_ERROR;
+ } else {
+ if (strcmp(nrdn,REPLICA_RDN)!=0) {
+ if (errortext != NULL) {
+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,MSG_CNREPLICA, nrdn, REPLICA_RDN);
+ }
+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name,"replica_config_add - "MSG_CNREPLICA, nrdn, REPLICA_RDN);
+ slapi_rdn_free(&replicardn);
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ return SLAPI_DSE_CALLBACK_ERROR;
+ }
+ slapi_rdn_free(&replicardn);
+ }
+ } else {
+ if (errortext != NULL) {
+ strcpy(errortext, MSG_NOREPLICARDN);
+ }
+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_add - "MSG_NOREPLICARDN);
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ return SLAPI_DSE_CALLBACK_ERROR;
+ }
+
 PR_Lock(s_configLock);
 /* add the dn to the dn hash so we can tell this replica is being configured */
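Review bot: The three new `return SLAPI_DSE_CALLBACK_ERROR;` paths in the RDN check leave the function directly, after `replica_root` has already been fetched with slapi_entry_attr_get_charptr() in the declarations, while the rest of the function exits through `goto done` (the label is outside this hunk). If `done:` is where `replica_root` is released, every rejected add leaks that string; declaring `char *replica_root = NULL;` and fetching it only after the RDN check, or calling `slapi_ch_free_string(&replica_root);` before each return, avoids it. The two `strcpy(errortext, ...)` calls are the only unbounded writes into the caller's buffer here; `PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "%s", MSG_NOREPLICARDN);` (and the same for MSG_NOREPLICANORMRDN) would match the bounded MSG_CNREPLICA branch. The hunk also drops `errorbuf[0] = '\0';`, so on the success path the caller's buffer is no longer cleared.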
@@ -217,8 +255,10 @@ replica_config_add(Slapi_PBlock *pb __attribute__((unused)),
 PR_ASSERT(mtnode_ext);
 if (mtnode_ext->replica) {
- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "replica already configured for %s", replica_root);
- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_add - %s\n", errortext);
+ if ( errortext != NULL ) {
+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, MSG_ALREADYCONFIGURED, replica_root);
+ }
+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_add - "MSG_ALREADYCONFIGURED, replica_root);
 *returncode = LDAP_UNWILLING_TO_PERFORM;
 goto done;
 }
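Review bot: With the local `buf` fallback removed earlier in this commit, `errortext` is NULL whenever the caller passes no `errorbuf`, and this hunk guards only the "already configured" branch. Any other write to `errortext` further down replica_config_add (outside the visible hunks) needs the same `if (errortext != NULL)` guard, otherwise it becomes a NULL dereference. MSG_ALREADYCONFIGURED ends in `\n`, so the text returned to the client now carries a trailing newline that the old `"replica already configured for %s"` did not; keeping the newline out of the macro and appending it only in the slapi_log_err() format would preserve the previous result text. Minor: `if ( errortext != NULL )` is spaced differently from the `if (errortext != NULL)` checks added in the previous hunk.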