diff options
author | Fabio Erculiani <lxnay@gentoo.org> | 2012-10-02 20:23:36 +0000 |
---|---|---|
committer | Fabio Erculiani <lxnay@gentoo.org> | 2012-10-02 20:23:36 +0000 |
commit | 34a94ec29356c7a8ea96babfe1e22ad56bca015e (patch) | |
tree | 45c5c0fa214fb1d0e5d9c581a9c47b95df686b22 /net-nds/389-ds-base | |
parent | stable ppc ppc64, bug #436810 (diff) | |
download | gentoo-2-34a94ec29356c7a8ea96babfe1e22ad56bca015e.tar.gz gentoo-2-34a94ec29356c7a8ea96babfe1e22ad56bca015e.tar.bz2 gentoo-2-34a94ec29356c7a8ea96babfe1e22ad56bca015e.zip |
version bump, closes #405127, #428178, #436768
(Portage version: 2.2.0_alpha123/cvs/Linux x86_64)
Diffstat (limited to 'net-nds/389-ds-base')
-rw-r--r-- | net-nds/389-ds-base/389-ds-base-1.2.11.15.ebuild (renamed from net-nds/389-ds-base/389-ds-base-1.2.8.3.ebuild) | 21 | ||||
-rw-r--r-- | net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild | 199 | ||||
-rw-r--r-- | net-nds/389-ds-base/ChangeLog | 11 | ||||
-rw-r--r-- | net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch | 28 | ||||
-rw-r--r-- | net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch | 367 |
5 files changed, 417 insertions, 209 deletions
diff --git a/net-nds/389-ds-base/389-ds-base-1.2.8.3.ebuild b/net-nds/389-ds-base/389-ds-base-1.2.11.15.ebuild index cb1c90e55a6a..9dc293126a49 100644 --- a/net-nds/389-ds-base/389-ds-base-1.2.8.3.ebuild +++ b/net-nds/389-ds-base/389-ds-base-1.2.11.15.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2012 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/389-ds-base-1.2.8.3.ebuild,v 1.4 2012/05/03 04:24:37 jdhore Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/389-ds-base-1.2.11.15.ebuild,v 1.1 2012/10/02 20:23:36 lxnay Exp $ EAPI=2 @@ -19,22 +19,21 @@ KEYWORDS="~amd64 ~x86" IUSE="autobind auto-dn-suffix debug doc +pam-passthru +dna +ldapi +bitwise +presence kerberos selinux" ALL_DEPEND="!>=sys-libs/db-5.0 + >=dev-libs/cyrus-sasl-2.1.19 + >=dev-libs/icu-3.4 dev-libs/nss[utils] dev-libs/nspr dev-libs/svrcore + dev-libs/openssl + dev-libs/libpcre:3 dev-libs/mozldap - >=dev-libs/cyrus-sasl-2.1.19 - >=dev-libs/icu-3.4 - >=sys-libs/db-4.5 + dev-perl/perl-mozldap >=net-analyzer/net-snmp-5.1.2 - dev-libs/openssl sys-apps/tcp-wrappers + >=sys-libs/db-4.5 sys-libs/pam sys-libs/zlib - dev-perl/perl-mozldap - dev-libs/libpcre:3 - kerberos? ( net-nds/openldap - >=app-crypt/mit-krb5-1.7-r100[openldap] ) + kerberos? ( net-nds/openldap >=app-crypt/mit-krb5-1.7-r100[openldap] ) selinux? ( >=sys-apps/policycoreutils-1.30.30 sec-policy/selinux-base-policy )" @@ -57,6 +56,10 @@ pkg_setup() { src_prepare() { epatch "${FILESDIR}/selinux.patch" + # Fix compilation against mozldap + epatch "${FILESDIR}/389-ds-base-1.2.11-fix-mozldap.patch" + # Upstream patch, will be in 1.2.11.16, fixes CVE-2012-4450 + epatch "${FILESDIR}/389-ds-base-1.2.11.16-cve-2012-4450.patch" # as per 389 documentation, when 64bit, export USE_64 use amd64 && export USE_64=1 diff --git a/net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild b/net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild deleted file mode 100644 index b6bb8ac18d08..000000000000 --- a/net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild +++ /dev/null @@ -1,199 +0,0 @@ -# Copyright 1999-2012 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild,v 1.2 2012/05/03 04:24:37 jdhore Exp $ - -EAPI=2 - -WANT_AUTOMAKE="1.9" -MY_P=${P/_alpha/.a} -MY_P=${MY_P/_rc/.rc} -inherit eutils multilib flag-o-matic autotools - -DESCRIPTION="389 Directory Server (core librares and daemons )" -HOMEPAGE="http://port389.org/" -SRC_URI="http://directory.fedoraproject.org/sources/${MY_P}.tar.bz2" - -LICENSE="GPL-2-with-exceptions" -SLOT="0" -KEYWORDS="~amd64 ~x86" -IUSE="autobind auto-dn-suffix debug doc +pam-passthru +dna +ldapi +bitwise +presence kerberos selinux" - -ALL_DEPEND="!>=sys-libs/db-5.0 - dev-libs/nss[utils] - dev-libs/nspr - dev-libs/svrcore - dev-libs/mozldap - >=dev-libs/cyrus-sasl-2.1.19 - >=dev-libs/icu-3.4 - >=sys-libs/db-4.5 - >=net-analyzer/net-snmp-5.1.2 - dev-libs/openssl - sys-apps/tcp-wrappers - sys-libs/pam - sys-libs/zlib - dev-perl/perl-mozldap - dev-libs/libpcre:3 - kerberos? ( net-nds/openldap - >=app-crypt/mit-krb5-1.7-r100[openldap] ) - selinux? ( >=sys-apps/policycoreutils-1.30.30 - sec-policy/selinux-base-policy )" - -DEPEND="${ALL_DEPEND} - virtual/pkgconfig - sys-devel/libtool - doc? ( app-doc/doxygen ) - selinux? ( sys-devel/m4 >=sys-apps/checkpolicy-1.30.12 ) - sys-apps/sed" -RDEPEND="${ALL_DEPEND} - virtual/perl-Time-Local - virtual/perl-MIME-Base64" - -S="${WORKDIR}/${MY_P}" - -pkg_setup() { - enewgroup dirsrv - enewuser dirsrv -1 -1 -1 dirsrv -} - -src_prepare() { - epatch "${FILESDIR}/selinux.patch" - - # as per 389 documentation, when 64bit, export USE_64 - use amd64 && export USE_64=1 - - sed -i -e 's/nobody/dirsrv/g' configure.ac || die "sed failed on configure.ac" - eautoreconf - - # enable nsslapd-allow-unauthenticated-binds by default - sed -i '/^nsslapd-allow-unauthenticated-binds/ s/off/on/' "${S}"/ldap/ldif/template-dse.ldif.in || \ - die "cannot tweak default setting: nsslapd-allow-unauthenticated-binds" - -} - -src_configure() { - local myconf="" - - use auto-dn-suffix && myconf="${myconf} --enable-auto-dn-suffix" - use selinux && myconf="${myconf} --with-selinux" - - econf \ - $(use_enable debug) \ - $(use_enable pam-passthru) \ - $(use_enable ldapi) \ - $(use_enable autobind) \ - $(use_enable dna) \ - $(use_enable bitwise) \ - $(use_enable presence) \ - $(use_with kerberos) \ - --enable-maintainer-mode \ - --enable-autobind \ - --with-fhs \ - $myconf || die "econf failed" -} - -src_compile() { - append-lfs-flags - - # Use -j1 otherwise libacl-plugin.so could fail to install properly - emake -j1 || die "compile failed" - if use selinux; then - emake -f selinux/Makefile || die " build selinux policy failed" - fi -} - -src_install () { - # Use -j1 otherwise libacl-plugin.so could fail to install properly - emake -j1 DESTDIR="${D}" install || die "emake install failed" - - if use selinux;then - emake -f selinux/Makefile DESTDIR="${D}" install || die "Install selinux policy failed" - fi - - # install not installed header - insinto /usr/include/dirsrv - doins ldap/servers/slapd/slapi-plugin.h - - # for build free-ipa require winsync-plugin - doins ldap/servers/plugins/replication/winsync-plugin.h - doins ldap/servers/plugins/replication/repl-session-plugin.h - - # make sure perl scripts have a proper shebang - cd "${D}"/usr/share/dirsrv/script-templates/ - - for i in $(find ./ -iname '*.pl') ;do - sed -i -e 's/#{{PERL-EXEC}}/#\!\/usr\/bin\/perl/' $i || die - done - - # remove redhat style init script - rm -rf "${D}"/etc/rc.d || die - rm -rf "${D}"/etc/default || die - - # and install gentoo style init script - newinitd "${FILESDIR}"/389-ds.initd 389-ds - newinitd "${FILESDIR}"/389-ds-snmp.initd 389-ds-snmp - - # install Gentoo-specific start/stop scripts - rm -f "${D}"/usr/sbin/{re,}start-dirsrv || die "cannot remove 389 start/stop executables" - exeinto /usr/sbin - doexe "${FILESDIR}"/{re,}start-dirsrv - - # cope with libraries being in /usr/lib/dirsrv - dodir /etc/env.d - echo "LDPATH=/usr/$(get_libdir)/dirsrv" > "${D}"/etc/env.d/08dirsrv - - # create the directory where our log file and database - diropts -m 0755 - dodir /var/lib/dirsrv - keepdir /var/lib/dirsrv - dodir /var/lock/dirsrv - keepdir /var/lock/dirsrv - # snmp agent, required directory - keepdir /var/agentx - dodir /var/agentx - - if use doc; then - cd "${S}" - doxygen slapi.doxy || die "cannot run doxygen" - dohtml -r docs/html - fi -} - -pkg_postinst() { - if use selinux; then - if has "loadpolicy" $FEATURES; then - einfo "Inserting the following modules into the module store" - cd /usr/share/selinux/targeted # struct policy not supported - semodule -s dirsrv -i dirsrv.pp - else - elog - elog "Policy has not been loaded. It is strongly suggested" - elog "that the policy be loaded before continuing!!" - elog - elog "Automatic policy loading can be enabled by adding" - elog "\"loadpolicy\" to the FEATURES in make.conf." - elog - ebeep 4 - fi - fi - - elog - elog "If you are planning to use 389-ds-snmp (ldap-agent)," - elog "make sure to properly configure: /etc/dirsrv/config/ldap-agent.conf" - elog "adding proper 'server' entries, and adding the lines below to" - elog " => /etc/snmp/snmpd.conf" - elog - elog "master agentx" - elog "agentXSocket /var/agentx/master" - elog - elog - elog "To start 389 Directory Server (LDAP service) at boot:" - elog - elog " rc-update add 389-ds default" - elog - - elog "If you are upgrading from previous 1.2.6 release candidates" - elog "please see:" - elog "http://directory.fedoraproject.org/wiki/Subtree_Rename#warning:_upgrade_from_389_v1.2.6_.28a.3F.2C_rc1_.7E_rc6.29_to_v1.2.6_rc6_or_newer" - elog - -} diff --git a/net-nds/389-ds-base/ChangeLog b/net-nds/389-ds-base/ChangeLog index a9822c80cca0..fe906aed3134 100644 --- a/net-nds/389-ds-base/ChangeLog +++ b/net-nds/389-ds-base/ChangeLog @@ -1,6 +1,15 @@ # ChangeLog for net-nds/389-ds-base # Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/ChangeLog,v 1.21 2012/05/03 04:24:37 jdhore Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/ChangeLog,v 1.22 2012/10/02 20:23:36 lxnay Exp $ + +*389-ds-base-1.2.11.15 (02 Oct 2012) + + 02 Oct 2012; Fabio Erculiani <lxnay@gentoo.org> + +389-ds-base-1.2.11.15.ebuild, + +files/389-ds-base-1.2.11.16-cve-2012-4450.patch, + +files/389-ds-base-1.2.11-fix-mozldap.patch, -389-ds-base-1.2.8.3.ebuild, + -389-ds-base-1.2.9.6.ebuild: + version bump, closes #405127, #428178, #436768 03 May 2012; Jeff Horelick <jdhore@gentoo.org> 389-ds-base-1.2.8.3.ebuild, 389-ds-base-1.2.9.6.ebuild: diff --git a/net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch b/net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch new file mode 100644 index 000000000000..7c99085e3d3b --- /dev/null +++ b/net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch @@ -0,0 +1,28 @@ +commit f5bd0ed47523b39aedb6bcc1f9c0754371159a77 +Author: Rich Megginson <rmeggins at redhat.com> +Date: Fri Sep 14 09:20:18 2012 -0600 + + Ticket #461 - fix build problem with mozldap c sdk + + https://fedorahosted.org/389/ticket/461 + Reviewed by: rmeggins + Fixed by: cgrzemba + Branch: master + Fix Description: mozldap does not define LDAP_MOD_OP so define it + Platforms tested: RHEL6 x86_64 + Flag Day: no + Doc impact: no + +diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c +index bfd48b1..4736e82 100644 +--- a/ldap/servers/slapd/pw.c ++++ b/ldap/servers/slapd/pw.c +@@ -61,6 +61,9 @@ + #if defined( _WIN32 ) + #undef LDAPDebug + #endif /* _WIN32 */ ++#if defined( USE_MOZLDAP ) ++#define LDAP_MOD_OP (0x0007) ++#endif /* USE_MOZLDAP */ + + #include "slap.h" diff --git a/net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch b/net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch new file mode 100644 index 000000000000..54d9b1b975d7 --- /dev/null +++ b/net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch @@ -0,0 +1,367 @@ +From 5beb93d42efb807838c09c5fab898876876f8d09 Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi <nhosoi@totoro.usersys.redhat.com> +Date: Fri, 21 Sep 2012 19:35:18 +0000 +Subject: Trac Ticket #340 - Change on SLAPI_MODRDN_NEWSUPERIOR is not + + evaluated in acl + +https://fedorahosted.org/389/ticket/340 + +Bug Description: When modrdn operation was executed, only newrdn +change was passed to the acl plugin. Also, the change was used +only for the acl search, but not for the acl target in the items +in the acl cache. + +Fix Description: This patch also passes the newsuperior update +to the acl plugin. And the modrdn updates are applied to the +acl target in the acl cache. +--- +diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c +index 15e474e..3389404 100644 +--- a/ldap/servers/plugins/acl/acl.c ++++ b/ldap/servers/plugins/acl/acl.c +@@ -170,9 +170,9 @@ acl_access_allowed_modrdn( + * Test if have access to make the first rdn of dn in entry e. + */ + +-static int check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, const char *dn, +- int access) { +- ++static int ++check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, const char *dn, int access) ++{ + char **dns; + char **rdns; + int retCode = LDAP_INSUFFICIENT_ACCESS; +@@ -655,7 +655,8 @@ cleanup_and_ret: + + } + +-static void print_access_control_summary( char *source, int ret_val, char *clientDn, ++static void ++print_access_control_summary( char *source, int ret_val, char *clientDn, + struct acl_pblock *aclpb, + char *right, + char *attr, +@@ -1524,11 +1525,12 @@ acl_check_mods( + * + **************************************************************************/ + extern void +-acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change) ++acl_modified (Slapi_PBlock *pb, int optype, Slapi_DN *e_sdn, void *change) + { + struct berval **bvalue; + char **value; + int rv=0; /* returned value */ ++ const char* n_dn; + char* new_RDN; + char* parent_DN; + char* new_DN; +@@ -1537,10 +1539,12 @@ acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change) + int j; + Slapi_Attr *attr = NULL; + Slapi_Entry *e = NULL; +- Slapi_DN *e_sdn; + aclUserGroup *ugroup = NULL; + +- e_sdn = slapi_sdn_new_normdn_byval ( n_dn ); ++ if (NULL == e_sdn) { ++ return; ++ } ++ n_dn = slapi_sdn_get_dn(e_sdn); + /* Before we proceed, Let's first check if we are changing any groups. + ** If we are, then we need to change the signature + */ +@@ -1768,45 +1772,64 @@ acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change) + } + + break; +- }/* case op is modify*/ ++ }/* case op is modify*/ + +- case SLAPI_OPERATION_MODRDN: +- +- new_RDN = (char*) change; +- slapi_log_error (SLAPI_LOG_ACL, plugin_name, +- "acl_modified (MODRDN %s => \"%s\"\n", +- n_dn, new_RDN); ++ case SLAPI_OPERATION_MODRDN: ++ { ++ char **rdn_parent; ++ rdn_parent = (char **)change; ++ new_RDN = rdn_parent[0]; ++ parent_DN = rdn_parent[1]; + + /* compute new_DN: */ +- parent_DN = slapi_dn_parent (n_dn); +- if (parent_DN == NULL) { +- new_DN = new_RDN; ++ if (NULL == parent_DN) { ++ parent_DN = slapi_dn_parent(n_dn); ++ } ++ if (NULL == parent_DN) { ++ if (NULL == new_RDN) { ++ slapi_log_error (SLAPI_LOG_ACL, plugin_name, ++ "acl_modified (MODRDN %s => \"no change\"\n", ++ n_dn); ++ break; ++ } else { ++ new_DN = new_RDN; ++ } + } else { +- new_DN = slapi_create_dn_string("%s,%s", new_RDN, parent_DN); ++ if (NULL == new_RDN) { ++ Slapi_RDN *rdn= slapi_rdn_new(); ++ slapi_sdn_get_rdn(e_sdn, rdn); ++ new_DN = slapi_create_dn_string("%s,%s", slapi_rdn_get_rdn(rdn), ++ parent_DN); ++ slapi_rdn_free(&rdn); ++ } else { ++ new_DN = slapi_create_dn_string("%s,%s", new_RDN, parent_DN); ++ } + } ++ slapi_log_error (SLAPI_LOG_ACL, plugin_name, ++ "acl_modified (MODRDN %s => \"%s\"\n", n_dn, new_RDN); + + /* Change the acls */ +- acllist_acicache_WRITE_LOCK(); ++ acllist_acicache_WRITE_LOCK(); + /* acllist_moddn_aci_needsLock expects normalized new_DN, + * which is no need to be case-ignored */ + acllist_moddn_aci_needsLock ( e_sdn, new_DN ); + acllist_acicache_WRITE_UNLOCK(); + + /* deallocat the parent_DN */ +- if (parent_DN != NULL) { +- slapi_ch_free ( (void **) &new_DN ); +- slapi_ch_free ( (void **) &parent_DN ); ++ if (parent_DN != NULL) { ++ slapi_ch_free_string(&new_DN); ++ if (parent_DN != rdn_parent[1]) { ++ slapi_ch_free_string(&parent_DN); ++ } + } + break; +- +- default: ++ } /* case op is modrdn */ ++ default: + /* print ERROR */ + break; + } /*optype switch */ +- +- slapi_sdn_free ( &e_sdn ); +- + } ++ + /*************************************************************************** + * + * acl__scan_for_acis +diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h +index 4fa3e3f..28c38e7 100644 +--- a/ldap/servers/plugins/acl/acl.h ++++ b/ldap/servers/plugins/acl/acl.h +@@ -796,7 +796,8 @@ int acl_read_access_allowed_on_attr ( Slapi_PBlock *pb, Slapi_Entry *e, char + struct berval *val, int access); + void acl_set_acllist (Slapi_PBlock *pb, int scope, char *base); + void acl_gen_err_msg(int access, char *edn, char *attr, char **errbuf); +-void acl_modified ( Slapi_PBlock *pb, int optype, char *dn, void *change); ++void acl_modified (Slapi_PBlock *pb, int optype, Slapi_DN *e_sdn, void *change); ++ + int acl_access_allowed_disjoint_resource( Slapi_PBlock *pb, Slapi_Entry *e, + char *attr, struct berval *val, int access ); + int acl_access_allowed_main ( Slapi_PBlock *pb, Slapi_Entry *e, char **attrs, +@@ -866,7 +867,7 @@ void acllist_print_tree ( Avlnode *root, int *depth, char *start, char *side); + AciContainer *acllist_get_aciContainer_new ( ); + void acllist_done_aciContainer ( AciContainer *); + +-aclUserGroup* aclg_find_userGroup (char *n_dn); ++aclUserGroup* aclg_find_userGroup (const char *n_dn); + void aclg_regen_ugroup_signature( aclUserGroup *ugroup); + void aclg_markUgroupForRemoval ( aclUserGroup *u_group ); + void aclg_reader_incr_ugroup_refcnt(aclUserGroup* u_group); +diff --git a/ldap/servers/plugins/acl/aclgroup.c b/ldap/servers/plugins/acl/aclgroup.c +index c694293..2231304 100644 +--- a/ldap/servers/plugins/acl/aclgroup.c ++++ b/ldap/servers/plugins/acl/aclgroup.c +@@ -213,7 +213,7 @@ aclg_reset_userGroup ( struct acl_pblock *aclpb ) + */ + + aclUserGroup* +-aclg_find_userGroup(char *n_dn) ++aclg_find_userGroup(const char *n_dn) + { + aclUserGroup *u_group = NULL; + int i; +diff --git a/ldap/servers/plugins/acl/acllist.c b/ldap/servers/plugins/acl/acllist.c +index 9b5363a..e8198af 100644 +--- a/ldap/servers/plugins/acl/acllist.c ++++ b/ldap/servers/plugins/acl/acllist.c +@@ -600,7 +600,6 @@ void + acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base) + { + Acl_PBlock *aclpb; +- int i; + AciContainer *root; + char *basedn = NULL; + int index; +@@ -671,11 +670,6 @@ acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base) + aclpb->aclpb_state &= ~ACLPB_SEARCH_BASED_ON_LIST ; + + acllist_acicache_READ_UNLOCK(); +- +- i = 0; +- while ( i < aclpb_max_selected_acls && aclpb->aclpb_base_handles_index[i] != -1 ) { +- i++; +- } + } + + /* +@@ -893,34 +887,50 @@ acllist_acicache_WRITE_LOCK( ) + int + acllist_moddn_aci_needsLock ( Slapi_DN *oldsdn, char *newdn ) + { +- +- + AciContainer *aciListHead; + AciContainer *head; ++ aci_t *acip; ++ const char *oldndn; + + /* first get the container */ + + aciListHead = acllist_get_aciContainer_new ( ); + slapi_sdn_free(&aciListHead->acic_sdn); +- aciListHead->acic_sdn = oldsdn; +- ++ aciListHead->acic_sdn = oldsdn; + + if ( NULL == (head = (AciContainer *) avl_find( acllistRoot, aciListHead, +- (IFP) __acllist_aciContainer_node_cmp ) ) ) { ++ (IFP) __acllist_aciContainer_node_cmp ) ) ) { + + slapi_log_error ( SLAPI_PLUGIN_ACL, plugin_name, +- "Can't find the acl in the tree for moddn operation:olddn%s\n", +- slapi_sdn_get_ndn ( oldsdn )); ++ "Can't find the acl in the tree for moddn operation:olddn%s\n", ++ slapi_sdn_get_ndn ( oldsdn )); + aciListHead->acic_sdn = NULL; + __acllist_free_aciContainer ( &aciListHead ); +- return 1; ++ return 1; + } + +- +- /* Now set the new DN */ +- slapi_sdn_done ( head->acic_sdn ); +- slapi_sdn_set_normdn_byval ( head->acic_sdn, newdn ); +- ++ /* Now set the new DN */ ++ slapi_sdn_set_normdn_byval(head->acic_sdn, newdn); ++ ++ /* If necessary, reset the target DNs, as well. */ ++ oldndn = slapi_sdn_get_ndn(oldsdn); ++ for (acip = head->acic_list; acip; acip = acip->aci_next) { ++ const char *ndn = slapi_sdn_get_ndn(acip->aci_sdn); ++ char *p = PL_strstr(ndn, oldndn); ++ if (p) { ++ if (p == ndn) { ++ /* target dn is identical, replace it with new DN*/ ++ slapi_sdn_set_normdn_byval(acip->aci_sdn, newdn); ++ } else { ++ /* target dn is a descendent of olddn, merge it with new DN*/ ++ char *mynewdn; ++ *p = '\0'; ++ mynewdn = slapi_ch_smprintf("%s%s", ndn, newdn); ++ slapi_sdn_set_normdn_passin(acip->aci_sdn, mynewdn); ++ } ++ } ++ } ++ + aciListHead->acic_sdn = NULL; + __acllist_free_aciContainer ( &aciListHead ); + +diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c +index 11e56a9..b79d0f2 100644 +--- a/ldap/servers/slapd/dn.c ++++ b/ldap/servers/slapd/dn.c +@@ -2097,7 +2097,7 @@ slapi_sdn_set_normdn_byval(Slapi_DN *sdn, const char *normdn) + slapi_sdn_done(sdn); + sdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN); + if(normdn == NULL) { +- sdn->dn = slapi_ch_strdup(normdn); ++ sdn->dn = NULL; + sdn->ndn_len = 0; + } else { + sdn->dn = slapi_ch_strdup(normdn); +diff --git a/ldap/servers/slapd/plugin_acl.c b/ldap/servers/slapd/plugin_acl.c +index b878156..3bc3f21 100644 +--- a/ldap/servers/slapd/plugin_acl.c ++++ b/ldap/servers/slapd/plugin_acl.c +@@ -134,11 +134,10 @@ int + plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype ) + { + struct slapdplugin *p; +- char *dn; + int rc = 0; +- void *change = NULL; +- Slapi_Entry *te = NULL; +- Slapi_DN *sdn = NULL; ++ void *change = NULL; ++ Slapi_Entry *te = NULL; ++ Slapi_DN *sdn = NULL; + Operation *operation; + + slapi_pblock_get (pb, SLAPI_OPERATION, &operation); +@@ -146,7 +145,7 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype ) + (void)slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn ); + + switch ( optype ) { +- case SLAPI_OPERATION_MODIFY: ++ case SLAPI_OPERATION_MODIFY: + (void)slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &change ); + break; + case SLAPI_OPERATION_ADD: +@@ -158,11 +157,27 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype ) + } + break; + case SLAPI_OPERATION_MODRDN: ++ { ++ void *mychange[2]; ++ char *newrdn = NULL; ++ Slapi_DN *psdn = NULL; ++ char *pdn = NULL; ++ + /* newrdn: "change" is normalized but not case-ignored */ + /* The acl plugin expects normalized newrdn, but no need to be case- + * ignored. */ +- (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &change ); ++ (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn ); ++ (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &psdn ); ++ if (psdn) { ++ pdn = (char *)slapi_sdn_get_dn(psdn); ++ } else { ++ (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &pdn ); ++ } ++ mychange[0] = newrdn; ++ mychange[1] = pdn; ++ change = mychange; + break; ++ } + } + + if (NULL == sdn) { +@@ -172,10 +187,9 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype ) + } + + /* call the global plugins first and then the backend specific */ +- dn = (char*)slapi_sdn_get_ndn(sdn); /* jcm - Had to cast away const */ + for ( p = get_plugin_list(PLUGIN_LIST_ACL); p != NULL; p = p->plg_next ) { + if (plugin_invoke_plugin_sdn(p, SLAPI_PLUGIN_ACL_MODS_UPDATE, pb, sdn)){ +- rc = (*p->plg_acl_mods_update)(pb, optype, dn, change ); ++ rc = (*p->plg_acl_mods_update)(pb, optype, sdn, change ); + if ( rc != LDAP_SUCCESS ) break; + } + } +-- +cgit v0.9.0.2 |