summaryrefslogtreecommitdiff
path: root/usr.sbin/ldapd
AgeCommit message (Collapse)Author
2023-06-26Improve the conn_err() bufferevent error callback. To better report errors.Claudio Jeker
OK kn@
2023-04-30avoid use after freeJonathan Gray
ok jmatthew@
2023-03-08Delete obsolete /* ARGSUSED */ lint comments.Philip Guenther
ok miod@ millert@
2023-03-02improve the Nd lines such that the format is consistent for theJason McIntyre
various *d, *conf, *ctl files (where relevant) and simple; also makes "man -k routing" more useful; help from claudio and florian ok claudio florian millert
2023-03-01Change fatal() to fatalx() since the errno has no meaning here.Claudio Jeker
OK tb@
2023-02-03Add void to conn_close_any()Theo Buehler
This makes the function definition match the prototype and silences a clang-15 warning.
2022-10-12avoid use after free in error pathsJonathan Gray
ok miod@ martijn@
2022-06-29Use strncasecmp instead of strncmp when comparing the password scheme.Martijn van Duren
This change could theoretically affect some people who actually have one of the scheme's in lower case in their password, but this is extremely unlikely in the real world. Pointed out by David Diggles (david <at> elven <dot> com <dot> au) OK sthen@
2022-02-10unveil _PATH_LOGIN_CONF_DRobert Nagy
2021-12-20When removing the last value from an attribute in ldap_del_values()Claudio Jeker
the actuall attribute needs to removed instead of leaving back an empty attribute. Empty attributes are not valid and fail later on in ldap_modify(). By calling ldap_del_attribute() in this case properly removes the attribute and with that validate_entry() no longer fails later on. OK jmatthew@
2021-12-20Add some debug messages in validate_entry() that explain whyClaudio Jeker
LDAP_INVALID_SYNTAX is returned. OK jmatthew@
2021-12-19log_warn -> log_warnx since the warning printed uses tls_error()Claudio Jeker
and therefor printing the errno as well makes no sense.
2021-12-15include unistd.h directly rather than pulling it in via zlib's zconf.hTheo Buehler
(needed for getdtablecount).
2021-12-15ldapd always uses O_CREAT when reopening database files, so the databaseJonathan Matthew
directory must be unveiled with "rwc" rather than just "rw". ok deraadt@ mestre@
2021-12-15PATH_MAX+1 rarely makes sense, and abort if this happens in the imsg.Theo de Raadt
ok jmatthew millert
2021-12-13including sys/cdefs.h manually started as a result of netbsd trying toTheo de Raadt
macro-build a replacement for sccsid, and was done without any concern for namespace damage. Unfortunately this practice started infecting other code as others were unaware they didn't need the file. ok millert guenther
2021-10-15Don't declare variables as "unsigned char *" that are passed toChristian Weisgerber
functions that take "char *" arguments. Where such chars are assigned to int or passed to ctype functions, explicitly cast them to unsigned char. For OpenBSD's clang, -Wpointer-sign has been disabled by default, but when the parse.y code was built elsewhere, the compiler would complain. With help from millert@ ok benno@ deraadt@
2021-10-07Call normalize_dn() on the newly added namespace so that later comparesClaudio Jeker
with normalized basedns work. Seems all other DN attributes in parse.y pass through normalize_dn() so this seems to be the last one missing out. With this configs using capitalized namespace DN like o=OpenBSD,c=CA will actually work. OK kn@ gsoares@
2021-10-07Change host() error check to the more simple for of != 1.Claudio Jeker
Host() return 1 on success and 0 or -1 on failure. OK kn@ gsoares@
2021-07-14Remove unneeded calls to tls_init(3)kn
As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions. Remove explicit tls_init() calls from base to not give the impression of it being needed. Feedback tb OK Tests mestre
2021-07-12Change the error reporting pattern throughout the tree when unveilBob Beck
fails to report the path that the failure occured on. Suggested by deraadt@ after some tech discussion. Work done and verified by Ashton Fagg <ashton@fagg.id.au> ok deraadt@ semarie@ claudio@
2021-05-02Fix having hostnames in the listen on statement. Regression introduced inMartijn van Duren
r1.39. Issue originally reported by Anton Kasimov via rob@. OK claudio@
2021-04-20Move TAILQ initialization to files where they are used.dv
These priv-sep daemons all follow a similar design and use TAILQs for tracking control process connections. In most cases, the TAILQs are initialized separate from where they are used. Since the scope of use is generally confined to a specific control process file, this commit also removes any extern definitions and exposing the TAILQ structures to other compilation units. ok bluhm@, tb@
2021-01-28Add ldap(1) to the SEE ALSO section. OK deraadt@Todd C. Miller
2021-01-27Unveil ldapd. Follow recent precedent and elect to forego the unlinking ofrob
some objects at shutdown thereby allowing for a tighter unveil. Feedbackup from deraadt@ and martijn@. OK deraadt@
2021-01-27these programs (with common ancestry) had a -fno-common problem relatedTheo de Raadt
to privsep_procid. ok mortimer
2021-01-17Comply with man page intent of -dvv enabling BER level logging.rob
Tweak and ok martijn@
2021-01-09Remove locally imposed limit on sockets.rob
Suggested by martijn@, ok claudio@
2020-12-30getifaddrs() can return entries where ifa_addr is NULL. Check for thisSebastian Benoit
before accessing anything in ifa_addr. ok claudio@
2020-11-29Silence -Wsign-compare whining in bsnprintf()Theo Buehler
This warning was present since an incorrect cast was removed in r1.11. Add the cast to the correct place, i.e., cast to the wider type. ok florian martijn
2020-11-29Fix cert and key path inference for absolute pathsTheo Buehler
ldapd infers certificate and key paths from the configured certificate string. It appends ".crt" and ".key", respectively, and in the case of a relative path it also prepends "/etc/ldap/certs/". A logic error results in prepending "/etc/ldap/certs/" also for absolute paths. Avoid this by making the whole thing readable at the cost of a bit of verbosity. Problem reported by Maksim Rodin on misc@, thanks! Initial fix from me, committing an improved version on behalf of martijn. ok jmatthew, tb
2020-09-19Add a bsd.schema including a shadowPassword and an sshPublicKeyTheo Buehler
attribute that can be used to extend existing LDAP users with the additional bsdAccount objectclass. The former is useful for ypldap+ldapd setups without login_ldap and the latter makes it easier to use sshd's AuthorizedKeysCommand. Originally from reyk, revived by Aisha Tammy, with input from many, especially Robert Klein.
2020-06-24Using the "ldaps" or "tls" keywords in ldapd.conf currently enables allTheo Buehler
protocols and ciphers. So you get a TLS server speaking TLSv1.0 and supporting cipher suites with RC4 and 3DES encryption, all of which should be considered broken. There is no way of disabling TLSv1.0 and TLSv1.1 in ldapd. All this is also not very clearly called out in the documentation. This commit switches the defaults to using the libtls defaults for both protocols and ciphers. If compatibility with the insecure legacy protocols and ciphers is needed, use the "legacy" keyword before "tls" or "ldaps" in ldapd.conf. tested by abieber. inoguchi agrees with the direction. ok beck
2020-03-05Fix ldapd datadir location.Martijn van Duren
Diff from roklein <at> roklein <dot> de OK claudio@
2020-02-10briefly mention /etc/examples/ in the FILES section of all theIngo Schwarze
manual pages that document the corresponding configuration files; OK jmc@, and general direction discussed with many
2020-01-28usr.sbin/ldapd: replace TAILQ concatenation loop with TAILQ_CONCATbket
OK florian@
2019-10-26The starttls command doesn't have a value with its extended request.Martijn van Duren
The handling of this changed with libutil/ber.c r1.12 resulting in starttls failing. Found by several. Fix suggestion by roklein <at> roklein <dot> de OK claudio@
2019-10-24The ber_* namespace is used by liblber since time immemorial,Theo Buehler
so move our BER API to the unused ober_* prefix to avoid some breakage in ports. Problem diagnosed by jmatthew with ber_free() in samba, but there are many others as pointed out by sthen. tests & ok rob ok sthen (who had an almost identical diff for libutil) "go head hit it" deraadt
2019-07-03snprintf/vsnprintf return < 0 on error, rather than -1.Theo de Raadt
2019-06-28When system calls indicate an error they return -1, not some arbitraryTheo de Raadt
value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-06-27Some asprintf() calls were checked < 0, rather than the precise == -1.Theo de Raadt
ok millert nicm tb, etc
2019-05-18Fix LDAP RFC reference in comment. Also noticed by martijn.rob
ok guenther@, claudio@
2019-05-11The BER API is currently used by ldap, ldapd, ldapctl, ypldap, snmpd, androb
snmpctl. Separate copies of ber.[ch] have existed and been maintained in sync in ldap, ldapd, ypldap and snmpd. This commit moves the BER API into /usr/lib/libutil. All current consumers already link libutil. ldapd and snmpd regress passes, and release builds. With help from tb@ and guenther@. ok deraadt@, tb@
2019-04-27Only apply sign extension when less than eight bytes have been consumed. Thisrob
fixes a problem when handling large negative integers. ok claudio@
2019-03-31Avoid calling dup2(oldd, newd) when oldd == newd. In that case theYASUOKA Masahiko
descriptor keeps CLOEXEC flag then it will be closed unexpectedly by exec(). ok tedu florian
2019-02-13(unsigned) means (unsigned int) which on ptrdiff_t or size_t or otherTheo de Raadt
larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
2018-12-05key.data is a void *, on gcc archs doing a %s printf with such a pointerClaudio Jeker
results in a warning. Use either the original string value or use a cast. This makes both clang and gcc happy. OK guenther@
2018-11-27Sync with ldap(1)Martijn van Duren
2018-11-20Fix when ber_free_elements is called with a NULL-value.Martijn van Duren
Found via snmpctl snmp walk 127.0.0.1 oid 1 OK claudio@
2018-11-04some tweaks from raf czlonka, plus one more from me;Jason McIntyre