upstream/oracle/userland-gate: components/krb5/patches/062-ldap-fixes.patch@1d033832c5e7


#
# Fix up some issues with the KDB LDAP backend.  One involves providing a
# default for the service password and is associated with this ticket: Ticket
# #8295 kdb5_ldap_stash_service_password() stash file logic needs tweaking
#
# Another issue deals with potential memory leaks:
# Ticket #8331 potential memleak of pol_entry->name in populate_policy()
#
# I've also alerted MIT to the fact that the ldap_handle.c code can leak LDAP
# handles.  They've said I don't need to open a ticket on this since it isn't
# user visible:
#
# On 12/23/2015 02:43 PM, Will Fiveash wrote:
# > On Fri, Dec 18, 2015 at 07:47:49PM -0500, Greg Hudson wrote:
# >> On 12/18/2015 07:27 PM, Will Fiveash wrote:
# >>> Shouldn't the code unbind the ldap_handle?
# >>
# >> Probably.  In practice the KDC process is going to exit anyway, so it's
# >> not a leak with any consequences.
# >>
# >> That whole area of code is a bit of a mess; it maintains a pool of LDAP
# >> handles but we only ever use the first one.  (Or that was my reading the
# >> last time I looked at it.)
# >
# > Should I open a ticket on this?
# 
# I think we don't need a ticket for this, since it isn't really a
# user-visible bug.
# Patch source: in-house
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -533,6 +533,8 @@ passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the
 \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP objects, or for the
 \fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP names
 for SASL authentication.  This file must be kept secure.
+If \fBldap_service_password_file\fP is not specified the default
+of \fB@LOCALSTATEDIR@\fP\fB/krb5\fP\fB/service_passwd\fP is used.
 .TP
 .B \fBunlockiter\fP
 If set to \fBtrue\fP, this DB2\-specific tag causes iteration
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -125,7 +125,8 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
         }
 
         profile_get_string (util_context->profile, KDB_MODULE_SECTION, section,
-                            "ldap_service_password_file", NULL, &file_name);
+                            "ldap_service_password_file",
+                            DEF_SERVICE_PASSWD_FILE, &file_name);
     }
 done:
 
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h
@@ -32,8 +32,6 @@
 #define MAX_LEN                 1024
 #define MAX_SERVICE_PASSWD_LEN  256
 
-#define DEF_SERVICE_PASSWD_FILE KDC_DIR "/service_passwd"
-
 extern int tohex(krb5_data, krb5_data *);
 
 extern void kdb5_ldap_stash_service_password(int argc, char **argv);
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c
@@ -176,6 +176,7 @@ krb5_ldap_cleanup_handles(krb5_ldap_server_info *ldap_server_info)
         ldap_server_handle = ldap_server_info->ldap_server_handles;
         ldap_server_info->ldap_server_handles = ldap_server_handle->next;
         /* ldap_unbind_s(ldap_server_handle); */
+        ldap_unbind_s(ldap_server_handle->ldap_handle);
         free (ldap_server_handle);
         ldap_server_handle = NULL;
     }
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -360,6 +360,17 @@ krb5_ldap_read_server_params(krb5_context context, char *conf_section,
                                   &ldap_context->service_password_file);
         if (ret)
             return ret;
+
+        if (ldap_context->service_password_file == NULL) {
+            ret = profile_get_string (context->profile, KDB_MODULE_DEF_SECTION,
+                                     KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE,
+                                     NULL,
+                                     DEF_SERVICE_PASSWD_FILE,
+                                     &ldap_context->service_password_file);
+
+            if (ret)
+                return ret;
+        }
     }
 
     if (ldap_context->sasl_mech == NULL) {
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.h
@@ -36,6 +36,8 @@
 #ifndef _HAVE_LDAP_MISC_H
 #define _HAVE_LDAP_MISC_H 1
 
+#define DEF_SERVICE_PASSWD_FILE KDC_DIR "/service_passwd"
+
 /* misc functions */
 
 krb5_boolean
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
@@ -461,7 +461,8 @@ krb5_ldap_iterate_password_policy(krb5_context context, char *match_expr,
     }
 
 cleanup:
-    free(entry);
+    if (st && entry)
+        krb5_ldap_free_password_policy(context, entry);
     free(policy);
     ldap_msgfree(result);
     krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
author	Shawn Emery <shawn.emery@oracle.com>
	Tue, 09 Aug 2016 21:10:38 -0700
changeset 6599	1d033832c5e7
parent 5490	9bf0bc57423a
child 6978	14cbeb78966a
permissions	-rw-r--r--