Resolves: bug 262021

Bug Description: Migration script does not migrate nsDS5ReplicaCredentials correctly.
Reviewed by: nkinder (Thanks!)
Fix Description: 7.1 and earlier chaining and replication credentials were stored incorrectly on little endian machines (x86 and itanium).  They were "accidentally" stored correctly on big endian machines (sparc, pa-risc) because val == ntohl(val) on those platforms.  When migrating from a little endian machine, we need to decode the password using the broken algorithm and re-encode it using the good method.  We determine if the password is encode incorrectly by the following method: we use migratecred to decode and encode using the old path.  If the values are equal, this means the password was already encoded correctly and we don't need to fix it.  Otherwise, we set the flag that tells migratecred to fix it.  In order to decode the broken password correctly on big endian machines, we have to swap the byte order to convert the values to little endian.
Platforms tested: RHEL5 x86_64, RHEL5 i386, Solaris 9
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none

ldap/admin/src/scripts/DSMigration.pm.in

@@ -179,10 +179,20 @@ sub getNewDbDir {
 sub migrateCredentials {
     my ($ent, $attr, $mig, $inst) = @_;
     my $oldval = $ent->getValues($attr);
+
+    # Older versions of the server on x86 systems and other systems that do not use network byte order
+    # stored the credentials incorrectly.  The first step is to determine if this is the case.  We
+    # migrate using the same server root to see if we get the same output as we input.
+    debug(3, "In migrateCredentials - see how old credentials were encoded.\n");
+    my $testval = `@bindir@/migratecred -o $mig->{actualsroot}/$inst -n $mig->{actualsroot}/$inst -c \'$oldval\'`;
+    if ($testval ne $oldval) { # need to turn on the special flag
+        debug(3, "Credentials not encoded correctly.  oldval $oldval not equal to testval $testval.  The value will be re-encoded correctly.\n");
+        $ENV{MIGRATE_BROKEN_PWD} = "1"; # decode and re-encode correctly
+    }
+        
     debug(3, "Executing @bindir@/migratecred -o $mig->{actualsroot}/$inst -n @instconfigdir@/$inst -c \'$oldval\' . . .\n");
-    $ENV{MIGRATE_BROKEN_PWD} = "1"; # passwords prior to 8.0 were encrypted incorrectly
     my $newval = `@bindir@/migratecred -o $mig->{actualsroot}/$inst -n @instconfigdir@/$inst -c \'$oldval\'`;
-    delete $ENV{MIGRATE_BROKEN_PWD}; # clear the flag
+    delete $ENV{MIGRATE_BROKEN_PWD}; # clear the flag, if set
     debug(3, "Converted old value [$oldval] to new value [$newval] for attr $attr in entry ", $ent->getDN(), "\n");
     return $newval;
 }

ldap/admin/src/scripts/Migration.pm.in

@@ -128,17 +128,7 @@ e.g.
 or
     "slapd.Suffix=dc=example, dc=com"
 Values passed in this manner will override values in an .inf file
-given with the -f argument.  If you need to specify the cleartext
-directory manager password (e.g. in order to do remote migration),
-you must specify the password for each instance in a section whose
-name is the instance name e.g.
- [slapd-ldap1]
- RootDNPwd=ldap1password
- [slapd-ldap2]
- RootDNPwd=ldap2password
-or on the command line like this:
- command ... slapd-ldap1.RootDNPwd=ldap1password \
-    slapd-ldap2.RootDNPwd=ldap2password ...
+given with the -f argument.
 
 actualsroot:
 This is used when you must migrate from one machine to another.  The
@@ -373,3 +363,10 @@ sub migrateSecurityFiles {
 # Mandatory TRUE return value.
 #
 1;
+
+# emacs settings
+# Local Variables:
+# mode:perl
+# indent-tabs-mode: nil
+# tab-width: 4
+# End:

ldap/servers/plugins/rever/des.c

@@ -492,7 +492,7 @@ char *
 migrateCredentials(char *oldpath, char *newpath, char *oldcred)
 {
 	static char *useBrokenUUID = "USE_BROKEN_UUID=1";
-	static char *disableBrokenUUID = "USE_BROKEN_UUID";
+	static char *disableBrokenUUID = "USE_BROKEN_UUID=0";
 	char *plain = NULL;
 	char *cipher = NULL;
 

ldap/servers/slapd/uuid.c

@@ -847,10 +847,16 @@ static void format_uuid_v1(guid_t * uuid, uuid_time_t timestamp, unsigned16 cloc
     memcpy(&uuid->node, &_state.genstate.node, sizeof (uuid->node));
 }
 
+/* when converting broken values, we may need to swap the bytes */
+#define BSWAP16(x) ((((x) >> 8) & 0xff) | (((x) & 0xff) << 8))
+#define BSWAP32(x) ((((x) & 0xff000000) >> 24) | (((x) & 0x00ff0000) >>  8) | \
+                    (((x) & 0x0000ff00) <<  8) | (((x) & 0x000000ff) << 24))
+
 /* format_uuid_v3 -- make a UUID from a (pseudo)random 128 bit number
 */
 static void format_uuid_v3(guid_t * uuid, unsigned char hash[16]) 
 {
+	char *use_broken_uuid = getenv("USE_BROKEN_UUID");
 	/* Construct a version 3 uuid with the (pseudo-)random number
 	* plus a few constants. */
 
@@ -858,11 +864,18 @@ static void format_uuid_v3(guid_t * uuid, unsigned char hash[16])
 
 	/* when migrating, we skip the ntohl in order to read in old, 
 	   incorrectly formatted uuids */
-	if (!getenv("USE_BROKEN_UUID")) {
+	if (!use_broken_uuid || (*use_broken_uuid == '0')) {
 		/* convert UUID to local byte order */
 		uuid->time_low = PR_ntohl(uuid->time_low);
 		uuid->time_mid = PR_ntohs(uuid->time_mid);
 		uuid->time_hi_and_version = PR_ntohs(uuid->time_hi_and_version);
+	} else {
+#if defined(IS_BIG_ENDIAN)
+		/* convert UUID to b0rken byte order */
+		uuid->time_low = BSWAP32(uuid->time_low);
+		uuid->time_mid = BSWAP16(uuid->time_mid);
+		uuid->time_hi_and_version = BSWAP16(uuid->time_hi_and_version);
+#endif
 	}
 
 	/* put in the variant and version bits */