[Fedora-directory-commits] ldapserver/ldap/servers/slapd attr.c, 1.10, 1.11 attrlist.c, 1.7, 1.8 attrsyntax.c, 1.9, 1.10 entry.c, 1.20, 1.21 proto-slap.h, 1.44, 1.45 pw.c, 1.21, 1.22 schema.c, 1.19, 1.20 slapi-private.h, 1.33, 1.34
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25646/ldap/servers/slapd
Modified Files:
attr.c attrlist.c attrsyntax.c entry.c proto-slap.h pw.c
schema.c slapi-private.h
Log Message:
Resolves: 474945
Summary: Consistently deal with attr syntax info struct ref count when fetching and returning them to the global hashtables.
Index: attr.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/attr.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- attr.c 13 Jan 2009 18:28:34 -0000 1.10
+++ attr.c 21 Jan 2009 00:00:32 -0000 1.11
@@ -226,11 +226,11 @@
Slapi_Attr *
slapi_attr_init(Slapi_Attr *a, const char *type)
{
- return slapi_attr_init_locking_optional(a, type, PR_TRUE, PR_TRUE);
+ return slapi_attr_init_locking_optional(a, type, PR_TRUE);
}
Slapi_Attr *
-slapi_attr_init_locking_optional(Slapi_Attr *a, const char *type, PRBool use_lock, PRBool ref_count)
+slapi_attr_init_locking_optional(Slapi_Attr *a, const char *type, PRBool use_lock)
{
PR_ASSERT(a!=NULL);
@@ -249,7 +249,7 @@
{
basetype = tmp; /* basetype was malloc'd */
}
- asi = attr_syntax_get_by_name_locking_optional(basetype, use_lock, ref_count);
+ asi = attr_syntax_get_by_name_locking_optional(basetype, use_lock);
}
if(NULL == asi)
{
@@ -260,7 +260,7 @@
* attribute type that has that syntax.
*/
asi = attr_syntax_get_by_name_locking_optional(
- ATTR_WITH_DIRSTRING_SYNTAX, use_lock, ref_count);
+ ATTR_WITH_DIRSTRING_SYNTAX, use_lock);
}
else
{
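Review bot: Both lookups in this hunk now take a reference on the asyntaxinfo unconditionally, so slapi_attr_init_locking_optional must hand it back with `attr_syntax_return_locking_optional(asi, use_lock)` once it has copied what it needs out of `asi`; the tail of the function is outside the hunk, so I cannot see whether that happens. If the reference is instead kept for the lifetime of the Slapi_Attr, a later attr_syntax_delete of that type can never free the struct, which is a leak rather than a crash, but either way a comment at the end of the function stating which convention applies would help.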
Index: attrlist.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/attrlist.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- attrlist.c 10 Nov 2006 23:45:40 -0000 1.7
+++ attrlist.c 21 Jan 2009 00:00:32 -0000 1.8
@@ -63,11 +63,11 @@
int
attrlist_find_or_create(Slapi_Attr **alist, const char *type, Slapi_Attr ***a)
{
- return attrlist_find_or_create_locking_optional(alist, type, a, PR_TRUE, PR_TRUE);
+ return attrlist_find_or_create_locking_optional(alist, type, a, PR_TRUE);
}
int
-attrlist_find_or_create_locking_optional(Slapi_Attr **alist, const char *type, Slapi_Attr ***a, PRBool use_lock, PRBool ref_count)
+attrlist_find_or_create_locking_optional(Slapi_Attr **alist, const char *type, Slapi_Attr ***a, PRBool use_lock)
{
int rc= 0; /* found */
if ( *a==NULL )
@@ -82,7 +82,7 @@
if( **a==NULL )
{
**a = slapi_attr_new();
- slapi_attr_init_locking_optional(**a, type, use_lock, ref_count);
+ slapi_attr_init_locking_optional(**a, type, use_lock);
rc= 1; /* created */
}
return rc;
Index: attrsyntax.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/attrsyntax.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- attrsyntax.c 19 Jan 2009 19:43:47 -0000 1.9
+++ attrsyntax.c 21 Jan 2009 00:00:32 -0000 1.10
@@ -78,7 +78,7 @@
static void attr_syntax_delete_no_lock( struct asyntaxinfo *asip,
PRBool remove_from_oid_table );
static struct asyntaxinfo *attr_syntax_get_by_oid_locking_optional( const
- char *oid, PRBool use_lock, PRBool ref_count);
+ char *oid, PRBool use_lock);
#ifdef ATTR_LDAP_DEBUG
static void attr_syntax_print();
@@ -236,12 +236,20 @@
struct asyntaxinfo *
attr_syntax_get_by_oid(const char *oid)
{
- return attr_syntax_get_by_oid_locking_optional( oid, PR_TRUE, PR_TRUE);
+ return attr_syntax_get_by_oid_locking_optional( oid, PR_TRUE);
}
+/*
+ * A version of attr_syntax_get_by_oid() that allows you to bypass using
+ * a lock to access the global oid hash table.
+ *
+ * Note: once the caller is finished using it, the structure must be
+ * returned by calling attr_syntax_return_locking_optional() with the
+ * same use_lock parameter.
+ */
static struct asyntaxinfo *
-attr_syntax_get_by_oid_locking_optional( const char *oid, PRBool use_lock, PRBool ref_count )
+attr_syntax_get_by_oid_locking_optional( const char *oid, PRBool use_lock )
{
struct asyntaxinfo *asi = 0;
if (oid2asi)
@@ -250,7 +258,7 @@
asi = (struct asyntaxinfo *)PL_HashTableLookup_const(oid2asi, oid);
if (asi)
{
- if(ref_count) PR_AtomicIncrement( &asi->asi_refcnt );
+ PR_AtomicIncrement( &asi->asi_refcnt );
}
if ( use_lock ) AS_UNLOCK_READ(oid2asi_lock);
}
@@ -290,12 +298,20 @@
struct asyntaxinfo *
attr_syntax_get_by_name(const char *name)
{
- return attr_syntax_get_by_name_locking_optional(name, PR_TRUE, PR_TRUE);
+ return attr_syntax_get_by_name_locking_optional(name, PR_TRUE);
}
+/*
+ * A version of attr_syntax_get_by_name() that allows you to bypass using
+ * a lock around the global name hashtable.
+ *
+ * Note: once the caller is finished using it, the structure must be
+ * returned by calling attr_syntax_return_locking_optional() with the
+ * same use_lock parameter.
+ */
struct asyntaxinfo *
-attr_syntax_get_by_name_locking_optional(const char *name, PRBool use_lock, PRBool ref_count)
+attr_syntax_get_by_name_locking_optional(const char *name, PRBool use_lock)
{
struct asyntaxinfo *asi = 0;
if (name2asi)
@@ -303,12 +319,12 @@
if ( use_lock ) AS_LOCK_READ(name2asi_lock);
asi = (struct asyntaxinfo *)PL_HashTableLookup_const(name2asi, name);
if ( NULL != asi ) {
- if(ref_count) PR_AtomicIncrement( &asi->asi_refcnt );
+ PR_AtomicIncrement( &asi->asi_refcnt );
}
if ( use_lock ) AS_UNLOCK_READ(name2asi_lock);
}
if (!asi) /* given name may be an OID */
- asi = attr_syntax_get_by_oid_locking_optional(name, use_lock, ref_count);
+ asi = attr_syntax_get_by_oid_locking_optional(name, use_lock);
return asi;
}
@@ -343,6 +359,8 @@
AS_LOCK_WRITE(name2asi_lock); /* get a write lock */
if ( asi->asi_marked_for_delete ) /* one final check */
{
+ /* ref count is 0 and it's flagged for
+ * deletion, so it's safe to free now */
attr_syntax_free(asi);
}
AS_UNLOCK_WRITE(name2asi_lock);
@@ -427,6 +445,10 @@
if ( asi->asi_refcnt > 0 ) {
asi->asi_marked_for_delete = PR_TRUE;
} else {
+ /* This is ok, but the correct thing is to call delete first,
+ * then to call return. The last return will then take care of
+ * the free. The only way this free would happen here is if
+ * you return the syntax before calling delete. */
attr_syntax_free(asi);
}
}
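Review bot: The else branch frees the struct while a concurrent attr_syntax_return may sit between its decrement of asi_refcnt to 0 and its "one final check" of asi_marked_for_delete under the write lock (the final check is visible in the previous hunk), and that check would then read freed memory; the new comment calls this ordering "ok" but nothing enforces it. Whether the return path also tests the flag before taking the lock is outside this hunk, so this may be theoretical, but the smallest robust fix I see is for attr_syntax_return to do the zero test and flag check under `AS_LOCK_WRITE(name2asi_lock)` rather than only the re-check. At minimum I would reword the comment to say that calling delete before the last return is required, not merely "the correct thing".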
@@ -450,7 +472,7 @@
char *r;
- if((asi=attr_syntax_get_by_name_locking_optional(s, PR_TRUE, PR_FALSE)) != NULL ) {
+ if((asi=attr_syntax_get_by_name(s)) != NULL ) {
r = slapi_ch_strdup(asi->asi_name);
attr_syntax_return( asi );
}
@@ -480,7 +502,7 @@
return 0;
}
-/* check syntax without incrementing refcount -- handles locking itself */
+/* check syntax */
static void *
attr_syntax_get_plugin_by_name_with_default( const char *type )
@@ -491,14 +513,13 @@
/*
* first we look for this attribute type explictly
*/
- if ( (asi = attr_syntax_get_by_name_locking_optional(type, PR_TRUE, PR_FALSE)) == NULL ) {
+ if ( (asi = attr_syntax_get_by_name(type)) == NULL ) {
/*
* no syntax for this type... return DirectoryString
* syntax. we accomplish this by looking up a well known
* attribute type that has that syntax.
*/
- asi = attr_syntax_get_by_name_locking_optional(
- ATTR_WITH_DIRSTRING_SYNTAX, PR_TRUE, PR_FALSE);
+ asi = attr_syntax_get_by_name(ATTR_WITH_DIRSTRING_SYNTAX);
}
if ( NULL != asi ) {
plugin = asi->asi_plugin;
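Review bot: Both lookups now bump asi_refcnt, so this function must call `attr_syntax_return( asi );` right after `plugin = asi->asi_plugin;`, otherwise every syntax-plugin lookup leaks a reference and an overridden attribute type is never freed; the lines after the assignment are outside the hunk, so I cannot confirm the return is there. The comment rewrite from "check syntax without incrementing refcount" to "check syntax" is correct but loses the useful half; `/* look up the syntax plugin; takes and returns a reference */` would say what the caller needs to know.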
@@ -548,7 +569,7 @@
/* make sure the oid is unique */
if ( NULL != ( oldas_from_oid = attr_syntax_get_by_oid_locking_optional(
- asip->asi_oid, !nolock, PR_TRUE))) {
+ asip->asi_oid, !nolock))) {
if ( 0 == (asip->asi_flags & SLAPI_ATTR_FLAG_OVERRIDE)) {
/* failure - OID is in use; no override flag */
rc = LDAP_TYPE_OR_VALUE_EXISTS;
@@ -560,13 +581,15 @@
* the primary name and OID point to the same schema definition.
*/
if ( NULL != ( oldas_from_name = attr_syntax_get_by_name_locking_optional(
- asip->asi_name, !nolock, PR_TRUE))) {
+ asip->asi_name, !nolock))) {
if ( 0 == (asip->asi_flags & SLAPI_ATTR_FLAG_OVERRIDE)
|| ( oldas_from_oid != oldas_from_name )) {
/* failure; no override flag OR OID and name don't match */
rc = LDAP_TYPE_OR_VALUE_EXISTS;
goto cleanup_and_return;
}
+ /* Flag for deletion. We are going to override this attr */
+ attr_syntax_delete(oldas_from_name);
} else if ( NULL != oldas_from_oid ) {
/* failure - OID is in use but name does not exist */
rc = LDAP_TYPE_OR_VALUE_EXISTS;
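Review bot: `attr_syntax_delete(oldas_from_name)` is called regardless of `nolock`, while every lookup and return around it passes `!nolock`; if attr_syntax_delete acquires the hash-table write locks itself, as the `attr_syntax_delete_no_lock` prototype at the top of this file suggests, a caller that set `nolock` because it already holds one of those locks would self-deadlock on a non-recursive rwlock. If `nolock` callers are guaranteed never to hold the locks, a one-line comment here saying so would settle it; otherwise the no-lock variant should be selected when `nolock` is set, as is done for the other operations in this function.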
@@ -580,15 +603,17 @@
if ( NULL != ( tmpasi =
attr_syntax_get_by_name_locking_optional(
- asip->asi_aliases[i], !nolock,PR_TRUE))) {
+ asip->asi_aliases[i], !nolock))) {
if (asip->asi_flags & SLAPI_ATTR_FLAG_OVERRIDE) {
+ /* Flag for tmpasi for deletion. It will be free'd
+ * when attr_syntax_return is called. */
attr_syntax_delete(tmpasi);
} else {
/* failure - one of the aliases is already in use */
rc = LDAP_TYPE_OR_VALUE_EXISTS;
}
- attr_syntax_return( tmpasi );
+ attr_syntax_return_locking_optional( tmpasi, !nolock );
if ( LDAP_SUCCESS != rc ) {
goto cleanup_and_return;
}
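Review bot: If one of the new definition's aliases is the primary name of the definition flagged for deletion in the previous hunk, `tmpasi` is the same struct as `oldas_from_name` and attr_syntax_delete runs twice on it; that is harmless only if delete tolerates re-marking and removing already-absent hash keys, which I cannot confirm from here. A short comment above `attr_syntax_delete(tmpasi);` noting that double deletion is expected to be idempotent (or a guard `if (tmpasi != oldas_from_name)`) would make the assumption explicit. Returning the alias reference on both the override and failure paths with `!nolock` is consistent with the new convention.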
@@ -605,8 +630,8 @@
attr_syntax_add_by_name( asip, !nolock);
cleanup_and_return:
- attr_syntax_return( oldas_from_oid );
- attr_syntax_return( oldas_from_name );
+ attr_syntax_return_locking_optional( oldas_from_oid, !nolock );
+ attr_syntax_return_locking_optional( oldas_from_name, !nolock );
return rc;
}
Index: entry.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/entry.c,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- entry.c 5 Dec 2008 22:41:52 -0000 1.20
+++ entry.c 21 Jan 2009 00:00:32 -0000 1.21
@@ -304,7 +304,7 @@
switch(attr_state)
{
case ATTRIBUTE_PRESENT:
- if(attrlist_find_or_create_locking_optional(&e->e_attrs, type, &a, PR_FALSE, PR_TRUE)==0 /* Found */)
+ if(attrlist_find_or_create_locking_optional(&e->e_attrs, type, &a, PR_FALSE)==0 /* Found */)
{
LDAPDebug (LDAP_DEBUG_ANY, "str2entry_fast: Error. Non-contiguous attribute values for %s\n", type, 0, 0);
PR_ASSERT(0);
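Review bot: Passing `PR_FALSE` for use_lock here reads the global name2asi table without its reader lock, which is only safe if no schema modification can run while str2entry_fast is parsing or the caller already holds the lock; that precondition is not stated in the hunk. A comment at the call such as `/* no lock: caller guarantees the schema tables are not modified during parsing */` would record the assumption for the next reader. The reference taken on the asyntaxinfo also has to be returned with the same use_lock, which can only happen inside slapi_attr_init_locking_optional, outside this hunk.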
@@ -312,7 +312,7 @@
}
break;
case ATTRIBUTE_DELETED:
- if(attrlist_find_or_create_locking_optional(&e->e_deleted_attrs, type, &a, PR_FALSE, PR_TRUE)==0 /* Found */)
+ if(attrlist_find_or_create_locking_optional(&e->e_deleted_attrs, type, &a, PR_FALSE)==0 /* Found */)
{
LDAPDebug (LDAP_DEBUG_ANY, "str2entry_fast: Error. Non-contiguous deleted attribute values for %s\n", type, 0, 0);
PR_ASSERT(0);
@@ -940,7 +940,7 @@
{
int maxvals = 0;
Slapi_Attr **a= NULL;
- attrlist_find_or_create_locking_optional(alist, sa->sa_type, &a, PR_FALSE, PR_TRUE);
+ attrlist_find_or_create_locking_optional(alist, sa->sa_type, &a, PR_FALSE);
valuearray_add_valuearray_fast( /* JCM should be calling a valueset function */
&(*a)->a_present_values.va, /* JCM .va is private */
sa->sa_present_values.va,
Index: proto-slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/proto-slap.h,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- proto-slap.h 2 Dec 2008 15:29:30 -0000 1.44
+++ proto-slap.h 21 Jan 2009 00:00:32 -0000 1.45
@@ -76,7 +76,7 @@
void attrlist_free(Slapi_Attr *alist);
int attrlist_find_or_create(Slapi_Attr **alist, const char *type, Slapi_Attr ***a);
-int attrlist_find_or_create_locking_optional(Slapi_Attr **alist, const char *type, Slapi_Attr ***a, PRBool use_lock, PRBool ref_count);
+int attrlist_find_or_create_locking_optional(Slapi_Attr **alist, const char *type, Slapi_Attr ***a, PRBool use_lock);
void attrlist_merge( Slapi_Attr **alist, const char *type, struct berval **vals );
void attrlist_merge_valuearray( Slapi_Attr **alist, const char *type, Slapi_Value **vals );
int attrlist_delete( Slapi_Attr **attrs, const char *type );
@@ -110,7 +110,7 @@
void attr_syntax_delete_all_not_flagged( unsigned long flag );
struct asyntaxinfo *attr_syntax_get_by_oid ( const char *oid );
struct asyntaxinfo *attr_syntax_get_by_name ( const char *name );
-struct asyntaxinfo *attr_syntax_get_by_name_locking_optional ( const char *name, PRBool use_lock, PRBool ref_count );
+struct asyntaxinfo *attr_syntax_get_by_name_locking_optional ( const char *name, PRBool use_lock );
/*
* Call attr_syntax_return() when you are done using a value returned
* by attr_syntax_get_by_oid() or attr_syntax_get_by_name().
Index: pw.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/pw.c,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- pw.c 16 Jan 2009 17:54:38 -0000 1.21
+++ pw.c 21 Jan 2009 00:00:32 -0000 1.22
@@ -160,7 +160,6 @@
/* Checks if the specified value is encoded.
Returns 1 if it is and 0 otherwise
*/
-/* NGK - Use this for checking if the password is hashed */
int slapi_is_encoded (char *value)
{
struct pw_scheme *is_hashed = NULL;
Index: schema.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/schema.c,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- schema.c 19 Jan 2009 21:27:24 -0000 1.19
+++ schema.c 21 Jan 2009 00:00:32 -0000 1.20
@@ -2443,6 +2443,7 @@
LDAPDebug( LDAP_DEBUG_TRACE, "schema_replace_attributes:"
" replacing type %s (OID %s)\n",
newasip->asi_name, newasip->asi_oid, 0 );
+ /* flag for deletion */
attr_syntax_delete( oldasip );
}
@@ -3149,7 +3150,8 @@
/*
* if asipp is NULL, the attribute type is added to the global set of schema.
- * if asipp is not NULL, the AT is not added but *asipp is set.
+ * if asipp is not NULL, the AT is not added but *asipp is set. When you are
+ * finished with *asipp, use attr_syntax_free() to dispose of it.
*
* schema_flags: Any or none of the following bits could be set
* DSE_SCHEMA_NO_CHECK -- schema won't be checked
Index: slapi-private.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-private.h,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- slapi-private.h 9 Jan 2009 23:10:17 -0000 1.33
+++ slapi-private.h 21 Jan 2009 00:00:32 -0000 1.34
@@ -344,7 +344,7 @@
int entry_add_dncsn_ext(Slapi_Entry *entry, const CSN *csn, PRUint32 flags);
/* attr.c */
-Slapi_Attr *slapi_attr_init_locking_optional(Slapi_Attr *a, const char *type, PRBool use_lock, PRBool ref_count);
+Slapi_Attr *slapi_attr_init_locking_optional(Slapi_Attr *a, const char *type, PRBool use_lock);
int attr_set_csn( Slapi_Attr *a, const CSN *csn);
int attr_set_deletion_csn( Slapi_Attr *a, const CSN *csn);
const CSN *attr_get_deletion_csn(const Slapi_Attr *a);
[Fedora-directory-commits] ldapserver/ldap/servers/slapd schema.c, 1.18, 1.19
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv11731/ldap/servers/slapd
Modified Files:
schema.c
Log Message:
Resolves: 480384
Summary: Allow attribute aliases to be used as SUP attribute in attributetype definitions.
Index: schema.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/schema.c,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- schema.c 4 Dec 2008 22:33:29 -0000 1.18
+++ schema.c 19 Jan 2009 21:27:24 -0000 1.19
@@ -3111,7 +3111,16 @@
if(asi->asi_name != NULL) {
if (strcasecmp (asi->asi_name, aew->sup ) == 0) {
aew->rc=0;
- }
+ } else if (asi->asi_aliases) {
+ int i = 0;
+
+ /* Loop through aliases to see if any match */
+ for (i=0; asi->asi_aliases[i] != NULL; i++) {
+ if (strcasecmp (asi->asi_aliases[i], aew->sup ) == 0) {
+ aew->rc=0;
+ }
+ }
+ }
}
}
}
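Review bot: The alias loop keeps scanning after a match; `aew->rc=0; break;` would stop at the first hit and mirror the primary-name branch, which has nothing left to do once it matches. Using `strcasecmp` on both branches is the right comparison for attribute type names. The enclosing function, which looks like a hash-table enumeration callback, starts outside the hunk.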
[Fedora-directory-commits] ldapserver/ldap/servers/slapd attrsyntax.c, 1.8, 1.9
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30232/ldap/servers/slapd
Modified Files:
attrsyntax.c
Log Message:
Resolves: 474945
Summary: Fixed assertion when improperly deleting syntaxinfo.
Index: attrsyntax.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/attrsyntax.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- attrsyntax.c 15 Oct 2008 06:30:03 -0000 1.8
+++ attrsyntax.c 19 Jan 2009 19:43:47 -0000 1.9
@@ -567,7 +567,6 @@
rc = LDAP_TYPE_OR_VALUE_EXISTS;
goto cleanup_and_return;
}
- attr_syntax_delete(oldas_from_name);
} else if ( NULL != oldas_from_oid ) {
/* failure - OID is in use but name does not exist */
rc = LDAP_TYPE_OR_VALUE_EXISTS;
[Fedora-directory-commits] console/src/com/netscape/management/client/security/csr CertRequestInfoPage.java, 1.1.1.1, 1.2
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/console/src/com/netscape/management/client/security/csr
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25025/console/src/com/netscape/management/client/security/csr
Modified Files:
CertRequestInfoPage.java
Log Message:
Resolves: bug 480251
Bug Description: rhds80 console - ssl - csr wizard really wants a country/region string
Reviewed by: nkinder (Thanks!)
Fix Description: Have to make sure the string is long enough before taking the substring
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Index: CertRequestInfoPage.java
===================================================================
RCS file: /cvs/dirsec/console/src/com/netscape/management/client/security/csr/CertRequestInfoPage.java,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- CertRequestInfoPage.java 18 Jul 2005 00:34:18 -0000 1.1.1.1
+++ CertRequestInfoPage.java 16 Jan 2009 19:38:25 -0000 1.2
@@ -186,8 +186,20 @@
_sessionData.put("organization", o.getText());
_sessionData.put("org_unit", ou.getText());
_sessionData.put("locality", l.getText());
- _sessionData.put("country" , (c.getSelectedItem() != null)?((String)(c.getSelectedItem())).substring(0, 2):"");
- _sessionData.put("state" , (st.getSelectedItem()!=null)?((String)(st.getSelectedItem())).substring(0,2):"");
+ String c_str = (String)c.getSelectedItem();
+ if ((c_str != null) && (c_str.length() >= 2)) {
+ c_str = c_str.substring(0, 2);
+ } else {
+ c_str = "";
+ }
+ _sessionData.put("country" , c_str);
+ String st_str = (String)st.getSelectedItem();
+ if ((st_str != null) && (st_str.length() >= 2)) {
+ st_str = st_str.substring(0, 2);
+ } else {
+ st_str = "";
+ }
+ _sessionData.put("state" , st_str);
setDN();
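Review bot: The country and state branches are the same six lines twice; a small helper keeps the length check in one place and makes it obvious both fields get identical treatment. Separately, a selection that is non-null but shorter than two characters is now silently recorded as "", which hides exactly the bad input the bug is about; if setDN() or later validation does not reject an empty country, the user gets a CSR with no C= and no explanation, so consider reporting it instead of swallowing it (I cannot see setDN from here). Proposed helper and call sites:
```java
/** First two characters of a combo-box selection, or "" when nothing usable is selected. */
private static String twoLetterCode(Object selected) {
    String s = (String) selected;
    return (s != null && s.length() >= 2) ? s.substring(0, 2) : "";
}
// ... unchanged: organization / org_unit / locality puts ...
_sessionData.put("country", twoLetterCode(c.getSelectedItem()));
_sessionData.put("state", twoLetterCode(st.getSelectedItem()));
```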
[Fedora-directory-commits] ldapserver/ldap/servers/slapd pw.c, 1.20, 1.21
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10264/ldap/servers/slapd
Modified Files:
pw.c
Log Message:
Resolves: 204626
Summary: Reject pre-hashed password from unprivileged users when password syntax checking is enabled. Don't check password syntax for pre-hashed password from privileged users.
Index: pw.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/pw.c,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- pw.c 16 Jan 2009 05:26:42 -0000 1.20
+++ pw.c 16 Jan 2009 17:54:38 -0000 1.21
@@ -740,17 +740,24 @@
check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
char **old_pw, Slapi_Entry *e, int mod_op, Slapi_Mods *smods)
{
- Slapi_Attr* attr;
- int i, pwresponse_req = 0;
- char *dn= (char*)slapi_sdn_get_ndn(sdn); /* jcm - Had to cast away const */
- char *pwd = NULL;
- char *p = NULL;
- char errormsg[ BUFSIZ ];
- passwdPolicy *pwpolicy = NULL;
+ Slapi_Attr *attr;
+ int i, pwresponse_req = 0;
+ int is_replication = 0;
+ int internal_op = 0;
+ char *dn= (char*)slapi_sdn_get_ndn(sdn); /* jcm - Had to cast away const */
+ char *pwd = NULL;
+ char *p = NULL;
+ char errormsg[ BUFSIZ ];
+ passwdPolicy *pwpolicy = NULL;
+ Slapi_Operation *operation = NULL;
pwpolicy = new_passwdPolicy(pb, dn);
slapi_pblock_get ( pb, SLAPI_PWPOLICY, &pwresponse_req );
+ slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_replication);
+ slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
+ internal_op = slapi_operation_is_flag_set(operation, SLAPI_OP_FLAG_INTERNAL);
+
if ( pwpolicy->pw_syntax == 1 ) {
for ( i = 0; vals[ i ] != NULL; ++i ) {
int syntax_violation = 0;
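Review bot: `slapi_operation_is_flag_set(operation, SLAPI_OP_FLAG_INTERNAL)` is called right after the pblock get without checking that SLAPI_OPERATION was actually set; if any internal pblock reaches this function without an operation and the helper dereferences its argument, the crash would happen before the policy is consulted at all. `internal_op = (operation != NULL) && slapi_operation_is_flag_set(operation, SLAPI_OP_FLAG_INTERNAL);` is cheap insurance, and the same pattern appears in update_pw_info in the earlier revision on this page. The function continues past the hunk.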
@@ -764,18 +771,29 @@
int max_repeated = 0;
int num_categories = 0;
- /* NGK - Check if password is already hashed and reject if so. */
- /* NGK - Allow if root or if replication user */
- if (slapi_is_encoded(slapi_value_get_string(vals[i]))) {
- PR_snprintf( errormsg, BUFSIZ,
- "invalid password syntax - pre-hashed passwords are not allowed");
- if ( pwresponse_req == 1 ) {
- slapi_pwpolicy_make_response_control ( pb, -1, -1,
- LDAP_PWPOLICY_INVALIDPWDSYNTAX );
+ /* Check if password is already hashed and reject if so. We
+ * We need to allow the root DN and replicated ops to send
+ * pre-hashed passwords. We also check for a connection object
+ * when processing an internal operation to handle a special
+ * case for the password modify extended operation. */
+ if (slapi_is_encoded((char *)slapi_value_get_string(vals[i]))) {
+ if ((!is_replication && ((internal_op && pb->pb_conn && !slapi_dn_isroot(pb->pb_conn->c_dn)) ||
+ (!internal_op && !pb->pb_requestor_isroot)))) {
+ PR_snprintf( errormsg, BUFSIZ,
+ "invalid password syntax - pre-hashed passwords are not allowed");
+ if ( pwresponse_req == 1 ) {
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
+ LDAP_PWPOLICY_INVALIDPWDSYNTAX );
+ }
+ pw_send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL, errormsg, 0, NULL );
+ delete_passwdPolicy(&pwpolicy);
+ return( 1 );
+ } else {
+ /* We want to skip syntax checking since this is a pre-hashed
+ * password from replication or the root DN. */
+ delete_passwdPolicy(&pwpolicy);
+ return( 0 );
}
- pw_send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL, errormsg, 0, NULL );
- delete_passwdPolicy(&pwpolicy);
- return( 1 );
}
/* check for the minimum password length */
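Review bot: The `return( 0 )` in the new else branch ends check_pw_syntax_ext for the whole request, not just for this value, so a root or replicated modify carrying several values in `vals` has the remaining ones skipped once one pre-hashed value is seen, and anything after the loop (outside the hunk) is skipped too; `continue` would skip syntax checking only for the hashed value. The privilege test on the `if ((!is_replication && ...` line is loop-invariant and hard to audit inline; hoisting it before the loop as `int allow_prehashed = is_replication || (internal_op ? (!pb->pb_conn || slapi_dn_isroot(pb->pb_conn->c_dn)) : pb->pb_requestor_isroot);` and testing `if (!allow_prehashed)` makes the policy readable at a glance. Note that an internal operation with no connection is trusted by construction, which is presumably intended for server-originated writes but deserves a sentence in the comment.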
[Fedora-directory-commits] ldapserver/ldap/servers/slapd passwd_extop.c, 1.19, 1.20 pw.c, 1.19, 1.20
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15940/ldap/servers/slapd
Modified Files:
passwd_extop.c pw.c
Log Message:
Resolves: 248924
Summary: Make password modify extended operation reset expired passwords.
Index: passwd_extop.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/passwd_extop.c,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- passwd_extop.c 15 Jan 2009 18:24:48 -0000 1.19
+++ passwd_extop.c 16 Jan 2009 05:26:42 -0000 1.20
@@ -143,8 +143,8 @@
/* Construct Mods pblock and perform the modify operation
* Sets result of operation in SLAPI_PLUGIN_INTOP_RESULT
*/
-static int passwd_apply_mods(const char *dn, Slapi_Mods *mods, LDAPControl **req_controls,
- LDAPControl ***resp_controls)
+static int passwd_apply_mods(Slapi_PBlock *pb_orig, const char *dn, Slapi_Mods *mods,
+ LDAPControl **req_controls, LDAPControl ***resp_controls)
{
Slapi_PBlock pb;
LDAPControl **req_controls_copy = NULL;
@@ -168,7 +168,19 @@
pw_get_componentID(), /* PluginID */
0); /* Flags */
+ /* We copy the connection from the original pblock into the
+ * pblock we use for the internal modify operation. We do
+ * this to allow the password policy code to be able to tell
+ * that the password change was initiated by the user who
+ * sent the extended operation instead of always assuming
+ * that it was done by the root DN. */
+ pb.pb_conn = pb_orig->pb_conn;
+
ret =slapi_modify_internal_pb (&pb);
+
+ /* We now clean up the connection that we copied into the
+ * new pblock. We want to leave it untouched. */
+ pb.pb_conn = NULL;
slapi_pblock_get(&pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
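Review bot: Borrowing `pb_orig->pb_conn` into the internal pblock creates a combination the rest of the server may not expect, an operation flagged internal that also carries a connection, so any code on the internal-modify path that branches on `pb_conn != NULL` (logging, authz, plugins) is now reachable with it; the consumers on this page in pw.c read `pb->pb_conn->c_dn` directly, and whether that read needs the connection lock I cannot tell from here. The reset to NULL is necessary because `pb` is a stack pblock and its cleanup must not touch the borrowed connection; the comment should say that explicitly, e.g. `/* pb_conn is borrowed, not owned: clear it so pblock cleanup does not release it */`, rather than "leave it untouched".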
@@ -195,8 +207,8 @@
/* Modify the userPassword attribute field of the entry */
-static int passwd_modify_userpassword(Slapi_Entry *targetEntry, const char *newPasswd,
- LDAPControl **req_controls, LDAPControl ***resp_controls)
+static int passwd_modify_userpassword(Slapi_PBlock *pb_orig, Slapi_Entry *targetEntry,
+ const char *newPasswd, LDAPControl **req_controls, LDAPControl ***resp_controls)
{
char *dn = NULL;
int ret = 0;
@@ -209,7 +221,7 @@
slapi_mods_add_string(&smods, LDAP_MOD_REPLACE, SLAPI_USERPWD_ATTR, newPasswd);
- ret = passwd_apply_mods(dn, &smods, req_controls, resp_controls);
+ ret = passwd_apply_mods(pb_orig, dn, &smods, req_controls, resp_controls);
slapi_mods_done(&smods);
@@ -770,7 +782,7 @@
slapi_pblock_get(pb, SLAPI_REQCONTROLS, &req_controls);
/* Now we're ready to make actual password change */
- ret = passwd_modify_userpassword(targetEntry, newPasswd, req_controls, &resp_controls);
+ ret = passwd_modify_userpassword(pb, targetEntry, newPasswd, req_controls, &resp_controls);
/* Set the response controls if necessary. We want to do this now
* so it is set for both the success and failure cases. The pblock
Index: pw.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/pw.c,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- pw.c 24 Nov 2008 17:16:55 -0000 1.19
+++ pw.c 16 Jan 2009 05:26:42 -0000 1.20
@@ -160,6 +160,7 @@
/* Checks if the specified value is encoded.
Returns 1 if it is and 0 otherwise
*/
+/* NGK - Use this for checking if the password is hashed */
int slapi_is_encoded (char *value)
{
struct pw_scheme *is_hashed = NULL;
@@ -554,6 +555,11 @@
time_t cur_time;
char *dn;
passwdPolicy *pwpolicy = NULL;
+ int internal_op = 0;
+ Slapi_Operation *operation = NULL;
+
+ slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
+ internal_op = slapi_operation_is_flag_set(operation, SLAPI_OP_FLAG_INTERNAL);
cur_time = current_time();
slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
@@ -588,12 +594,13 @@
/* Clear the passwordgraceusertime from the user entry */
slapi_mods_add_string(&smods, LDAP_MOD_REPLACE, "passwordgraceusertime", "0");
- /* if the password is reset by root, mark it the first time logon */
-
- if ( pb->pb_requestor_isroot == 1 &&
- pwpolicy->pw_must_change){
+ /* If the password is reset by root, mark it the first time logon. If this is an internal
+ * operation, we have a special case for the password modify extended operation where
+ * we stuff the actual user who initiated the password change in pb_conn. We check
+ * for this special case to ensure we reset the expiration date properly. */
+ if ((internal_op && pwpolicy->pw_must_change && (!pb->pb_conn || slapi_dn_isroot(pb->pb_conn->c_dn))) ||
+ (!internal_op && pwpolicy->pw_must_change && (pb->pb_requestor_isroot == 1))) {
pw_exp_date = NO_TIME;
-
} else if ( pwpolicy->pw_exp == 1 ) {
Slapi_Entry *pse = NULL;
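Review bot: The root/internal/connection predicate in the new `if` is duplicated almost verbatim in check_pw_syntax_ext in the later revision on this page and is hard to read inline; a static helper such as `static int pw_reset_by_root(Slapi_PBlock *pb, int internal_op) { return internal_op ? (!pb->pb_conn || slapi_dn_isroot(pb->pb_conn->c_dn)) : (pb->pb_requestor_isroot == 1); }` would keep the two in step. Note that an internal operation without a connection is classified as a root reset, which forces `pw_exp_date = NO_TIME` (must change on next bind) for every server-originated password write when pw_must_change is set; if that is intended, the comment should say so. The enclosing function starts and ends outside the hunk.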
@@ -757,6 +764,20 @@
int max_repeated = 0;
int num_categories = 0;
+ /* NGK - Check if password is already hashed and reject if so. */
+ /* NGK - Allow if root or if replication user */
+ if (slapi_is_encoded(slapi_value_get_string(vals[i]))) {
+ PR_snprintf( errormsg, BUFSIZ,
+ "invalid password syntax - pre-hashed passwords are not allowed");
+ if ( pwresponse_req == 1 ) {
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
+ LDAP_PWPOLICY_INVALIDPWDSYNTAX );
+ }
+ pw_send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL, errormsg, 0, NULL );
+ delete_passwdPolicy(&pwpolicy);
+ return( 1 );
+ }
+
/* check for the minimum password length */
if ( pwpolicy->pw_minlength >
ldap_utf8characters((char *)slapi_value_get_string( vals[i] )) )
[Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm ancestorid.c, 1.7, 1.8
by Noriko Hosoi
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv960
Modified Files:
ancestorid.c
Log Message:
Resolves: #469800
Summary: Slow import post-processing with large number of non-leaf entries (comment #15)
Change description:
Fixed ldbm_ancestorid_new_idl_create_index so that the ancestor key has the
value including all the descendent ids in the IDlist. The code checked in
previously only stores the direct children and their children.
Index: ancestorid.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ancestorid.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- ancestorid.c 3 Dec 2008 19:14:18 -0000 1.7
+++ ancestorid.c 15 Jan 2009 22:44:40 -0000 1.8
@@ -455,35 +455,38 @@
/* Insert into ancestorid for this node */
ret = idl_store_block(be, db_aid, &key, children, txn, ai_aid);
- if (ret != 0) {
- idl_free(children);
- break;
- }
-
- /* Get parentid for this entry */
- ret = ldbm_parentid(be, txn, id, &parentid);
if (ret != 0) {
idl_free(children);
break;
}
- /* A suffix entry does not have a parent */
- if (parentid == NOID) {
- idl_free(children);
- continue;
+ /* Get parentid(s) for this entry */
+ while (1) {
+ ret = ldbm_parentid(be, txn, id, &parentid);
+ if (ret != 0) {
+ idl_free(children);
+ goto out;
+ }
+
+ /* A suffix entry does not have a parent */
+ if (parentid == NOID) {
+ idl_free(children);
+ break;
+ }
+
+ /* Reset the key to the parent id */
+ key.size = PR_snprintf(key.data, key.ulen, "%c%lu",
+ EQ_PREFIX, (u_long)parentid);
+ key.size++;
+
+ /* Insert into ancestorid for this node's parent */
+ ret = idl_store_block(be, db_aid, &key, children, txn, ai_aid);
+ if (ret != 0) {
+ idl_free(children);
+ goto out;
+ }
+ id = parentid;
}
-
- /* Reset the key to the parent id */
- key.size = PR_snprintf(key.data, key.ulen, "%c%lu",
- EQ_PREFIX, (u_long)parentid);
- key.size++;
-
- /* Insert into ancestorid for this node's parent */
- ret = idl_store_block(be, db_aid, &key, children, txn, ai_aid);
- idl_free(children);
- if (ret != 0) {
- break;
- }
} while (nids > 0);
if (ret != 0) {
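Review bot: The new `while (1)` climbs the parentid chain with no termination guard other than reaching NOID, so a corrupt parentid index in which an entry's chain revisits an id (self-parent or a longer cycle) makes import spin forever while repeatedly calling idl_store_block; the old code visited one level and could not loop. A cheap first guard is `if (parentid == id) { idl_free(children); ret = -1; goto out; }` after the NOID check, and a depth counter bounded by the number of entries would catch longer cycles. The `out` label and the enclosing do/while start outside the hunk.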
[Fedora-directory-commits] ldapserver/ldap/schema 05rfc2247.ldif, 1.4, 1.5 28pilot.ldif, 1.5, 1.6
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/schema
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9756
Modified Files:
05rfc2247.ldif 28pilot.ldif
Log Message:
Resolves: bug 179956
Description: aRecord not defined
Index: 05rfc2247.ldif
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/schema/05rfc2247.ldif,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- 05rfc2247.ldif 19 Apr 2005 22:07:27 -0000 1.4
+++ 05rfc2247.ldif 15 Jan 2009 20:28:30 -0000 1.5
@@ -43,9 +43,6 @@
#
dn: cn=schema
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) DESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'RFC 2247' )
-attributeTypes: ( 0.9.2342.19200300.100.1.26 NAME 'dNSRecord' DESC 'Pilot attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Internet directory pilot' )
attributeTypes: ( 0.9.2342.19200300.100.1.38 NAME 'associatedName' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'RFC 1274' )
objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'Standard LDAP objectclass' SUP top AUXILIARY MUST dc X-ORIGIN 'RFC 2247' )
objectClasses: ( 0.9.2342.19200300.100.4.13 NAME 'domain' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST dc MAY ( associatedName $ businessCategory $ description $ destinationIndicator $ facsimileTelephoneNumber $ internationaliSDNNumber $ l $ o $ physicalDeliveryOfficeName $ postOfficeBox $ postalAddress $ postalCode $ preferredDeliveryMethod $ registeredAddress $ searchGuide $ seeAlso $ st $ street $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ userPassword $ x121Address ) X-ORIGIN 'RFC 2247' )
-objectClasses: ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' DESC 'Pilot objectclass' SUP domain MAY ( cn $ sn ) X-ORIGIN 'Internet directory pilot' )
-objectClasses: ( 0.9.2342.19200300.100.4.15 NAME 'DNSDomain' DESC 'Pilot objectclass' SUP domain MAY dNSRecord X-ORIGIN 'Internet directory pilot' )
Index: 28pilot.ldif
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/schema/28pilot.ldif,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- 28pilot.ldif 12 Jan 2009 23:49:44 -0000 1.5
+++ 28pilot.ldif 15 Jan 2009 20:28:30 -0000 1.6
@@ -82,12 +82,20 @@
attributeTypes: ( 0.9.2342.19200300.100.1.4 NAME 'info' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 1274' )
attributeTypes: ( 0.9.2342.19200300.100.1.8 NAME 'userClass' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 1274' )
attributeTypes: ( 0.9.2342.19200300.100.1.9 NAME 'host' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 1274' )
+attributeTypes: ( 0.9.2342.19200300.100.1.26 NAME ( 'ARecord' 'DNSRecord' ) DESC 'Pilot attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Internet directory pilot' )
+attributeTypes: ( 0.9.2342.19200300.100.1.27 NAME ( 'MDRecord' ) DESC 'Pilot attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Internet directory pilot' )
+attributeTypes: ( 0.9.2342.19200300.100.1.28 NAME ( 'MXRecord' ) DESC 'Pilot attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Internet directory pilot' )
+attributeTypes: ( 0.9.2342.19200300.100.1.29 NAME ( 'NSRecord' ) DESC 'Pilot attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Internet directory pilot' )
+attributeTypes: ( 0.9.2342.19200300.100.1.30 NAME ( 'SOARecord' ) DESC 'Pilot attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Internet directory pilot' )
+attributeTypes: ( 0.9.2342.19200300.100.1.31 NAME ( 'CNAMERecord' ) DESC 'Pilot attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Internet directory pilot' )
objectClasses: ( 0.9.2342.19200300.100.4.3 NAME 'pilotObject' DESC 'Standard LDAP objectclass' SUP top MAY ( audio $ dITRedirect $ info $ jpegPhoto $ lastModifiedBy $ lastModifiedTime $ manager $ photo $ uniqueIdentifier ) X-ORIGIN 'RFC 1274' )
objectClasses: ( 0.9.2342.19200300.100.4.4 NAME 'newPilotPerson' DESC 'Pilot objectclass' SUP person MAY ( businessCategory $ drink $ homePhone $ homePostalAddress $ janetMailbox $ mail $ mailPreferenceOption $ mobile $ organizationalStatus $ otherMailbox $ pager $ personalSignature $ personalTitle $ preferredDeliveryMethod $ roomNumber $ secretary $ textEncodedORAddress $ uid $ userClass ) X-ORIGIN 'Internet White Pages Pilot' )
objectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' DESC 'Standard LDAP objectclass' SUP top MUST ( uid ) MAY ( description $ host $ l $ o $ ou $ seeAlso ) X-ORIGIN 'RFC 1274' )
objectClasses: ( 0.9.2342.19200300.100.4.6 NAME 'document' DESC 'Standard LDAP objectclass' SUP pilotObject MUST ( documentIdentifier ) MAY ( abstract $ authorCN $ authorSN $ cn $ description $ documentAuthor $ documentLocation $ documentPublisher $ documentStore $ documentTitle $ documentVersion $ keywords $ l $ o $ obsoletedByDocument $ obsoletesDocument $ ou $ seeAlso $ subject $ updatedByDocument $ updatesDocument ) X-ORIGIN 'RFC 1274' )
objectClasses: ( 0.9.2342.19200300.100.4.7 NAME 'room' DESC 'Standard LDAP objectclass' SUP top MUST ( cn ) MAY ( description $ roomNumber $ seeAlso $ telephoneNumber ) X-ORIGIN 'RFC 1274' )
objectClasses: ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' DESC 'Standard LDAP objectclass' SUP top MUST ( cn ) MAY ( description $ l $ o $ ou $ seeAlso $ telephoneNumber ) X-ORIGIN 'RFC 1274' )
+objectClasses: ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' DESC 'Pilot objectclass' SUP domain MAY ( cn $ sn ) X-ORIGIN 'Internet directory pilot' )
+objectClasses: ( 0.9.2342.19200300.100.4.15 NAME 'DNSDomain' DESC 'Pilot objectclass' SUP domain MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord ) X-ORIGIN 'Internet directory pilot' )
objectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' DESC 'Standard LDAP objectclass' SUP top AUXILIARY MUST ( associatedDomain ) X-ORIGIN 'RFC 1274' )
objectClasses: ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' DESC 'Standard LDAP objectclass' SUP country MUST ( co ) X-ORIGIN 'RFC 1274' )
objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC 'Standard LDAP objectclass' SUP top AUXILIARY MUST ( userPassword ) X-ORIGIN 'RFC 1274' )
[Fedora-directory-commits] ldapserver/ldap/servers/slapd extendop.c, 1.11, 1.12 modify.c, 1.20, 1.21 passwd_extop.c, 1.18, 1.19
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21352/ldap/servers/slapd
Modified Files:
extendop.c modify.c passwd_extop.c
Log Message:
Resolves: 184141
Summary: Make password modify extop work properly with the password policy control.
Index: extendop.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/extendop.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- extendop.c 11 Dec 2008 23:05:23 -0000 1.11
+++ extendop.c 15 Jan 2009 18:24:48 -0000 1.12
@@ -311,6 +311,19 @@
goto free_and_return;
}
+ /* decode the optional controls - put them in the pblock */
+ if ( (lderr = get_ldapmessage_controls( pb, pb->pb_op->o_ber, NULL )) != 0 )
+ {
+ char *dn = NULL;
+ slapi_pblock_get(pb, SLAPI_CONN_DN, &dn);
+
+ op_shared_log_error_access (pb, "EXT", dn ? dn : "", "failed to decode LDAP controls");
+ send_ldap_result( pb, lderr, NULL, NULL, 0, NULL );
+
+ slapi_ch_free_string(&dn);
+ goto free_and_return;
+ }
+
slapi_pblock_set( pb, SLAPI_EXT_OP_REQ_OID, extoid );
slapi_pblock_set( pb, SLAPI_EXT_OP_REQ_VALUE, &extval );
rc = plugin_call_exop_plugins( pb, extoid );
Index: modify.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/modify.c,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- modify.c 5 Dec 2008 22:41:52 -0000 1.20
+++ modify.c 15 Jan 2009 18:24:48 -0000 1.21
@@ -437,21 +437,30 @@
static int modify_internal_pb (Slapi_PBlock *pb)
{
- LDAPControl **controls;
+ LDAPControl **controls;
+ LDAPControl *pwpolicy_ctrl;
Operation *op;
- int opresult = 0;
+ int opresult = 0;
LDAPMod **normalized_mods = NULL;
LDAPMod **mods;
LDAPMod **mod;
Slapi_Mods smods;
- int pw_change = 0;
- char *old_pw = NULL;
+ int pw_change = 0;
+ char *old_pw = NULL;
PR_ASSERT (pb != NULL);
slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
slapi_pblock_get(pb, SLAPI_CONTROLS_ARG, &controls);
+ /* See if pwpolicy control is present. We need to do
+ * this before we call op_shared_allow_pw_change() since
+ * it looks for SLAPI_PWPOLICY in the pblock to determine
+ * if the response contorl is needed. */
+ pwpolicy_ctrl = slapi_control_present( controls,
+ LDAP_X_CONTROL_PWPOLICY_REQUEST, NULL, NULL );
+ slapi_pblock_set( pb, SLAPI_PWPOLICY, &pwpolicy_ctrl );
+
if(mods == NULL)
{
opresult = LDAP_PARAM_ERROR;
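Review bot: The value stored under SLAPI_PWPOLICY is the address of an `LDAPControl *` (`pwpolicy_ctrl`, declared at the top of the hunk), but the same parameter is read back into a plain `int` in passwd_extop.c (`slapi_pblock_get( pb, SLAPI_PWPOLICY, &need_pwpolicy_ctrl )`), so the set and get sides disagree on the type. If the pblock stores this parameter by dereferencing an `int *`, the pointer is truncated to its low bytes, which happens to be non-zero on little-endian hosts but is not guaranteed elsewhere. Storing a real flag removes the ambiguity: `int pwpolicy_ctrl;` ... `pwpolicy_ctrl = (slapi_control_present( controls, LDAP_X_CONTROL_PWPOLICY_REQUEST, NULL, NULL ) != NULL);` ... `slapi_pblock_set( pb, SLAPI_PWPOLICY, &pwpolicy_ctrl );`. The comment above the call also misspells "control" as "contorl". The rest of modify_internal_pb continues outside the hunk.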
Index: passwd_extop.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/passwd_extop.c,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- passwd_extop.c 11 Dec 2008 23:05:23 -0000 1.18
+++ passwd_extop.c 15 Jan 2009 18:24:48 -0000 1.19
@@ -143,33 +143,48 @@
/* Construct Mods pblock and perform the modify operation
* Sets result of operation in SLAPI_PLUGIN_INTOP_RESULT
*/
-static int passwd_apply_mods(const char *dn, Slapi_Mods *mods)
+static int passwd_apply_mods(const char *dn, Slapi_Mods *mods, LDAPControl **req_controls,
+ LDAPControl ***resp_controls)
{
Slapi_PBlock pb;
+ LDAPControl **req_controls_copy = NULL;
+ LDAPControl **pb_resp_controls = NULL;
int ret=0;
LDAPDebug( LDAP_DEBUG_TRACE, "=> passwd_apply_mods\n", 0, 0, 0 );
if (mods && (slapi_mods_get_num_mods(mods) > 0))
{
+ /* We need to dup the request controls since the original
+ * pblock owns the ones that have been passed in. */
+ if (req_controls) {
+ slapi_add_controls(&req_controls_copy, req_controls, 1);
+ }
+
pblock_init(&pb);
slapi_modify_internal_set_pb (&pb, dn,
- slapi_mods_get_ldapmods_byref(mods),
- NULL, /* Controls */
- NULL, /* UniqueID */
- pw_get_componentID(), /* PluginID */
- 0); /* Flags */
+ slapi_mods_get_ldapmods_byref(mods),
+ req_controls_copy, NULL, /* UniqueID */
+ pw_get_componentID(), /* PluginID */
+ 0); /* Flags */
- ret =slapi_modify_internal_pb (&pb);
+ ret =slapi_modify_internal_pb (&pb);
- slapi_pblock_get(&pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
+ slapi_pblock_get(&pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
- if (ret != LDAP_SUCCESS){
- LDAPDebug(LDAP_DEBUG_TRACE, "WARNING: passwordPolicy modify error %d on entry '%s'\n",
- ret, dn, 0);
- }
+ /* Retreive and duplicate the response controls since they will be
+ * destroyed along with the pblock used for the internal operation. */
+ slapi_pblock_get(&pb, SLAPI_RESCONTROLS, &pb_resp_controls);
+ if (pb_resp_controls) {
+ slapi_add_controls(resp_controls, pb_resp_controls, 1);
+ }
- pblock_done(&pb);
+ if (ret != LDAP_SUCCESS){
+ LDAPDebug(LDAP_DEBUG_TRACE, "WARNING: passwordPolicy modify error %d on entry '%s'\n",
+ ret, dn, 0);
+ }
+
+ pblock_done(&pb);
}
LDAPDebug( LDAP_DEBUG_TRACE, "<= passwd_apply_mods: %d\n", ret, 0, 0 );
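Review bot: The header comment above passwd_apply_mods still describes only the mods and the result, while the new signature adds two control parameters whose ownership rules are the whole point of the change. The body copies `req_controls` because the caller's pblock owns the originals, and duplicates any response controls out of the internal pblock into `*resp_controls`, which the caller must then free or hand to its own pblock; `resp_controls` is also dereferenced unconditionally, so it must not be NULL. I would extend the comment with: `* req_controls are copied, not consumed; any response controls are duplicated into *resp_controls (must be non-NULL), which the caller owns.` Whether the internal pblock frees `req_controls_copy` on pblock_done is not visible here and is worth a word in the same comment.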
@@ -180,7 +195,8 @@
/* Modify the userPassword attribute field of the entry */
-static int passwd_modify_userpassword(Slapi_Entry *targetEntry, const char *newPasswd)
+static int passwd_modify_userpassword(Slapi_Entry *targetEntry, const char *newPasswd,
+ LDAPControl **req_controls, LDAPControl ***resp_controls)
{
char *dn = NULL;
int ret = 0;
@@ -193,7 +209,7 @@
slapi_mods_add_string(&smods, LDAP_MOD_REPLACE, SLAPI_USERPWD_ATTR, newPasswd);
- ret = passwd_apply_mods(dn, &smods);
+ ret = passwd_apply_mods(dn, &smods, req_controls, resp_controls);
slapi_mods_done(&smods);
@@ -432,15 +448,18 @@
char *oldPasswd = NULL;
char *newPasswd = NULL;
char *errMesg = NULL;
- int ret=0, rc=0, sasl_ssf=0;
+ int ret=0, rc=0, sasl_ssf=0, need_pwpolicy_ctrl=0;
ber_tag_t tag=0;
ber_len_t len=(ber_len_t)-1;
struct berval *extop_value = NULL;
struct berval *gen_passwd = NULL;
BerElement *ber = NULL;
BerElement *response_ber = NULL;
- Slapi_Entry *targetEntry=NULL;
+ Slapi_Entry *targetEntry=NULL;
Connection *conn = NULL;
+ LDAPControl **req_controls = NULL;
+ LDAPControl **resp_controls = NULL;
+ passwdPolicy *pwpolicy = NULL;
/* Slapi_DN sdn; */
LDAPDebug( LDAP_DEBUG_TRACE, "=> passwd_modify_extop\n", 0, 0, 0 );
@@ -589,33 +608,31 @@
}
if (oldPasswd == NULL || *oldPasswd == '\0') {
- /* If user is authenticated, they already gave their password during
- the bind operation (or used sasl or client cert auth or OS creds) */
- slapi_pblock_get(pb, SLAPI_CONN_AUTHMETHOD, &authmethod);
- if (!authmethod || !strcmp(authmethod, SLAPD_AUTH_NONE)) {
- errMesg = "User must be authenticated to the directory server.\n";
- rc = LDAP_INSUFFICIENT_ACCESS;
- goto free_and_return;
- }
+ /* If user is authenticated, they already gave their password during
+ * the bind operation (or used sasl or client cert auth or OS creds) */
+ slapi_pblock_get(pb, SLAPI_CONN_AUTHMETHOD, &authmethod);
+ if (!authmethod || !strcmp(authmethod, SLAPD_AUTH_NONE)) {
+ errMesg = "User must be authenticated to the directory server.\n";
+ rc = LDAP_INSUFFICIENT_ACCESS;
+ goto free_and_return;
+ }
}
+
+ /* Fetch the password policy. We need this in case we need to
+ * generate a password as well as for some policy checks. */
+ pwpolicy = new_passwdPolicy( pb, dn );
/* A new password was not supplied in the request, so we need to generate
* a random one and return it to the user in a response.
*/
if (newPasswd == NULL || *newPasswd == '\0') {
- passwdPolicy *pwpolicy;
int rval;
/* Do a free of newPasswd here to be safe, otherwise we may leak 1 byte */
slapi_ch_free_string( &newPasswd );
-
- pwpolicy = new_passwdPolicy( pb, dn );
-
/* Generate a new password */
rval = passwd_modify_generate_passwd( pwpolicy, &newPasswd, &errMesg );
- delete_passwdPolicy(&pwpolicy);
-
if (rval != LDAP_SUCCESS) {
if (!errMesg)
errMesg = "Error generating new password.\n";
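Review bot: The password policy is now fetched at `pwpolicy = new_passwdPolicy( pb, dn );` with `dn` exactly as received, but the fallback to the bind DN for a request without userIdentity happens only later, in the "Did they give us a DN ?" block of the next hunk. Previously the policy was only used for password generation, but this commit also uses it for the new pw_change enforcement further down, so if new_passwdPolicy selects a subtree or user policy from `dn` (likely from the signature, not shown here), a self-change request that omits userIdentity is checked against whatever an empty dn resolves to rather than the target entry's policy. Consider moving the bind-DN fallback above this fetch, or re-fetching the policy once `dn` is final and the entry has been located. The enclosing passwd_modify_extop starts and ends outside this hunk.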
@@ -659,8 +676,8 @@
/* Did they give us a DN ? */
if (dn == NULL || *dn == '\0') {
/* Get the DN from the bind identity on this connection */
- slapi_ch_free_string(&dn);
- dn = slapi_ch_strdup(bindDN);
+ slapi_ch_free_string(&dn);
+ dn = slapi_ch_strdup(bindDN);
LDAPDebug( LDAP_DEBUG_ANY,
"Missing userIdentity in request, using the bind DN instead.\n",
0, 0, 0 );
@@ -703,8 +720,14 @@
slapi_pblock_set(pb, SLAPI_BACKEND, be);
}
+ /* Check if the pwpolicy control is present */
+ slapi_pblock_get( pb, SLAPI_PWPOLICY, &need_pwpolicy_ctrl );
+
ret = slapi_access_allowed ( pb, targetEntry, SLAPI_USERPWD_ATTR, NULL, SLAPI_ACL_WRITE );
- if ( ret != LDAP_SUCCESS ) {
+ if ( ret != LDAP_SUCCESS ) {
+ if (need_pwpolicy_ctrl) {
+ slapi_pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDMODNOTALLOWED );
+ }
errMesg = "Insufficient access rights\n";
rc = LDAP_INSUFFICIENT_ACCESS;
goto free_and_return;
@@ -714,21 +737,50 @@
* They gave us a password (old), check it against the target entry
* Is the old password valid ?
*/
- if (oldPasswd && *oldPasswd) {
- ret = passwd_check_pwd(targetEntry, oldPasswd);
- if (ret) {
- /* No, then we fail this operation */
- errMesg = "Invalid oldPasswd value.\n";
- rc = ret;
- goto free_and_return;
- }
- }
-
+ if (oldPasswd && *oldPasswd) {
+ ret = passwd_check_pwd(targetEntry, oldPasswd);
+ if (ret) {
+ /* No, then we fail this operation */
+ errMesg = "Invalid oldPasswd value.\n";
+ rc = ret;
+ goto free_and_return;
+ }
+ }
+
+ /* Check if password policy allows users to change their passwords. We need to do
+ * this here since the normal modify code doesn't perform this check for
+ * internal operations. */
+ if (!pb->pb_op->o_isroot && !pb->pb_conn->c_needpw && !pwpolicy->pw_change) {
+ Slapi_DN *bindSDN = slapi_sdn_new_dn_byref(bindDN);
+ /* Is this a user modifying their own password? */
+ if (slapi_sdn_compare(bindSDN, slapi_entry_get_sdn(targetEntry))==0) {
+ if (need_pwpolicy_ctrl) {
+ slapi_pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDMODNOTALLOWED );
+ }
+ errMesg = "User is not allowed to change password\n";
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ slapi_sdn_free(&bindSDN);
+ goto free_and_return;
+ }
+ slapi_sdn_free(&bindSDN);
+ }
+ /* Fetch any present request controls so we can use them when
+ * performing the modify operation. */
+ slapi_pblock_get(pb, SLAPI_REQCONTROLS, &req_controls);
+
/* Now we're ready to make actual password change */
- ret = passwd_modify_userpassword(targetEntry, newPasswd);
+ ret = passwd_modify_userpassword(targetEntry, newPasswd, req_controls, &resp_controls);
+
+ /* Set the response controls if necessary. We want to do this now
+ * so it is set for both the success and failure cases. The pblock
+ * will now own the controls. */
+ if (resp_controls) {
+ slapi_pblock_set(pb, SLAPI_RESCONTROLS, resp_controls);
+ }
+
if (ret != LDAP_SUCCESS) {
- /* Failed to modify the password, e.g. because insufficient access allowed */
+ /* Failed to modify the password, e.g. because password policy, etc. */
errMesg = "Failed to update password\n";
rc = ret;
goto free_and_return;
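Review bot: `pwpolicy->pw_change` is dereferenced in the new policy check without a NULL test, and `pwpolicy` is initialised to NULL earlier in the function; if new_passwdPolicy can return NULL this is a crash on the request path, and if it cannot, a comment saying so would spare the next reader the same question. Note that a NULL guard of the form `if (... && pwpolicy && !pwpolicy->pw_change)` would skip the check, so if NULL is possible the safer handling is to fail the operation rather than fall through to the modify. Separately, `slapi_sdn_free(&bindSDN)` appears in both branches; computing the comparison into a local, freeing once, and then branching on the result is easier to keep correct as more exits are added. The `if (ret != LDAP_SUCCESS)` handling below continues outside the hunk.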
@@ -742,7 +794,7 @@
LDAPDebug( LDAP_DEBUG_TRACE, "<= passwd_modify_extop: %d\n", rc, 0, 0 );
/* Free anything that we allocated above */
- free_and_return:
+free_and_return:
slapi_ch_free_string(&bindDN); /* slapi_pblock_get SLAPI_CONN_DN does strdup */
slapi_ch_free_string(&oldPasswd);
slapi_ch_free_string(&newPasswd);
@@ -756,6 +808,7 @@
slapi_ch_free_string(&otdn);
slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, NULL );
slapi_ch_free_string(&authmethod);
+ delete_passwdPolicy(&pwpolicy);
if ( targetEntry != NULL ){
slapi_entry_free (targetEntry);
[Fedora-directory-commits] ldapserver/wrappers initscript.in, 1.9, 1.10
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/wrappers
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31196/wrappers
Modified Files:
initscript.in
Log Message:
Resolves: 442474
Summary: Make init script status command exit codes follow LSB standard.
Index: initscript.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/wrappers/initscript.in,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- initscript.in 14 Jan 2009 17:19:32 -0000 1.9
+++ initscript.in 14 Jan 2009 19:23:12 -0000 1.10
@@ -292,6 +292,7 @@
status() {
+ ret=0
for instance in $INSTANCES; do
if [ -f $piddir/slapd-$instance.pid ]; then
pid=`cat $piddir/slapd-$instance.pid`
@@ -299,9 +300,11 @@
echo "$prog $instance (pid $pid) is running..."
else
echo "$prog $instance dead but pid file exists"
+ ret=1
fi
else
echo "$prog $instance is stopped"
+ ret=3
fi
done
}
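Review bot: `ret` is assigned 1 or 3 inside the loop but `status` never returns it, so the function's exit status is still that of the last command in the loop (the `echo`), i.e. 0, unless the caller reads the global `$ret` (the call site is outside this hunk). Adding `return $ret` before the closing brace makes the LSB code the function's own result. With several instances the last non-running instance wins, so a dead instance followed by a stopped one reports 3 rather than 1; if that matters, only lower `ret` when it is still 0. The pid-file paths are unquoted, which predates this change.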