Branch '389-ds-base-1.3.4' - 2 commits - dirsrvtests/tickets ldap/servers
by Noriko Hosoi
dirsrvtests/tickets/ticket48228_test.py | 327 ++++++++++++++++++++++++++++++++
ldap/servers/slapd/pw.c | 193 +++++++++++-------
2 files changed, 441 insertions(+), 79 deletions(-)
New commits:
commit e62b4815f0682845992dc9a4375e1d7c5597bfba
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Aug 5 14:40:12 2015 -0700
Ticket #48228 - CI test: added test cases for ticket 48228
Description: wrong password check if passwordInHistory is decreased.
(cherry picked from commit 6b138a2091bf7d78f3bc60a13f226a39296e0f4c)
diff --git a/dirsrvtests/tickets/ticket48228_test.py b/dirsrvtests/tickets/ticket48228_test.py
new file mode 100644
index 0000000..e0595bb
--- /dev/null
+++ b/dirsrvtests/tickets/ticket48228_test.py
@@ -0,0 +1,327 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2015 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+
+log = logging.getLogger(__name__)
+
+installation_prefix = None
+
+# Assuming DEFAULT_SUFFIX is "dc=example,dc=com", otherwise it does not work... :(
+SUBTREE_CONTAINER = 'cn=nsPwPolicyContainer,' + DEFAULT_SUFFIX
+SUBTREE_PWPDN = 'cn=nsPwPolicyEntry,' + DEFAULT_SUFFIX
+SUBTREE_PWP = 'cn=cn\3DnsPwPolicyEntry\2Cdc\3Dexample\2Cdc\3Dcom,' + SUBTREE_CONTAINER
+SUBTREE_COS_TMPLDN = 'cn=nsPwTemplateEntry,' + DEFAULT_SUFFIX
+SUBTREE_COS_TMPL = 'cn=cn\3DnsPwTemplateEntry\2Cdc\3Dexample\2Cdc\3Dcom,' + SUBTREE_CONTAINER
+SUBTREE_COS_DEF = 'cn=nsPwPolicy_CoS,' + DEFAULT_SUFFIX
+
+USER1_DN = 'uid=user1,' + DEFAULT_SUFFIX
+USER2_DN = 'uid=user2,' + DEFAULT_SUFFIX
+
+class TopologyStandalone(object):
+ def __init__(self, standalone):
+ standalone.open()
+ self.standalone = standalone
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ '''
+ This fixture is used to standalone topology for the 'module'.
+ '''
+ global installation_prefix
+
+ if installation_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation_prefix
+
+ standalone = DirSrv(verbose=False)
+
+ # Args for the standalone instance
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+
+ # Get the status of the instance and restart it if it exists
+ instance_standalone = standalone.exists()
+
+ # Remove the instance
+ if instance_standalone:
+ standalone.delete()
+
+ # Create the instance
+ standalone.create()
+
+ # Used to retrieve configuration information (dbdir, confdir...)
+ standalone.open()
+
+ # clear the tmp directory
+ standalone.clearTmpDir(__file__)
+
+ # Here we have standalone instance up and running
+ return TopologyStandalone(standalone)
+
+def set_global_pwpolicy(topology, inhistory):
+ log.info(" +++++ Enable global password policy +++++\n")
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+ # Enable password policy
+ try:
+ topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on')])
+ except ldap.LDAPError, e:
+ log.error('Failed to set pwpolicy-local: error ' + e.message['desc'])
+ assert False
+
+ log.info(" Set global password history on\n")
+ try:
+ topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordHistory', 'on')])
+ except ldap.LDAPError, e:
+ log.error('Failed to set passwordHistory: error ' + e.message['desc'])
+ assert False
+
+ log.info(" Set global passwords in history\n")
+ try:
+ count = "%d" % inhistory
+ topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordInHistory', count)])
+ except ldap.LDAPError, e:
+ log.error('Failed to set passwordInHistory: error ' + e.message['desc'])
+ assert False
+
+def set_subtree_pwpolicy(topology):
+ log.info(" +++++ Enable subtree level password policy +++++\n")
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+ log.info(" Add the container")
+ try:
+ topology.standalone.add_s(Entry((SUBTREE_CONTAINER, {'objectclass': 'top nsContainer'.split(),
+ 'cn': 'nsPwPolicyContainer'})))
+ except ldap.LDAPError, e:
+ log.error('Failed to add subtree container: error ' + e.message['desc'])
+ assert False
+
+ log.info(" Add the password policy subentry {passwordHistory: on, passwordInHistory: 6}")
+ try:
+ topology.standalone.add_s(Entry((SUBTREE_PWP, {'objectclass': 'top ldapsubentry passwordpolicy'.split(),
+ 'cn': SUBTREE_PWPDN,
+ 'passwordMustChange': 'off',
+ 'passwordExp': 'off',
+ 'passwordHistory': 'on',
+ 'passwordInHistory': '6',
+ 'passwordMinAge': '0',
+ 'passwordChange': 'on',
+ 'passwordStorageScheme': 'clear'})))
+ except ldap.LDAPError, e:
+ log.error('Failed to add passwordpolicy: error ' + e.message['desc'])
+ assert False
+
+ log.info(" Add the COS template")
+ try:
+ topology.standalone.add_s(Entry((SUBTREE_COS_TMPL, {'objectclass': 'top ldapsubentry costemplate extensibleObject'.split(),
+ 'cn': SUBTREE_PWPDN,
+ 'cosPriority': '1',
+ 'cn': SUBTREE_COS_TMPLDN,
+ 'pwdpolicysubentry': SUBTREE_PWP})))
+ except ldap.LDAPError, e:
+ log.error('Failed to add COS template: error ' + e.message['desc'])
+ assert False
+
+ log.info(" Add the COS definition")
+ try:
+ topology.standalone.add_s(Entry((SUBTREE_COS_DEF, {'objectclass': 'top ldapsubentry cosSuperDefinition cosPointerDefinition'.split(),
+ 'cn': SUBTREE_PWPDN,
+ 'costemplatedn': SUBTREE_COS_TMPL,
+ 'cosAttribute': 'pwdpolicysubentry default operational-default'})))
+ except ldap.LDAPError, e:
+ log.error('Failed to add COS def: error ' + e.message['desc'])
+ assert False
+
+def check_passwd_inhistory(topology, user, cpw, passwd):
+ inhistory = 0
+ log.info(" Bind as {%s,%s}" % (user, cpw))
+ topology.standalone.simple_bind_s(user, cpw)
+ try:
+ topology.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', passwd)])
+ except ldap.LDAPError, e:
+ log.info(' The password ' + passwd + ' of user' + USER1_DN + ' in history: error ' + e.message['desc'])
+ inhistory = 1
+ return inhistory
+
+def update_passwd(topology, user, passwd, times):
+ cpw = passwd
+ loop = 0
+ while loop < times:
+ log.info(" Bind as {%s,%s}" % (user, cpw))
+ topology.standalone.simple_bind_s(user, cpw)
+ cpw = 'password%d' % loop
+ try:
+ topology.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', cpw)])
+ except ldap.LDAPError, e:
+ log.fatal('test_ticket48228: Failed to update the password ' + cpw + ' of user ' + user + ': error ' + e.message['desc'])
+ assert False
+ loop += 1
+
+ # checking the first password, which is supposed to be in history
+ inhistory = check_passwd_inhistory(topology, user, cpw, passwd)
+ assert inhistory == 1
+
+def test_ticket48228_test_global_policy(topology):
+ """
+ Check global password policy
+ """
+
+ log.info(' Set inhistory = 6')
+ set_global_pwpolicy(topology, 6)
+
+ log.info(' Bind as directory manager')
+ log.info("Bind as %s" % DN_DM)
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+
+ log.info(' Add an entry' + USER1_DN)
+ try:
+ topology.standalone.add_s(Entry((USER1_DN, {'objectclass': "top person organizationalPerson inetOrgPerson".split(),
+ 'sn': '1',
+ 'cn': 'user 1',
+ 'uid': 'user1',
+ 'givenname': 'user',
+ 'mail': 'user1(a)example.com',
+ 'userpassword': 'password'})))
+ except ldap.LDAPError, e:
+ log.fatal('test_ticket48228: Failed to add user' + USER1_DN + ': error ' + e.message['desc'])
+ assert False
+
+ log.info(' Update the password of ' + USER1_DN + ' 6 times')
+ update_passwd(topology, USER1_DN, 'password', 6)
+
+ log.info(' Set inhistory = 4')
+ set_global_pwpolicy(topology, 4)
+
+ log.info(' checking the first password, which is supposed NOT to be in history any more')
+ cpw = 'password%d' % 5
+ tpw = 'password'
+ inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw)
+ assert inhistory == 0
+
+ log.info(' checking the second password, which is supposed NOT to be in history any more')
+ cpw = tpw
+ tpw = 'password%d' % 0
+ inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw)
+ assert inhistory == 0
+
+ log.info(' checking the second password, which is supposed NOT to be in history any more')
+ cpw = tpw
+ tpw = 'password%d' % 1
+ inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw)
+ assert inhistory == 0
+
+ log.info(' checking the third password, which is supposed to be in history')
+ cpw = tpw
+ tpw = 'password%d' % 2
+ inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw)
+ assert inhistory == 1
+
+ log.info("Global policy was successfully verified.")
+
+def test_ticket48228_test_subtree_policy(topology):
+ """
+ Check subtree level password policy
+ """
+
+ log.info(' Set inhistory = 6')
+ set_subtree_pwpolicy(topology)
+
+ log.info(' Bind as directory manager')
+ log.info("Bind as %s" % DN_DM)
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+
+ log.info(' Add an entry' + USER2_DN)
+ try:
+ topology.standalone.add_s(Entry((USER2_DN, {'objectclass': "top person organizationalPerson inetOrgPerson".split(),
+ 'sn': '2',
+ 'cn': 'user 2',
+ 'uid': 'user2',
+ 'givenname': 'user',
+ 'mail': 'user2(a)example.com',
+ 'userpassword': 'password'})))
+ except ldap.LDAPError, e:
+ log.fatal('test_ticket48228: Failed to add user' + USER2_DN + ': error ' + e.message['desc'])
+ assert False
+
+ log.info(' Update the password of ' + USER2_DN + ' 6 times')
+ update_passwd(topology, USER2_DN, 'password', 6)
+
+ log.info(' Set inhistory = 4')
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+ try:
+ topology.standalone.modify_s(SUBTREE_PWP, [(ldap.MOD_REPLACE, 'passwordInHistory', '4')])
+ except ldap.LDAPError, e:
+ log.error('Failed to set pwpolicy-local: error ' + e.message['desc'])
+ assert False
+
+ log.info(' checking the first password, which is supposed NOT to be in history any more')
+ cpw = 'password%d' % 5
+ tpw = 'password'
+ inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw)
+ assert inhistory == 0
+
+ log.info(' checking the second password, which is supposed NOT to be in history any more')
+ cpw = tpw
+ tpw = 'password%d' % 0
+ inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw)
+ assert inhistory == 0
+
+ log.info(' checking the second password, which is supposed NOT to be in history any more')
+ cpw = tpw
+ tpw = 'password%d' % 1
+ inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw)
+ assert inhistory == 0
+
+ log.info(' checking the third password, which is supposed to be in history')
+ cpw = tpw
+ tpw = 'password%d' % 2
+ inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw)
+ assert inhistory == 1
+
+ log.info("Subtree level policy was successfully verified.")
+
+def test_ticket48228_final(topology):
+ topology.standalone.delete()
+ log.info('Testcase PASSED')
+
+def run_isolated():
+ '''
+ run_isolated is used to run these test cases independently of a test scheduler (xunit, py.test..)
+ To run isolated without py.test, you need to
+ - edit this file and comment '@pytest.fixture' line before 'topology' function.
+ - set the installation prefix
+ - run this program
+ '''
+ global installation_prefix
+ installation_prefix = None
+
+ topo = topology(True)
+ log.info('Testing Ticket 48228 - wrong password check if passwordInHistory is decreased')
+
+ test_ticket48228_test_global_policy(topo)
+
+ test_ticket48228_test_subtree_policy(topo)
+
+ test_ticket48228_final(topo)
+
+
+if __name__ == '__main__':
+ run_isolated()
+
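Review bot: `check_passwd_inhistory` sets `inhistory = 1` for any `ldap.LDAPError`, so every `assert inhistory == 1` also passes when the modify is refused for an unrelated reason such as insufficient access, an unreachable server or a different policy rule. Narrow the handler to the result the server returns for a history hit, `except ldap.CONSTRAINT_VIOLATION, e:`, and let any other error fail the test. The log line in that handler also prints `USER1_DN` where it should print the `user` argument, which is misleading in the subtree test that passes `USER2_DN`. The copy of this file under commit 6b138a2 further down the page has the same handler.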
commit dd85ee9c9ac24f1b141dd806943de236d2e44c90
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Aug 3 18:49:58 2015 -0700
Ticket #48228 - wrong password check if passwordInHistory is decreased.
Bug Description: When N passwords are to be remembered (passwordInHistory)
and N passwords are remembered, decreasing the passwordInHistory value
to M (< N) does not allow the oldest password to be used, although it should
have been discarded from the history and should be allowed.
Fix Description: Before checking whether the password is in the history,
check whether the passwordInHistory value (M) is less than the
count of passwords remembered (N). If M < N, discard the (N-M) oldest
passwords.
https://fedorahosted.org/389/ticket/48228
Reviewed by mreynolds(a)redhat.com (Thank you, Mark!!)
(cherry picked from commit 1a119125856006543aae0520b5800a8b52c3b049)
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index f883010..3abebbf 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -613,7 +613,7 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw)
/* update passwordHistory */
if ( old_pw != NULL && pwpolicy->pw_history == 1 ) {
- update_pw_history(pb, sdn, old_pw);
+ (void)update_pw_history(pb, sdn, old_pw);
slapi_ch_free ( (void**)&old_pw );
}
@@ -654,8 +654,7 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw)
*/
if ((internal_op && pwpolicy->pw_must_change && (!pb->pb_conn || strcasecmp(target_dn, pb->pb_conn->c_dn))) ||
(!internal_op && pwpolicy->pw_must_change &&
- ((target_dn && bind_dn && strcasecmp(target_dn, bind_dn)) && pw_is_pwp_admin(pb, pwpolicy))))
- {
+ ((target_dn && bind_dn && strcasecmp(target_dn, bind_dn)) && pw_is_pwp_admin(pb, pwpolicy)))) {
pw_exp_date = NO_TIME;
} else if ( pwpolicy->pw_exp == 1 ) {
Slapi_Entry *pse = NULL;
@@ -996,6 +995,7 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
/* get the entry and check for the password history if this is called by a modify operation */
if ( mod_op ) {
+retry:
/* retrieve the entry */
e = get_entry ( pb, dn );
if ( e == NULL ) {
@@ -1004,19 +1004,21 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
/* check for password history */
if ( pwpolicy->pw_history == 1 ) {
+ Slapi_Value **va = NULL;
attr = attrlist_find(e->e_attrs, "passwordHistory");
- if (attr &&
- !valueset_isempty(&attr->a_present_values))
- {
- Slapi_Value **va= attr_get_present_values(attr);
+ if (attr && !valueset_isempty(&attr->a_present_values)) {
+ /* Resetting password history array if necessary. */
+ if (0 == update_pw_history(pb, sdn, NULL)) {
+ /* There was an update in the password history. Retry... */
+ slapi_entry_free(e);
+ goto retry;
+ }
+ va = attr_get_present_values(attr);
if ( pw_in_history( va, vals[0] ) == 0 ) {
if ( pwresponse_req == 1 ) {
- slapi_pwpolicy_make_response_control ( pb, -1, -1,
- LDAP_PWPOLICY_PWDINHISTORY );
+ slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDINHISTORY);
}
- pw_send_ldap_result ( pb,
- LDAP_CONSTRAINT_VIOLATION, NULL,
- "password in history", 0, NULL );
+ pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL);
slapi_entry_free( e );
return ( 1 );
}
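Review bot: The new `goto retry` has no bound: each time `update_pw_history(pb, sdn, NULL)` returns 0 the entry is freed and refetched, and the loop ends only if the refetched entry really shows the trimmed `passwordHistory`. If `get_entry` can hand back a stale copy after the internal modify (not visible from this hunk), a password change would spin here. A one-shot guard is safer, e.g. a local `int retried = 0;` and `if (!retried && 0 == update_pw_history(pb, sdn, NULL)) { retried = 1; ...`. A short comment that this check path now writes to the entry would also help. The `retry:` label is in the preceding hunk, and `check_pw_syntax_ext` starts and ends outside both.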
@@ -1024,26 +1026,17 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
/* get current password. check it and remember it */
attr = attrlist_find(e->e_attrs, "userpassword");
- if (attr && !valueset_isempty(&attr->a_present_values))
- {
- Slapi_Value **va= valueset_get_valuearray(&attr->a_present_values);
- if (slapi_is_encoded((char*)slapi_value_get_string(vals[0])))
- {
- if (slapi_attr_value_find(attr, (struct berval *)slapi_value_get_berval(vals[0])) == 0 )
- {
- pw_send_ldap_result ( pb,
- LDAP_CONSTRAINT_VIOLATION ,NULL,
- "password in history", 0, NULL);
+ if (attr && !valueset_isempty(&attr->a_present_values)) {
+ va = valueset_get_valuearray(&attr->a_present_values);
+ if (slapi_is_encoded((char*)slapi_value_get_string(vals[0]))) {
+ if (slapi_attr_value_find(attr, (struct berval *)slapi_value_get_berval(vals[0])) == 0 ) {
+ pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL);
slapi_entry_free( e );
return ( 1 );
}
- } else
- {
- if ( slapi_pw_find_sv ( va, vals[0] ) == 0 )
- {
- pw_send_ldap_result ( pb,
- LDAP_CONSTRAINT_VIOLATION ,NULL,
- "password in history", 0, NULL);
+ } else {
+ if ( slapi_pw_find_sv ( va, vals[0] ) == 0 ) {
+ pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL);
slapi_entry_free( e );
return ( 1 );
}
@@ -1086,68 +1079,112 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
}
+/*
+ * Basically, h0 and h1 must be longer than GENERALIZED_TIME_LENGTH.
+ */
+static int
+pw_history_cmp(const void *h0, const void *h1)
+{
+ size_t h0sz = 0;
+ size_t h1sz = 0;
+ if (!h0) {
+ if (!h1) {
+ return 0;
+ } else {
+ return -1;
+ }
+ } else {
+ if (!h1) {
+ return 1;
+ } else {
+ size_t delta;
+ h0sz = strlen(h0);
+ h1sz = strlen(h1);
+ delta = h0sz - h1sz;
+ if (!delta) {
+ return delta;
+ }
+ if (h0sz < GENERALIZED_TIME_LENGTH) {
+ /* too short for the history str. */
+ return 0;
+ }
+ }
+ }
+ return PL_strncmp(h0, h1, GENERALIZED_TIME_LENGTH);
+}
+
+
static int
update_pw_history( Slapi_PBlock *pb, const Slapi_DN *sdn, char *old_pw )
{
- time_t t, old_t, cur_time;
- int i = 0, oldest = 0;
- int res;
- Slapi_Entry *e;
- Slapi_Attr *attr;
+ time_t cur_time;
+ int res = 1; /* no update, by default */
+ Slapi_Entry *e = NULL;
LDAPMod attribute;
- char *values_replace[25]; /* 2-24 passwords in history */
LDAPMod *list_of_mods[2];
Slapi_PBlock mod_pb;
- char *history_str;
- char *str;
+ char *str = NULL;
passwdPolicy *pwpolicy = NULL;
const char *dn = slapi_sdn_get_dn(sdn);
+ char **values_replace = NULL;
+ int vacnt = 0;
+ int vacnt_todelete = 0;
pwpolicy = new_passwdPolicy(pb, dn);
/* retrieve the entry */
e = get_entry ( pb, dn );
if ( e == NULL ) {
- return ( 1 );
+ return res;
}
- history_str = (char *)slapi_ch_malloc(GENERALIZED_TIME_LENGTH + strlen(old_pw) + 1);
- /* get password history, and find the oldest password in history */
- cur_time = current_time ();
- old_t = cur_time;
- str = format_genTime ( cur_time );
- attr = attrlist_find(e->e_attrs, "passwordHistory");
- if (attr && !valueset_isempty(&attr->a_present_values))
- {
- Slapi_Value **va= valueset_get_valuearray(&attr->a_present_values);
- for ( i = oldest = 0 ;
- (va[i] != NULL) && (slapi_value_get_length(va[i]) > 0) ;
- i++ ) {
-
- values_replace[i] = (char*)slapi_value_get_string(va[i]);
- strncpy( history_str, values_replace[i], GENERALIZED_TIME_LENGTH);
- history_str[GENERALIZED_TIME_LENGTH] = '\0';
- if (history_str[GENERALIZED_TIME_LENGTH - 1] != 'Z'){
- /* The time is not a generalized Time. Probably a password history from 4.x */
- history_str[GENERALIZED_TIME_LENGTH - 1] = '\0';
- }
- t = parse_genTime ( history_str );
- if ( difftime ( t, old_t ) < 0 ) {
- oldest = i;
- old_t = t;
- }
+ /* get password history */
+ values_replace = slapi_entry_attr_get_charray_ext(e, "passwordHistory", &vacnt);
+ if (old_pw) {
+ /* we have a password to replace with the oldest one in the history. */
+ if (!values_replace || !vacnt) { /* This is the first one to store */
+ values_replace = (char **)slapi_ch_calloc(2, sizeof(char *));
}
+ } else {
+ /* we are checking the history size if it stores more than the current inhistory count. */
+ if (!values_replace || !vacnt) { /* nothing to revise */
+ res = 1;
+ goto bail;
+ }
+ /*
+ * If revising the passwords in the passwordHistory values
+ * and the password count in the value array is less than the inhistory,
+ * we have nothing to do.
+ */
+ if (vacnt <= pwpolicy->pw_inhistory) {
+ res = 1;
+ goto bail;
+ }
+ vacnt_todelete = vacnt - pwpolicy->pw_inhistory;
}
- strcpy ( history_str, str );
- strcat ( history_str, old_pw );
- if ( i >= pwpolicy->pw_inhistory ) {
- /* replace the oldest password in history */
- values_replace[oldest] = history_str;
- values_replace[pwpolicy->pw_inhistory] = NULL;
+
+ cur_time = current_time();
+ str = format_genTime(cur_time);
+ /* values_replace is sorted. */
+ if (old_pw) {
+ if ( vacnt >= pwpolicy->pw_inhistory ) {
+ slapi_ch_free_string(&values_replace[0]);
+ values_replace[0] = slapi_ch_smprintf("%s%s", str, old_pw);
+ } else {
+ /* add old_pw at the end of password history */
+ values_replace = (char **)slapi_ch_realloc((char *)values_replace, sizeof(char *) * (vacnt + 2));
+ values_replace[vacnt] = slapi_ch_smprintf("%s%s", str, old_pw);
+ values_replace[vacnt+1] = NULL;
+ }
+ qsort((void *)values_replace, vacnt, (size_t)sizeof(char *), pw_history_cmp);
} else {
- /* add old_pw at the end of password history */
- values_replace[i] = history_str;
- values_replace[++i]=NULL;
+ int i;
+ /* vacnt > pwpolicy->pw_inhistory */
+ for (i = 0; i < vacnt_todelete; i++) {
+ slapi_ch_free_string(&values_replace[i]);
+ }
+ memmove(values_replace, values_replace + vacnt_todelete, sizeof(char *) * pwpolicy->pw_inhistory);
+ values_replace[pwpolicy->pw_inhistory] = NULL;
}
/* modify the attribute */
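Review bot: `pw_history_cmp` treats `h0` and `h1` as the history strings, but `qsort` on `values_replace` passes pointers to the `char *` slots, so `strlen(h0)` and `PL_strncmp(h0, h1, ...)` read the pointer array itself and not the timestamps. The comparator also returns 0 whenever the two values have the same length, which would leave equal-length entries unordered even once the dereference is fixed. This matters for the policy itself: the `old_pw == NULL` branch of `update_pw_history` frees the first `vacnt_todelete` slots on the assumption that the array is oldest-first, so a wrong order removes the wrong passwords from the history. That branch never sorts, so it should sort before trimming instead of relying on stored order. A corrected comparator is sketched below; the tail of `update_pw_history` is in the next hunk.

```c
static int
pw_history_cmp(const void *h0, const void *h1)
{
    /* qsort passes pointers to the array elements, i.e. char ** */
    const char *s0 = h0 ? *(char * const *)h0 : NULL;
    const char *s1 = h1 ? *(char * const *)h1 : NULL;

    if (!s0 || !s1) {
        return (s0 != NULL) - (s1 != NULL);
    }
    if (strlen(s0) < GENERALIZED_TIME_LENGTH || strlen(s1) < GENERALIZED_TIME_LENGTH) {
        /* too short for the history str. */
        return 0;
    }
    return PL_strncmp(s0, s1, GENERALIZED_TIME_LENGTH);
}
/* … unchanged: update_pw_history … */
```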
@@ -1159,21 +1196,19 @@ update_pw_history( Slapi_PBlock *pb, const Slapi_DN *sdn, char *old_pw )
list_of_mods[1] = NULL;
pblock_init(&mod_pb);
- slapi_modify_internal_set_pb_ext(&mod_pb, sdn, list_of_mods, NULL, NULL,
- pw_get_componentID(), 0);
+ slapi_modify_internal_set_pb_ext(&mod_pb, sdn, list_of_mods, NULL, NULL, pw_get_componentID(), 0);
slapi_modify_internal_pb(&mod_pb);
slapi_pblock_get(&mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &res);
if (res != LDAP_SUCCESS){
LDAPDebug2Args(LDAP_DEBUG_ANY,
"WARNING: passwordPolicy modify error %d on entry '%s'\n", res, dn);
}
-
pblock_done(&mod_pb);
-
- slapi_ch_free((void **) &str );
- slapi_ch_free((void **) &history_str );
+ slapi_ch_free_string(&str);
+bail:
+ slapi_ch_array_free(values_replace);
slapi_entry_free( e );
- return 0;
+ return res;
}
static
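Review bot: `update_pw_history` now returns a value that callers act on, but nothing documents it. `res` starts at 1 for "no update" and is then overwritten with the internal modify result, and `check_pw_syntax_ext` retries only on 0. Add a header comment such as `/* Returns 0 if passwordHistory was rewritten; non-zero if nothing needed changing or the internal modify failed. */`. The function's signature is in the previous hunk.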
2 commits - dirsrvtests/tickets ldap/servers
by Noriko Hosoi
dirsrvtests/tickets/ticket48228_test.py | 327 ++++++++++++++++++++++++++++++++
ldap/servers/slapd/pw.c | 193 +++++++++++-------
2 files changed, 441 insertions(+), 79 deletions(-)
New commits:
commit 6b138a2091bf7d78f3bc60a13f226a39296e0f4c
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Aug 5 14:40:12 2015 -0700
Ticket #48228 - CI test: added test cases for ticket 48228
Description: wrong password check if passwordInHistory is decreased.
diff --git a/dirsrvtests/tickets/ticket48228_test.py b/dirsrvtests/tickets/ticket48228_test.py
new file mode 100644
index 0000000..e0595bb
--- /dev/null
+++ b/dirsrvtests/tickets/ticket48228_test.py
@@ -0,0 +1,327 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2015 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+
+log = logging.getLogger(__name__)
+
+installation_prefix = None
+
+# Assuming DEFAULT_SUFFIX is "dc=example,dc=com", otherwise it does not work... :(
+SUBTREE_CONTAINER = 'cn=nsPwPolicyContainer,' + DEFAULT_SUFFIX
+SUBTREE_PWPDN = 'cn=nsPwPolicyEntry,' + DEFAULT_SUFFIX
+SUBTREE_PWP = 'cn=cn\3DnsPwPolicyEntry\2Cdc\3Dexample\2Cdc\3Dcom,' + SUBTREE_CONTAINER
+SUBTREE_COS_TMPLDN = 'cn=nsPwTemplateEntry,' + DEFAULT_SUFFIX
+SUBTREE_COS_TMPL = 'cn=cn\3DnsPwTemplateEntry\2Cdc\3Dexample\2Cdc\3Dcom,' + SUBTREE_CONTAINER
+SUBTREE_COS_DEF = 'cn=nsPwPolicy_CoS,' + DEFAULT_SUFFIX
+
+USER1_DN = 'uid=user1,' + DEFAULT_SUFFIX
+USER2_DN = 'uid=user2,' + DEFAULT_SUFFIX
+
+class TopologyStandalone(object):
+ def __init__(self, standalone):
+ standalone.open()
+ self.standalone = standalone
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ '''
+ This fixture is used to standalone topology for the 'module'.
+ '''
+ global installation_prefix
+
+ if installation_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation_prefix
+
+ standalone = DirSrv(verbose=False)
+
+ # Args for the standalone instance
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+
+ # Get the status of the instance and restart it if it exists
+ instance_standalone = standalone.exists()
+
+ # Remove the instance
+ if instance_standalone:
+ standalone.delete()
+
+ # Create the instance
+ standalone.create()
+
+ # Used to retrieve configuration information (dbdir, confdir...)
+ standalone.open()
+
+ # clear the tmp directory
+ standalone.clearTmpDir(__file__)
+
+ # Here we have standalone instance up and running
+ return TopologyStandalone(standalone)
+
+def set_global_pwpolicy(topology, inhistory):
+ log.info(" +++++ Enable global password policy +++++\n")
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+ # Enable password policy
+ try:
+ topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on')])
+ except ldap.LDAPError, e:
+ log.error('Failed to set pwpolicy-local: error ' + e.message['desc'])
+ assert False
+
+ log.info(" Set global password history on\n")
+ try:
+ topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordHistory', 'on')])
+ except ldap.LDAPError, e:
+ log.error('Failed to set passwordHistory: error ' + e.message['desc'])
+ assert False
+
+ log.info(" Set global passwords in history\n")
+ try:
+ count = "%d" % inhistory
+ topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordInHistory', count)])
+ except ldap.LDAPError, e:
+ log.error('Failed to set passwordInHistory: error ' + e.message['desc'])
+ assert False
+
+def set_subtree_pwpolicy(topology):
+ log.info(" +++++ Enable subtree level password policy +++++\n")
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+ log.info(" Add the container")
+ try:
+ topology.standalone.add_s(Entry((SUBTREE_CONTAINER, {'objectclass': 'top nsContainer'.split(),
+ 'cn': 'nsPwPolicyContainer'})))
+ except ldap.LDAPError, e:
+ log.error('Failed to add subtree container: error ' + e.message['desc'])
+ assert False
+
+ log.info(" Add the password policy subentry {passwordHistory: on, passwordInHistory: 6}")
+ try:
+ topology.standalone.add_s(Entry((SUBTREE_PWP, {'objectclass': 'top ldapsubentry passwordpolicy'.split(),
+ 'cn': SUBTREE_PWPDN,
+ 'passwordMustChange': 'off',
+ 'passwordExp': 'off',
+ 'passwordHistory': 'on',
+ 'passwordInHistory': '6',
+ 'passwordMinAge': '0',
+ 'passwordChange': 'on',
+ 'passwordStorageScheme': 'clear'})))
+ except ldap.LDAPError, e:
+ log.error('Failed to add passwordpolicy: error ' + e.message['desc'])
+ assert False
+
+ log.info(" Add the COS template")
+ try:
+ topology.standalone.add_s(Entry((SUBTREE_COS_TMPL, {'objectclass': 'top ldapsubentry costemplate extensibleObject'.split(),
+ 'cn': SUBTREE_PWPDN,
+ 'cosPriority': '1',
+ 'cn': SUBTREE_COS_TMPLDN,
+ 'pwdpolicysubentry': SUBTREE_PWP})))
+ except ldap.LDAPError, e:
+ log.error('Failed to add COS template: error ' + e.message['desc'])
+ assert False
+
+ log.info(" Add the COS definition")
+ try:
+ topology.standalone.add_s(Entry((SUBTREE_COS_DEF, {'objectclass': 'top ldapsubentry cosSuperDefinition cosPointerDefinition'.split(),
+ 'cn': SUBTREE_PWPDN,
+ 'costemplatedn': SUBTREE_COS_TMPL,
+ 'cosAttribute': 'pwdpolicysubentry default operational-default'})))
+ except ldap.LDAPError, e:
+ log.error('Failed to add COS def: error ' + e.message['desc'])
+ assert False
+
+def check_passwd_inhistory(topology, user, cpw, passwd):
+ inhistory = 0
+ log.info(" Bind as {%s,%s}" % (user, cpw))
+ topology.standalone.simple_bind_s(user, cpw)
+ try:
+ topology.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', passwd)])
+ except ldap.LDAPError, e:
+ log.info(' The password ' + passwd + ' of user' + USER1_DN + ' in history: error ' + e.message['desc'])
+ inhistory = 1
+ return inhistory
+
+def update_passwd(topology, user, passwd, times):
+ cpw = passwd
+ loop = 0
+ while loop < times:
+ log.info(" Bind as {%s,%s}" % (user, cpw))
+ topology.standalone.simple_bind_s(user, cpw)
+ cpw = 'password%d' % loop
+ try:
+ topology.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', cpw)])
+ except ldap.LDAPError, e:
+ log.fatal('test_ticket48228: Failed to update the password ' + cpw + ' of user ' + user + ': error ' + e.message['desc'])
+ assert False
+ loop += 1
+
+ # checking the first password, which is supposed to be in history
+ inhistory = check_passwd_inhistory(topology, user, cpw, passwd)
+ assert inhistory == 1
+
+def test_ticket48228_test_global_policy(topology):
+ """
+ Check global password policy
+ """
+
+ log.info(' Set inhistory = 6')
+ set_global_pwpolicy(topology, 6)
+
+ log.info(' Bind as directory manager')
+ log.info("Bind as %s" % DN_DM)
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+
+ log.info(' Add an entry' + USER1_DN)
+ try:
+ topology.standalone.add_s(Entry((USER1_DN, {'objectclass': "top person organizationalPerson inetOrgPerson".split(),
+ 'sn': '1',
+ 'cn': 'user 1',
+ 'uid': 'user1',
+ 'givenname': 'user',
+ 'mail': 'user1(a)example.com',
+ 'userpassword': 'password'})))
+ except ldap.LDAPError, e:
+ log.fatal('test_ticket48228: Failed to add user' + USER1_DN + ': error ' + e.message['desc'])
+ assert False
+
+ log.info(' Update the password of ' + USER1_DN + ' 6 times')
+ update_passwd(topology, USER1_DN, 'password', 6)
+
+ log.info(' Set inhistory = 4')
+ set_global_pwpolicy(topology, 4)
+
+ log.info(' checking the first password, which is supposed NOT to be in history any more')
+ cpw = 'password%d' % 5
+ tpw = 'password'
+ inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw)
+ assert inhistory == 0
+
+ log.info(' checking the second password, which is supposed NOT to be in history any more')
+ cpw = tpw
+ tpw = 'password%d' % 0
+ inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw)
+ assert inhistory == 0
+
+ log.info(' checking the second password, which is supposed NOT to be in history any more')
+ cpw = tpw
+ tpw = 'password%d' % 1
+ inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw)
+ assert inhistory == 0
+
+ log.info(' checking the third password, which is supposed to be in history')
+ cpw = tpw
+ tpw = 'password%d' % 2
+ inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw)
+ assert inhistory == 1
+
+ log.info("Global policy was successfully verified.")
+
+def test_ticket48228_test_subtree_policy(topology):
+ """
+ Check subtree level password policy
+ """
+
+ log.info(' Set inhistory = 6')
+ set_subtree_pwpolicy(topology)
+
+ log.info(' Bind as directory manager')
+ log.info("Bind as %s" % DN_DM)
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+
+ log.info(' Add an entry' + USER2_DN)
+ try:
+ topology.standalone.add_s(Entry((USER2_DN, {'objectclass': "top person organizationalPerson inetOrgPerson".split(),
+ 'sn': '2',
+ 'cn': 'user 2',
+ 'uid': 'user2',
+ 'givenname': 'user',
+ 'mail': 'user2(a)example.com',
+ 'userpassword': 'password'})))
+ except ldap.LDAPError, e:
+ log.fatal('test_ticket48228: Failed to add user' + USER2_DN + ': error ' + e.message['desc'])
+ assert False
+
+ log.info(' Update the password of ' + USER2_DN + ' 6 times')
+ update_passwd(topology, USER2_DN, 'password', 6)
+
+ log.info(' Set inhistory = 4')
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+ try:
+ topology.standalone.modify_s(SUBTREE_PWP, [(ldap.MOD_REPLACE, 'passwordInHistory', '4')])
+ except ldap.LDAPError, e:
+ log.error('Failed to set pwpolicy-local: error ' + e.message['desc'])
+ assert False
+
+ log.info(' checking the first password, which is supposed NOT to be in history any more')
+ cpw = 'password%d' % 5
+ tpw = 'password'
+ inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw)
+ assert inhistory == 0
+
+ log.info(' checking the second password, which is supposed NOT to be in history any more')
+ cpw = tpw
+ tpw = 'password%d' % 0
+ inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw)
+ assert inhistory == 0
+
+ log.info(' checking the second password, which is supposed NOT to be in history any more')
+ cpw = tpw
+ tpw = 'password%d' % 1
+ inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw)
+ assert inhistory == 0
+
+ log.info(' checking the third password, which is supposed to be in history')
+ cpw = tpw
+ tpw = 'password%d' % 2
+ inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw)
+ assert inhistory == 1
+
+ log.info("Subtree level policy was successfully verified.")
+
+def test_ticket48228_final(topology):
+ topology.standalone.delete()
+ log.info('Testcase PASSED')
+
+def run_isolated():
+ '''
+ run_isolated is used to run these test cases independently of a test scheduler (xunit, py.test..)
+ To run isolated without py.test, you need to
+ - edit this file and comment '@pytest.fixture' line before 'topology' function.
+ - set the installation prefix
+ - run this program
+ '''
+ global installation_prefix
+ installation_prefix = None
+
+ topo = topology(True)
+ log.info('Testing Ticket 48228 - wrong password check if passwordInHistory is decreased')
+
+ test_ticket48228_test_global_policy(topo)
+
+ test_ticket48228_test_subtree_policy(topo)
+
+ test_ticket48228_final(topo)
+
+
+if __name__ == '__main__':
+ run_isolated()
+
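Review bot: The `\3D` and `\2C` sequences in `SUBTREE_PWP` and `SUBTREE_COS_TMPL` sit in ordinary string literals, so Python reads `\3` and `\2` as octal escapes. As shown, the DNs therefore contain the control characters 0x03 and 0x02 followed by `D`/`C`, not the escaped `=` and `,` that were presumably intended. The test still runs because the same constants are used both to add and to reference the entries, but the subentries get names that do not match the escaped-DN naming the constants suggest. Make the literals raw, e.g. `SUBTREE_PWP = r'cn=cn\3DnsPwPolicyEntry\2Cdc\3Dexample\2Cdc\3Dcom,' + SUBTREE_CONTAINER`, and likewise for `SUBTREE_COS_TMPL`. The first copy of this file earlier on the page has the same literals.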
commit 1a119125856006543aae0520b5800a8b52c3b049
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Aug 3 18:49:58 2015 -0700
Ticket #48228 - wrong password check if passwordInHistory is decreased.
Bug Description: When N passwords are to be remembered (passwordInHistory)
and N passwords are remembered, decreasing the passwordInHistory value
to M (< N) does not allow the oldest password to be used, although it should
have been discarded from the history and should be allowed.
Fix Description: Before checking whether the password is in the history,
check whether the passwordInHistory value (M) is less than the
count of passwords remembered (N). If M < N, discard the (N-M) oldest
passwords.
https://fedorahosted.org/389/ticket/48228
Reviewed by mreynolds(a)redhat.com (Thank you, Mark!!)
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index f883010..3abebbf 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -613,7 +613,7 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw)
/* update passwordHistory */
if ( old_pw != NULL && pwpolicy->pw_history == 1 ) {
- update_pw_history(pb, sdn, old_pw);
+ (void)update_pw_history(pb, sdn, old_pw);
slapi_ch_free ( (void**)&old_pw );
}
@@ -654,8 +654,7 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw)
*/
if ((internal_op && pwpolicy->pw_must_change && (!pb->pb_conn || strcasecmp(target_dn, pb->pb_conn->c_dn))) ||
(!internal_op && pwpolicy->pw_must_change &&
- ((target_dn && bind_dn && strcasecmp(target_dn, bind_dn)) && pw_is_pwp_admin(pb, pwpolicy))))
- {
+ ((target_dn && bind_dn && strcasecmp(target_dn, bind_dn)) && pw_is_pwp_admin(pb, pwpolicy)))) {
pw_exp_date = NO_TIME;
} else if ( pwpolicy->pw_exp == 1 ) {
Slapi_Entry *pse = NULL;
@@ -996,6 +995,7 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
/* get the entry and check for the password history if this is called by a modify operation */
if ( mod_op ) {
+retry:
/* retrieve the entry */
e = get_entry ( pb, dn );
if ( e == NULL ) {
@@ -1004,19 +1004,21 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
/* check for password history */
if ( pwpolicy->pw_history == 1 ) {
+ Slapi_Value **va = NULL;
attr = attrlist_find(e->e_attrs, "passwordHistory");
- if (attr &&
- !valueset_isempty(&attr->a_present_values))
- {
- Slapi_Value **va= attr_get_present_values(attr);
+ if (attr && !valueset_isempty(&attr->a_present_values)) {
+ /* Resetting password history array if necessary. */
+ if (0 == update_pw_history(pb, sdn, NULL)) {
+ /* There was an update in the password history. Retry... */
+ slapi_entry_free(e);
+ goto retry;
+ }
+ va = attr_get_present_values(attr);
if ( pw_in_history( va, vals[0] ) == 0 ) {
if ( pwresponse_req == 1 ) {
- slapi_pwpolicy_make_response_control ( pb, -1, -1,
- LDAP_PWPOLICY_PWDINHISTORY );
+ slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDINHISTORY);
}
- pw_send_ldap_result ( pb,
- LDAP_CONSTRAINT_VIOLATION, NULL,
- "password in history", 0, NULL );
+ pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL);
slapi_entry_free( e );
return ( 1 );
}
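Review bot: The `goto retry` added after `update_pw_history(pb, sdn, NULL)` has no bound, so termination depends on the re-read entry already showing the shortened passwordHistory. If that is ever not the case (inferred; the read path is outside the hunk), a password modify would spin here. With an `int retried = 0;` among the locals, a one-shot guard keeps the re-check without the open loop: `if (!retried && 0 == update_pw_history(pb, sdn, NULL)) { retried = 1; slapi_entry_free(e); goto retry; }`. This check path also now writes to the entry before the new password has been accepted, which deserves a line in the comment. `check_pw_syntax_ext` starts before and continues after this hunk.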
@@ -1024,26 +1026,17 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
/* get current password. check it and remember it */
attr = attrlist_find(e->e_attrs, "userpassword");
- if (attr && !valueset_isempty(&attr->a_present_values))
- {
- Slapi_Value **va= valueset_get_valuearray(&attr->a_present_values);
- if (slapi_is_encoded((char*)slapi_value_get_string(vals[0])))
- {
- if (slapi_attr_value_find(attr, (struct berval *)slapi_value_get_berval(vals[0])) == 0 )
- {
- pw_send_ldap_result ( pb,
- LDAP_CONSTRAINT_VIOLATION ,NULL,
- "password in history", 0, NULL);
+ if (attr && !valueset_isempty(&attr->a_present_values)) {
+ va = valueset_get_valuearray(&attr->a_present_values);
+ if (slapi_is_encoded((char*)slapi_value_get_string(vals[0]))) {
+ if (slapi_attr_value_find(attr, (struct berval *)slapi_value_get_berval(vals[0])) == 0 ) {
+ pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL);
slapi_entry_free( e );
return ( 1 );
}
- } else
- {
- if ( slapi_pw_find_sv ( va, vals[0] ) == 0 )
- {
- pw_send_ldap_result ( pb,
- LDAP_CONSTRAINT_VIOLATION ,NULL,
- "password in history", 0, NULL);
+ } else {
+ if ( slapi_pw_find_sv ( va, vals[0] ) == 0 ) {
+ pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL);
slapi_entry_free( e );
return ( 1 );
}
@@ -1086,68 +1079,112 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
}
+/*
+ * Basically, h0 and h1 must be longer than GENERALIZED_TIME_LENGTH.
+ */
+static int
+pw_history_cmp(const void *h0, const void *h1)
+{
+ size_t h0sz = 0;
+ size_t h1sz = 0;
+ if (!h0) {
+ if (!h1) {
+ return 0;
+ } else {
+ return -1;
+ }
+ } else {
+ if (!h1) {
+ return 1;
+ } else {
+ size_t delta;
+ h0sz = strlen(h0);
+ h1sz = strlen(h1);
+ delta = h0sz - h1sz;
+ if (!delta) {
+ return delta;
+ }
+ if (h0sz < GENERALIZED_TIME_LENGTH) {
+ /* too short for the history str. */
+ return 0;
+ }
+ }
+ }
+ return PL_strncmp(h0, h1, GENERALIZED_TIME_LENGTH);
+}
+
+
static int
update_pw_history( Slapi_PBlock *pb, const Slapi_DN *sdn, char *old_pw )
{
- time_t t, old_t, cur_time;
- int i = 0, oldest = 0;
- int res;
- Slapi_Entry *e;
- Slapi_Attr *attr;
+ time_t cur_time;
+ int res = 1; /* no update, by default */
+ Slapi_Entry *e = NULL;
LDAPMod attribute;
- char *values_replace[25]; /* 2-24 passwords in history */
LDAPMod *list_of_mods[2];
Slapi_PBlock mod_pb;
- char *history_str;
- char *str;
+ char *str = NULL;
passwdPolicy *pwpolicy = NULL;
const char *dn = slapi_sdn_get_dn(sdn);
+ char **values_replace = NULL;
+ int vacnt = 0;
+ int vacnt_todelete = 0;
pwpolicy = new_passwdPolicy(pb, dn);
/* retrieve the entry */
e = get_entry ( pb, dn );
if ( e == NULL ) {
- return ( 1 );
+ return res;
}
- history_str = (char *)slapi_ch_malloc(GENERALIZED_TIME_LENGTH + strlen(old_pw) + 1);
- /* get password history, and find the oldest password in history */
- cur_time = current_time ();
- old_t = cur_time;
- str = format_genTime ( cur_time );
- attr = attrlist_find(e->e_attrs, "passwordHistory");
- if (attr && !valueset_isempty(&attr->a_present_values))
- {
- Slapi_Value **va= valueset_get_valuearray(&attr->a_present_values);
- for ( i = oldest = 0 ;
- (va[i] != NULL) && (slapi_value_get_length(va[i]) > 0) ;
- i++ ) {
-
- values_replace[i] = (char*)slapi_value_get_string(va[i]);
- strncpy( history_str, values_replace[i], GENERALIZED_TIME_LENGTH);
- history_str[GENERALIZED_TIME_LENGTH] = '\0';
- if (history_str[GENERALIZED_TIME_LENGTH - 1] != 'Z'){
- /* The time is not a generalized Time. Probably a password history from 4.x */
- history_str[GENERALIZED_TIME_LENGTH - 1] = '\0';
- }
- t = parse_genTime ( history_str );
- if ( difftime ( t, old_t ) < 0 ) {
- oldest = i;
- old_t = t;
- }
+ /* get password history */
+ values_replace = slapi_entry_attr_get_charray_ext(e, "passwordHistory", &vacnt);
+ if (old_pw) {
+ /* we have a password to replace with the oldest one in the history. */
+ if (!values_replace || !vacnt) { /* This is the first one to store */
+ values_replace = (char **)slapi_ch_calloc(2, sizeof(char *));
}
+ } else {
+ /* we are checking the history size if it stores more than the current inhistory count. */
+ if (!values_replace || !vacnt) { /* nothing to revise */
+ res = 1;
+ goto bail;
+ }
+ /*
+ * If revising the passwords in the passwordHistory values
+ * and the password count in the value array is less than the inhistory,
+ * we have nothing to do.
+ */
+ if (vacnt <= pwpolicy->pw_inhistory) {
+ res = 1;
+ goto bail;
+ }
+ vacnt_todelete = vacnt - pwpolicy->pw_inhistory;
}
- strcpy ( history_str, str );
- strcat ( history_str, old_pw );
- if ( i >= pwpolicy->pw_inhistory ) {
- /* replace the oldest password in history */
- values_replace[oldest] = history_str;
- values_replace[pwpolicy->pw_inhistory] = NULL;
+
+ cur_time = current_time();
+ str = format_genTime(cur_time);
+ /* values_replace is sorted. */
+ if (old_pw) {
+ if ( vacnt >= pwpolicy->pw_inhistory ) {
+ slapi_ch_free_string(&values_replace[0]);
+ values_replace[0] = slapi_ch_smprintf("%s%s", str, old_pw);
+ } else {
+ /* add old_pw at the end of password history */
+ values_replace = (char **)slapi_ch_realloc((char *)values_replace, sizeof(char *) * (vacnt + 2));
+ values_replace[vacnt] = slapi_ch_smprintf("%s%s", str, old_pw);
+ values_replace[vacnt+1] = NULL;
+ }
+ qsort((void *)values_replace, vacnt, (size_t)sizeof(char *), pw_history_cmp);
} else {
- /* add old_pw at the end of password history */
- values_replace[i] = history_str;
- values_replace[++i]=NULL;
+ int i;
+ /* vacnt > pwpolicy->pw_inhistory */
+ for (i = 0; i < vacnt_todelete; i++) {
+ slapi_ch_free_string(&values_replace[i]);
+ }
+ memmove(values_replace, values_replace + vacnt_todelete, sizeof(char *) * pwpolicy->pw_inhistory);
+ values_replace[pwpolicy->pw_inhistory] = NULL;
}
/* modify the attribute */
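Review bot: `pw_history_cmp` is handed to `qsort()` over the `char **` array `values_replace`, so `h0` and `h1` point at array slots, yet it calls `strlen()` and `PL_strncmp()` on them directly. That reads the pointer storage as if it were the history string and can run past the array. It also returns 0 as soon as the two lengths match, so entries whose stored values have equal length are never ordered by timestamp, and only `h0sz` is checked against `GENERALIZED_TIME_LENGTH`. The comparator should dereference both arguments and always compare the timestamp prefix, as sketched below. Separately, the trim branch (`old_pw == NULL`) drops the first `vacnt_todelete` slots without sorting, so the `values_replace is sorted` comment appears to rely on the stored order; `update_pw_history` continues past the end of this hunk.

```c
static int
pw_history_cmp(const void *h0, const void *h1)
{
    /* qsort() passes pointers to the array slots, i.e. char ** */
    const char *s0 = h0 ? *(char * const *)h0 : NULL;
    const char *s1 = h1 ? *(char * const *)h1 : NULL;
    int ok0, ok1;

    if (!s0 || !s1) {
        return (s0 != NULL) - (s1 != NULL);
    }
    ok0 = strlen(s0) >= GENERALIZED_TIME_LENGTH;
    ok1 = strlen(s1) >= GENERALIZED_TIME_LENGTH;
    if (!ok0 || !ok1) {
        /* values too short to carry a timestamp sort first, as one group */
        return ok0 - ok1;
    }
    return PL_strncmp(s0, s1, GENERALIZED_TIME_LENGTH);
}
```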
@@ -1159,21 +1196,19 @@ update_pw_history( Slapi_PBlock *pb, const Slapi_DN *sdn, char *old_pw )
list_of_mods[1] = NULL;
pblock_init(&mod_pb);
- slapi_modify_internal_set_pb_ext(&mod_pb, sdn, list_of_mods, NULL, NULL,
- pw_get_componentID(), 0);
+ slapi_modify_internal_set_pb_ext(&mod_pb, sdn, list_of_mods, NULL, NULL, pw_get_componentID(), 0);
slapi_modify_internal_pb(&mod_pb);
slapi_pblock_get(&mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &res);
if (res != LDAP_SUCCESS){
LDAPDebug2Args(LDAP_DEBUG_ANY,
"WARNING: passwordPolicy modify error %d on entry '%s'\n", res, dn);
}
-
pblock_done(&mod_pb);
-
- slapi_ch_free((void **) &str );
- slapi_ch_free((void **) &history_str );
+ slapi_ch_free_string(&str);
+bail:
+ slapi_ch_array_free(values_replace);
slapi_entry_free( e );
- return 0;
+ return res;
}
static
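Review bot: `update_pw_history` now returns `res`, which is 1 for "nothing to update" and otherwise the result of the internal modify, but the function does not state this contract. The caller's `0 == update_pw_history(...)` test depends on it, and the value 1 also coincides with `LDAP_OPERATIONS_ERROR`. A header comment above the function would make it explicit: `/* Returns 0 (LDAP_SUCCESS) if passwordHistory was rewritten; non-zero if nothing was changed or the modify failed. */`. The function starts before this hunk.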
Branch '389-ds-base-1.2.11' - ldap/servers
by Mark Reynolds
ldap/servers/slapd/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit aa083988ed65bf9ae9d0f4090ce3ef4ce5cb4a31
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Aug 6 11:27:40 2015 -0400
Ticket 48215 - update dbverify usage in main.c
Description: Need to update dbverify usage in main.c
https://fedorahosted.org/389/ticket/48215
(cherry picked from commit c1912cdcac8319e2fe0f98f765aa935e6a8ff297)
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index 2442610..95976d3 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -453,7 +453,7 @@ usage( char *name, char *extraname )
usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-N] -n backend-instance-name -a fullpath-backend-instance-dir-full\n";
break;
case SLAPD_EXEMODE_DBVERIFY:
- usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name]\n";
+ usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name] [-a db-directory]\n";
break;
default: /* SLAPD_EXEMODE_SLAPD */
Branch '389-ds-base-1.3.1' - ldap/servers
by Mark Reynolds
ldap/servers/slapd/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit e861b06de4faceea3774fb20963d3a6bf3fba735
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Aug 6 11:27:40 2015 -0400
Ticket 48215 - update dbverify usage in main.c
Description: Need to update dbverify usage in main.c
https://fedorahosted.org/389/ticket/48215
(cherry picked from commit c1912cdcac8319e2fe0f98f765aa935e6a8ff297)
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index f301a67..4298070 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -453,7 +453,7 @@ usage( char *name, char *extraname )
usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-N] -n backend-instance-name -a fullpath-backend-instance-dir-full\n";
break;
case SLAPD_EXEMODE_DBVERIFY:
- usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name]\n";
+ usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name] [-a db-directory]\n";
break;
default: /* SLAPD_EXEMODE_SLAPD */
Branch '389-ds-base-1.3.2' - ldap/servers
by Mark Reynolds
ldap/servers/slapd/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 318f897d743fa5a556af0cb7d8590d1fdf6834da
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Aug 6 11:27:40 2015 -0400
Ticket 48215 - update dbverify usage in main.c
Description: Need to update dbverify usage in main.c
https://fedorahosted.org/389/ticket/48215
(cherry picked from commit c1912cdcac8319e2fe0f98f765aa935e6a8ff297)
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index c642b85..ef8651d 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -453,7 +453,7 @@ usage( char *name, char *extraname )
usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-N] -n backend-instance-name -a fullpath-backend-instance-dir-full\n";
break;
case SLAPD_EXEMODE_DBVERIFY:
- usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name]\n";
+ usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name] [-a db-directory]\n";
break;
default: /* SLAPD_EXEMODE_SLAPD */
Branch '389-ds-base-1.3.3' - ldap/servers
by Mark Reynolds
ldap/servers/slapd/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 67e89737c1d59a7c0825706578a05375fe0cf8da
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Aug 6 11:27:40 2015 -0400
Ticket 48215 - update dbverify usage in main.c
Description: Need to update dbverify usage in main.c
https://fedorahosted.org/389/ticket/48215
(cherry picked from commit c1912cdcac8319e2fe0f98f765aa935e6a8ff297)
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index 9c4787c..244c3ae 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -453,7 +453,7 @@ usage( char *name, char *extraname )
usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-N] -n backend-instance-name -a fullpath-backend-instance-dir-full\n";
break;
case SLAPD_EXEMODE_DBVERIFY:
- usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name]\n";
+ usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name] [-a db-directory]\n";
break;
default: /* SLAPD_EXEMODE_SLAPD */
Branch '389-ds-base-1.3.4' - ldap/servers
by Mark Reynolds
ldap/servers/slapd/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit c842dbe3d0ee2ac28c55e31b9b8e5e5a3c5dc200
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Aug 6 11:27:40 2015 -0400
Ticket 48215 - update dbverify usage in main.c
Description: Need to update dbverify usage in main.c
https://fedorahosted.org/389/ticket/48215
(cherry picked from commit c1912cdcac8319e2fe0f98f765aa935e6a8ff297)
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index 922de97..4f9fbfe 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -398,7 +398,7 @@ usage( char *name, char *extraname )
usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-N] -n backend-instance-name -a fullpath-backend-instance-dir-full\n";
break;
case SLAPD_EXEMODE_DBVERIFY:
- usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name]\n";
+ usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name] [-a db-directory]\n";
break;
default: /* SLAPD_EXEMODE_SLAPD */
ldap/servers
by Mark Reynolds
ldap/servers/slapd/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit c1912cdcac8319e2fe0f98f765aa935e6a8ff297
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Aug 6 11:27:40 2015 -0400
Ticket 48215 - update dbverify usage in main.c
Description: Need to update dbverify usage in main.c
https://fedorahosted.org/389/ticket/48215
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index 922de97..4f9fbfe 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -398,7 +398,7 @@ usage( char *name, char *extraname )
usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-N] -n backend-instance-name -a fullpath-backend-instance-dir-full\n";
break;
case SLAPD_EXEMODE_DBVERIFY:
- usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name]\n";
+ usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name] [-a db-directory]\n";
break;
default: /* SLAPD_EXEMODE_SLAPD */
Branch '389-ds-base-1.3.1' - ldap/admin
by Mark Reynolds
ldap/admin/src/scripts/dbverify.in | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
New commits:
commit 26f6b92b70d50bd9e34e3a9d90334832aeb25b63
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Aug 6 10:13:40 2015 -0400
Ticket 48215 - update dbverify usage
Description: Need to add the "-a" argument usage
https://fedorahosted.org/389/ticket/48215
(cherry picked from commit 20284e6539f557efc0679d974d5156cdcd55c407)
diff --git a/ldap/admin/src/scripts/dbverify.in b/ldap/admin/src/scripts/dbverify.in
index 778a9ba..461cc16 100755
--- a/ldap/admin/src/scripts/dbverify.in
+++ b/ldap/admin/src/scripts/dbverify.in
@@ -14,15 +14,16 @@ PATH=$PATH:/bin
usage()
{
- echo "Usage: dbverify [-Z serverID] [-n backend_instance] [-V] [-v] [-d debuglevel] [-h]"
+ echo "Usage: dbverify [-Z serverID] [-n backend_instance] [-a db_directory ] [-V] [-v] [-d debuglevel] [-h]"
echo "Note if \"-n backend\" is not passed, verify all DBs."
echo "Options:"
- echo " -Z - Server instance identifier"
- echo " -n backend - Backend database name. Example: userRoot"
- echo " -V - Verbose output"
- echo " -d debuglevel - Debugging level"
- echo " -v - Display version"
- echo " -h - Display usage"
+ echo " -Z - Server instance identifier"
+ echo " -n backend - Backend database name. Example: userRoot"
+ echo " -a db_directory - Database directory"
+ echo " -V - Verbose output"
+ echo " -d debuglevel - Debugging level"
+ echo " -v - Display version"
+ echo " -h - Display usage"
}
display_version="no"
Branch '389-ds-base-1.3.2' - ldap/admin
by Mark Reynolds
ldap/admin/src/scripts/dbverify.in | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
New commits:
commit d2962ea206011bce98749e04c4f8fba91e7c90b1
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Aug 6 10:13:40 2015 -0400
Ticket 48215 - update dbverify usage
Description: Need to add the "-a" argument usage
https://fedorahosted.org/389/ticket/48215
(cherry picked from commit 20284e6539f557efc0679d974d5156cdcd55c407)
diff --git a/ldap/admin/src/scripts/dbverify.in b/ldap/admin/src/scripts/dbverify.in
index 778a9ba..461cc16 100755
--- a/ldap/admin/src/scripts/dbverify.in
+++ b/ldap/admin/src/scripts/dbverify.in
@@ -14,15 +14,16 @@ PATH=$PATH:/bin
usage()
{
- echo "Usage: dbverify [-Z serverID] [-n backend_instance] [-V] [-v] [-d debuglevel] [-h]"
+ echo "Usage: dbverify [-Z serverID] [-n backend_instance] [-a db_directory ] [-V] [-v] [-d debuglevel] [-h]"
echo "Note if \"-n backend\" is not passed, verify all DBs."
echo "Options:"
- echo " -Z - Server instance identifier"
- echo " -n backend - Backend database name. Example: userRoot"
- echo " -V - Verbose output"
- echo " -d debuglevel - Debugging level"
- echo " -v - Display version"
- echo " -h - Display usage"
+ echo " -Z - Server instance identifier"
+ echo " -n backend - Backend database name. Example: userRoot"
+ echo " -a db_directory - Database directory"
+ echo " -V - Verbose output"
+ echo " -d debuglevel - Debugging level"
+ echo " -v - Display version"
+ echo " -h - Display usage"
}
display_version="no"