August 2015 - 389-commits - Fedora Mailing-Lists

Branch '389-ds-base-1.3.4' - 2 commits - dirsrvtests/tickets ldap/servers

by Noriko Hosoi

dirsrvtests/tickets/ticket48228_test.py | 327 ++++++++++++++++++++++++++++++++ ldap/servers/slapd/pw.c | 193 +++++++++++------- 2 files changed, 441 insertions(+), 79 deletions(-) New commits: commit e62b4815f0682845992dc9a4375e1d7c5597bfba Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Wed Aug 5 14:40:12 2015 -0700 Ticket #48228 - CI test: added test cases for ticket 48228 Description: wrong password check if passwordInHistory is decreased. (cherry picked from commit 6b138a2091bf7d78f3bc60a13f226a39296e0f4c) diff --git a/dirsrvtests/tickets/ticket48228_test.py b/dirsrvtests/tickets/ticket48228_test.py new file mode 100644 index 0000000..e0595bb --- /dev/null +++ b/dirsrvtests/tickets/ticket48228_test.py @@ -0,0 +1,327 @@ +# --- BEGIN COPYRIGHT BLOCK --- +# Copyright (C) 2015 Red Hat, Inc. +# All rights reserved. +# +# License: GPL (version 3 or any later version). +# See LICENSE for details. +# --- END COPYRIGHT BLOCK --- +# +import os +import sys +import time +import ldap +import logging +import pytest +from lib389 import DirSrv, Entry, tools, tasks +from lib389.tools import DirSrvTools +from lib389._constants import * +from lib389.properties import * +from lib389.tasks import * + +log = logging.getLogger(__name__) + +installation_prefix = None + +# Assuming DEFAULT_SUFFIX is "dc=example,dc=com", otherwise it does not work... :( +SUBTREE_CONTAINER = 'cn=nsPwPolicyContainer,' + DEFAULT_SUFFIX +SUBTREE_PWPDN = 'cn=nsPwPolicyEntry,' + DEFAULT_SUFFIX +SUBTREE_PWP = 'cn=cn\3DnsPwPolicyEntry\2Cdc\3Dexample\2Cdc\3Dcom,' + SUBTREE_CONTAINER +SUBTREE_COS_TMPLDN = 'cn=nsPwTemplateEntry,' + DEFAULT_SUFFIX +SUBTREE_COS_TMPL = 'cn=cn\3DnsPwTemplateEntry\2Cdc\3Dexample\2Cdc\3Dcom,' + SUBTREE_CONTAINER +SUBTREE_COS_DEF = 'cn=nsPwPolicy_CoS,' + DEFAULT_SUFFIX + +USER1_DN = 'uid=user1,' + DEFAULT_SUFFIX +USER2_DN = 'uid=user2,' + DEFAULT_SUFFIX + +class TopologyStandalone(object): + def __init__(self, standalone): + standalone.open() + self.standalone = standalone + + +(a)pytest.fixture(scope="module") +def topology(request): + ''' + This fixture is used to standalone topology for the 'module'. + ''' + global installation_prefix + + if installation_prefix: + args_instance[SER_DEPLOYED_DIR] = installation_prefix + + standalone = DirSrv(verbose=False) + + # Args for the standalone instance + args_instance[SER_HOST] = HOST_STANDALONE + args_instance[SER_PORT] = PORT_STANDALONE + args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE + args_standalone = args_instance.copy() + standalone.allocate(args_standalone) + + # Get the status of the instance and restart it if it exists + instance_standalone = standalone.exists() + + # Remove the instance + if instance_standalone: + standalone.delete() + + # Create the instance + standalone.create() + + # Used to retrieve configuration information (dbdir, confdir...) + standalone.open() + + # clear the tmp directory + standalone.clearTmpDir(__file__) + + # Here we have standalone instance up and running + return TopologyStandalone(standalone) + +def set_global_pwpolicy(topology, inhistory): + log.info(" +++++ Enable global password policy +++++\n") + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + # Enable password policy + try: + topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on')]) + except ldap.LDAPError, e: + log.error('Failed to set pwpolicy-local: error ' + e.message['desc']) + assert False + + log.info(" Set global password history on\n") + try: + topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordHistory', 'on')]) + except ldap.LDAPError, e: + log.error('Failed to set passwordHistory: error ' + e.message['desc']) + assert False + + log.info(" Set global passwords in history\n") + try: + count = "%d" % inhistory + topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordInHistory', count)]) + except ldap.LDAPError, e: + log.error('Failed to set passwordInHistory: error ' + e.message['desc']) + assert False + +def set_subtree_pwpolicy(topology): + log.info(" +++++ Enable subtree level password policy +++++\n") + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + log.info(" Add the container") + try: + topology.standalone.add_s(Entry((SUBTREE_CONTAINER, {'objectclass': 'top nsContainer'.split(), + 'cn': 'nsPwPolicyContainer'}))) + except ldap.LDAPError, e: + log.error('Failed to add subtree container: error ' + e.message['desc']) + assert False + + log.info(" Add the password policy subentry {passwordHistory: on, passwordInHistory: 6}") + try: + topology.standalone.add_s(Entry((SUBTREE_PWP, {'objectclass': 'top ldapsubentry passwordpolicy'.split(), + 'cn': SUBTREE_PWPDN, + 'passwordMustChange': 'off', + 'passwordExp': 'off', + 'passwordHistory': 'on', + 'passwordInHistory': '6', + 'passwordMinAge': '0', + 'passwordChange': 'on', + 'passwordStorageScheme': 'clear'}))) + except ldap.LDAPError, e: + log.error('Failed to add passwordpolicy: error ' + e.message['desc']) + assert False + + log.info(" Add the COS template") + try: + topology.standalone.add_s(Entry((SUBTREE_COS_TMPL, {'objectclass': 'top ldapsubentry costemplate extensibleObject'.split(), + 'cn': SUBTREE_PWPDN, + 'cosPriority': '1', + 'cn': SUBTREE_COS_TMPLDN, + 'pwdpolicysubentry': SUBTREE_PWP}))) + except ldap.LDAPError, e: + log.error('Failed to add COS template: error ' + e.message['desc']) + assert False + + log.info(" Add the COS definition") + try: + topology.standalone.add_s(Entry((SUBTREE_COS_DEF, {'objectclass': 'top ldapsubentry cosSuperDefinition cosPointerDefinition'.split(), + 'cn': SUBTREE_PWPDN, + 'costemplatedn': SUBTREE_COS_TMPL, + 'cosAttribute': 'pwdpolicysubentry default operational-default'}))) + except ldap.LDAPError, e: + log.error('Failed to add COS def: error ' + e.message['desc']) + assert False + +def check_passwd_inhistory(topology, user, cpw, passwd): + inhistory = 0 + log.info(" Bind as {%s,%s}" % (user, cpw)) + topology.standalone.simple_bind_s(user, cpw) + try: + topology.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', passwd)]) + except ldap.LDAPError, e: + log.info(' The password ' + passwd + ' of user' + USER1_DN + ' in history: error ' + e.message['desc']) + inhistory = 1 + return inhistory + +def update_passwd(topology, user, passwd, times): + cpw = passwd + loop = 0 + while loop < times: + log.info(" Bind as {%s,%s}" % (user, cpw)) + topology.standalone.simple_bind_s(user, cpw) + cpw = 'password%d' % loop + try: + topology.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', cpw)]) + except ldap.LDAPError, e: + log.fatal('test_ticket48228: Failed to update the password ' + cpw + ' of user ' + user + ': error ' + e.message['desc']) + assert False + loop += 1 + + # checking the first password, which is supposed to be in history + inhistory = check_passwd_inhistory(topology, user, cpw, passwd) + assert inhistory == 1 + +def test_ticket48228_test_global_policy(topology): + """ + Check global password policy + """ + + log.info(' Set inhistory = 6') + set_global_pwpolicy(topology, 6) + + log.info(' Bind as directory manager') + log.info("Bind as %s" % DN_DM) + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + + log.info(' Add an entry' + USER1_DN) + try: + topology.standalone.add_s(Entry((USER1_DN, {'objectclass': "top person organizationalPerson inetOrgPerson".split(), + 'sn': '1', + 'cn': 'user 1', + 'uid': 'user1', + 'givenname': 'user', + 'mail': 'user1(a)example.com', + 'userpassword': 'password'}))) + except ldap.LDAPError, e: + log.fatal('test_ticket48228: Failed to add user' + USER1_DN + ': error ' + e.message['desc']) + assert False + + log.info(' Update the password of ' + USER1_DN + ' 6 times') + update_passwd(topology, USER1_DN, 'password', 6) + + log.info(' Set inhistory = 4') + set_global_pwpolicy(topology, 4) + + log.info(' checking the first password, which is supposed NOT to be in history any more') + cpw = 'password%d' % 5 + tpw = 'password' + inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw) + assert inhistory == 0 + + log.info(' checking the second password, which is supposed NOT to be in history any more') + cpw = tpw + tpw = 'password%d' % 0 + inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw) + assert inhistory == 0 + + log.info(' checking the second password, which is supposed NOT to be in history any more') + cpw = tpw + tpw = 'password%d' % 1 + inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw) + assert inhistory == 0 + + log.info(' checking the third password, which is supposed to be in history') + cpw = tpw + tpw = 'password%d' % 2 + inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw) + assert inhistory == 1 + + log.info("Global policy was successfully verified.") + +def test_ticket48228_test_subtree_policy(topology): + """ + Check subtree level password policy + """ + + log.info(' Set inhistory = 6') + set_subtree_pwpolicy(topology) + + log.info(' Bind as directory manager') + log.info("Bind as %s" % DN_DM) + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + + log.info(' Add an entry' + USER2_DN) + try: + topology.standalone.add_s(Entry((USER2_DN, {'objectclass': "top person organizationalPerson inetOrgPerson".split(), + 'sn': '2', + 'cn': 'user 2', + 'uid': 'user2', + 'givenname': 'user', + 'mail': 'user2(a)example.com', + 'userpassword': 'password'}))) + except ldap.LDAPError, e: + log.fatal('test_ticket48228: Failed to add user' + USER2_DN + ': error ' + e.message['desc']) + assert False + + log.info(' Update the password of ' + USER2_DN + ' 6 times') + update_passwd(topology, USER2_DN, 'password', 6) + + log.info(' Set inhistory = 4') + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + try: + topology.standalone.modify_s(SUBTREE_PWP, [(ldap.MOD_REPLACE, 'passwordInHistory', '4')]) + except ldap.LDAPError, e: + log.error('Failed to set pwpolicy-local: error ' + e.message['desc']) + assert False + + log.info(' checking the first password, which is supposed NOT to be in history any more') + cpw = 'password%d' % 5 + tpw = 'password' + inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw) + assert inhistory == 0 + + log.info(' checking the second password, which is supposed NOT to be in history any more') + cpw = tpw + tpw = 'password%d' % 0 + inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw) + assert inhistory == 0 + + log.info(' checking the second password, which is supposed NOT to be in history any more') + cpw = tpw + tpw = 'password%d' % 1 + inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw) + assert inhistory == 0 + + log.info(' checking the third password, which is supposed to be in history') + cpw = tpw + tpw = 'password%d' % 2 + inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw) + assert inhistory == 1 + + log.info("Subtree level policy was successfully verified.") + +def test_ticket48228_final(topology): + topology.standalone.delete() + log.info('Testcase PASSED') + +def run_isolated(): + ''' + run_isolated is used to run these test cases independently of a test scheduler (xunit, py.test..) + To run isolated without py.test, you need to + - edit this file and comment '@pytest.fixture' line before 'topology' function. + - set the installation prefix + - run this program + ''' + global installation_prefix + installation_prefix = None + + topo = topology(True) + log.info('Testing Ticket 48228 - wrong password check if passwordInHistory is decreased') + + test_ticket48228_test_global_policy(topo) + + test_ticket48228_test_subtree_policy(topo) + + test_ticket48228_final(topo) + + +if __name__ == '__main__': + run_isolated() + commit dd85ee9c9ac24f1b141dd806943de236d2e44c90 Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Mon Aug 3 18:49:58 2015 -0700 Ticket #48228 - wrong password check if passwordInHistory is decreased. Bug Description: When N passwords to be remembered (passwordInHistroy) and N passwords are remembered, decreasing the passwordInHistory value to M (< N) does not allow to use the oldest password which should have been discarded from the history and should be allowed. Fix Description: Before checking if the password is in the history or not, adding a check the passwordInHistory value (M) is less than the count of passwords remembered (N). If M < N, discard the (N-M) oldest passwords. https://fedorahosted.org/389/ticket/48228 Reviewed by mreynolds(a)redhat.com (Thank you, Mark!!) (cherry picked from commit 1a119125856006543aae0520b5800a8b52c3b049) diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c index f883010..3abebbf 100644 --- a/ldap/servers/slapd/pw.c +++ b/ldap/servers/slapd/pw.c @@ -613,7 +613,7 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw) /* update passwordHistory */ if ( old_pw != NULL && pwpolicy->pw_history == 1 ) { - update_pw_history(pb, sdn, old_pw); + (void)update_pw_history(pb, sdn, old_pw); slapi_ch_free ( (void**)&old_pw ); } @@ -654,8 +654,7 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw) */ if ((internal_op && pwpolicy->pw_must_change && (!pb->pb_conn || strcasecmp(target_dn, pb->pb_conn->c_dn))) || (!internal_op && pwpolicy->pw_must_change && - ((target_dn && bind_dn && strcasecmp(target_dn, bind_dn)) && pw_is_pwp_admin(pb, pwpolicy)))) - { + ((target_dn && bind_dn && strcasecmp(target_dn, bind_dn)) && pw_is_pwp_admin(pb, pwpolicy)))) { pw_exp_date = NO_TIME; } else if ( pwpolicy->pw_exp == 1 ) { Slapi_Entry *pse = NULL; @@ -996,6 +995,7 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, /* get the entry and check for the password history if this is called by a modify operation */ if ( mod_op ) { +retry: /* retrieve the entry */ e = get_entry ( pb, dn ); if ( e == NULL ) { @@ -1004,19 +1004,21 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, /* check for password history */ if ( pwpolicy->pw_history == 1 ) { + Slapi_Value **va = NULL; attr = attrlist_find(e->e_attrs, "passwordHistory"); - if (attr && - !valueset_isempty(&attr->a_present_values)) - { - Slapi_Value **va= attr_get_present_values(attr); + if (attr && !valueset_isempty(&attr->a_present_values)) { + /* Resetting password history array if necessary. */ + if (0 == update_pw_history(pb, sdn, NULL)) { + /* There was an update in the password history. Retry... */ + slapi_entry_free(e); + goto retry; + } + va = attr_get_present_values(attr); if ( pw_in_history( va, vals[0] ) == 0 ) { if ( pwresponse_req == 1 ) { - slapi_pwpolicy_make_response_control ( pb, -1, -1, - LDAP_PWPOLICY_PWDINHISTORY ); + slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDINHISTORY); } - pw_send_ldap_result ( pb, - LDAP_CONSTRAINT_VIOLATION, NULL, - "password in history", 0, NULL ); + pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL); slapi_entry_free( e ); return ( 1 ); } @@ -1024,26 +1026,17 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, /* get current password. check it and remember it */ attr = attrlist_find(e->e_attrs, "userpassword"); - if (attr && !valueset_isempty(&attr->a_present_values)) - { - Slapi_Value **va= valueset_get_valuearray(&attr->a_present_values); - if (slapi_is_encoded((char*)slapi_value_get_string(vals[0]))) - { - if (slapi_attr_value_find(attr, (struct berval *)slapi_value_get_berval(vals[0])) == 0 ) - { - pw_send_ldap_result ( pb, - LDAP_CONSTRAINT_VIOLATION ,NULL, - "password in history", 0, NULL); + if (attr && !valueset_isempty(&attr->a_present_values)) { + va = valueset_get_valuearray(&attr->a_present_values); + if (slapi_is_encoded((char*)slapi_value_get_string(vals[0]))) { + if (slapi_attr_value_find(attr, (struct berval *)slapi_value_get_berval(vals[0])) == 0 ) { + pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL); slapi_entry_free( e ); return ( 1 ); } - } else - { - if ( slapi_pw_find_sv ( va, vals[0] ) == 0 ) - { - pw_send_ldap_result ( pb, - LDAP_CONSTRAINT_VIOLATION ,NULL, - "password in history", 0, NULL); + } else { + if ( slapi_pw_find_sv ( va, vals[0] ) == 0 ) { + pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL); slapi_entry_free( e ); return ( 1 ); } @@ -1086,68 +1079,112 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, } +/* + * Basically, h0 and h1 must be longer than GENERALIZED_TIME_LENGTH. + */ +static int +pw_history_cmp(const void *h0, const void *h1) +{ + size_t h0sz = 0; + size_t h1sz = 0; + if (!h0) { + if (!h1) { + return 0; + } else { + return -1; + } + } else { + if (!h1) { + return 1; + } else { + size_t delta; + h0sz = strlen(h0); + h1sz = strlen(h1); + delta = h0sz - h1sz; + if (!delta) { + return delta; + } + if (h0sz < GENERALIZED_TIME_LENGTH) { + /* too short for the history str. */ + return 0; + } + } + } + return PL_strncmp(h0, h1, GENERALIZED_TIME_LENGTH); +} + + static int update_pw_history( Slapi_PBlock *pb, const Slapi_DN *sdn, char *old_pw ) { - time_t t, old_t, cur_time; - int i = 0, oldest = 0; - int res; - Slapi_Entry *e; - Slapi_Attr *attr; + time_t cur_time; + int res = 1; /* no update, by default */ + Slapi_Entry *e = NULL; LDAPMod attribute; - char *values_replace[25]; /* 2-24 passwords in history */ LDAPMod *list_of_mods[2]; Slapi_PBlock mod_pb; - char *history_str; - char *str; + char *str = NULL; passwdPolicy *pwpolicy = NULL; const char *dn = slapi_sdn_get_dn(sdn); + char **values_replace = NULL; + int vacnt = 0; + int vacnt_todelete = 0; pwpolicy = new_passwdPolicy(pb, dn); /* retrieve the entry */ e = get_entry ( pb, dn ); if ( e == NULL ) { - return ( 1 ); + return res; } - history_str = (char *)slapi_ch_malloc(GENERALIZED_TIME_LENGTH + strlen(old_pw) + 1); - /* get password history, and find the oldest password in history */ - cur_time = current_time (); - old_t = cur_time; - str = format_genTime ( cur_time ); - attr = attrlist_find(e->e_attrs, "passwordHistory"); - if (attr && !valueset_isempty(&attr->a_present_values)) - { - Slapi_Value **va= valueset_get_valuearray(&attr->a_present_values); - for ( i = oldest = 0 ; - (va[i] != NULL) && (slapi_value_get_length(va[i]) > 0) ; - i++ ) { - - values_replace[i] = (char*)slapi_value_get_string(va[i]); - strncpy( history_str, values_replace[i], GENERALIZED_TIME_LENGTH); - history_str[GENERALIZED_TIME_LENGTH] = '\0'; - if (history_str[GENERALIZED_TIME_LENGTH - 1] != 'Z'){ - /* The time is not a generalized Time. Probably a password history from 4.x */ - history_str[GENERALIZED_TIME_LENGTH - 1] = '\0'; - } - t = parse_genTime ( history_str ); - if ( difftime ( t, old_t ) < 0 ) { - oldest = i; - old_t = t; - } + /* get password history */ + values_replace = slapi_entry_attr_get_charray_ext(e, "passwordHistory", &vacnt); + if (old_pw) { + /* we have a password to replace with the oldest one in the history. */ + if (!values_replace || !vacnt) { /* This is the first one to store */ + values_replace = (char **)slapi_ch_calloc(2, sizeof(char *)); } + } else { + /* we are checking the history size if it stores more than the current inhistory count. */ + if (!values_replace || !vacnt) { /* nothing to revise */ + res = 1; + goto bail; + } + /* + * If revising the passwords in the passwordHistory values + * and the password count in the value array is less than the inhistory, + * we have nothing to do. + */ + if (vacnt <= pwpolicy->pw_inhistory) { + res = 1; + goto bail; + } + vacnt_todelete = vacnt - pwpolicy->pw_inhistory; } - strcpy ( history_str, str ); - strcat ( history_str, old_pw ); - if ( i >= pwpolicy->pw_inhistory ) { - /* replace the oldest password in history */ - values_replace[oldest] = history_str; - values_replace[pwpolicy->pw_inhistory] = NULL; + + cur_time = current_time(); + str = format_genTime(cur_time); + /* values_replace is sorted. */ + if (old_pw) { + if ( vacnt >= pwpolicy->pw_inhistory ) { + slapi_ch_free_string(&values_replace[0]); + values_replace[0] = slapi_ch_smprintf("%s%s", str, old_pw); + } else { + /* add old_pw at the end of password history */ + values_replace = (char **)slapi_ch_realloc((char *)values_replace, sizeof(char *) * (vacnt + 2)); + values_replace[vacnt] = slapi_ch_smprintf("%s%s", str, old_pw); + values_replace[vacnt+1] = NULL; + } + qsort((void *)values_replace, vacnt, (size_t)sizeof(char *), pw_history_cmp); } else { - /* add old_pw at the end of password history */ - values_replace[i] = history_str; - values_replace[++i]=NULL; + int i; + /* vacnt > pwpolicy->pw_inhistory */ + for (i = 0; i < vacnt_todelete; i++) { + slapi_ch_free_string(&values_replace[i]); + } + memmove(values_replace, values_replace + vacnt_todelete, sizeof(char *) * pwpolicy->pw_inhistory); + values_replace[pwpolicy->pw_inhistory] = NULL; } /* modify the attribute */ @@ -1159,21 +1196,19 @@ update_pw_history( Slapi_PBlock *pb, const Slapi_DN *sdn, char *old_pw ) list_of_mods[1] = NULL; pblock_init(&mod_pb); - slapi_modify_internal_set_pb_ext(&mod_pb, sdn, list_of_mods, NULL, NULL, - pw_get_componentID(), 0); + slapi_modify_internal_set_pb_ext(&mod_pb, sdn, list_of_mods, NULL, NULL, pw_get_componentID(), 0); slapi_modify_internal_pb(&mod_pb); slapi_pblock_get(&mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &res); if (res != LDAP_SUCCESS){ LDAPDebug2Args(LDAP_DEBUG_ANY, "WARNING: passwordPolicy modify error %d on entry '%s'\n", res, dn); } - pblock_done(&mod_pb); - - slapi_ch_free((void **) &str ); - slapi_ch_free((void **) &history_str ); + slapi_ch_free_string(&str); +bail: + slapi_ch_array_free(values_replace); slapi_entry_free( e ); - return 0; + return res; } static

8 years, 8 months

1
0
0 / 0

2 commits - dirsrvtests/tickets ldap/servers

by Noriko Hosoi

dirsrvtests/tickets/ticket48228_test.py | 327 ++++++++++++++++++++++++++++++++ ldap/servers/slapd/pw.c | 193 +++++++++++------- 2 files changed, 441 insertions(+), 79 deletions(-) New commits: commit 6b138a2091bf7d78f3bc60a13f226a39296e0f4c Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Wed Aug 5 14:40:12 2015 -0700 Ticket #48228 - CI test: added test cases for ticket 48228 Description: wrong password check if passwordInHistory is decreased. diff --git a/dirsrvtests/tickets/ticket48228_test.py b/dirsrvtests/tickets/ticket48228_test.py new file mode 100644 index 0000000..e0595bb --- /dev/null +++ b/dirsrvtests/tickets/ticket48228_test.py @@ -0,0 +1,327 @@ +# --- BEGIN COPYRIGHT BLOCK --- +# Copyright (C) 2015 Red Hat, Inc. +# All rights reserved. +# +# License: GPL (version 3 or any later version). +# See LICENSE for details. +# --- END COPYRIGHT BLOCK --- +# +import os +import sys +import time +import ldap +import logging +import pytest +from lib389 import DirSrv, Entry, tools, tasks +from lib389.tools import DirSrvTools +from lib389._constants import * +from lib389.properties import * +from lib389.tasks import * + +log = logging.getLogger(__name__) + +installation_prefix = None + +# Assuming DEFAULT_SUFFIX is "dc=example,dc=com", otherwise it does not work... :( +SUBTREE_CONTAINER = 'cn=nsPwPolicyContainer,' + DEFAULT_SUFFIX +SUBTREE_PWPDN = 'cn=nsPwPolicyEntry,' + DEFAULT_SUFFIX +SUBTREE_PWP = 'cn=cn\3DnsPwPolicyEntry\2Cdc\3Dexample\2Cdc\3Dcom,' + SUBTREE_CONTAINER +SUBTREE_COS_TMPLDN = 'cn=nsPwTemplateEntry,' + DEFAULT_SUFFIX +SUBTREE_COS_TMPL = 'cn=cn\3DnsPwTemplateEntry\2Cdc\3Dexample\2Cdc\3Dcom,' + SUBTREE_CONTAINER +SUBTREE_COS_DEF = 'cn=nsPwPolicy_CoS,' + DEFAULT_SUFFIX + +USER1_DN = 'uid=user1,' + DEFAULT_SUFFIX +USER2_DN = 'uid=user2,' + DEFAULT_SUFFIX + +class TopologyStandalone(object): + def __init__(self, standalone): + standalone.open() + self.standalone = standalone + + +(a)pytest.fixture(scope="module") +def topology(request): + ''' + This fixture is used to standalone topology for the 'module'. + ''' + global installation_prefix + + if installation_prefix: + args_instance[SER_DEPLOYED_DIR] = installation_prefix + + standalone = DirSrv(verbose=False) + + # Args for the standalone instance + args_instance[SER_HOST] = HOST_STANDALONE + args_instance[SER_PORT] = PORT_STANDALONE + args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE + args_standalone = args_instance.copy() + standalone.allocate(args_standalone) + + # Get the status of the instance and restart it if it exists + instance_standalone = standalone.exists() + + # Remove the instance + if instance_standalone: + standalone.delete() + + # Create the instance + standalone.create() + + # Used to retrieve configuration information (dbdir, confdir...) + standalone.open() + + # clear the tmp directory + standalone.clearTmpDir(__file__) + + # Here we have standalone instance up and running + return TopologyStandalone(standalone) + +def set_global_pwpolicy(topology, inhistory): + log.info(" +++++ Enable global password policy +++++\n") + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + # Enable password policy + try: + topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on')]) + except ldap.LDAPError, e: + log.error('Failed to set pwpolicy-local: error ' + e.message['desc']) + assert False + + log.info(" Set global password history on\n") + try: + topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordHistory', 'on')]) + except ldap.LDAPError, e: + log.error('Failed to set passwordHistory: error ' + e.message['desc']) + assert False + + log.info(" Set global passwords in history\n") + try: + count = "%d" % inhistory + topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordInHistory', count)]) + except ldap.LDAPError, e: + log.error('Failed to set passwordInHistory: error ' + e.message['desc']) + assert False + +def set_subtree_pwpolicy(topology): + log.info(" +++++ Enable subtree level password policy +++++\n") + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + log.info(" Add the container") + try: + topology.standalone.add_s(Entry((SUBTREE_CONTAINER, {'objectclass': 'top nsContainer'.split(), + 'cn': 'nsPwPolicyContainer'}))) + except ldap.LDAPError, e: + log.error('Failed to add subtree container: error ' + e.message['desc']) + assert False + + log.info(" Add the password policy subentry {passwordHistory: on, passwordInHistory: 6}") + try: + topology.standalone.add_s(Entry((SUBTREE_PWP, {'objectclass': 'top ldapsubentry passwordpolicy'.split(), + 'cn': SUBTREE_PWPDN, + 'passwordMustChange': 'off', + 'passwordExp': 'off', + 'passwordHistory': 'on', + 'passwordInHistory': '6', + 'passwordMinAge': '0', + 'passwordChange': 'on', + 'passwordStorageScheme': 'clear'}))) + except ldap.LDAPError, e: + log.error('Failed to add passwordpolicy: error ' + e.message['desc']) + assert False + + log.info(" Add the COS template") + try: + topology.standalone.add_s(Entry((SUBTREE_COS_TMPL, {'objectclass': 'top ldapsubentry costemplate extensibleObject'.split(), + 'cn': SUBTREE_PWPDN, + 'cosPriority': '1', + 'cn': SUBTREE_COS_TMPLDN, + 'pwdpolicysubentry': SUBTREE_PWP}))) + except ldap.LDAPError, e: + log.error('Failed to add COS template: error ' + e.message['desc']) + assert False + + log.info(" Add the COS definition") + try: + topology.standalone.add_s(Entry((SUBTREE_COS_DEF, {'objectclass': 'top ldapsubentry cosSuperDefinition cosPointerDefinition'.split(), + 'cn': SUBTREE_PWPDN, + 'costemplatedn': SUBTREE_COS_TMPL, + 'cosAttribute': 'pwdpolicysubentry default operational-default'}))) + except ldap.LDAPError, e: + log.error('Failed to add COS def: error ' + e.message['desc']) + assert False + +def check_passwd_inhistory(topology, user, cpw, passwd): + inhistory = 0 + log.info(" Bind as {%s,%s}" % (user, cpw)) + topology.standalone.simple_bind_s(user, cpw) + try: + topology.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', passwd)]) + except ldap.LDAPError, e: + log.info(' The password ' + passwd + ' of user' + USER1_DN + ' in history: error ' + e.message['desc']) + inhistory = 1 + return inhistory + +def update_passwd(topology, user, passwd, times): + cpw = passwd + loop = 0 + while loop < times: + log.info(" Bind as {%s,%s}" % (user, cpw)) + topology.standalone.simple_bind_s(user, cpw) + cpw = 'password%d' % loop + try: + topology.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', cpw)]) + except ldap.LDAPError, e: + log.fatal('test_ticket48228: Failed to update the password ' + cpw + ' of user ' + user + ': error ' + e.message['desc']) + assert False + loop += 1 + + # checking the first password, which is supposed to be in history + inhistory = check_passwd_inhistory(topology, user, cpw, passwd) + assert inhistory == 1 + +def test_ticket48228_test_global_policy(topology): + """ + Check global password policy + """ + + log.info(' Set inhistory = 6') + set_global_pwpolicy(topology, 6) + + log.info(' Bind as directory manager') + log.info("Bind as %s" % DN_DM) + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + + log.info(' Add an entry' + USER1_DN) + try: + topology.standalone.add_s(Entry((USER1_DN, {'objectclass': "top person organizationalPerson inetOrgPerson".split(), + 'sn': '1', + 'cn': 'user 1', + 'uid': 'user1', + 'givenname': 'user', + 'mail': 'user1(a)example.com', + 'userpassword': 'password'}))) + except ldap.LDAPError, e: + log.fatal('test_ticket48228: Failed to add user' + USER1_DN + ': error ' + e.message['desc']) + assert False + + log.info(' Update the password of ' + USER1_DN + ' 6 times') + update_passwd(topology, USER1_DN, 'password', 6) + + log.info(' Set inhistory = 4') + set_global_pwpolicy(topology, 4) + + log.info(' checking the first password, which is supposed NOT to be in history any more') + cpw = 'password%d' % 5 + tpw = 'password' + inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw) + assert inhistory == 0 + + log.info(' checking the second password, which is supposed NOT to be in history any more') + cpw = tpw + tpw = 'password%d' % 0 + inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw) + assert inhistory == 0 + + log.info(' checking the second password, which is supposed NOT to be in history any more') + cpw = tpw + tpw = 'password%d' % 1 + inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw) + assert inhistory == 0 + + log.info(' checking the third password, which is supposed to be in history') + cpw = tpw + tpw = 'password%d' % 2 + inhistory = check_passwd_inhistory(topology, USER1_DN, cpw, tpw) + assert inhistory == 1 + + log.info("Global policy was successfully verified.") + +def test_ticket48228_test_subtree_policy(topology): + """ + Check subtree level password policy + """ + + log.info(' Set inhistory = 6') + set_subtree_pwpolicy(topology) + + log.info(' Bind as directory manager') + log.info("Bind as %s" % DN_DM) + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + + log.info(' Add an entry' + USER2_DN) + try: + topology.standalone.add_s(Entry((USER2_DN, {'objectclass': "top person organizationalPerson inetOrgPerson".split(), + 'sn': '2', + 'cn': 'user 2', + 'uid': 'user2', + 'givenname': 'user', + 'mail': 'user2(a)example.com', + 'userpassword': 'password'}))) + except ldap.LDAPError, e: + log.fatal('test_ticket48228: Failed to add user' + USER2_DN + ': error ' + e.message['desc']) + assert False + + log.info(' Update the password of ' + USER2_DN + ' 6 times') + update_passwd(topology, USER2_DN, 'password', 6) + + log.info(' Set inhistory = 4') + topology.standalone.simple_bind_s(DN_DM, PASSWORD) + try: + topology.standalone.modify_s(SUBTREE_PWP, [(ldap.MOD_REPLACE, 'passwordInHistory', '4')]) + except ldap.LDAPError, e: + log.error('Failed to set pwpolicy-local: error ' + e.message['desc']) + assert False + + log.info(' checking the first password, which is supposed NOT to be in history any more') + cpw = 'password%d' % 5 + tpw = 'password' + inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw) + assert inhistory == 0 + + log.info(' checking the second password, which is supposed NOT to be in history any more') + cpw = tpw + tpw = 'password%d' % 0 + inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw) + assert inhistory == 0 + + log.info(' checking the second password, which is supposed NOT to be in history any more') + cpw = tpw + tpw = 'password%d' % 1 + inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw) + assert inhistory == 0 + + log.info(' checking the third password, which is supposed to be in history') + cpw = tpw + tpw = 'password%d' % 2 + inhistory = check_passwd_inhistory(topology, USER2_DN, cpw, tpw) + assert inhistory == 1 + + log.info("Subtree level policy was successfully verified.") + +def test_ticket48228_final(topology): + topology.standalone.delete() + log.info('Testcase PASSED') + +def run_isolated(): + ''' + run_isolated is used to run these test cases independently of a test scheduler (xunit, py.test..) + To run isolated without py.test, you need to + - edit this file and comment '@pytest.fixture' line before 'topology' function. + - set the installation prefix + - run this program + ''' + global installation_prefix + installation_prefix = None + + topo = topology(True) + log.info('Testing Ticket 48228 - wrong password check if passwordInHistory is decreased') + + test_ticket48228_test_global_policy(topo) + + test_ticket48228_test_subtree_policy(topo) + + test_ticket48228_final(topo) + + +if __name__ == '__main__': + run_isolated() + commit 1a119125856006543aae0520b5800a8b52c3b049 Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Mon Aug 3 18:49:58 2015 -0700 Ticket #48228 - wrong password check if passwordInHistory is decreased. Bug Description: When N passwords to be remembered (passwordInHistroy) and N passwords are remembered, decreasing the passwordInHistory value to M (< N) does not allow to use the oldest password which should have been discarded from the history and should be allowed. Fix Description: Before checking if the password is in the history or not, adding a check the passwordInHistory value (M) is less than the count of passwords remembered (N). If M < N, discard the (N-M) oldest passwords. https://fedorahosted.org/389/ticket/48228 Reviewed by mreynolds(a)redhat.com (Thank you, Mark!!) diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c index f883010..3abebbf 100644 --- a/ldap/servers/slapd/pw.c +++ b/ldap/servers/slapd/pw.c @@ -613,7 +613,7 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw) /* update passwordHistory */ if ( old_pw != NULL && pwpolicy->pw_history == 1 ) { - update_pw_history(pb, sdn, old_pw); + (void)update_pw_history(pb, sdn, old_pw); slapi_ch_free ( (void**)&old_pw ); } @@ -654,8 +654,7 @@ update_pw_info ( Slapi_PBlock *pb , char *old_pw) */ if ((internal_op && pwpolicy->pw_must_change && (!pb->pb_conn || strcasecmp(target_dn, pb->pb_conn->c_dn))) || (!internal_op && pwpolicy->pw_must_change && - ((target_dn && bind_dn && strcasecmp(target_dn, bind_dn)) && pw_is_pwp_admin(pb, pwpolicy)))) - { + ((target_dn && bind_dn && strcasecmp(target_dn, bind_dn)) && pw_is_pwp_admin(pb, pwpolicy)))) { pw_exp_date = NO_TIME; } else if ( pwpolicy->pw_exp == 1 ) { Slapi_Entry *pse = NULL; @@ -996,6 +995,7 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, /* get the entry and check for the password history if this is called by a modify operation */ if ( mod_op ) { +retry: /* retrieve the entry */ e = get_entry ( pb, dn ); if ( e == NULL ) { @@ -1004,19 +1004,21 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, /* check for password history */ if ( pwpolicy->pw_history == 1 ) { + Slapi_Value **va = NULL; attr = attrlist_find(e->e_attrs, "passwordHistory"); - if (attr && - !valueset_isempty(&attr->a_present_values)) - { - Slapi_Value **va= attr_get_present_values(attr); + if (attr && !valueset_isempty(&attr->a_present_values)) { + /* Resetting password history array if necessary. */ + if (0 == update_pw_history(pb, sdn, NULL)) { + /* There was an update in the password history. Retry... */ + slapi_entry_free(e); + goto retry; + } + va = attr_get_present_values(attr); if ( pw_in_history( va, vals[0] ) == 0 ) { if ( pwresponse_req == 1 ) { - slapi_pwpolicy_make_response_control ( pb, -1, -1, - LDAP_PWPOLICY_PWDINHISTORY ); + slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDINHISTORY); } - pw_send_ldap_result ( pb, - LDAP_CONSTRAINT_VIOLATION, NULL, - "password in history", 0, NULL ); + pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL); slapi_entry_free( e ); return ( 1 ); } @@ -1024,26 +1026,17 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, /* get current password. check it and remember it */ attr = attrlist_find(e->e_attrs, "userpassword"); - if (attr && !valueset_isempty(&attr->a_present_values)) - { - Slapi_Value **va= valueset_get_valuearray(&attr->a_present_values); - if (slapi_is_encoded((char*)slapi_value_get_string(vals[0]))) - { - if (slapi_attr_value_find(attr, (struct berval *)slapi_value_get_berval(vals[0])) == 0 ) - { - pw_send_ldap_result ( pb, - LDAP_CONSTRAINT_VIOLATION ,NULL, - "password in history", 0, NULL); + if (attr && !valueset_isempty(&attr->a_present_values)) { + va = valueset_get_valuearray(&attr->a_present_values); + if (slapi_is_encoded((char*)slapi_value_get_string(vals[0]))) { + if (slapi_attr_value_find(attr, (struct berval *)slapi_value_get_berval(vals[0])) == 0 ) { + pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL); slapi_entry_free( e ); return ( 1 ); } - } else - { - if ( slapi_pw_find_sv ( va, vals[0] ) == 0 ) - { - pw_send_ldap_result ( pb, - LDAP_CONSTRAINT_VIOLATION ,NULL, - "password in history", 0, NULL); + } else { + if ( slapi_pw_find_sv ( va, vals[0] ) == 0 ) { + pw_send_ldap_result(pb, LDAP_CONSTRAINT_VIOLATION, NULL, "password in history", 0, NULL); slapi_entry_free( e ); return ( 1 ); } @@ -1086,68 +1079,112 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals, } +/* + * Basically, h0 and h1 must be longer than GENERALIZED_TIME_LENGTH. + */ +static int +pw_history_cmp(const void *h0, const void *h1) +{ + size_t h0sz = 0; + size_t h1sz = 0; + if (!h0) { + if (!h1) { + return 0; + } else { + return -1; + } + } else { + if (!h1) { + return 1; + } else { + size_t delta; + h0sz = strlen(h0); + h1sz = strlen(h1); + delta = h0sz - h1sz; + if (!delta) { + return delta; + } + if (h0sz < GENERALIZED_TIME_LENGTH) { + /* too short for the history str. */ + return 0; + } + } + } + return PL_strncmp(h0, h1, GENERALIZED_TIME_LENGTH); +} + + static int update_pw_history( Slapi_PBlock *pb, const Slapi_DN *sdn, char *old_pw ) { - time_t t, old_t, cur_time; - int i = 0, oldest = 0; - int res; - Slapi_Entry *e; - Slapi_Attr *attr; + time_t cur_time; + int res = 1; /* no update, by default */ + Slapi_Entry *e = NULL; LDAPMod attribute; - char *values_replace[25]; /* 2-24 passwords in history */ LDAPMod *list_of_mods[2]; Slapi_PBlock mod_pb; - char *history_str; - char *str; + char *str = NULL; passwdPolicy *pwpolicy = NULL; const char *dn = slapi_sdn_get_dn(sdn); + char **values_replace = NULL; + int vacnt = 0; + int vacnt_todelete = 0; pwpolicy = new_passwdPolicy(pb, dn); /* retrieve the entry */ e = get_entry ( pb, dn ); if ( e == NULL ) { - return ( 1 ); + return res; } - history_str = (char *)slapi_ch_malloc(GENERALIZED_TIME_LENGTH + strlen(old_pw) + 1); - /* get password history, and find the oldest password in history */ - cur_time = current_time (); - old_t = cur_time; - str = format_genTime ( cur_time ); - attr = attrlist_find(e->e_attrs, "passwordHistory"); - if (attr && !valueset_isempty(&attr->a_present_values)) - { - Slapi_Value **va= valueset_get_valuearray(&attr->a_present_values); - for ( i = oldest = 0 ; - (va[i] != NULL) && (slapi_value_get_length(va[i]) > 0) ; - i++ ) { - - values_replace[i] = (char*)slapi_value_get_string(va[i]); - strncpy( history_str, values_replace[i], GENERALIZED_TIME_LENGTH); - history_str[GENERALIZED_TIME_LENGTH] = '\0'; - if (history_str[GENERALIZED_TIME_LENGTH - 1] != 'Z'){ - /* The time is not a generalized Time. Probably a password history from 4.x */ - history_str[GENERALIZED_TIME_LENGTH - 1] = '\0'; - } - t = parse_genTime ( history_str ); - if ( difftime ( t, old_t ) < 0 ) { - oldest = i; - old_t = t; - } + /* get password history */ + values_replace = slapi_entry_attr_get_charray_ext(e, "passwordHistory", &vacnt); + if (old_pw) { + /* we have a password to replace with the oldest one in the history. */ + if (!values_replace || !vacnt) { /* This is the first one to store */ + values_replace = (char **)slapi_ch_calloc(2, sizeof(char *)); } + } else { + /* we are checking the history size if it stores more than the current inhistory count. */ + if (!values_replace || !vacnt) { /* nothing to revise */ + res = 1; + goto bail; + } + /* + * If revising the passwords in the passwordHistory values + * and the password count in the value array is less than the inhistory, + * we have nothing to do. + */ + if (vacnt <= pwpolicy->pw_inhistory) { + res = 1; + goto bail; + } + vacnt_todelete = vacnt - pwpolicy->pw_inhistory; } - strcpy ( history_str, str ); - strcat ( history_str, old_pw ); - if ( i >= pwpolicy->pw_inhistory ) { - /* replace the oldest password in history */ - values_replace[oldest] = history_str; - values_replace[pwpolicy->pw_inhistory] = NULL; + + cur_time = current_time(); + str = format_genTime(cur_time); + /* values_replace is sorted. */ + if (old_pw) { + if ( vacnt >= pwpolicy->pw_inhistory ) { + slapi_ch_free_string(&values_replace[0]); + values_replace[0] = slapi_ch_smprintf("%s%s", str, old_pw); + } else { + /* add old_pw at the end of password history */ + values_replace = (char **)slapi_ch_realloc((char *)values_replace, sizeof(char *) * (vacnt + 2)); + values_replace[vacnt] = slapi_ch_smprintf("%s%s", str, old_pw); + values_replace[vacnt+1] = NULL; + } + qsort((void *)values_replace, vacnt, (size_t)sizeof(char *), pw_history_cmp); } else { - /* add old_pw at the end of password history */ - values_replace[i] = history_str; - values_replace[++i]=NULL; + int i; + /* vacnt > pwpolicy->pw_inhistory */ + for (i = 0; i < vacnt_todelete; i++) { + slapi_ch_free_string(&values_replace[i]); + } + memmove(values_replace, values_replace + vacnt_todelete, sizeof(char *) * pwpolicy->pw_inhistory); + values_replace[pwpolicy->pw_inhistory] = NULL; } /* modify the attribute */ @@ -1159,21 +1196,19 @@ update_pw_history( Slapi_PBlock *pb, const Slapi_DN *sdn, char *old_pw ) list_of_mods[1] = NULL; pblock_init(&mod_pb); - slapi_modify_internal_set_pb_ext(&mod_pb, sdn, list_of_mods, NULL, NULL, - pw_get_componentID(), 0); + slapi_modify_internal_set_pb_ext(&mod_pb, sdn, list_of_mods, NULL, NULL, pw_get_componentID(), 0); slapi_modify_internal_pb(&mod_pb); slapi_pblock_get(&mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &res); if (res != LDAP_SUCCESS){ LDAPDebug2Args(LDAP_DEBUG_ANY, "WARNING: passwordPolicy modify error %d on entry '%s'\n", res, dn); } - pblock_done(&mod_pb); - - slapi_ch_free((void **) &str ); - slapi_ch_free((void **) &history_str ); + slapi_ch_free_string(&str); +bail: + slapi_ch_array_free(values_replace); slapi_entry_free( e ); - return 0; + return res; } static

8 years, 8 months

1
0
0 / 0

Branch '389-ds-base-1.2.11' - ldap/servers

by Mark Reynolds

ldap/servers/slapd/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) New commits: commit aa083988ed65bf9ae9d0f4090ce3ef4ce5cb4a31 Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Thu Aug 6 11:27:40 2015 -0400 Ticket 48215 - update dbverify usage in main.c Description: Need to update dbverify usage in main.c https://fedorahosted.org/389/ticket/48215 (cherry picked from commit c1912cdcac8319e2fe0f98f765aa935e6a8ff297) diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c index 2442610..95976d3 100644 --- a/ldap/servers/slapd/main.c +++ b/ldap/servers/slapd/main.c @@ -453,7 +453,7 @@ usage( char *name, char *extraname ) usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-N] -n backend-instance-name -a fullpath-backend-instance-dir-full\n"; break; case SLAPD_EXEMODE_DBVERIFY: - usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name]\n"; + usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name] [-a db-directory]\n"; break; default: /* SLAPD_EXEMODE_SLAPD */

8 years, 8 months

1
0
0 / 0

Branch '389-ds-base-1.3.1' - ldap/servers

by Mark Reynolds

ldap/servers/slapd/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) New commits: commit e861b06de4faceea3774fb20963d3a6bf3fba735 Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Thu Aug 6 11:27:40 2015 -0400 Ticket 48215 - update dbverify usage in main.c Description: Need to update dbverify usage in main.c https://fedorahosted.org/389/ticket/48215 (cherry picked from commit c1912cdcac8319e2fe0f98f765aa935e6a8ff297) diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c index f301a67..4298070 100644 --- a/ldap/servers/slapd/main.c +++ b/ldap/servers/slapd/main.c @@ -453,7 +453,7 @@ usage( char *name, char *extraname ) usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-N] -n backend-instance-name -a fullpath-backend-instance-dir-full\n"; break; case SLAPD_EXEMODE_DBVERIFY: - usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name]\n"; + usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name] [-a db-directory]\n"; break; default: /* SLAPD_EXEMODE_SLAPD */

8 years, 8 months

1
0
0 / 0

Branch '389-ds-base-1.3.2' - ldap/servers

by Mark Reynolds

ldap/servers/slapd/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) New commits: commit 318f897d743fa5a556af0cb7d8590d1fdf6834da Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Thu Aug 6 11:27:40 2015 -0400 Ticket 48215 - update dbverify usage in main.c Description: Need to update dbverify usage in main.c https://fedorahosted.org/389/ticket/48215 (cherry picked from commit c1912cdcac8319e2fe0f98f765aa935e6a8ff297) diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c index c642b85..ef8651d 100644 --- a/ldap/servers/slapd/main.c +++ b/ldap/servers/slapd/main.c @@ -453,7 +453,7 @@ usage( char *name, char *extraname ) usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-N] -n backend-instance-name -a fullpath-backend-instance-dir-full\n"; break; case SLAPD_EXEMODE_DBVERIFY: - usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name]\n"; + usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name] [-a db-directory]\n"; break; default: /* SLAPD_EXEMODE_SLAPD */

8 years, 8 months

1
0
0 / 0

Branch '389-ds-base-1.3.3' - ldap/servers

by Mark Reynolds

ldap/servers/slapd/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) New commits: commit 67e89737c1d59a7c0825706578a05375fe0cf8da Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Thu Aug 6 11:27:40 2015 -0400 Ticket 48215 - update dbverify usage in main.c Description: Need to update dbverify usage in main.c https://fedorahosted.org/389/ticket/48215 (cherry picked from commit c1912cdcac8319e2fe0f98f765aa935e6a8ff297) diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c index 9c4787c..244c3ae 100644 --- a/ldap/servers/slapd/main.c +++ b/ldap/servers/slapd/main.c @@ -453,7 +453,7 @@ usage( char *name, char *extraname ) usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-N] -n backend-instance-name -a fullpath-backend-instance-dir-full\n"; break; case SLAPD_EXEMODE_DBVERIFY: - usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name]\n"; + usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name] [-a db-directory]\n"; break; default: /* SLAPD_EXEMODE_SLAPD */

8 years, 8 months

1
0
0 / 0

Branch '389-ds-base-1.3.4' - ldap/servers

by Mark Reynolds

ldap/servers/slapd/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) New commits: commit c842dbe3d0ee2ac28c55e31b9b8e5e5a3c5dc200 Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Thu Aug 6 11:27:40 2015 -0400 Ticket 48215 - update dbverify usage in main.c Description: Need to update dbverify usage in main.c https://fedorahosted.org/389/ticket/48215 (cherry picked from commit c1912cdcac8319e2fe0f98f765aa935e6a8ff297) diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c index 922de97..4f9fbfe 100644 --- a/ldap/servers/slapd/main.c +++ b/ldap/servers/slapd/main.c @@ -398,7 +398,7 @@ usage( char *name, char *extraname ) usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-N] -n backend-instance-name -a fullpath-backend-instance-dir-full\n"; break; case SLAPD_EXEMODE_DBVERIFY: - usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name]\n"; + usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name] [-a db-directory]\n"; break; default: /* SLAPD_EXEMODE_SLAPD */

8 years, 8 months

1
0
0 / 0

ldap/servers

by Mark Reynolds

ldap/servers/slapd/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) New commits: commit c1912cdcac8319e2fe0f98f765aa935e6a8ff297 Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Thu Aug 6 11:27:40 2015 -0400 Ticket 48215 - update dbverify usage in main.c Description: Need to update dbverify usage in main.c https://fedorahosted.org/389/ticket/48215 diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c index 922de97..4f9fbfe 100644 --- a/ldap/servers/slapd/main.c +++ b/ldap/servers/slapd/main.c @@ -398,7 +398,7 @@ usage( char *name, char *extraname ) usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-N] -n backend-instance-name -a fullpath-backend-instance-dir-full\n"; break; case SLAPD_EXEMODE_DBVERIFY: - usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name]\n"; + usagestr = "usage: %s %s%s-D configdir [-d debuglevel] [-n backend-instance-name] [-a db-directory]\n"; break; default: /* SLAPD_EXEMODE_SLAPD */

8 years, 8 months

1
0
0 / 0

Branch '389-ds-base-1.3.1' - ldap/admin

by Mark Reynolds

ldap/admin/src/scripts/dbverify.in | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) New commits: commit 26f6b92b70d50bd9e34e3a9d90334832aeb25b63 Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Thu Aug 6 10:13:40 2015 -0400 Ticket 48215 - update dbverify usage Description: Need to add the "-a" argument usage https://fedorahosted.org/389/ticket/48215 (cherry picked from commit 20284e6539f557efc0679d974d5156cdcd55c407) diff --git a/ldap/admin/src/scripts/dbverify.in b/ldap/admin/src/scripts/dbverify.in index 778a9ba..461cc16 100755 --- a/ldap/admin/src/scripts/dbverify.in +++ b/ldap/admin/src/scripts/dbverify.in @@ -14,15 +14,16 @@ PATH=$PATH:/bin usage() { - echo "Usage: dbverify [-Z serverID] [-n backend_instance] [-V] [-v] [-d debuglevel] [-h]" + echo "Usage: dbverify [-Z serverID] [-n backend_instance] [-a db_directory ] [-V] [-v] [-d debuglevel] [-h]" echo "Note if \"-n backend\" is not passed, verify all DBs." echo "Options:" - echo " -Z - Server instance identifier" - echo " -n backend - Backend database name. Example: userRoot" - echo " -V - Verbose output" - echo " -d debuglevel - Debugging level" - echo " -v - Display version" - echo " -h - Display usage" + echo " -Z - Server instance identifier" + echo " -n backend - Backend database name. Example: userRoot" + echo " -a db_directory - Database directory" + echo " -V - Verbose output" + echo " -d debuglevel - Debugging level" + echo " -v - Display version" + echo " -h - Display usage" } display_version="no"

8 years, 8 months

1
0
0 / 0

Branch '389-ds-base-1.3.2' - ldap/admin

by Mark Reynolds

ldap/admin/src/scripts/dbverify.in | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) New commits: commit d2962ea206011bce98749e04c4f8fba91e7c90b1 Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Thu Aug 6 10:13:40 2015 -0400 Ticket 48215 - update dbverify usage Description: Need to add the "-a" argument usage https://fedorahosted.org/389/ticket/48215 (cherry picked from commit 20284e6539f557efc0679d974d5156cdcd55c407) diff --git a/ldap/admin/src/scripts/dbverify.in b/ldap/admin/src/scripts/dbverify.in index 778a9ba..461cc16 100755 --- a/ldap/admin/src/scripts/dbverify.in +++ b/ldap/admin/src/scripts/dbverify.in @@ -14,15 +14,16 @@ PATH=$PATH:/bin usage() { - echo "Usage: dbverify [-Z serverID] [-n backend_instance] [-V] [-v] [-d debuglevel] [-h]" + echo "Usage: dbverify [-Z serverID] [-n backend_instance] [-a db_directory ] [-V] [-v] [-d debuglevel] [-h]" echo "Note if \"-n backend\" is not passed, verify all DBs." echo "Options:" - echo " -Z - Server instance identifier" - echo " -n backend - Backend database name. Example: userRoot" - echo " -V - Verbose output" - echo " -d debuglevel - Debugging level" - echo " -v - Display version" - echo " -h - Display usage" + echo " -Z - Server instance identifier" + echo " -n backend - Backend database name. Example: userRoot" + echo " -a db_directory - Database directory" + echo " -V - Verbose output" + echo " -d debuglevel - Debugging level" + echo " -v - Display version" + echo " -h - Display usage" } display_version="no"

8 years, 8 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-commits August 2015