mreynolds pushed a commit to branch 389-ds-base-1.3.9
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.3.9 by this push:
new 4554617 Ticket 50155 - password history check has no way to just check the
current password
4554617 is described below
commit 4554617ad3ddf3c5ea911dd42cce24cb60b0c4c4
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Tue Jan 15 18:06:37 2019 +0000
Ticket 50155 - password history check has no way to just check the current password
Description: Currently if you set passwordinhistory 1, it checks the last
recorded password and the current password. To get it to just
check the current password we need to allow "0" in
passwordinhistory.
Then only check the current password, and not the entry's
passwordHistory attributes (if any).
Also added new "rebind" function to Accounts class to
"rebind"
on the current connection.
https://pagure.io/389-ds-base/issue/50155
Reviewed by: firstyear & spichugi (Thanks!!)
---
ldap/servers/slapd/libglobs.c | 8 ++++----
ldap/servers/slapd/pw.c | 7 ++++++-
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 56b67b7..59f8d06 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -3139,8 +3139,8 @@ config_set_pw_maxfailure(const char *attrname, char *value, char
*errorbuf, int
int
config_set_pw_inhistory(const char *attrname, char *value, char *errorbuf, int apply)
{
- int retVal = LDAP_SUCCESS;
- long history = 0;
+ int32_t retVal = LDAP_SUCCESS;
+ int64_t history = 0;
char *endp = NULL;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
@@ -3152,9 +3152,9 @@ config_set_pw_inhistory(const char *attrname, char *value, char
*errorbuf, int a
errno = 0;
history = strtol(value, &endp, 10);
- if (*endp != '\0' || errno == ERANGE || history < 1 || history > 24) {
+ if (*endp != '\0' || errno == ERANGE || history < 0 || history > 24) {
slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password history length \"%s\" is invalid.
The password history must range from 1 to 24", value);
+ "password history length \"%s\" is invalid.
The password history must range from 0 to 24", value);
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
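Review bot: With 0 now inside the accepted range, an empty `value` would pass this check, because strtol() performs no conversion, leaves `endp == value` (so `*endp` is `'\0'`) and returns 0. Unless a null or empty test in the lines between the two hunks already rejects it, a blank passwordinhistory would quietly reduce the policy to checking the current password only. Extending the condition to `if (endp == value || *endp != '\0' || errno == ERANGE || history < 0 || history > 24) {` closes that. The rest of config_set_pw_inhistory, including where `history` is stored, is outside the hunk.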
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 10b8e72..ec23ed1 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -983,7 +983,7 @@ check_pw_syntax_ext(Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value
**vals, c
if (pwpolicy->pw_history == 1) {
Slapi_Value **va = NULL;
attr = attrlist_find(e->e_attrs, "passwordHistory");
- if (attr && !valueset_isempty(&attr->a_present_values)) {
+ if (pwpolicy->pw_inhistory && attr &&
!valueset_isempty(&attr->a_present_values)) {
/* Resetting password history array if necessary. */
if (0 == update_pw_history(pb, sdn, NULL)) {
/* There was an update in the password history. Retry... */
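Review bot: The added `pwpolicy->pw_inhistory &&` test treats any non-zero value as "history enabled", including a negative one. The setter in libglobs.c bounds the global value to 0..24, but whether subtree or user-level policy values reach `pwpolicy` through the same validation is not visible here. Writing `pwpolicy->pw_inhistory > 0 && attr &&` would be explicit and would mirror the `== 0` test added in update_pw_history. A short comment such as `/* pw_inhistory == 0: skip passwordHistory; only the current password is compared */` would record the new meaning of 0. The enclosing block starts and ends outside the hunk.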
@@ -1135,6 +1135,11 @@ update_pw_history(Slapi_PBlock *pb, const Slapi_DN *sdn, char
*old_pw)
pwpolicy = new_passwdPolicy(pb, dn);
+ if (pwpolicy->pw_inhistory == 0){
+ /* We are only enforcing the current password, just return */
+ return res;
+ }
+
/* retrieve the entry */
e = get_entry(pb, dn);
if (e == NULL) {
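Review bot: The early return for `pw_inhistory == 0` leaves any passwordHistory values already stored on the entry in place, so an entry that built up history under an earlier non-zero setting presumably keeps those old password values indefinitely. If that is intended, for example so history resumes when the setting is raised again, the comment should say so, e.g. `/* Only the current password is enforced; existing passwordHistory values are deliberately left untouched */`. Otherwise the attribute should be cleared here. Separately, `return res;` returns whatever `res` was initialised to outside the hunk, and the caller in check_pw_syntax_ext treats 0 as "history was updated, retry", so an explicit return value with a comment on its meaning would be safer than relying on the initialiser. `pwpolicy` is also dereferenced straight after new_passwdPolicy() with no NULL test, and whether that call can fail is not visible from the hunk.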