https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=202872
Bug(s) fixed: 202872
Bug Description: The current behavior of the Directory Server is to only
allow the password modify extended operation when the connection is using
SSL or TLS. If you attempt to use a connection that is not using SSL or
TLS, the server returns LDAP_CONFIDENTIALITY_REQUIRED.
We should allow the password modify extended operation if the connection
is using a SASL security layer that has privacy.
Reviewed by: ???
Files: See diffs
Branch: HEAD
Fix Description: I added a new internal function
"int ids_sasl_privacy_enabled(Connection *conn)" that will check if a SASL
security layer supporting privacy has been negotiated for a particular
connection. This function uses the sasl_getprop() function to check the
SSF (security strength factor) to see if privacy has been negotiated.
This function allows us to have the password modify extop code check if
privacy is enabled so it can allow the operation to be processed. The new
server behavior is to allow the password modify extended operation if
using SSL, TLS, or a SASL privacy layer. All other attempts will return
LDAP_CONFIDENTIALITY_REQUIRED.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=134347
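
The gate described in the fix description, modeled as an added example that is not the patch's or the project's own code. conn_model and both function names are hypothetical, and the sketch assumes the Cyrus SASL convention that an SSF of 0 means no security layer, 1 means integrity only, and anything above 1 means encryption.

```c
#include <stddef.h>
#include <stdio.h>

#define LDAP_SUCCESS                  0x00
#define LDAP_CONFIDENTIALITY_REQUIRED 0x0d  /* LDAP resultCode 13 */

/* Hypothetical stand-in for the server's Connection, not the real struct. */
typedef struct {
    int tls_active;            /* connection is using SSL or TLS */
    const unsigned *sasl_ssf;  /* result of an SSF property lookup;
                                  NULL = no SASL context or lookup failed */
} conn_model;

/* Assumed threshold: only SSF > 1 counts as privacy. An integrity-only
 * layer (SSF 1) still sends the new password in the clear. */
static int sasl_privacy_enabled_model(const conn_model *c)
{
    if (c == NULL || c->sasl_ssf == NULL)
        return 0;              /* fail closed when the SSF is unknown */
    return *c->sasl_ssf > 1;
}

/* Result code the password modify extop would return for this connection. */
static int passwd_modify_gate(const conn_model *c)
{
    if (c != NULL && (c->tls_active || sasl_privacy_enabled_model(c)))
        return LDAP_SUCCESS;
    return LDAP_CONFIDENTIALITY_REQUIRED;
}

int main(void)
{
    /* Constructed sample connections. */
    unsigned none = 0, integrity = 1, enc56 = 56, enc128 = 128;
    const conn_model cases[] = {
        {0, NULL}, {1, NULL}, {0, &none}, {0, &integrity},
        {0, &enc56}, {0, &enc128},
    };
    const char *names[] = {
        "plain, no SASL", "TLS, no SASL", "SASL SSF 0", "SASL SSF 1",
        "SASL SSF 56", "SASL SSF 128",
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s -> 0x%02x\n", names[i], passwd_modify_gate(&cases[i]));
    return 0;
}
```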