[Fedora-directory-devel] Please Review: (202872) Allow the password modify extended op when using SASL privacy layer

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=202872 Bug(s) fixed: 202872 Bug Description: The current behavior of the Directory Server is to only allow the password modify extended operation when the connection is using SSL or TLS. If you attempt to use a connection that is not using SSL or TLS, the server returns LDAP_CONFIDENTIALITY_REQUIRED. We should allow the password modify extended operation if the connection is using a SASL security layer that has privacy. Reviewed by: ??? Files: See diffs Branch: HEAD Fix Description: I added a new internal function "int ids_sasl_privacy_enabled(Connection *conn)" that will check if a SASL security layer supporting privacy has been negotiated for a particular connection. This function uses the sasl_getprop() function to check the SSF (security strength factor) to see if privacy has been negotiated. This function allows us to have the password modify extop code check if privacy is enabled so it can allow the operation to be processed. The new server behavior is to allow the password modify extended operation if using SSL, TLS, or a SASL privacy layer. All other attempts will return LDAP_CONFIDENTIALITY_REQUIRED. Platforms tested: RHEL4 Flag Day: no Doc impact: no https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=134347