#include <ac/time.h>
#include <ac/string.h>
#include <ac/ctype.h>
+#include "config.h"
#ifndef MODULE_NAME_SZ
#define MODULE_NAME_SZ 256
* used by all instances
*/
typedef struct pw_conn {
- int restricted; /* TRUE if connection is restricted */
+ struct berval dn; /* DN of restricted user */
} pw_conn;
static pw_conn *pwcons;
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
"SINGLE-VALUE "
#if 0
- /* Not until MANAGEDIT control is released */
+ /* Not until Relax control is released */
"NO-USER-MODIFICATION "
#endif
"USAGE directoryOperation )",
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
"SINGLE-VALUE "
#if 0
- /* Not until MANAGEDIT control is released */
+ /* Not until Relax control is released */
"NO-USER-MODIFICATION "
#endif
"USAGE directoryOperation )",
static ldap_pvt_thread_mutex_t chk_syntax_mutex;
+enum {
+ PPOLICY_DEFAULT = 1,
+ PPOLICY_HASH_CLEARTEXT,
+ PPOLICY_USE_LOCKOUT
+};
+
+static ConfigDriver ppolicy_cf_default;
+
+static ConfigTable ppolicycfg[] = {
+ { "ppolicy_default", "policyDN", 2, 2, 0,
+ ARG_DN|ARG_MAGIC|PPOLICY_DEFAULT, ppolicy_cf_default,
+ "( OLcfgOvAt:12.1 NAME 'olcPPolicyDefault' "
+ "DESC 'DN of a pwdPolicy object for uncustomized objects' "
+ "SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL },
+ { "ppolicy_hash_cleartext", "on|off", 1, 2, 0,
+ ARG_ON_OFF|ARG_OFFSET|PPOLICY_HASH_CLEARTEXT,
+ (void *)offsetof(pp_info,hash_passwords),
+ "( OLcfgOvAt:12.2 NAME 'olcPPolicyHashCleartext' "
+ "DESC 'Hash passwords on add or modify' "
+ "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
+ { "ppolicy_use_lockout", "on|off", 1, 2, 0,
+ ARG_ON_OFF|ARG_OFFSET|PPOLICY_USE_LOCKOUT,
+ (void *)offsetof(pp_info,use_lockout),
+ "( OLcfgOvAt:12.3 NAME 'olcPPolicyUseLockout' "
+ "DESC 'Warn clients with AccountLocked' "
+ "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
+ { NULL, NULL, 0, 0, 0, ARG_IGNORED }
+};
+
+static ConfigOCs ppolicyocs[] = {
+ { "( OLcfgOvOc:12.1 "
+ "NAME 'olcPPolicyConfig' "
+ "DESC 'Password Policy configuration' "
+ "SUP olcOverlayConfig "
+ "MAY ( olcPPolicyDefault $ olcPPolicyHashCleartext $ "
+ "olcPPolicyUseLockout ) )",
+ Cft_Overlay, ppolicycfg },
+ { NULL, 0, NULL }
+};
+
+static int
+ppolicy_cf_default( ConfigArgs *c )
+{
+ slap_overinst *on = (slap_overinst *)c->bi;
+ pp_info *pi = (pp_info *)on->on_bi.bi_private;
+ int rc = ARG_BAD_CONF;
+
+ assert ( c->type == PPOLICY_DEFAULT );
+ Debug(LDAP_DEBUG_TRACE, "==> ppolicy_cf_default\n", 0, 0, 0);
+
+ switch ( c->op ) {
+ case SLAP_CONFIG_EMIT:
+ Debug(LDAP_DEBUG_TRACE, "==> ppolicy_cf_default emit\n", 0, 0, 0);
+ rc = 0;
+ if ( !BER_BVISEMPTY( &pi->def_policy )) {
+ rc = value_add_one( &c->rvalue_vals,
+ &pi->def_policy );
+ if ( rc ) return rc;
+ rc = value_add_one( &c->rvalue_nvals,
+ &pi->def_policy );
+ }
+ break;
+ case LDAP_MOD_DELETE:
+ Debug(LDAP_DEBUG_TRACE, "==> ppolicy_cf_default delete\n", 0, 0, 0);
+ if ( pi->def_policy.bv_val ) {
+ ber_memfree ( pi->def_policy.bv_val );
+ pi->def_policy.bv_val = NULL;
+ }
+ pi->def_policy.bv_len = 0;
+ rc = 0;
+ break;
+ case SLAP_CONFIG_ADD:
+ /* fallthrough to LDAP_MOD_ADD */
+ case LDAP_MOD_ADD:
+ Debug(LDAP_DEBUG_TRACE, "==> ppolicy_cf_default add\n", 0, 0, 0);
+ if ( pi->def_policy.bv_val )
+ ber_memfree ( pi->def_policy.bv_val );
+ pi->def_policy = c->value_ndn;
+ rc = 0;
+ break;
+ default:
+ abort ();
+ }
+
+ return rc;
+}
+
static time_t
parse_time( char *atm )
{
memset( pp, 0, sizeof(PassPolicy) );
+ pp->ad = slap_schema.si_ad_userPassword;
+
/* Users can change their own password by default */
pp->pwdAllowUserChange = 1;
#if 0 /* Only worry about userPassword for now */
if ((a = attr_find( pe->e_attrs, ad_pwdAttribute )))
slap_bv2ad( &a->a_vals[0], &pp->ad, &text );
-#else
- pp->ad = slap_schema.si_ad_userPassword;
#endif
if ( ( a = attr_find( pe->e_attrs, ad_pwdMinAge ) )
return;
defaultpol:
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"ppolicy_get: using default policy\n", 0, 0, 0 );
return;
}
if (cred->bv_val[e]) {
int rc;
rc = lutil_passwd_scheme( cred->bv_val );
- if (rc && sch) {
- sch->bv_val = cred->bv_val;
- sch->bv_len = e;
+ if (rc) {
+ if (sch) {
+ sch->bv_val = cred->bv_val;
+ sch->bv_len = e;
+ }
return LDAP_SUCCESS;
}
}
* that we are disallowed from doing anything
* other than change password.
*/
- pwcons[op->o_conn->c_conn_idx].restricted = 1;
+ ber_dupbv( &pwcons[op->o_conn->c_conn_idx].dn,
+ &op->o_conn->c_ndn );
ppb->pErr = PP_changeAfterReset;
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
/* Reset lockout status on all Bind requests */
- pwcons[op->o_conn->c_conn_idx].restricted = 0;
+ if ( !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) {
+ ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
+ BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
+ }
/* Root bypasses policy */
if ( !be_isroot_dn( op->o_bd, &op->o_req_ndn )) {
return SLAP_CB_CONTINUE;
}
-/* Reset the restricted flag for the next session on this connection */
+/* Reset the restricted info for the next session on this connection */
static int
ppolicy_connection_destroy( BackendDB *bd, Connection *conn )
{
- pwcons[conn->c_conn_idx].restricted = 0;
+ if ( !BER_BVISEMPTY( &pwcons[conn->c_conn_idx].dn )) {
+ ch_free( pwcons[conn->c_conn_idx].dn.bv_val );
+ BER_BVZERO( &pwcons[conn->c_conn_idx].dn );
+ }
return SLAP_CB_CONTINUE;
}
send_ctrl = 1;
}
- if ( op->o_conn && pwcons[op->o_conn->c_conn_idx].restricted ) {
+ if ( op->o_conn && !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) {
+ /* if the current authcDN doesn't match the one we recorded,
+ * then an intervening Bind has succeeded and the restriction
+ * no longer applies. (ITS#4516)
+ */
+ if ( !dn_match( &op->o_conn->c_ndn,
+ &pwcons[op->o_conn->c_conn_idx].dn )) {
+ ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
+ BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
+ return SLAP_CB_CONTINUE;
+ }
+
Debug( LDAP_DEBUG_TRACE,
"connection restricted to password changing only\n", 0, 0, 0);
if ( send_ctrl ) {
if ((pa = attr_find( op->oq_add.rs_e->e_attrs,
slap_schema.si_ad_userPassword )))
{
+ assert( pa->a_vals );
+ assert( !BER_BVISNULL( &pa->a_vals[ 0 ] ) );
+
+ if ( !BER_BVISNULL( &pa->a_vals[ 1 ] ) ) {
+ send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION, "Password policy only allows one password value" );
+ return rs->sr_err;
+ }
+
/*
* new entry contains a password - if we're not the root user
* then we need to check that the password fits in with the
return SLAP_CB_CONTINUE;
}
+static int
+ppolicy_mod_cb( Operation *op, SlapReply *rs )
+{
+ slap_callback *sc = op->o_callback;
+ op->o_callback = sc->sc_next;
+ if ( rs->sr_err == LDAP_SUCCESS ) {
+ ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
+ BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
+ }
+ op->o_tmpfree( sc, op->o_tmpmemctx );
+ return SLAP_CB_CONTINUE;
+}
+
static int
ppolicy_modify( Operation *op, SlapReply *rs )
{
pwmod = 1;
pwmop = ml->sml_op;
if ((deladd == 0) && (ml->sml_op == LDAP_MOD_DELETE) &&
- (ml->sml_values) && (ml->sml_values[0].bv_val != NULL)) {
+ (ml->sml_values) && !BER_BVISNULL( &ml->sml_values[0] ))
+ {
deladd = 1;
delmod = ml;
}
if ((deladd == 1) && ((ml->sml_op == LDAP_MOD_ADD) ||
- (ml->sml_op == LDAP_MOD_REPLACE)))
+ (ml->sml_op == LDAP_MOD_REPLACE)))
+ {
deladd = 2;
+ }
if ((ml->sml_op == LDAP_MOD_ADD) ||
(ml->sml_op == LDAP_MOD_REPLACE))
+ {
addmod = ml;
+
+ /* FIXME: there's no easy way to ensure
+ * that add does not cause multiple
+ * userPassword values; one way (that
+ * would be consistent with the single
+ * password constraint) would be to turn
+ * add into replace); another would be
+ * to disallow add.
+ *
+ * Let's check at least that a single value
+ * is being added
+ */
+ assert( addmod->sml_values != NULL );
+ assert( !BER_BVISNULL( &addmod->sml_values[ 0 ] ) );
+ if ( !BER_BVISNULL( &addmod->sml_values[ 1 ] ) ) {
+ rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
+ rs->sr_text = "Password policy only allows one password value";
+ goto return_results;
+ }
+ }
+
} else if (! is_at_operational( ml->sml_desc->ad_type )) {
mod_pw_only = 0;
/* modifying something other than password */
}
}
- if (pwcons[op->o_conn->c_conn_idx].restricted && !mod_pw_only) {
- Debug( LDAP_DEBUG_TRACE,
- "connection restricted to password changing only\n", 0, 0, 0 );
- rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
- rs->sr_text = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password";
- pErr = PP_changeAfterReset;
- goto return_results;
+ if (!BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn ) && !mod_pw_only ) {
+ if ( dn_match( &op->o_conn->c_ndn,
+ &pwcons[op->o_conn->c_conn_idx].dn )) {
+ Debug( LDAP_DEBUG_TRACE,
+ "connection restricted to password changing only\n", 0, 0, 0 );
+ rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+ rs->sr_text = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password";
+ pErr = PP_changeAfterReset;
+ goto return_results;
+ } else {
+ ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
+ BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
+ }
}
/*
struct berval timestamp;
char timebuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
time_t now = slap_get_time();
-
+
+ /* If the conn is restricted, set a callback to clear it
+ * if the pwmod succeeds
+ */
+ if (!BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) {
+ slap_callback *sc = op->o_tmpcalloc( 1, sizeof( slap_callback ),
+ op->o_tmpmemctx );
+ sc->sc_next = op->o_callback;
+ /* Must use sc_response to insure we reset on success, before
+ * the client sees the response. Must use sc_cleanup to insure
+ * that it gets cleaned up if sc_response is not called.
+ */
+ sc->sc_response = ppolicy_mod_cb;
+ sc->sc_cleanup = ppolicy_mod_cb;
+ op->o_callback = sc;
+ }
+
/*
* keep the necessary pwd.. operational attributes
* up to date.
rs->sr_text = "passwordPolicyRequest control value not empty";
return LDAP_PROTOCOL_ERROR;
}
- if ( ctrl->ldctl_iscritical ) {
- rs->sr_text = "passwordPolicyRequest control invalid criticality";
- return LDAP_PROTOCOL_ERROR;
- }
- op->o_ctrlflag[ppolicy_cid] = SLAP_CONTROL_NONCRITICAL;
+ op->o_ctrlflag[ppolicy_cid] = ctrl->ldctl_iscritical
+ ? SLAP_CONTROL_CRITICAL
+ : SLAP_CONTROL_NONCRITICAL;
return LDAP_SUCCESS;
}
return 0;
}
-static int
-ppolicy_config(
- BackendDB *be,
- const char *fname,
- int lineno,
- int argc,
- char **argv
-)
-{
- slap_overinst *on = (slap_overinst *) be->bd_info;
- pp_info *pi = on->on_bi.bi_private;
- struct berval dn;
-
-
- if ( strcasecmp( argv[0], "ppolicy_default" ) == 0 ) {
- if ( argc != 2 ) {
- fprintf( stderr, "%s: line %d: invalid arguments in \"ppolicy_default"
- " <policyDN>\n", fname, lineno );
- return ( 1 );
- }
- ber_str2bv( argv[1], 0, 0, &dn );
- if ( dnNormalize( 0, NULL, NULL, &dn, &pi->def_policy, NULL ) ) {
- fprintf( stderr, "%s: line %d: policyDN is invalid\n",
- fname, lineno );
- return 1;
- }
- return 0;
-
- } else if ( strcasecmp( argv[0], "ppolicy_use_lockout" ) == 0 ) {
- if ( argc != 1 ) {
- fprintf( stderr, "%s: line %d: ppolicy_use_lockout "
- "takes no arguments\n", fname, lineno );
- return ( 1 );
- }
- pi->use_lockout = 1;
- return 0;
- } else if ( strcasecmp( argv[0], "ppolicy_hash_cleartext" ) == 0 ) {
- if ( argc != 1 ) {
- fprintf( stderr, "%s: line %d: ppolicy_hash_cleartext "
- "takes no arguments\n", fname, lineno );
- return ( 1 );
- }
- pi->hash_passwords = 1;
- return 0;
- }
- return SLAP_CONF_UNKNOWN;
-}
-
static char *extops[] = {
LDAP_EXOP_MODIFY_PASSWD,
NULL
ppolicy.on_bi.bi_type = "ppolicy";
ppolicy.on_bi.bi_db_init = ppolicy_db_init;
ppolicy.on_bi.bi_db_open = ppolicy_db_open;
- ppolicy.on_bi.bi_db_config = ppolicy_config;
ppolicy.on_bi.bi_db_close = ppolicy_close;
ppolicy.on_bi.bi_op_add = ppolicy_add;
ppolicy.on_bi.bi_op_search = ppolicy_restrict;
ppolicy.on_bi.bi_connection_destroy = ppolicy_connection_destroy;
+ ppolicy.on_bi.bi_cf_ocs = ppolicyocs;
+ code = config_register_schema( ppolicycfg, ppolicyocs );
+ if ( code ) return code;
+
return overlay_register( &ppolicy );
}