time_t then, now;
Modifications *m;
- if (!pp->pwdLockoutDuration)
- return 1;
-
if ((then = parse_time( vals[0].bv_val )) == (time_t)0)
return 1;
now = slap_get_time();
+ /* Still in the future? not yet in effect */
+ if (now < then)
+ return 0;
+
+ if (!pp->pwdLockoutDuration)
+ return 1;
+
if (now < then + pp->pwdLockoutDuration)
return 1;
}
static int
-check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyError *err, Entry *e )
+check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyError *err, Entry *e, char **txt )
{
int rc = LDAP_SUCCESS, ok = LDAP_SUCCESS;
char *ptr = cred->bv_val;
assert( cred != NULL );
assert( pp != NULL );
+ assert( txt != NULL );
+
+ *txt = NULL;
if ((cred->bv_len == 0) || (pp->pwdMinLength > cred->bv_len)) {
rc = LDAP_CONSTRAINT_VIOLATION;
pp->pwdCheckModule, err, 0 );
ok = LDAP_OTHER;
} else {
- char *txt = NULL;
-
ldap_pvt_thread_mutex_lock( &chk_syntax_mutex );
- ok = prog( ptr, &txt, e );
+ ok = prog( ptr, txt, e );
ldap_pvt_thread_mutex_unlock( &chk_syntax_mutex );
if (ok != LDAP_SUCCESS) {
Debug(LDAP_DEBUG_ANY,
"check_password_quality: module error: (%s) %s.[%d]\n",
- pp->pwdCheckModule, txt ? txt : "", ok );
- free(txt);
+ pp->pwdCheckModule, *txt ? *txt : "", ok );
}
}
SlapReply r2 = { REP_RESULT };
slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
pp_info *pi = on->on_bi.bi_private;
+ LDAPControl c, *ca[2];
op2.o_tag = LDAP_REQ_MODIFY;
op2.o_callback = &cb;
op2.orm_modlist = mod;
+ op2.orm_no_opattrs = 0;
op2.o_dn = op->o_bd->be_rootdn;
op2.o_ndn = op->o_bd->be_rootndn;
* chain overlay. Obviously the updateref and chain overlay
* must be configured appropriately for this to be useful.
*/
- if ( SLAP_SHADOW( op->o_bd ) && pi->forward_updates )
+ if ( SLAP_SHADOW( op->o_bd ) && pi->forward_updates ) {
op2.o_bd = frontendDB;
- else
+
+ /* Must use Relax control since these are no-user-mod */
+ op2.o_relax = SLAP_CONTROL_CRITICAL;
+ op2.o_ctrls = ca;
+ ca[0] = &c;
+ ca[1] = NULL;
+ BER_BVZERO( &c.ldctl_value );
+ c.ldctl_iscritical = 1;
+ c.ldctl_oid = LDAP_CONTROL_RELAX;
+ } else {
op2.o_bd->bd_info = (BackendInfo *)on->on_info;
+ }
rc = op2.o_bd->be_modify( &op2, &r2 );
slap_mods_free( mod, 1 );
}
struct berval *bv = &(pa->a_vals[0]);
int rc, send_ctrl = 0;
LDAPPasswordPolicyError pErr = PP_noError;
+ char *txt;
/* Did we receive a password policy request control? */
if ( op->o_ctrlflag[ppolicy_cid] ) {
send_ctrl = 1;
}
- rc = check_password_quality( bv, &pp, &pErr, op->ora_e );
+ rc = check_password_quality( bv, &pp, &pErr, op->ora_e, &txt );
if (rc != LDAP_SUCCESS) {
LDAPControl **oldctrls = NULL;
op->o_bd->bd_info = (BackendInfo *)on->on_info;
ctrl = create_passcontrol( op, -1, -1, pErr );
oldctrls = add_passcontrol( op, rs, ctrl );
}
- send_ldap_error( op, rs, rc, "Password fails quality checking policy" );
+ send_ldap_error( op, rs, rc, txt ? txt : "Password fails quality checking policy" );
+ if ( txt ) {
+ free( txt );
+ }
if ( send_ctrl ) {
ctrls_cleanup( op, rs, oldctrls );
}
Attribute *pa, *ha, at;
const char *txt;
pw_hist *tl = NULL, *p;
- int zapReset, send_ctrl = 0;
+ int zapReset, send_ctrl = 0, free_txt = 0;
Entry *e;
struct berval newpw = BER_BVNULL, oldpw = BER_BVNULL,
*bv, cr[2];
/*
* we have a password to check
*/
- const char *txt;
-
bv = oldpw.bv_val ? &oldpw : delmod->sml_values;
/* FIXME: no access checking? */
rc = slap_passwd_check( op, NULL, pa, bv, &txt );
bv = newpw.bv_val ? &newpw : &addmod->sml_values[0];
if (pp.pwdCheckQuality > 0) {
- rc = check_password_quality( bv, &pp, &pErr, e );
+ rc = check_password_quality( bv, &pp, &pErr, e, (char **)&txt );
if (rc != LDAP_SUCCESS) {
rs->sr_err = rc;
- rs->sr_text = "Password fails quality checking policy";
+ if ( txt ) {
+ rs->sr_text = txt;
+ free_txt = 1;
+ } else {
+ rs->sr_text = "Password fails quality checking policy";
+ }
goto return_results;
}
}
oldctrls = add_passcontrol( op, rs, ctrl );
}
send_ldap_result( op, rs );
+ if ( free_txt ) {
+ free( (char *)txt );
+ rs->sr_text = NULL;
+ }
if ( send_ctrl ) {
if ( is_pwdexop ) {
if ( rs->sr_flags & REP_CTRLS_MUSTBEFREED ) {