add logs; fix bug in group/dn selection logic

[openldap] / servers / slapd / passwd.c
diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c

index 24d3e0552d880df67273a26864bb66f9cbf93837..25d541d8957470d76f017ee8c2970d9885fe6b26 100644 (file)
--- a/servers/slapd/passwd.c
+++ b/servers/slapd/passwd.c
@@ -28,6 +28,15 @@
  #include <lber_pvt.h>
  #include <lutil.h>
  
+static const char *defhash[] = {
+#ifdef LUTIL_SHA1_BYTES
+       "{SSHA}",
+#else
+       "{SMD5}",
+#endif
+       NULL
+};
+
  int passwd_extop(
         Operation *op,
         SlapReply *rs )
@@ -38,6 +47,9 @@ int passwd_extop(
         Operation op2;
         slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
         slap_callback cb2 = { NULL, slap_replog_cb, NULL, NULL };
+       int i, nhash;
+       char **hashes;
+
         cb2.sc_next = &cb;
  
         assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 );
@@ -98,22 +110,25 @@ int passwd_extop(
  
  #ifndef SLAPD_MULTIMASTER
         /* This does not apply to multi-master case */
-       if( op->o_bd->be_update_ndn.bv_len ) {
+       if(!( !SLAP_SHADOW( op->o_bd ) || be_isupdate( op ))) {
                 /* we SHOULD return a referral in this case */
-               BerVarray defref = NULL;
-               if ( !LDAP_STAILQ_EMPTY( &op->o_bd->be_syncinfo )) {
-                       syncinfo_t *si;
-                       LDAP_STAILQ_FOREACH( si, &op->o_bd->be_syncinfo, si_next ) {
-                               struct berval tmpbv;
-                               ber_dupbv( &tmpbv, &si->si_provideruri_bv[0] );
-                               ber_bvarray_add( &defref, &tmpbv );
-                       }
-               } else {
-                       defref = referral_rewrite( op->o_bd->be_update_refs,
+               BerVarray defref = op->o_bd->be_update_refs
+                       ? op->o_bd->be_update_refs : default_referral; 
+
+               if( defref != NULL ) {
+                       rs->sr_ref = referral_rewrite( op->o_bd->be_update_refs,
                                 NULL, NULL, LDAP_SCOPE_DEFAULT );
+                       if(rs->sr_ref) {
+                               rs->sr_flags |= REP_REF_MUSTBEFREED;
+                       } else {
+                               rs->sr_ref = defref;
+                       }
+                       return LDAP_REFERRAL;
+
                 }
-               rs->sr_ref = defref;
-               return LDAP_REFERRAL;
+
+               rs->sr_text = "shadow context; no update referral";
+               return LDAP_UNWILLING_TO_PERFORM;
         }
  #endif /* !SLAPD_MULTIMASTER */
  
@@ -144,44 +159,61 @@ int passwd_extop(
                 return LDAP_UNWILLING_TO_PERFORM;
         }
  
-       slap_passwd_hash( &qpw->rs_new, &hash, &rs->sr_text );
-       if ( rsp ) {
-               free( qpw->rs_new.bv_val );
+       ml = ch_malloc( sizeof(Modifications) );
+       if ( !qpw->rs_modtail ) qpw->rs_modtail = &ml->sml_next;
+
+       if ( default_passwd_hash ) {
+               for ( nhash = 0; default_passwd_hash[nhash]; nhash++ );
+               hashes = default_passwd_hash;
+       } else {
+               nhash = 1;
+               hashes = (char **)defhash;
         }
-       if ( hash.bv_len == 0 ) {
-               if ( !rs->sr_text ) {
-                       rs->sr_text = "password hash failed";
+       ml->sml_values = ch_malloc( (nhash+1)*sizeof(struct berval) );
+       for ( i=0; hashes[i]; i++ ) {
+               slap_passwd_hash_type( &qpw->rs_new, &hash, hashes[i], &rs->sr_text );
+               if ( hash.bv_len == 0 ) {
+                       if ( !rs->sr_text ) {
+                               rs->sr_text = "password hash failed";
+                       }
+                       break;
                 }
-               return LDAP_OTHER;
+               ml->sml_values[i] = hash;
         }
-       ml = ch_malloc( sizeof(Modifications) );
-       if ( !qpw->rs_modtail ) qpw->rs_modtail = &ml->sml_next;
-       ml->sml_values = ch_malloc( 2*sizeof(struct berval) );
-       ml->sml_values[0] = hash;
-       ml->sml_values[1].bv_val = NULL;
-       ml->sml_desc = slap_schema.si_ad_userPassword;
+       ml->sml_values[i].bv_val = NULL;
         ml->sml_nvalues = NULL;
+       ml->sml_desc = slap_schema.si_ad_userPassword;
         ml->sml_op = LDAP_MOD_REPLACE;
         ml->sml_next = qpw->rs_mods;
         qpw->rs_mods = ml;
  
-       op2 = *op;
-       op2.o_tag = LDAP_REQ_MODIFY;
-       op2.o_callback = &cb2;
-       op2.orm_modlist = qpw->rs_mods;
+       if ( hashes[i] ) {
+               rs->sr_err = LDAP_OTHER;
+       } else {
  
-       rs->sr_err = slap_mods_opattrs( &op2, ml, qpw->rs_modtail, &rs->sr_text,
-               NULL, 0 );
-       
-       if ( rs->sr_err == LDAP_SUCCESS ) {
-               rs->sr_err = op2.o_bd->be_modify( &op2, rs );
+               op2 = *op;
+               op2.o_tag = LDAP_REQ_MODIFY;
+               op2.o_callback = &cb2;
+               op2.orm_modlist = qpw->rs_mods;
+               cb2.sc_private = qpw;   /* let Modify know this was pwdMod,
+                                        * if it cares... */
+
+               rs->sr_err = slap_mods_opattrs( &op2, ml, qpw->rs_modtail, &rs->sr_text,
+                       NULL, 0 );
+               
+               if ( rs->sr_err == LDAP_SUCCESS ) {
+                       rs->sr_err = op2.o_bd->be_modify( &op2, rs );
+               }
+               if ( rs->sr_err == LDAP_SUCCESS ) {
+                       rs->sr_rspdata = rsp;
+               } else if ( rsp ) {
+                       ber_bvfree( rsp );
+               }
         }
-       if ( rs->sr_err == LDAP_SUCCESS ) {
-               rs->sr_rspdata = rsp;
-       } else if ( rsp ) {
-               ber_bvfree( rsp );
+       slap_mods_free( qpw->rs_mods );
+       if ( rsp ) {
+               free( qpw->rs_new.bv_val );
         }
-       slap_mods_free( ml );
  
         return rs->sr_err;
  }
@@ -410,56 +442,57 @@ slap_passwd_check(
  void
  slap_passwd_generate( struct berval *pass )
  {
-       struct berval *tmp;
  #ifdef NEW_LOGGING
         LDAP_LOG( OPERATION, ENTRY, "slap_passwd_generate: begin\n", 0, 0, 0 );
  #else
         Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
  #endif
+       pass->bv_val = NULL;
+       pass->bv_len = 0;
+
         /*
          * generate passwords of only 8 characters as some getpass(3)
          * implementations truncate at 8 characters.
          */
-       tmp = lutil_passwd_generate( 8 );
-       if (tmp) {
-               *pass = *tmp;
-               free(tmp);
-       } else {
-               pass->bv_val = NULL;
-               pass->bv_len = 0;
-       }
+       lutil_passwd_generate( pass, 8 );
  }
  
  void
-slap_passwd_hash(
+slap_passwd_hash_type(
         struct berval * cred,
         struct berval * new,
+       char *hash,
         const char **text )
  {
-       struct berval *tmp;
-#ifdef LUTIL_SHA1_BYTES
-       char* hash = default_passwd_hash ?  default_passwd_hash : "{SSHA}";
-#else
-       char* hash = default_passwd_hash ?  default_passwd_hash : "{SMD5}";
-#endif
-       
+       new->bv_len = 0;
+       new->bv_val = NULL;
+
+       assert( hash );
  
  #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
         ldap_pvt_thread_mutex_lock( &passwd_mutex );
  #endif
  
-       tmp = lutil_passwd_hash( cred , hash, text );
+       lutil_passwd_hash( cred , hash, new, text );
         
  #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
         ldap_pvt_thread_mutex_unlock( &passwd_mutex );
  #endif
  
-       if( tmp == NULL ) {
-               new->bv_len = 0;
-               new->bv_val = NULL;
+}
+void
+slap_passwd_hash(
+       struct berval * cred,
+       struct berval * new,
+       const char **text )
+{
+       char *hash = NULL;
+       if ( default_passwd_hash ) {
+               hash = default_passwd_hash[0];
+       }
+       if ( !hash ) {
+               hash = (char *)defhash[0];
         }
  
-       *new = *tmp;
-       free( tmp );
-       return;
+       slap_passwd_hash_type( cred, new, hash, text );
  }