X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Foverlays%2Fppolicy.c;h=e5b0045fcefc901d480b3c21054563596366c1fb;hb=a255e44bf0fcb703a3a5ac58117fd54a00727fd1;hp=606d9fc54f0b4b979cdbe36346c859eb560af1d9;hpb=458f7d99bac119f6a241395e3363cf27bf973d32;p=openldap diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c index 606d9fc54f..e5b0045fce 100644 --- a/servers/slapd/overlays/ppolicy.c +++ b/servers/slapd/overlays/ppolicy.c @@ -1,7 +1,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 2004-2009 The OpenLDAP Foundation. + * Copyright 2004-2012 The OpenLDAP Foundation. * Portions Copyright 2004-2005 Howard Chu, Symas Corporation. * Portions Copyright 2004 Hewlett-Packard Company. * All rights reserved. @@ -587,13 +587,15 @@ static int check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyError *err, Entry *e, char **txt ) { int rc = LDAP_SUCCESS, ok = LDAP_SUCCESS; - char *ptr = cred->bv_val; + char *ptr; struct berval sch; assert( cred != NULL ); assert( pp != NULL ); assert( txt != NULL ); + ptr = cred->bv_val; + *txt = NULL; if ((cred->bv_len == 0) || (pp->pwdMinLength > cred->bv_len)) { @@ -853,6 +855,7 @@ free_pwd_history_list( pw_hist **l ) typedef struct ppbind { slap_overinst *on; int send_ctrl; + int set_restrict; LDAPControl **oldctrls; Modifications *mod; LDAPPasswordPolicyError pErr; @@ -1021,8 +1024,10 @@ ppolicy_bind_response( Operation *op, SlapReply *rs ) * that we are disallowed from doing anything * other than change password. */ - ber_dupbv( &pwcons[op->o_conn->c_conn_idx].dn, - &op->o_conn->c_ndn ); + if ( ppb->set_restrict ) { + ber_dupbv( &pwcons[op->o_conn->c_conn_idx].dn, + &op->o_conn->c_ndn ); + } ppb->pErr = PP_changeAfterReset; @@ -1136,6 +1141,7 @@ locked: op2.o_tag = LDAP_REQ_MODIFY; op2.o_callback = &cb; op2.orm_modlist = mod; + op2.orm_no_opattrs = 0; op2.o_dn = op->o_bd->be_rootdn; op2.o_ndn = op->o_bd->be_rootndn; @@ -1157,6 +1163,11 @@ locked: c.ldctl_iscritical = 1; c.ldctl_oid = LDAP_CONTROL_RELAX; } else { + /* If not forwarding, don't update opattrs and don't replicate */ + if ( SLAP_SINGLE_SHADOW( op->o_bd )) { + op2.orm_no_opattrs = 1; + op2.o_dont_replicate = 1; + } op2.o_bd->bd_info = (BackendInfo *)on->on_info; } rc = op2.o_bd->be_modify( &op2, &r2 ); @@ -1209,6 +1220,7 @@ ppolicy_bind( Operation *op, SlapReply *rs ) ppb = (ppbind *)(cb+1); ppb->on = on; ppb->pErr = PP_noError; + ppb->set_restrict = 1; /* Setup a callback so we can munge the result */ @@ -1231,7 +1243,6 @@ ppolicy_bind( Operation *op, SlapReply *rs ) be_entry_release_r( op, e ); if ( rc ) { - /* This will be the Draft 8 response, Unwilling is bogus */ ppb->pErr = PP_accountLocked; send_ldap_error( op, rs, LDAP_INVALID_CREDENTIALS, NULL ); return rs->sr_err; @@ -1299,6 +1310,88 @@ ppolicy_restrict( return SLAP_CB_CONTINUE; } +static int +ppolicy_compare_response( + Operation *op, + SlapReply *rs ) +{ + /* map compare responses to bind responses */ + if ( rs->sr_err == LDAP_COMPARE_TRUE ) + rs->sr_err = LDAP_SUCCESS; + else if ( rs->sr_err == LDAP_COMPARE_FALSE ) + rs->sr_err = LDAP_INVALID_CREDENTIALS; + + ppolicy_bind_response( op, rs ); + + /* map back to compare */ + if ( rs->sr_err == LDAP_SUCCESS ) + rs->sr_err = LDAP_COMPARE_TRUE; + else if ( rs->sr_err == LDAP_INVALID_CREDENTIALS ) + rs->sr_err = LDAP_COMPARE_FALSE; + + return SLAP_CB_CONTINUE; +} + +static int +ppolicy_compare( + Operation *op, + SlapReply *rs ) +{ + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + + if ( ppolicy_restrict( op, rs ) != SLAP_CB_CONTINUE ) + return rs->sr_err; + + /* Did we receive a password policy request control? + * Are we testing the userPassword? + */ + if ( op->o_ctrlflag[ppolicy_cid] && + op->orc_ava->aa_desc == slap_schema.si_ad_userPassword ) { + Entry *e; + int rc; + ppbind *ppb; + slap_callback *cb; + + op->o_bd->bd_info = (BackendInfo *)on->on_info; + rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e ); + + if ( rc != LDAP_SUCCESS ) { + return SLAP_CB_CONTINUE; + } + + cb = op->o_tmpcalloc( sizeof(ppbind)+sizeof(slap_callback), + 1, op->o_tmpmemctx ); + ppb = (ppbind *)(cb+1); + ppb->on = on; + ppb->pErr = PP_noError; + ppb->send_ctrl = 1; + /* failures here don't lockout the connection */ + ppb->set_restrict = 0; + + /* Setup a callback so we can munge the result */ + + cb->sc_response = ppolicy_compare_response; + cb->sc_next = op->o_callback->sc_next; + cb->sc_private = ppb; + op->o_callback->sc_next = cb; + + op->o_bd->bd_info = (BackendInfo *)on; + ppolicy_get( op, e, &ppb->pp ); + + rc = account_locked( op, e, &ppb->pp, &ppb->mod ); + + op->o_bd->bd_info = (BackendInfo *)on->on_info; + be_entry_release_r( op, e ); + + if ( rc ) { + ppb->pErr = PP_accountLocked; + send_ldap_error( op, rs, LDAP_COMPARE_FALSE, NULL ); + return rs->sr_err; + } + } + return SLAP_CB_CONTINUE; +} + static int ppolicy_add( Operation *op, @@ -1695,7 +1788,10 @@ ppolicy_modify( Operation *op, SlapReply *rs ) if (be_isroot( op )) goto do_modify; - if (!pp.pwdAllowUserChange) { + /* NOTE: according to draft-behera-ldap-password-policy + * pwdAllowUserChange == FALSE must only prevent pwd changes + * by the user the pwd belongs to (ITS#7021) */ + if (!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)) { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = "User alteration of password is not allowed"; pErr = PP_passwordModNotAllowed; @@ -1878,23 +1974,26 @@ do_modify: timestamp.bv_len = sizeof(timebuf); slap_timestamp( &now, ×tamp ); - mods = (Modifications *) ch_calloc( sizeof( Modifications ), 1 ); - mods->sml_desc = ad_pwdChangedTime; + mods = NULL; if (pwmop != LDAP_MOD_DELETE) { + mods = (Modifications *) ch_calloc( sizeof( Modifications ), 1 ); mods->sml_op = LDAP_MOD_REPLACE; mods->sml_numvals = 1; mods->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) ); ber_dupbv( &mods->sml_values[0], ×tamp ); BER_BVZERO( &mods->sml_values[1] ); assert( !BER_BVISNULL( &mods->sml_values[0] ) ); - - } else { + } else if (attr_find(e->e_attrs, ad_pwdChangedTime )) { + mods = (Modifications *) ch_calloc( sizeof( Modifications ), 1 ); mods->sml_op = LDAP_MOD_DELETE; } - mods->sml_flags = SLAP_MOD_INTERNAL; - mods->sml_next = NULL; - modtail->sml_next = mods; - modtail = mods; + if (mods) { + mods->sml_desc = ad_pwdChangedTime; + mods->sml_flags = SLAP_MOD_INTERNAL; + mods->sml_next = NULL; + modtail->sml_next = mods; + modtail = mods; + } if (attr_find(e->e_attrs, ad_pwdGraceUseTime )) { mods = (Modifications *) ch_calloc( sizeof( Modifications ), 1 ); @@ -2144,7 +2243,7 @@ ppolicy_db_init( if ( cr ){ snprintf( cr->msg, sizeof(cr->msg), "slapo-ppolicy cannot be global" ); - fprintf( stderr, "%s\n", cr->msg ); + Debug( LDAP_DEBUG_ANY, "%s\n", cr->msg, 0, 0 ); } return 1; } @@ -2161,7 +2260,7 @@ ppolicy_db_init( snprintf( cr->msg, sizeof(cr->msg), "User Schema load failed for attribute \"%s\". Error code %d: %s", pwd_UsSchema[i].def, code, err ); - fprintf( stderr, "%s\n", cr->msg ); + Debug( LDAP_DEBUG_ANY, "%s\n", cr->msg, 0, 0 ); } return code; } @@ -2212,6 +2311,10 @@ ppolicy_close( slap_overinst *on = (slap_overinst *) be->bd_info; pp_info *pi = on->on_bi.bi_private; +#ifdef SLAP_CONFIG_DELETE + overlay_unregister_control( be, LDAP_CONTROL_PASSWORDPOLICYREQUEST ); +#endif /* SLAP_CONFIG_DELETE */ + /* Perhaps backover should provide bi_destroy hooks... */ ov_count--; if ( ov_count <=0 && pwcons ) { @@ -2254,7 +2357,7 @@ int ppolicy_initialize() SLAP_CTRL_ADD|SLAP_CTRL_BIND|SLAP_CTRL_MODIFY|SLAP_CTRL_HIDE, extops, ppolicy_parseCtrl, &ppolicy_cid ); if ( code != LDAP_SUCCESS ) { - fprintf( stderr, "Failed to register control %d\n", code ); + Debug( LDAP_DEBUG_ANY, "Failed to register control %d\n", code, 0, 0 ); return code; } @@ -2267,7 +2370,7 @@ int ppolicy_initialize() ppolicy.on_bi.bi_op_add = ppolicy_add; ppolicy.on_bi.bi_op_bind = ppolicy_bind; - ppolicy.on_bi.bi_op_compare = ppolicy_restrict; + ppolicy.on_bi.bi_op_compare = ppolicy_compare; ppolicy.on_bi.bi_op_delete = ppolicy_restrict; ppolicy.on_bi.bi_op_modify = ppolicy_modify; ppolicy.on_bi.bi_op_search = ppolicy_restrict;