Fix slapd SASL/ExternalOps encoding

Add controls to extended ops API signatures, need impl.
Update password to support optional server side generation of
new password, verification of old password, and changing of
non-bound user's passwords.

diff --git a/clients/tools/ldappasswd.c b/clients/tools/ldappasswd.c
index 5e9737347976ea81bb7e03cbe0fd4aa90e5e129e..0deb9f95d9c07a1c6c2c586fcd8d974b1f23eac7 100644 (file)
--- a/clients/tools/ldappasswd.c
+++ b/clients/tools/ldappasswd.c
@@ -34,6 +34,7 @@ usage(const char *s)
                "  -n\t\tmake no modifications\n"
                "  -p port\tldap port\n"
                "  -s secret\tnew password\n"
+               "  -S\t\tprompt for new password\n"
                "  -v\t\tincrease verbosity\n"
                "  -W\t\tprompt for bind password\n"
                "  -w passwd\tbind password (for simple authentication)\n"
@@ -46,20 +47,26 @@ int
 main( int argc, char *argv[] )
 {
        int rc;
+       char    *ldaphost = NULL;
+
        char    *dn = NULL;
        char    *binddn = NULL;
+
        char    *bindpw = NULL;
-       char    *ldaphost = NULL;
        char    *newpw = NULL;
+       char    *oldpw = NULL;
+
+       int             want_bindpw = 0;
+       int             want_newpw = 0;
+       int             want_oldpw = 0;
+
        int             noupdates = 0;
        int             i;
        int             ldapport = 0;
        int             debug = 0;
        int             version = -1;
-       int             want_bindpw = 0;
        LDAP           *ld;
        struct berval *bv = NULL;
-       BerElement *ber;
 
        char    *retoid;
        struct berval *retdata;
@@ -68,9 +75,23 @@ main( int argc, char *argv[] )
                usage (argv[0]);
 
        while( (i = getopt( argc, argv,
-               "D:d:h:np:s:vWw:" )) != EOF )
+               "Aa:D:d:h:np:Ss:vWw:" )) != EOF )
        {
                switch (i) {
+               case 'A':       /* prompt for oldr password */
+                       want_oldpw++;
+                       break;
+               case 'a':       /* old password (secret) */
+                       oldpw = strdup (optarg);
+
+                       {
+                               char* p;
+
+                               for( p = optarg; *p == '\0'; p++ ) {
+                                       *p = '*';
+                               }
+                       }
+                       break;
                case 'D':       /* bind distinguished name */
                        binddn = strdup (optarg);
                        break;
@@ -91,8 +112,20 @@ main( int argc, char *argv[] )
                        ldapport = strtol( optarg, NULL, 10 );
                        break;
 
+               case 'S':       /* prompt for user password */
+                       want_newpw++;
+                       break;
+
                case 's':       /* new password (secret) */
                        newpw = strdup (optarg);
+
+                       {
+                               char* p;
+
+                               for( p = optarg; *p == '\0'; p++ ) {
+                                       *p = '*';
+                               }
+                       }
                        break;
 
                case 'v':       /* verbose */
@@ -105,6 +138,7 @@ main( int argc, char *argv[] )
 
                case 'w':       /* bind password */
                        bindpw = strdup (optarg);
+
                        {
                                char* p;
 
@@ -126,7 +160,19 @@ main( int argc, char *argv[] )
 
        dn = strdup( argv[optind] );
 
-       if( newpw == NULL ) {
+       if( want_oldpw && oldpw == NULL ) {
+               /* prompt for old password */
+               char *ckoldpw;
+               newpw = strdup(getpass("Old password: "));
+               ckoldpw = getpass("Re-enter old password: ");
+
+               if( strncmp( oldpw, ckoldpw, strlen(oldpw) )) {
+                       fprintf( stderr, "passwords do not match\n" );
+                       return EXIT_FAILURE;
+               }
+       }
+
+       if( want_newpw && newpw == NULL ) {
                /* prompt for new password */
                char *cknewpw;
                newpw = strdup(getpass("New password: "));
@@ -138,13 +184,15 @@ main( int argc, char *argv[] )
                }
        }
 
-       if( binddn == NULL ) {
+       if( binddn == NULL && dn != NULL ) {
                binddn = dn;
                dn = NULL;
+
+               if( bindpw == NULL ) bindpw = oldpw;
        }
 
-       /* handle bind password */
-       if (want_bindpw) {
+       if (want_bindpw && bindpw == NULL ) {
+               /* handle bind password */
                fprintf( stderr, "Bind DN: %s\n", binddn );
                bindpw = strdup( getpass("Enter bind password: "));
        }
@@ -186,39 +234,45 @@ main( int argc, char *argv[] )
                return EXIT_FAILURE;
        }
 
-       /* build change password control */
-       ber = ber_alloc_t( LBER_USE_DER );
+       if( dn != NULL || oldpw != NULL || newpw != NULL ) {
+               /* build change password control */
+               BerElement *ber = ber_alloc_t( LBER_USE_DER );
 
-       if( ber == NULL ) {
-               perror( "ber_alloc_t" );
-               ldap_unbind( ld );
-               return EXIT_FAILURE;
-       }
+               if( ber == NULL ) {
+                       perror( "ber_alloc_t" );
+                       ldap_unbind( ld );
+                       return EXIT_FAILURE;
+               }
 
-       if( dn != NULL ) {
-               ber_printf( ber, "{tsts}",
-                       LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID, dn,
-                       LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW, newpw );
+               if( dn != NULL ) {
+                       ber_printf( ber, "ts",
+                               LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID, dn );
+                       free(dn);
+               }
 
-               free(dn);
+               if( oldpw != NULL ) {
+                       ber_printf( ber, "ts",
+                               LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW, oldpw );
+                       free(oldpw);
+               }
 
-       } else {
-               ber_printf( ber, "{ts}",
-                       LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW, newpw );
-       }
+               if( newpw != NULL ) {
+                       ber_printf( ber, "ts",
+                               LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW, newpw );
+                       free(newpw);
+               }
 
-       free(newpw);
+               rc = ber_flatten( ber, &bv );
 
-       rc = ber_flatten( ber, &bv );
+               if( rc < 0 ) {
+                       perror( "ber_flatten" );
+                       ldap_unbind( ld );
+                       return EXIT_FAILURE;
+               }
 
-       if( rc < 0 ) {
-               perror( "ber_flatten" );
-               ldap_unbind( ld );
-               return EXIT_FAILURE;
+               ber_free( ber, 1 );
        }
 
-       ber_free( ber, 1 );
-
        rc = ldap_extended_operation_s( ld,
                LDAP_EXOP_X_MODIFY_PASSWD, bv, 
                NULL, NULL,
@@ -226,6 +280,30 @@ main( int argc, char *argv[] )
 
        ber_bvfree( bv );
 
+       if( retdata != NULL ) {
+               ber_tag_t tag;
+               char *s;
+               BerElement *ber = ber_init( retdata );
+
+               if( ber == NULL ) {
+                       perror( "ber_init" );
+                       ldap_unbind( ld );
+                       return EXIT_FAILURE;
+               }
+
+               /* we should check the tag */
+               tag = ber_scanf( ber, "a", &s);
+
+               if( tag == LBER_ERROR ) {
+                       perror( "ber_scanf" );
+               } else {
+                       printf("New password: %s\n", s);
+                       free( s );
+               }
+
+               ber_free( ber, 1 );
+       }
+
        if ( rc != LDAP_SUCCESS ) {
                ldap_perror( ld, "ldap_extended_operation" );
                ldap_unbind( ld );

diff --git a/include/lutil.h b/include/lutil.h
index 9a385aca3dc36e4d1efae59ea3f4f862b5c06aa4..9e6336d840914325cf834f9f1df182b716ec7778 100644 (file)
--- a/include/lutil.h
+++ b/include/lutil.h
@@ -65,7 +65,10 @@ lutil_passwd LDAP_P((
        const char **methods ));
 
 LIBLUTIL_F( struct berval * )
-lutil_passwd_generate LDAP_P((
+lutil_passwd_generate LDAP_P(( int ));
+
+LIBLUTIL_F( struct berval * )
+lutil_passwd_hash LDAP_P((
        const struct berval *passwd,
        const char *method ));
 

diff --git a/libraries/libldap/extended.c b/libraries/libldap/extended.c
index c3b382d18d9dfd45d5a8f9ebb2e75e16ed2764a7..fe6f549f220d84623627d66d0c50f0b44e6278a8 100644 (file)
--- a/libraries/libldap/extended.c
+++ b/libraries/libldap/extended.c
@@ -202,7 +202,7 @@ ldap_parse_extended_result (
        }
 
        rc = ber_scanf( ber, "{iaa" /*}*/, &errcode,
-               &ld->ld_matched, &ld->ld_matched );
+               &ld->ld_matched, &ld->ld_error );
 
        if( rc == LBER_ERROR ) {
                ld->ld_errno = LDAP_DECODING_ERROR;
@@ -237,7 +237,7 @@ ldap_parse_extended_result (
 
        if( tag == LDAP_TAG_EXOP_RES_VALUE ) {
                /* we have a resdata */
-               if( ber_scanf( ber, "O", &resoid ) == LBER_ERROR ) {
+               if( ber_scanf( ber, "O", &resdata ) == LBER_ERROR ) {
                        ld->ld_errno = LDAP_DECODING_ERROR;
                        ber_free( ber, 0 );
                        if( resoid != NULL ) LDAP_FREE( resoid );

diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c
index efab836b8742cb0bf43d16ecd1617cca248aaa9e..c610c2bd101a8d95dcb79cbe6c6fb1cc5fbe9cf6 100644 (file)
--- a/libraries/liblutil/passwd.c
+++ b/libraries/liblutil/passwd.c
@@ -35,6 +35,9 @@
 #      include <pwd.h>
 #endif
 
+static const unsigned char crypt64[] =
+       "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./";
+
 struct pw_scheme;
 
 typedef int (*PASSWD_CHK_FUNC)(
@@ -42,14 +45,14 @@ typedef int (*PASSWD_CHK_FUNC)(
        const struct berval *passwd,
        const struct berval *cred );
 
-typedef struct berval * (*PASSWD_GEN_FUNC) (
+typedef struct berval * (*PASSWD_HASH_FUNC) (
        const struct pw_scheme *scheme,
        const struct berval *passwd );
 
 struct pw_scheme {
        struct berval name;
        PASSWD_CHK_FUNC chk_fn;
-       PASSWD_GEN_FUNC gen_fn;
+       PASSWD_HASH_FUNC hash_fn;
 };
 
 /* password check routines */
@@ -84,38 +87,38 @@ static int chk_unix(
        const struct berval *cred );
 
 
-/* password generation routines */
-static struct berval *gen_sha1(
+/* password hash routines */
+static struct berval *hash_sha1(
        const struct pw_scheme *scheme,
        const struct berval *passwd );
 
-static struct berval *gen_ssha1(
+static struct berval *hash_ssha1(
        const struct pw_scheme *scheme,
        const struct berval *passwd );
 
-static struct berval *gen_smd5(
+static struct berval *hash_smd5(
        const struct pw_scheme *scheme,
        const struct berval *passwd );
 
-static struct berval *gen_md5(
+static struct berval *hash_md5(
        const struct pw_scheme *scheme,
        const struct berval *passwd );
 
-static struct berval *gen_crypt(
+static struct berval *hash_crypt(
        const struct pw_scheme *scheme,
        const struct berval *passwd );
 
 
 static const struct pw_scheme pw_schemes[] =
 {
-       { {sizeof("{SSHA}")-1, "{SSHA}"},       chk_ssha1, gen_ssha1 },
-       { {sizeof("{SHA}")-1, "{SHA}"},         chk_sha1, gen_sha1 },
+       { {sizeof("{SSHA}")-1, "{SSHA}"},       chk_ssha1, hash_ssha1 },
+       { {sizeof("{SHA}")-1, "{SHA}"},         chk_sha1, hash_sha1 },
 
-       { {sizeof("{SMD5}")-1, "{SMD5}"},       chk_smd5, gen_smd5 },
-       { {sizeof("{MD5}")-1, "{MD5}"},         chk_md5, gen_md5 },
+       { {sizeof("{SMD5}")-1, "{SMD5}"},       chk_smd5, hash_smd5 },
+       { {sizeof("{MD5}")-1, "{MD5}"},         chk_md5, hash_md5 },
 
 #ifdef SLAPD_CRYPT
-       { {sizeof("{CRYPT}")-1, "{CRYPT}"},     chk_crypt, gen_crypt },
+       { {sizeof("{CRYPT}")-1, "{CRYPT}"},     chk_crypt, hash_crypt },
 #endif
 # if defined( HAVE_GETSPNAM ) \
   || ( defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD ) )
@@ -247,16 +250,48 @@ lutil_passwd(
 
 }
 
-struct berval * lutil_passwd_generate(
+struct berval * lutil_passwd_generate( int len )
+{
+       struct berval *pw;
+
+       if( len < 1 ) return NULL;
+
+       pw = ber_memalloc( sizeof( struct berval ) );
+       if( pw == NULL ) return NULL;
+
+       pw->bv_len = len;
+       pw->bv_val = ber_memalloc( len + 1 );
+
+       if( pw->bv_val == NULL ) {
+               ber_memfree( pw );
+               return NULL;
+       }
+
+       if( lutil_entropy( pw->bv_val, pw->bv_len) < 0 ) {
+               ber_bvfree( pw );
+               return NULL; 
+       }
+
+       for( len = 0; len < pw->bv_len; len++ ) {
+               pw->bv_val[len] = crypt64[
+                       pw->bv_val[len] % (sizeof(crypt64)-1) ];
+       }
+
+       pw->bv_val[len] = '\0';
+       
+       return pw;
+}
+
+struct berval * lutil_passwd_hash(
        const struct berval * passwd,
        const char * method )
 {
        const struct pw_scheme *sc = get_scheme( method );
 
        if( sc == NULL ) return NULL;
-       if( ! sc->gen_fn ) return NULL;
+       if( ! sc->hash_fn ) return NULL;
 
-       return (sc->gen_fn)( sc, passwd );
+       return (sc->hash_fn)( sc, passwd );
 }
 
 static struct berval * pw_string(
@@ -579,7 +614,7 @@ static int chk_unix(
 #endif
 
 /* PASSWORD CHECK ROUTINES */
-static struct berval *gen_ssha1(
+static struct berval *hash_ssha1(
        const struct pw_scheme *scheme,
        const struct berval  *passwd )
 {
@@ -608,7 +643,7 @@ static struct berval *gen_ssha1(
        return pw_string64( scheme, &digest, &salt);
 }
 
-static struct berval *gen_sha1(
+static struct berval *hash_sha1(
        const struct pw_scheme *scheme,
        const struct berval  *passwd )
 {
@@ -626,7 +661,7 @@ static struct berval *gen_sha1(
        return pw_string64( scheme, &digest, NULL);
 }
 
-static struct berval *gen_smd5(
+static struct berval *hash_smd5(
        const struct pw_scheme *scheme,
        const struct berval  *passwd )
 {
@@ -655,7 +690,7 @@ static struct berval *gen_smd5(
        return pw_string64( scheme, &digest, &salt );
 }
 
-static struct berval *gen_md5(
+static struct berval *hash_md5(
        const struct pw_scheme *scheme,
        const struct berval  *passwd )
 {
@@ -677,13 +712,10 @@ static struct berval *gen_md5(
 }
 
 #ifdef SLAPD_CRYPT
-static struct berval *gen_crypt(
+static struct berval *hash_crypt(
        const struct pw_scheme *scheme,
        const struct berval *passwd )
 {
-       static const unsigned char crypt64[] =
-               "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890./";
-
        struct berval hash;
        unsigned char salt[3];
        int i;

diff --git a/servers/slapd/back-ldbm/extended.c b/servers/slapd/back-ldbm/extended.c
index eb55797d8fee8c87bb85d941e734f04450f94736..bc172df0d83045833137e26447cfbd422d7dab05 100644 (file)
--- a/servers/slapd/back-ldbm/extended.c
+++ b/servers/slapd/back-ldbm/extended.c
@@ -32,6 +32,7 @@ ldbm_back_extended(
        char            *oid,
     struct berval      *reqdata,
     struct berval      **rspdata,
+       LDAPControl *** rspctrls,
        char**  text
 )
 {
@@ -40,8 +41,8 @@ ldbm_back_extended(
        for( i=0; exop_table[i].oid != NULL; i++ ) {
                if( strcmp( exop_table[i].oid, oid ) == 0 ) {
                        return (exop_table[i].extended)(
-                               be, conn, op,
-                               oid, reqdata, rspdata, text );
+                               be, conn, op, oid,
+                               reqdata, rspdata, rspctrls, text );
                }
        }
 

diff --git a/servers/slapd/back-ldbm/external.h b/servers/slapd/back-ldbm/external.h
index 24ca3560a84ad6aa1a6fb63e3eafff14e2b82f7a..aeac346579d5a38bac021b2013f1339986e83081 100644 (file)
--- a/servers/slapd/back-ldbm/external.h
+++ b/servers/slapd/back-ldbm/external.h
@@ -27,6 +27,7 @@ extern int ldbm_back_extended LDAP_P(( BackendDB *bd,
        char *reqoid,
        struct berval *reqdata,
        struct berval **rspdata,
+       LDAPControl *** rspctrls,
        char **text ));
 
 extern int ldbm_back_bind LDAP_P(( BackendDB *bd,

diff --git a/servers/slapd/back-ldbm/passwd.c b/servers/slapd/back-ldbm/passwd.c
index c8980768b63ac50ab231a7bc87e3d9ee77ac47d8..7ab5e1876687f91f3efb5ef266d784c236d38b80 100644 (file)
--- a/servers/slapd/back-ldbm/passwd.c
+++ b/servers/slapd/back-ldbm/passwd.c
@@ -24,6 +24,7 @@ ldbm_back_exop_passwd(
        char            *oid,
     struct berval      *reqdata,
     struct berval      **rspdata,
+       LDAPControl *** rspctrls,
        char**  text
 )
 {
@@ -51,15 +52,21 @@ ldbm_back_exop_passwd(
        }
 
        if( new == NULL || new->bv_len == 0 ) {
-               *text = ch_strdup("no password provided");
-               rc = LDAP_OPERATIONS_ERROR;
-               goto done;
+               new = slap_passwd_generate();
+
+               if( new == NULL || new->bv_len == 0 ) {
+                       *text = ch_strdup("password generation failed.");
+                       rc = LDAP_OPERATIONS_ERROR;
+                       goto done;
+               }
+               
+               *rspdata = slap_passwd_return( new );
        }
 
-       hash = slap_passwd_generate( new );
+       hash = slap_passwd_hash( new );
 
        if( hash == NULL || hash->bv_len == 0 ) {
-               *text = ch_strdup("password generation failed");
+               *text = ch_strdup("password hash failed");
                rc = LDAP_OPERATIONS_ERROR;
                goto done;
        }
@@ -75,9 +82,7 @@ ldbm_back_exop_passwd(
                goto done;
        }
 
-       e = dn2entry_w( be,
-               id ? id->bv_val : op->o_dn,
-               NULL );
+       e = dn2entry_w( be, dn, NULL );
 
        if( e == NULL ) {
                *text = ch_strdup("could not locate authorization entry");

diff --git a/servers/slapd/back-ldbm/proto-back-ldbm.h b/servers/slapd/back-ldbm/proto-back-ldbm.h
index c6aeaa519f05cec0b87bb364b4d71a26c7182da2..89aae2a4325dfd57f6de790381202c8788d52b83 100644 (file)
--- a/servers/slapd/back-ldbm/proto-back-ldbm.h
+++ b/servers/slapd/back-ldbm/proto-back-ldbm.h
@@ -151,6 +151,7 @@ extern int ldbm_back_exop_passwd LDAP_P(( BackendDB *bd,
        char *oid,
        struct berval *reqdata,
        struct berval **rspdata,
+       LDAPControl ***rspctrls,
        char **text ));
  
 

diff --git a/servers/slapd/extended.c b/servers/slapd/extended.c
index 55620e6109fa68fbc1af76f5e266a03ad1041054..f907dc808d677deb2804d02e0dd383d9996eb845 100644 (file)
--- a/servers/slapd/extended.c
+++ b/servers/slapd/extended.c
@@ -93,6 +93,7 @@ do_extended(
        extop_list_t *ext;
        char *text;
        struct berval *rspdata;
+       LDAPControl **rspctrls;
 
        Debug( LDAP_DEBUG_TRACE, "do_extended\n", 0, 0, 0 );
 
@@ -144,14 +145,15 @@ do_extended(
        Debug( LDAP_DEBUG_ARGS, "do_extended: oid=%s\n", oid, 0 ,0 );
 
        rspdata = NULL;
+       rspctrls = NULL;
        text = NULL;
 
        rc = (ext->ext_main)( extop_callback, conn, op,
-               oid, reqdata, &rspdata, &text );
+               oid, reqdata, &rspdata, &rspctrls, &text );
 
        if( rc != SLAPD_ABANDON ) {
                send_ldap_extended( conn, op, rc, NULL, text,
-                       oid, rspdata );
+                       oid, rspdata, rspctrls );
        }
 
        if ( rspdata != NULL )

diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c
index 875bdf6fd0ac6454308234fb2d7d5ec5c061af9d..7a57bce12927cf3bd3a9a6d538bc80c554cd863c 100644 (file)
--- a/servers/slapd/passwd.c
+++ b/servers/slapd/passwd.c
@@ -21,7 +21,10 @@
 int passwd_extop(
        SLAP_EXTOP_CALLBACK_FN ext_callback,
        Connection *conn, Operation *op, char *oid,
-       struct berval *reqdata, struct berval **rspdata, char **text )
+       struct berval *reqdata,
+       struct berval **rspdata,
+       LDAPControl ***rspctrls,
+       char **text )
 {
        int rc;
 
@@ -33,17 +36,12 @@ int passwd_extop(
                return LDAP_STRONG_AUTH_REQUIRED;
        }
 
-       if( reqdata == NULL || reqdata->bv_len == 0 ) {
-               *text = ch_strdup("request data missing");
-               return LDAP_PROTOCOL_ERROR;
-       }
-
        if( conn->c_authz_backend != NULL &&
                conn->c_authz_backend->be_extended )
        {
                rc = conn->c_authz_backend->be_extended(
                        conn->c_authz_backend,
-                       conn, op, oid, reqdata, rspdata, text );
+                       conn, op, oid, reqdata, rspdata, rspctrls, text );
 
        } else {
                *text = ch_strdup("operation not supported for current user");
@@ -64,7 +62,9 @@ int slap_passwd_parse( struct berval *reqdata,
        ber_len_t len;
        BerElement *ber;
 
-       assert( reqdata != NULL );
+       if( reqdata == NULL ) {
+               return LDAP_SUCCESS;
+       }
 
        ber = ber_init( reqdata );
 
@@ -75,12 +75,6 @@ int slap_passwd_parse( struct berval *reqdata,
                return LDAP_PROTOCOL_ERROR;
        }
 
-       tag = ber_scanf(ber, "{" /*}*/);
-
-       if( tag == LBER_ERROR ) {
-               goto decoding_error;
-       }
-
        tag = ber_peek_tag( ber, &len );
 
        if( tag == LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID ) {
@@ -175,6 +169,35 @@ done:
        return rc;
 }
 
+struct berval * slap_passwd_return(
+       struct berval           *cred )
+{
+       int rc;
+       struct berval *bv;
+       BerElement *ber = ber_alloc_t(LBER_USE_DER);
+
+       assert( cred != NULL );
+
+       Debug( LDAP_DEBUG_TRACE, "slap_passwd_return: %ld\n",
+               (long) cred->bv_len, 0, 0 );
+
+       if( ber == NULL ) return NULL;
+       
+       rc = ber_printf( ber, "tO",
+               LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW, cred );
+
+       if( rc == -1 ) {
+               ber_free( ber, 1 );
+               return NULL;
+       }
+
+       (void) ber_flatten( ber, &bv );
+
+       ber_free( ber, 1 );
+
+       return bv;
+}
+
 int
 slap_passwd_check(
        Attribute *a,
@@ -200,7 +223,13 @@ slap_passwd_check(
        return( 1 );
 }
 
-struct berval * slap_passwd_generate(
+struct berval * slap_passwd_generate( void )
+{
+       Debug( LDAP_DEBUG_TRACE, "slap_passwd_generate\n", 0, 0, 0 );
+       return lutil_passwd_generate( 8 );
+}
+
+struct berval * slap_passwd_hash(
        struct berval * cred )
 {
        char* hash = default_passwd_hash ? default_passwd_hash : "{SSHA}";
@@ -211,7 +240,7 @@ struct berval * slap_passwd_generate(
        ldap_pvt_thread_mutex_lock( &crypt_mutex );
 #endif
 
-       new = lutil_passwd_generate( cred , hash );
+       new = lutil_passwd_hash( cred , hash );
        
 #ifdef SLAPD_CRYPT
        ldap_pvt_thread_mutex_unlock( &crypt_mutex );

diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 33d608892fb7a9957e22b2b27c7bec6f42121e7e..fe4dc39f5dd92870c7525064d9d73cf93c4b35ab 100644 (file)
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -259,6 +259,7 @@ typedef int (*SLAP_EXTOP_MAIN_FN) LDAP_P((
        char * oid,
        struct berval * reqdata,
        struct berval ** rspdata,
+       LDAPControl *** rspctrls,
        char ** text ));
 
 typedef int (*SLAP_EXTOP_GETOID_FN) LDAP_P((
@@ -376,6 +377,7 @@ LIBSLAPD_F (void) send_ldap_sasl LDAP_P((
        Connection *conn, Operation *op,
        ber_int_t err, const char *matched,
        const char *text,
+       LDAPControl **ctrls,
        struct berval *cred ));
 
 LIBSLAPD_F (void) send_ldap_disconnect LDAP_P((
@@ -386,7 +388,8 @@ LIBSLAPD_F (void) send_ldap_extended LDAP_P((
        Connection *conn, Operation *op,
        ber_int_t err, const char *matched,
        const char *text,
-       char *rspoid, struct berval *rspdata ));
+       char *rspoid, struct berval *rspdata,
+       LDAPControl **ctrls ));
 
 LIBSLAPD_F (void) send_search_result LDAP_P((
        Connection *conn, Operation *op,
@@ -465,6 +468,7 @@ LIBSLAPD_F (int) starttls_extop LDAP_P((
        char * oid,
        struct berval * reqdata,
        struct berval ** rspdata,
+       LDAPControl ***rspctrls,
        char ** text ));
 
 
@@ -505,13 +509,19 @@ LIBSLAPD_F (int) passwd_extop LDAP_P((
        char * oid,
        struct berval * reqdata,
        struct berval ** rspdata,
+       LDAPControl *** rspctrls,
        char ** text ));
 
 LIBSLAPD_F (int) slap_passwd_check(
        Attribute                       *attr,
        struct berval           *cred );
 
-LIBSLAPD_F (struct berval *) slap_passwd_generate(
+LIBSLAPD_F (struct berval *) slap_passwd_generate( void );
+
+LIBSLAPD_F (struct berval *) slap_passwd_hash(
+       struct berval           *cred );
+
+LIBSLAPD_F (struct berval *) slap_passwd_return(
        struct berval           *cred );
 
 LIBSLAPD_F (int) slap_passwd_parse(

diff --git a/servers/slapd/result.c b/servers/slapd/result.c
index bc8dc7aa6114f722f2aa0549c9e56176e899bdd2..204ba41db1e7035e1a11a10db77c11a4a123e64c 100644 (file)
--- a/servers/slapd/result.c
+++ b/servers/slapd/result.c
@@ -243,7 +243,8 @@ send_ldap_response(
     const char *text,
        struct berval   **ref,
        const char      *resoid,
-       struct berval   *data,
+       struct berval   *resdata,
+       struct berval   *sasldata,
        LDAPControl **ctrls
 )
 {
@@ -279,12 +280,19 @@ send_ldap_response(
                        rc = ber_printf( ber, "{V}", ref );
                }
 
+               if( rc != -1 && sasldata != NULL ) {
+                       rc = ber_printf( ber, "tO",
+                               LDAP_TAG_SASL_RES_CREDS, sasldata );
+               }
+
                if( rc != -1 && resoid != NULL ) {
-                       rc = ber_printf( ber, "s", resoid );
+                       rc = ber_printf( ber, "ts",
+                               LDAP_TAG_EXOP_RES_OID, resoid );
                }
 
-               if( rc != -1 && data != NULL ) {
-                       rc = ber_printf( ber, "O", data );
+               if( rc != -1 && resdata != NULL ) {
+                       rc = ber_printf( ber, "tO",
+                               LDAP_TAG_EXOP_RES_VALUE, resdata );
                }
 
                if( rc != -1 ) {
@@ -361,9 +369,10 @@ send_ldap_disconnect(
                    0 );
        }
 #endif
+
        send_ldap_response( conn, op, tag, msgid,
                err, NULL, text, NULL,
-               reqoid, NULL, NULL );
+               reqoid, NULL, NULL, NULL );
 
        Statslog( LDAP_DEBUG_STATS,
            "conn=%ld op=%ld DISCONNECT err=%ld tag=%lu text=%s\n",
@@ -429,7 +438,7 @@ send_ldap_result(
 
        send_ldap_response( conn, op, tag, msgid,
                err, matched, text, ref,
-               NULL, NULL, ctrls );
+               NULL, NULL, NULL, ctrls );
 
        Statslog( LDAP_DEBUG_STATS,
            "conn=%ld op=%ld RESULT tag=%lu err=%ld text=%s\n",
@@ -448,6 +457,7 @@ send_ldap_sasl(
     ber_int_t  err,
     const char *matched,
     const char *text,
+       LDAPControl **ctrls,
        struct berval *cred
 )
 {
@@ -473,7 +483,7 @@ send_ldap_sasl(
 
        send_ldap_response( conn, op, tag, msgid,
                err, matched, text, NULL,
-               NULL, cred, NULL );
+               NULL, NULL, cred, ctrls  );
 }
 
 void
@@ -484,15 +494,18 @@ send_ldap_extended(
     const char *matched,
     const char *text,
     char               *rspoid,
-       struct berval *rspdata
+       struct berval *rspdata,
+       LDAPControl **ctrls
 )
 {
        ber_tag_t tag;
        ber_int_t msgid;
 
        Debug( LDAP_DEBUG_TRACE,
-               "send_ldap_extended %ld:%s\n",
-               (long) err, rspoid ? rspoid : "", NULL );
+               "send_ldap_extended %ld:%s (%ld)\n",
+               (long) err,
+               rspoid ? rspoid : "",
+               rspdata != NULL ? (long) rspdata->bv_len : (long) 0 );
 
        tag = req2res( op->o_tag );
        msgid = (tag != LBER_SEQUENCE) ? op->o_msgid : 0;
@@ -507,9 +520,10 @@ send_ldap_extended(
                    0 );
        }
 #endif
+
        send_ldap_response( conn, op, tag, msgid,
                err, matched, text, NULL,
-               rspoid, rspdata, NULL );
+               rspoid, rspdata, NULL, ctrls );
 }
 
 
@@ -572,7 +586,7 @@ send_search_result(
 
        send_ldap_response( conn, op, tag, msgid,
                err, matched, text, refs,
-               NULL, NULL, ctrls );
+               NULL, NULL, NULL, ctrls );
 
        Statslog( LDAP_DEBUG_STATS,
            "conn=%ld op=%ld SEARCH RESULT tag=%lu err=%ld text=%s\n",

diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index de59ee406117700bb5cf82eb6bca2433175dd5d4..88a0b6418e9da42a03db273e57bc0b6792db582e 100644 (file)
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -538,6 +538,7 @@ typedef int (*SLAP_EXTENDED_FN) LDAP_P((
        char            *oid,
     struct berval * reqdata,
     struct berval ** rspdata,
+       LDAPControl ***rspctrls,
        char**  text ));
 
 struct slap_backend_info {

diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c
index 6cee1c2964527616f365aba3453c3f1e290d4d7f..410e450733ce0e3473d42cf0de0fe5e6fe309a82 100644 (file)
--- a/servers/slapd/starttls.c
+++ b/servers/slapd/starttls.c
@@ -26,6 +26,7 @@ starttls_extop (
        char * oid,
        struct berval * reqdata,
        struct berval ** rspdata,
+       LDAPControl ***rspctrls,
        char ** text )
 {
        if ( reqdata != NULL ) {
@@ -62,6 +63,7 @@ starttls_extop (
 
     conn->c_is_tls = 1;
     conn->c_needs_tls_accept = 1;
+
     return(LDAP_SUCCESS);
 }
 

diff --git a/servers/slapd/tools/mimic.c b/servers/slapd/tools/mimic.c
index caea1a513558f0078172f65716d901a8304cb288..a3a7d603090e793b38d15b9310adff232f71308d 100644 (file)
--- a/servers/slapd/tools/mimic.c
+++ b/servers/slapd/tools/mimic.c
@@ -47,7 +47,8 @@ send_ldap_extended(
     const char *matched,
     const char *text,
     char       *rspoid,
-       struct berval *rspdata
+       struct berval *rspdata,
+       LDAPControl **ctrls
 )
 {
        assert(0);
@@ -60,6 +61,7 @@ send_ldap_sasl(
     ber_int_t  err,
     const char *matched,
     const char *text,
+       LDAPControl **ctrls,
        struct berval *cred
 )
 {