switch ( op->oq_bind.rb_method ) {
case LDAP_AUTH_SIMPLE:
- rs->sr_err = access_allowed( op, e,
- password, NULL, ACL_AUTH, NULL );
- if ( ! rs->sr_err ) {
+ a = attr_find( e->e_attrs, password );
+ if ( a == NULL ) {
rs->sr_err = LDAP_INVALID_CREDENTIALS;
goto done;
}
- if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
- rs->sr_err = LDAP_INVALID_CREDENTIALS;
- goto done;
- }
-
- if ( slap_passwd_check( op->o_conn,
- a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 )
+ if ( slap_passwd_check( op, e, a, &op->oq_bind.rb_cred,
+ &rs->sr_text ) != 0 )
{
+ /* failure; stop front end from sending result */
rs->sr_err = LDAP_INVALID_CREDENTIALS;
goto done;
}
-
+
rs->sr_err = 0;
break;
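Review bot: With the explicit `access_allowed( op, e, password, NULL, ACL_AUTH, NULL )` call removed, nothing in this branch shows that ACL_AUTH is still enforced; it now happens per value inside slap_passwd_check() and only because `e` is passed as the second argument. A one-line comment above the slap_passwd_check() call would keep that visible to the next reader: `/* ACL_AUTH on each password value is checked inside slap_passwd_check(); passing NULL for e would skip it */`. The same applies to the parallel hunks ending at the `rc = LDAP_INVALID_CREDENTIALS` branch (the back-ldbm switch) and at the `e = &user_entry` block. The enclosing bind function starts before this hunk.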
switch ( op->oq_bind.rb_method ) {
case LDAP_AUTH_SIMPLE:
- if ( ! access_allowed( op, e,
- password, NULL, ACL_AUTH, NULL ) )
- {
-#if 1
- rc = LDAP_INVALID_CREDENTIALS;
-#else
- rc = LDAP_INSUFFICIENT_ACCESS;
-#endif
- goto return_results;
- }
-
if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
/* stop front end from sending result */
-#if 1
rc = LDAP_INVALID_CREDENTIALS;
-#else
- rc = LDAP_INAPPROPRIATE_AUTH;
-#endif
goto return_results;
}
- if ( slap_passwd_check( op->o_conn,
- a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 )
+ if ( slap_passwd_check( op, e, a, &op->oq_bind.rb_cred,
+ &rs->sr_text ) != 0 )
{
- /* stop front end from sending result */
+ /* failure; stop front end from sending result */
rc = LDAP_INVALID_CREDENTIALS;
goto return_results;
}
}
e = &user_entry;
- if ( ! access_allowed( op, e, password, NULL, ACL_AUTH, NULL ) ) {
-#if 1
- rs->sr_err = LDAP_INVALID_CREDENTIALS;
-#else
- rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
-#endif
- goto error_return;
- }
-
a = attr_find( e->e_attrs, password );
if ( a == NULL ) {
-#if 1
rs->sr_err = LDAP_INVALID_CREDENTIALS;
-#else
- rs->sr_err = LDAP_INAPPROPRIATE_AUTH;
-#endif
goto error_return;
}
- if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 ) {
+ if ( slap_passwd_check( op, e, a, &op->oq_bind.rb_cred,
+ &rs->sr_text ) != 0 )
+ {
rs->sr_err = LDAP_INVALID_CREDENTIALS;
goto error_return;
}
return bv;
}
+/*
+ * if "e" is provided, access to each value of the password is checked first
+ */
int
slap_passwd_check(
- Connection *conn,
- Attribute *a,
- struct berval *cred,
- const char **text )
+ Operation *op,
+ Entry *e,
+ Attribute *a,
+ struct berval *cred,
+ const char **text )
{
- int result = 1;
- struct berval *bv;
+ int result = 1;
+ struct berval *bv;
+ AccessControlState acl_state = ACL_STATE_INIT;
#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
ldap_pvt_thread_mutex_lock( &passwd_mutex );
#ifdef SLAPD_SPASSWD
- lutil_passwd_sasl_conn = conn->c_sasl_authctx;
+ lutil_passwd_sasl_conn = op->o_conn->c_sasl_authctx;
#endif
#endif
for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
- if( !lutil_passwd( bv, cred, NULL, text ) ) {
+ /* if e is provided, check access */
+ if ( e && access_allowed( op, e, a->a_desc, bv,
+ ACL_AUTH, &acl_state ) == 0 )
+ {
+ continue;
+ }
+
+ if ( !lutil_passwd( bv, cred, NULL, text ) ) {
result = 0;
break;
}
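Review bot: The new header comment says access to each value is checked, but not what happens when a value is denied: the `continue` skips it, so an entry whose password values are all inaccessible never reaches lutil_passwd(), `result` stays 1 and the bind fails exactly like a wrong password — the same choice the removed `#if 1` branches made by preferring LDAP_INVALID_CREDENTIALS over LDAP_INSUFFICIENT_ACCESS. That intent is worth stating in the comment, e.g. `* values the bind DN lacks ACL_AUTH access to are skipped, so a bind against an entry whose password values are all inaccessible fails as invalid credentials, indistinguishable from a wrong password; e == NULL bypasses the check entirely and is only for callers that have already authorized access`. Separately, the `op->o_conn->c_sasl_authctx` line now dereferences `op->o_conn` where the old code received `conn` directly; all visible callers are bind handlers and presumably always have a connection, but the header comment should say `op->o_conn` must be non-NULL since the SLAPD_SPASSWD path relies on it. slap_passwd_check's body (the mutex unlock and return) continues past this hunk.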
LDAP_SLAPD_F (SLAP_EXTOP_MAIN_FN) passwd_extop;
LDAP_SLAPD_F (int) slap_passwd_check(
- Connection *conn,
- Attribute *attr,
+ Operation *op,
+ Entry *e,
+ Attribute *a,
struct berval *cred,
- const char **text );
+ const char **text );
LDAP_SLAPD_F (void) slap_passwd_generate( struct berval * );
LDAP_SLAPD_F (void) slap_passwd_hash_type(
struct berval *cred,
struct berval *hash,
- char *htype,
+ char *htype,
const char **text );
LDAP_SLAPD_F (struct berval *) slap_passwd_return(
struct berval *cred );
LDAP_SLAPD_F (int) slap_passwd_parse(
- struct berval *reqdata,
- struct berval *id,
- struct berval *oldpass,
- struct berval *newpass,
- const char **text );
+ struct berval *reqdata,
+ struct berval *id,
+ struct berval *oldpass,
+ struct berval *newpass,
+ const char **text );
/*
* phonetic.c