From: Howard Chu Date: Thu, 11 May 2006 13:39:44 +0000 (+0000) Subject: ITS#4516 clear restricted status if other Binds have succeeded X-Git-Tag: OPENLDAP_REL_ENG_2_4_1ALPHA~2^2~45 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=a0ee28698ce570a1d86b678240db002448d37cf6;p=openldap ITS#4516 clear restricted status if other Binds have succeeded --- diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c index 958348e939..95ff1fd7c8 100644 --- a/servers/slapd/overlays/ppolicy.c +++ b/servers/slapd/overlays/ppolicy.c @@ -55,7 +55,7 @@ typedef struct pp_info { * used by all instances */ typedef struct pw_conn { - int restricted; /* TRUE if connection is restricted */ + struct berval dn; /* DN of restricted user */ } pw_conn; static pw_conn *pwcons; @@ -814,7 +814,8 @@ ppolicy_bind_resp( Operation *op, SlapReply *rs ) * that we are disallowed from doing anything * other than change password. */ - pwcons[op->o_conn->c_conn_idx].restricted = 1; + ber_dupbv( &pwcons[op->o_conn->c_conn_idx].dn, + &op->o_conn->c_ndn ); ppb->pErr = PP_changeAfterReset; @@ -972,7 +973,10 @@ ppolicy_bind( Operation *op, SlapReply *rs ) slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; /* Reset lockout status on all Bind requests */ - pwcons[op->o_conn->c_conn_idx].restricted = 0; + if ( !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) { + ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val ); + BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn ); + } /* Root bypasses policy */ if ( !be_isroot_dn( op->o_bd, &op->o_req_ndn )) { @@ -1026,11 +1030,14 @@ ppolicy_bind( Operation *op, SlapReply *rs ) return SLAP_CB_CONTINUE; } -/* Reset the restricted flag for the next session on this connection */ +/* Reset the restricted info for the next session on this connection */ static int ppolicy_connection_destroy( BackendDB *bd, Connection *conn ) { - pwcons[conn->c_conn_idx].restricted = 0; + if ( !BER_BVISEMPTY( &pwcons[conn->c_conn_idx].dn )) { + ch_free( pwcons[conn->c_conn_idx].dn.bv_val ); + BER_BVZERO( &pwcons[conn->c_conn_idx].dn ); + } return SLAP_CB_CONTINUE; } @@ -1048,7 +1055,18 @@ ppolicy_restrict( send_ctrl = 1; } - if ( op->o_conn && pwcons[op->o_conn->c_conn_idx].restricted ) { + if ( op->o_conn && !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) { + /* if the current authcDN doesn't match the one we recorded, + * then an intervening Bind has succeeded and the restriction + * no longer applies. (ITS#4516) + */ + if ( !dn_match( &op->o_conn->c_ndn, + &pwcons[op->o_conn->c_conn_idx].dn )) { + ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val ); + BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn ); + return SLAP_CB_CONTINUE; + } + Debug( LDAP_DEBUG_TRACE, "connection restricted to password changing only\n", 0, 0, 0); if ( send_ctrl ) { @@ -1354,13 +1372,19 @@ ppolicy_modify( Operation *op, SlapReply *rs ) } } - if (pwcons[op->o_conn->c_conn_idx].restricted && !mod_pw_only) { - Debug( LDAP_DEBUG_TRACE, - "connection restricted to password changing only\n", 0, 0, 0 ); - rs->sr_err = LDAP_INSUFFICIENT_ACCESS; - rs->sr_text = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password"; - pErr = PP_changeAfterReset; - goto return_results; + if (!BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn ) && !mod_pw_only ) { + if ( dn_match( &op->o_conn->c_ndn, + &pwcons[op->o_conn->c_conn_idx].dn )) { + Debug( LDAP_DEBUG_TRACE, + "connection restricted to password changing only\n", 0, 0, 0 ); + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + rs->sr_text = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password"; + pErr = PP_changeAfterReset; + goto return_results; + } else { + ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val ); + BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn ); + } } /*