From 6f2ffa30ed7f8007fdac6d798005f86a76870107 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Fri, 7 Jan 2005 13:50:38 +0000
Subject: [PATCH] fix ACL value checking for bind (ITS#3446)

---
 servers/slapd/back-bdb/bind.c | 17 ++++++-----------
 servers/slapd/back-ldbm/bind.c | 21 +++------------------
 servers/slapd/back-sql/bind.c | 17 +++-------------
 servers/slapd/passwd.c | 28 ++++++++++++++++++++--------
 servers/slapd/proto-slap.h | 19 ++++++++++---------
 5 files changed, 42 insertions(+), 60 deletions(-)

diff --git a/servers/slapd/back-bdb/bind.c b/servers/slapd/back-bdb/bind.c
index 54e9bc8eea..69d3756462 100644
--- a/servers/slapd/back-bdb/bind.c
+++ b/servers/slapd/back-bdb/bind.c
@@ -130,25 +130,20 @@ dn2entry_retry:
 switch ( op->oq_bind.rb_method ) {
 case LDAP_AUTH_SIMPLE:
- rs->sr_err = access_allowed( op, e,
- password, NULL, ACL_AUTH, NULL );
- if ( ! rs->sr_err ) {
+ a = attr_find( e->e_attrs, password );
+ if ( a == NULL ) {
 rs->sr_err = LDAP_INVALID_CREDENTIALS;
 goto done;
 }
- if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
- rs->sr_err = LDAP_INVALID_CREDENTIALS;
- goto done;
- }
-
- if ( slap_passwd_check( op->o_conn,
- a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 )
+ if ( slap_passwd_check( op, e, a, &op->oq_bind.rb_cred,
+ &rs->sr_text ) != 0 )
 {
+ /* failure; stop front end from sending result */
 rs->sr_err = LDAP_INVALID_CREDENTIALS;
 goto done;
 }
-
+
 rs->sr_err = 0;
 break;
diff --git a/servers/slapd/back-ldbm/bind.c b/servers/slapd/back-ldbm/bind.c
index 6a5dcfbb5b..dce317876a 100644
--- a/servers/slapd/back-ldbm/bind.c
+++ b/servers/slapd/back-ldbm/bind.c
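Review bot: The new `LDAP_AUTH_SIMPLE` branch never records why a missing `password` attribute, a value the ACL withholds and a mismatched credential all end in `LDAP_INVALID_CREDENTIALS`; with the per-value `access_allowed()` now inside `slap_passwd_check()`, that uniformity is what keeps an unauthenticated binder from learning whether an entry has a readable password, and a later cleanup could easily split the cases again. A comment above the `attr_find()` call, `/* missing attribute, ACL-denied value and mismatch must all yield LDAP_INVALID_CREDENTIALS so the binder cannot tell them apart */`, pins that property down. The back-ldbm and back-sql hunks delete disabled `#else` branches that returned `LDAP_INSUFFICIENT_ACCESS` and `LDAP_INAPPROPRIATE_AUTH` for exactly those cases, so the same comment belongs in both. The `done:` label the `goto` targets is outside the hunk.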
@@ -105,31 +105,16 @@ ldbm_back_bind(
 switch ( op->oq_bind.rb_method ) {
 case LDAP_AUTH_SIMPLE:
- if ( ! access_allowed( op, e,
- password, NULL, ACL_AUTH, NULL ) )
- {
-#if 1
- rc = LDAP_INVALID_CREDENTIALS;
-#else
- rc = LDAP_INSUFFICIENT_ACCESS;
-#endif
- goto return_results;
- }
-
 if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
 /* stop front end from sending result */
-#if 1
 rc = LDAP_INVALID_CREDENTIALS;
-#else
- rc = LDAP_INAPPROPRIATE_AUTH;
-#endif
 goto return_results;
 }
- if ( slap_passwd_check( op->o_conn,
- a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 )
+ if ( slap_passwd_check( op, e, a, &op->oq_bind.rb_cred,
+ &rs->sr_text ) != 0 )
 {
- /* stop front end from sending result */
+ /* failure; stop front end from sending result */
 rc = LDAP_INVALID_CREDENTIALS;
 goto return_results;
 }
diff --git a/servers/slapd/back-sql/bind.c b/servers/slapd/back-sql/bind.c
index ce4edaf83c..45b60659f0 100644
--- a/servers/slapd/back-sql/bind.c
+++ b/servers/slapd/back-sql/bind.c
@@ -100,26 +100,15 @@ backsql_bind( Operation *op, SlapReply *rs )
 }
 e = &user_entry;
- if ( ! access_allowed( op, e, password, NULL, ACL_AUTH, NULL ) ) {
-#if 1
- rs->sr_err = LDAP_INVALID_CREDENTIALS;
-#else
- rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
-#endif
- goto error_return;
- }
-
 a = attr_find( e->e_attrs, password );
 if ( a == NULL ) {
-#if 1
 rs->sr_err = LDAP_INVALID_CREDENTIALS;
-#else
- rs->sr_err = LDAP_INAPPROPRIATE_AUTH;
-#endif
 goto error_return;
 }
- if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 ) {
+ if ( slap_passwd_check( op, e, a, &op->oq_bind.rb_cred,
+ &rs->sr_text ) != 0 )
+ {
 rs->sr_err = LDAP_INVALID_CREDENTIALS;
 goto error_return;
 }
diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c
index a1ced2fba9..dd04fcfe5c 100644
--- a/servers/slapd/passwd.c
+++ b/servers/slapd/passwd.c
@@ -384,25 +384,37 @@ struct berval * slap_passwd_return(
 return bv;
 }
+/*
+ * if "e" is provided, access to each value of the password is checked first
+ */
 int slap_passwd_check(
- Connection *conn,
- Attribute *a,
- struct berval *cred,
- const char **text )
+ Operation *op,
+ Entry *e,
+ Attribute *a,
+ struct berval *cred,
+ const char **text )
 {
- int result = 1;
- struct berval *bv;
+ int result = 1;
+ struct berval *bv;
+ AccessControlState acl_state = ACL_STATE_INIT;
 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
 ldap_pvt_thread_mutex_lock( &passwd_mutex );
 #ifdef SLAPD_SPASSWD
- lutil_passwd_sasl_conn = conn->c_sasl_authctx;
+ lutil_passwd_sasl_conn = op->o_conn->c_sasl_authctx;
 #endif
 #endif
 for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
- if( !lutil_passwd( bv, cred, NULL, text ) ) {
+ /* if e is provided, check access */
+ if ( e && access_allowed( op, e, a->a_desc, bv,
+ ACL_AUTH, &acl_state ) == 0 )
+ {
+ continue;
+ }
+
+ if ( !lutil_passwd( bv, cred, NULL, text ) ) {
 result = 0;
 break;
 }
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index c079f236b5..5f061a5b59 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -1000,10 +1000,11 @@ LDAP_SLAPD_F (int) overlay_init( void );
 LDAP_SLAPD_F (SLAP_EXTOP_MAIN_FN) passwd_extop;
 LDAP_SLAPD_F (int) slap_passwd_check(
- Connection *conn,
- Attribute *attr,
+ Operation *op,
+ Entry *e,
+ Attribute *a,
 struct berval *cred,
- const char **text );
+ const char **text );
 LDAP_SLAPD_F (void) slap_passwd_generate( struct berval * );
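Review bot: `access_allowed()` now runs inside the loop while `passwd_mutex` is held, because the `ldap_pvt_thread_mutex_lock()` above the `for` is unchanged, so on `SLAPD_CRYPT`/`SLAPD_SPASSWD` builds every simple bind serializes its ACL evaluation behind one global lock and the critical section grows by the cost of that evaluation; if any ACL evaluation path can re-enter `slap_passwd_check()`, that would be a self-deadlock on a non-recursive mutex. Taking the mutex per value, only around the `lutil_passwd_sasl_conn` assignment and the `lutil_passwd()` call it protects, keeps the ACL check outside it, as sketched below; the matching unlock, presumably after the loop, is outside the hunk and would have to go along with the lock above the loop. The new header comment should also state the contract callers rely on: returns 0 when some value the binder may access matches `cred` and non-zero otherwise, an ACL-denied value being indistinguishable from a mismatch, and `op->o_conn` must be non-NULL under `SLAPD_SPASSWD`. The function body continues past the hunk.
```c
	for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
		int	rc;

		/* … unchanged: per-value ACL check, continue when denied … */

#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
		ldap_pvt_thread_mutex_lock( &passwd_mutex );
#ifdef SLAPD_SPASSWD
		lutil_passwd_sasl_conn = op->o_conn->c_sasl_authctx;
#endif
#endif
		rc = lutil_passwd( bv, cred, NULL, text );
#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
		ldap_pvt_thread_mutex_unlock( &passwd_mutex );
#endif
		if ( !rc ) {
			result = 0;
			break;
		}
	}
```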
@@ -1015,18 +1016,18 @@ LDAP_SLAPD_F (void) slap_passwd_hash(
 LDAP_SLAPD_F (void) slap_passwd_hash_type(
 struct berval *cred,
 struct berval *hash,
- char *htype,
+ char *htype,
 const char **text );
 LDAP_SLAPD_F (struct berval *) slap_passwd_return(
 struct berval *cred );
 LDAP_SLAPD_F (int) slap_passwd_parse(
- struct berval *reqdata,
- struct berval *id,
- struct berval *oldpass,
- struct berval *newpass,
- const char **text );
+ struct berval *reqdata,
+ struct berval *id,
+ struct berval *oldpass,
+ struct berval *newpass,
+ const char **text );
 /*
 * phonetic.c
-- 
2.39.5