[389-commits] Branch '389-ds-base-1.3.1' - ldap/servers

Mark Reynolds mreynolds at fedoraproject.org
Tue Sep 30 19:13:08 UTC 2014


 ldap/servers/slapd/add.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

New commits:
commit 7b7d0929f2129801edb55b8c480f0b8ea8e4a2dc
Author: Mark Reynolds <mreynolds at redhat.com>
Date:   Tue Sep 30 10:07:33 2014 -0400

    Ticket 47900 - Adding an entry with an invalid password as rootDN is incorrectly rejected
    
    Bug Description:  Root DN and password administrators should bypass all password
                      restrictions and syntax checks, but on ADD operations the password
                      checks were still being applied to root/password admins.
    
    Fix Description:  Do not check the password syntax if the bind DN is a rootDN/password admin.
    
    https://fedorahosted.org/389/ticket/47900
    
    Reviewed by: nhosoi(Thanks!)
    
    (cherry picked from commit 50820f80c2da853c29962485b5e9806e68d5aece)

diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
index 875ad22..2a89358 100644
--- a/ldap/servers/slapd/add.c
+++ b/ldap/servers/slapd/add.c
@@ -456,12 +456,14 @@ static void op_shared_add (Slapi_PBlock *pb)
 	int proxy_err = LDAP_SUCCESS;
 	char *errtext = NULL;
 	Slapi_DN *sdn = NULL;
+	passwdPolicy *pwpolicy;
 
 	slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
 	slapi_pblock_get (pb, SLAPI_ADD_ENTRY, &e);
 	slapi_pblock_get (pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);	
 	slapi_pblock_get (pb, SLAPI_IS_LEGACY_REPLICATED_OPERATION, &legacy_op);
 	internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
+	pwpolicy = new_passwdPolicy(pb, slapi_entry_get_dn(e));
 
 	/* target spec is used to decide which plugins are applicable for the operation */
 	operation_set_target_spec (operation, slapi_entry_get_sdn (e));
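Review bot: `pwpolicy` is declared without an initializer while the neighbouring locals (`errtext`, `sdn`) start at NULL, and `pwpolicy = new_passwdPolicy(pb, slapi_entry_get_dn(e));` now runs on every add, including replicated and internal operations and entries that carry no password attribute. Suggest `passwdPolicy *pwpolicy = NULL;` and resolving the policy next to the syntax check it serves, so the lookup happens only when a password value is actually validated. The hunk does not show who owns the returned policy; a short comment at the assignment stating whether the caller must release it (and on which path) would remove the doubt. op_shared_add continues outside this hunk, so a release may exist that is not visible here.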
@@ -577,9 +579,12 @@ static void op_shared_add (Slapi_PBlock *pb)
 					goto done;
 				}
 
-				/* check password syntax */
+				/*
+				 * Check password syntax, unless this is a pwd admin/rootDN
+				 */
 				present_values = attr_get_present_values(attr);
-				if (check_pw_syntax(pb, slapi_entry_get_sdn_const(e),
+				if (!pw_is_pwp_admin(pb, pwpolicy) &&
+				    check_pw_syntax(pb, slapi_entry_get_sdn_const(e),
 				                    present_values, NULL, e, 0) != 0) {
 					/* error result is sent from check_pw_syntax */
 					goto done;
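Review bot: The new condition `!pw_is_pwp_admin(pb, pwpolicy) && check_pw_syntax(...)` skips the syntax check silently, so a password that violates policy can be stored with no record of which bind DN was exempted. Since this deliberately relaxes a security control, consider logging the bypass (bind DN and target DN, never the password value) so the exemption can be audited afterwards. The exemption should also fail closed: if `new_passwdPolicy` can return NULL, confirm that `pw_is_pwp_admin` handles that as "not an admin" rather than dereferencing it; neither function body is visible here. The comment could also say why the exemption exists, e.g. `/* rootDN and password admins are exempt from syntax checks by design (ticket 47900) */`. The enclosing block starts and ends outside the hunk.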



