ldap/ldif/template-dse.ldif.in | 5 +--- ldap/servers/plugins/uiduniq/7bit.c | 37 ++++++++++++++++++++++++++---------- 2 files changed, 29 insertions(+), 13 deletions(-)
New commits: commit 2c88c960df07c7f6a1cc9b6504b03aef80da9550 Author: Anupam Jain anjain@localhost.localdomain Date: Fri Jul 5 16:32:29 2013 -0700
Ticket #47363 - 7-bit checking is not necessary for userPassword
Fix description: removed userpassword attribute from the 7-bit checking list
https://fedorahosted.org/389/ticket/47363
Reviewed by nhosoi.
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 11595aa..189c4aa 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -630,9 +630,8 @@ nsslapd-plugintype: betxnpreoperation
 nsslapd-pluginenabled: on
 nsslapd-pluginarg0: uid
 nsslapd-pluginarg1: mail
-nsslapd-pluginarg2: userpassword
-nsslapd-pluginarg3: ,
-nsslapd-pluginarg4: %ds_suffix%
+nsslapd-pluginarg2: ,
+nsslapd-pluginarg3: %ds_suffix%
 nsslapd-plugin-depends-on-type: database
dn: cn=Account Usability Plugin,cn=plugins,cn=config
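Review bot: Removing `nsslapd-pluginarg2: userpassword` from the template changes only instances created after this commit; the diffstat lists no upgrade file, so a server that already exists presumably keeps `userpassword` in its 7-bit check arguments. If ticket 47363 is meant to apply to deployed servers as well, the change needs an upgrade step, or at least a release note telling administrators to drop the argument and renumber the remaining ones contiguously, as this hunk does.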
commit d804aaf7ee15841ac1aeaf831879fe56da23931d Author: Anupam Jain anjain@localhost.localdomain Date: Wed Jul 10 17:18:03 2013 -0700
Ticket #47423 - 7-bit check plugin does not work for userpassword attribute
Bug description: 7-bit check plugin fails to validate userpassword attribute
Fix description: This patch corrects the validation code for the userpassword attribute. It fetches the unhashed userpassword from the extension instead of from the entry attribute value.
https://fedorahosted.org/389/ticket/47423
Reviewed by nhosoi.
diff --git a/ldap/servers/plugins/uiduniq/7bit.c b/ldap/servers/plugins/uiduniq/7bit.c index ca9792b..a83122e 100644 --- a/ldap/servers/plugins/uiduniq/7bit.c +++ b/ldap/servers/plugins/uiduniq/7bit.c @@ -218,7 +218,8 @@ preop_add(Slapi_PBlock *pb) { int result; char *violated = NULL; - + char *pwd = NULL; + char *origpwd = NULL; #ifdef DEBUG slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name, "ADD begin\n"); #endif @@ -236,12 +237,14 @@ preop_add(Slapi_PBlock *pb) const char *dn; Slapi_DN *sdn = NULL; Slapi_Entry *e; - Slapi_Attr *attr; char **firstSubtree; char **subtreeDN; int subtreeCnt; int is_replicated_operation; - + struct berval *vals[2]; + struct berval val; + vals[0] = &val; + vals[1] = NULL; /* * Get the arguments */ @@ -288,19 +291,26 @@ preop_add(Slapi_PBlock *pb) for (attrName = argv; strcmp(*attrName, ",") != 0; attrName++ ) { /* - * if the attribute is userpassword, check unhashed#user#password + * if the attribute is userpassword, check unhashed user password * instead. "userpassword" is encoded; it will always pass the 7bit * check. */ - char *attr_name; + char *attr_name = NULL; + Slapi_Attr *attr = NULL; if ( strcasecmp(*attrName, "userpassword") == 0 ) { - attr_name = "unhashed#user#password"; + origpwd = pwd = slapi_get_first_clear_text_pw(e); + if (pwd == NULL) + { + continue; + } + val.bv_val = pwd; + val.bv_len = strlen(val.bv_val); } else { attr_name = *attrName; + err = slapi_entry_attr_find(e, attr_name, &attr); + if (err) continue; /* break;*/ /* no 7-bit attribute */ } - err = slapi_entry_attr_find(e, attr_name, &attr); - if (err) continue; /* break;*/ /* no 7-bit attribute */
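Review bot: The two locals added in the first hunk, `pwd` and `origpwd`, point at the same clear-text password copy, and nothing records which of them owns it. A comment on the declarations would make the later `slapi_ch_free_string(&origpwd)` and the `pwd = NULL` in the subtree loop readable, for example `/* origpwd owns the clear-text copy and is freed before return; pwd is the working pointer, cleared once the value has passed the check */`. preop_add starts before this hunk and continues past it.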
/* * For each DN in the managed list, do 7-bit checking if @@ -323,7 +333,14 @@ preop_add(Slapi_PBlock *pb) /* * Check if the value is 7-bit clean */ - result = bit_check(attr, NULL, &violated); + if(pwd) + { + result = bit_check(attr, vals, &violated); + if(!result) + pwd = NULL; + } + else + result = bit_check(attr, NULL, &violated); if (result) break; } } @@ -335,7 +352,7 @@ preop_add(Slapi_PBlock *pb) if (result) { issue_error(pb, result, "ADD", violated); } - + slapi_ch_free_string(&origpwd); return (result==LDAP_SUCCESS)?0:-1; }
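Review bot: `origpwd = pwd = slapi_get_first_clear_text_pw(e);` sits inside the loop over the configured attribute names, while the only `slapi_ch_free_string(&origpwd)` is at the end of the function, so a configuration that lists `userpassword` more than once overwrites the pointer and leaks the earlier clear-text copy. Releasing the previous copy first, with `slapi_ch_free_string(&origpwd);` on the line before the assignment, closes that. Judging by its name the helper returns only the first clear-text value, so it is worth confirming what happens to an entry added with several userPassword values. The loop body continues past the end of this hunk.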
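Review bot: In the subtree loop `pwd` doubles as the value to check and as an "already checked" flag, and it is cleared after the first successful check, so a second matching subtree in the same iteration falls into the `else` branch and calls `bit_check(attr, NULL, &violated)` with `attr` still NULL from the userpassword branch. Whether bit_check tolerates both arguments being NULL is not visible here. Selecting the argument without mutating state is simpler: `result = bit_check(attr, pwd ? vals : NULL, &violated);`, with `pwd = NULL;` at the top of each attribute iteration so a later attribute never inherits the password value. The added `if`/`else` also mixes braced and unbraced bodies.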
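Review bot: When the password fails the check, `violated` was filled in by `bit_check(attr, vals, &violated)`, and if bit_check stores the offending value there (its body is not shown) it points into the clear-text copy that `issue_error(pb, result, "ADD", violated)` then receives. issue_error is not shown either, so confirm it neither logs that string nor returns it in the result text; passing the attribute name for the password case, `issue_error(pb, result, "ADD", pwd ? "userpassword" : violated);`, avoids the question. Freeing `origpwd` after the issue_error call is the right order for the same reason. The buffer is released without being overwritten, which leaves the password in freed heap memory; whether the project scrubs such buffers elsewhere is not visible in this diff.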