ldap/servers/plugins/deref/deref.c | 6 ++++++
ldap/servers/slapd/attr.c | 9 ++++++++-
ldap/servers/slapd/auditlog.c | 2 +-
ldap/servers/slapd/entry.c | 26 +++++++++++++++++++++++---
ldap/servers/slapd/entrywsi.c | 12 ++++++++++--
ldap/servers/slapd/libglobs.c | 2 +-
ldap/servers/slapd/pblock.c | 16 ++++++++++++++++
ldap/servers/slapd/plugin_internal_op.c | 27 ++++++++++++++++++++++-----
ldap/servers/slapd/proto-slap.h | 2 +-
ldap/servers/slapd/pw_mgmt.c | 5 ++++-
ldap/servers/slapd/schema.c | 15 +++++++++------
11 files changed, 101 insertions(+), 21 deletions(-)
New commits:
commit df5293373d49c3a875d6fba3fec44babfff7b4f6
Author: Noriko Hosoi <nhosoi(a)totoro.usersys.redhat.com>
Date: Thu Jun 14 14:40:27 2012 -0700
audit log does not log unhashed password: enabled, by default.
diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index 81afe3e..f6afd10 100644
--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -55,7 +55,7 @@ char *attr_changetype = ATTR_CHANGETYPE;
char *attr_newrdn = ATTR_NEWRDN;
char *attr_deleteoldrdn = ATTR_DELETEOLDRDN;
char *attr_modifiersname = ATTR_MODIFIERSNAME;
-static int hide_unhashed_pw = 0;
+static int hide_unhashed_pw = 1;
/* Forward Declarations */
static void write_audit_file( int optype, const char *dn, void *change, int flag, time_t
curtime );
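Review bot: The flipped default `static int hide_unhashed_pw = 1;` duplicates the config default flipped in the libglobs.c hunk (`cfg->auditlog_logging_hide_unhashed_pw = LDAP_ON;`), and nothing ties the two together, so they can drift apart on the next change. A comment on the static would help, e.g. `/* Keep in sync with the auditlog_logging_hide_unhashed_pw default in libglobs.c */`. If the static is only a cache that the config setter overwrites at startup, the comment should say that instead.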
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 282fc0d..3226ede 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1080,7 +1080,7 @@ FrontendConfig_init () {
cfg->auditlog_minfreespace = 5;
cfg->auditlog_exptime = 1;
cfg->auditlog_exptimeunit = slapi_ch_strdup("month");
- cfg->auditlog_logging_hide_unhashed_pw = LDAP_OFF;
+ cfg->auditlog_logging_hide_unhashed_pw = LDAP_ON;
cfg->entryusn_global = LDAP_OFF;
cfg->entryusn_import_init = slapi_ch_strdup("0");
commit 75224010ef566f96a953e9070dff10542a7a20a1
Author: Noriko Hosoi <nhosoi(a)totoro.usersys.redhat.com>
Date: Tue Jun 12 16:41:39 2012 -0700
Bug 829213 - unhashed#user#password visible after changing password
https://bugzilla.redhat.com/show_bug.cgi?id=829213
Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
https://bugzilla.redhat.com/show_bug.cgi?id=830001
Bug Description: unhashed#user#password is skipped by the acl check
in acl_check_mod.
Fix Description: Set SLAPI_ATTR_FLAG_NOUSERMOD to unhashed#user#
password schema. It makes clients' modifying the unhashed password
fail by UNWILLING TO PERFORM.
(cherry picked from commit 1629311d7201a6a7842db15865e02042a2894383)
diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
index 8d99879..f6f3cf3 100644
--- a/ldap/servers/slapd/pw_mgmt.c
+++ b/ldap/servers/slapd/pw_mgmt.c
@@ -306,7 +306,10 @@ pw_init ( void ) {
slapi_add_internal_attr_syntax( PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
PSEUDO_ATTR_UNHASHEDUSERPASSWORD_OID,
- OCTETSTRING_SYNTAX_OID, 0, 0 );
+ OCTETSTRING_SYNTAX_OID, 0,
+ /* Clients don't need to directly modify
+ * PSEUDO_ATTR_UNHASHEDUSERPASSWORD */
+ SLAPI_ATTR_FLAG_NOUSERMOD );
}
commit 9e15a73380e32947f08e2d8cc3bce87f467fab80
Author: Noriko Hosoi <nhosoi(a)totoro.usersys.redhat.com>
Date: Mon Jun 11 16:57:50 2012 -0700
Bug 829213 - unhashed#user#password visible after changing password
https://bugzilla.redhat.com/show_bug.cgi?id=829213
Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
https://bugzilla.redhat.com/show_bug.cgi?id=830001
Bug Description: Deref still retrieved unhashed password.
Fix Description: Added code to Deref plugin to check the deref attribute.
If it is unhashed password, skip it.
(cherry picked from commit 26b5121d84232cf453fa917f11ba6518a40358ea)
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index fb6a54a..d97dc0a 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -632,6 +632,12 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char
*derefdn,
int needpartialattr = 1; /* need PartialAttribute sequence? */
int needvalsset = 1;
+ if (is_type_forbidden(retattrs[ii])) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
+ "skip forbidden attribute [%s]\n", derefdn);
+ continue;
+ }
+
deref_get_values(entries[0], retattrs[ii], &results,
&type_name_disposition,
&actual_type_name, flags, &buffer_flags);
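Review bot: The added log line `"skip forbidden attribute [%s]\n", derefdn` formats the dereference DN where the message promises the attribute name; it should pass `retattrs[ii]`, or both: `"skip forbidden attribute [%s] for [%s]\n", retattrs[ii], derefdn`. The loop the `continue` belongs to starts outside the hunk in deref_do_deref_attr, so I am assuming it is the loop over ii. The prototype of is_type_forbidden moves from slapi-private.h to proto-slap.h in this commit; confirm deref.c includes a header that now carries it, otherwise the call is an implicit declaration.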
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index c3ebd79..1b62c13 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -639,7 +639,7 @@ int is_rootdse( const char *dn );
int get_entry_object_type();
int entry_computed_attr_init();
void send_referrals_from_entry(Slapi_PBlock *pb, Slapi_Entry *referral);
-
+int is_type_forbidden(const char *type);
/*
* dse.c
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 2f0afc7..75f8e8f 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -331,7 +331,6 @@ int entry_next_deleted_attribute( const Slapi_Entry *e, Slapi_Attr
**a);
/* entry.c */
int entry_apply_mods( Slapi_Entry *e, LDAPMod **mods );
int is_type_protected(const char *type);
-int is_type_forbidden(const char *type);
int slapi_entries_diff(Slapi_Entry **old_entries, Slapi_Entry **new_entries, int testall,
const char *logging_prestr, const int force_update, void *plg_id);
commit 8f9e49e73efb45f6741dee371b7dec3cd2fc1ddd
Author: Noriko Hosoi <nhosoi(a)totoro.usersys.redhat.com>
Date: Fri Jun 8 11:39:56 2012 -0700
Bug 829213 - unhashed#user#password visible after changing password
https://bugzilla.redhat.com/show_bug.cgi?id=829213
Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
https://bugzilla.redhat.com/show_bug.cgi?id=830001
Bug Description: unhashed password is stored in the entry in memory
when an entry/a password is added or the password is modified.
The password could be visible by the ordinary search if the type
"unhashed#user#password" is specified in the attribute list.
Fix Description:
1. Set "unhashed#user#password" to the forbidden attribute list,
which is dropped from the search attribute list.
2. Get effective right does not return "unhashed#user#password"
3. In the modify operation, adding "unhashed#user#password" to or
deleting "unhashed#user#password" from the entry never returns
an error regardless of the attribute value. Internally, the
operation is ignored.
(cherry picked from commit 9df3c438ebd05bbaa5e7b2506fc5d5e9f3ff4a95)
(cherry picked from commit 8f0811a86a1b233cf9566349653ef7f184278144)
(Fixed conflicts in ldap/servers/slapd/{entry.c,entrywsi.c,slapi-private.h})
diff --git a/ldap/servers/slapd/attr.c b/ldap/servers/slapd/attr.c
index 95a7808..eab20e5 100644
--- a/ldap/servers/slapd/attr.c
+++ b/ldap/servers/slapd/attr.c
@@ -805,7 +805,14 @@ attr_add_valuearray(Slapi_Attr *a, Slapi_Value **vals, const char
*dn)
for ( i = 0; vals[i] != NULL; ++i ) {
if ( slapi_attr_value_find( a, slapi_value_get_berval(vals[i]) ) == 0 ) {
duplicate_index = i;
- rc = LDAP_TYPE_OR_VALUE_EXISTS;
+ if (is_type_forbidden(a->a_type)) {
+ /* If the attr is in the forbidden list
+ * (e.g., unhashed password),
+ * we don't return any useful info to the clients. */
+ rc = LDAP_OTHER;
+ } else {
+ rc = LDAP_TYPE_OR_VALUE_EXISTS;
+ }
break;
}
}
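Review bot: On the forbidden path `duplicate_index = i;` is still recorded before `rc = LDAP_OTHER;`; if the remainder of attr_add_valuearray, which continues outside the hunk, uses that index to log or report the duplicate value, masking the return code hides little. Either leave duplicate_index untouched on that branch or add a comment stating that the index is consumed only server-side. A debug line on the LDAP_OTHER branch would also let an administrator see why a modify of this type failed, since the client no longer gets a specific reason.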
diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
index 03ec117..4f60703 100644
--- a/ldap/servers/slapd/entry.c
+++ b/ldap/servers/slapd/entry.c
@@ -70,6 +70,9 @@ static char *protected_attrs_all [] =
{PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
SLAPI_ATTR_ENTRYDN,
NULL};
+static char *forbidden_attrs [] = {PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
+ NULL};
+
/*
* An attribute name is of the form 'basename[;option]'.
* The state informaion is encoded in options. For example:
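Review bot: forbidden_attrs lists PSEUDO_ATTR_UNHASHEDUSERPASSWORD, which already appears in protected_attrs_all a few lines above, and nothing says how the two lists differ. A comment above the new array would help, e.g. `/* Types never handed to clients: dropped from requested search attributes and whose add/delete failures are not reported; compare protected_attrs_all above. */`, based on what the rest of this commit does with it. Without it the next reader will wonder whether adding a type to one list requires adding it to the other.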
@@ -1624,6 +1627,18 @@ is_type_protected(const char *type)
return 0;
}
+int
+is_type_forbidden(const char *type)
+{
+ char **paap = NULL;
+ for (paap = forbidden_attrs; paap && *paap; paap++) {
+ if (0 == strcasecmp(type, *paap)) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
static void
entry2str_internal_put_attrlist( const Slapi_Attr *attrlist, int attr_state, int
entry2str_ctrl, char **ecur, char **typebuf, size_t *typebuf_len)
{
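Review bot: is_type_forbidden passes `type` straight to strcasecmp with no NULL guard, which is undefined behaviour for a NULL type; add `if (NULL == type) { return 0; }` at the top, matching the file's comparison style. The match is on the full type string, while the comment near the top of the file says attribute names take the form `basename[;option]`, so a requested type carrying an option would not match; if callers can pass such strings, compare the base type (slapi_attr_basetype) instead. The `paap &&` test is redundant because forbidden_attrs is an array and can never be NULL.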
@@ -3408,7 +3423,7 @@ delete_values_sv_internal(
* add/mod operation is done, while the retried entry from the db does not
* contain the attribute.
*/
- if (is_type_protected(type)) {
+ if (is_type_protected(type) || is_type_forbidden(type)) {
flags |= SLAPI_VALUE_FLAG_IGNOREERROR;
}
@@ -3419,7 +3434,6 @@ delete_values_sv_internal(
retVal = attrlist_delete( &e->e_attrs, type);
if (flags & SLAPI_VALUE_FLAG_IGNOREERROR) {
return LDAP_SUCCESS;
- } else {
}
return(retVal ? LDAP_NO_SUCH_ATTRIBUTE : LDAP_SUCCESS);
}
@@ -3429,6 +3443,9 @@ delete_values_sv_internal(
if ( a == NULL ) {
LDAPDebug( LDAP_DEBUG_ARGS, "could not find attribute %s\n",
type, 0, 0 );
+ if (flags & SLAPI_VALUE_FLAG_IGNOREERROR) {
+ return LDAP_SUCCESS;
+ }
return( LDAP_NO_SUCH_ATTRIBUTE );
}
@@ -3457,8 +3474,11 @@ delete_values_sv_internal(
"value for attribute type %s found in "
"entry %s\n", a->a_type, slapi_entry_get_dn_const(e), 0 );
}
+ if (flags & SLAPI_VALUE_FLAG_IGNOREERROR) {
+ retVal = LDAP_SUCCESS;
+ }
}
- }
+ }
return( retVal );
}
diff --git a/ldap/servers/slapd/entrywsi.c b/ldap/servers/slapd/entrywsi.c
index 05dbb36..8c6a122 100644
--- a/ldap/servers/slapd/entrywsi.c
+++ b/ldap/servers/slapd/entrywsi.c
@@ -634,7 +634,13 @@ entry_delete_present_values_wsi(Slapi_Entry *e, const char *type,
struct berval
}
else if (attr_state==ATTRIBUTE_DELETED)
{
- retVal= LDAP_NO_SUCH_ATTRIBUTE;
+ /* If the type is in the forbidden attr list (e.g., unhashed password),
+ * we don't return the reason of the failure to the clients. */
+ if (is_type_forbidden(type)) {
+ retVal = LDAP_SUCCESS;
+ } else {
+ retVal= LDAP_NO_SUCH_ATTRIBUTE;
+ }
}
else if (attr_state==ATTRIBUTE_NOTFOUND)
{
@@ -643,8 +649,10 @@ entry_delete_present_values_wsi(Slapi_Entry *e, const char *type,
struct berval
* failure, as the attribute could only exist in the entry in the
* memory when the add/mod operation is done, while the retried entry
* from the db does not contain the attribute.
+ * So is in the forbidden_attrs list. We don't return the reason
+ * of the failure.
*/
- if (is_type_protected(type)) {
+ if (is_type_protected(type) || is_type_forbidden(type)) {
retVal = LDAP_SUCCESS;
} else {
if (!urp) {
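Review bot: The extended comment `* So is in the forbidden_attrs list. We don't return the reason` reads awkwardly and does not say what is being treated the same way; suggest `* The same applies to types in forbidden_attrs: the failure is not reported to the client.` The first hunk of this file makes the same choice for ATTRIBUTE_DELETED and could carry the same wording. entry_delete_present_values_wsi starts and ends outside the hunk.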
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index 4be8efd..baee7a7 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -3060,6 +3060,22 @@ slapi_pblock_set( Slapi_PBlock *pblock, int arg, void *value )
case SLAPI_SEARCH_ATTRS:
if(pblock->pb_op!=NULL)
{
+ char **attrs;
+ for (attrs = (char **)value; attrs && *attrs; attrs++) {
+ /* Get rid of forbidden attr, e.g.,
+ * PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
+ * which never be returned. */
+ if (is_type_forbidden(*attrs)) {
+ char **ptr;
+ for (ptr = attrs; ptr && *ptr; ptr++) {
+ if (ptr == attrs) {
+ slapi_ch_free_string(ptr); /* free unhashed type */
+ }
+ *ptr = *(ptr + 1); /* attrs is NULL terminated;
+ the NULL is copied here. */
+ }
+ }
+ }
pblock->pb_op->o_params.p.p_search.search_attrs = (char **) value;
}
break;
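Review bot: The outer `for (...; attrs++)` advances after a forbidden entry has been removed and the tail shifted down, so the element shifted into that slot is never examined; two adjacent forbidden entries leave the second one in the list. Removing an element should not advance the cursor, which is easier to express with a while loop that only increments on the keep path. This setter also frees a string inside and compacts the caller's array in place; the plugin_internal_op.c hunks duplicate the array for that reason, but any other caller that sets SLAPI_SEARCH_ATTRS with a static or shared array would have it modified, which deserves a comment at the case label.
```c
case SLAPI_SEARCH_ATTRS:
    if(pblock->pb_op!=NULL)
    {
        /* Caller's array is compacted in place: forbidden types
         * (e.g., PSEUDO_ATTR_UNHASHEDUSERPASSWORD) are freed and dropped. */
        char **attrs = (char **)value;
        while (attrs && *attrs) {
            char **ptr;
            if (!is_type_forbidden(*attrs)) {
                attrs++;
                continue;
            }
            slapi_ch_free_string(attrs);
            /* Shift the tail, NULL terminator included, down one slot.
             * Do not advance: the element now at *attrs still needs checking. */
            ptr = attrs;
            do {
                *ptr = *(ptr + 1);
            } while (*ptr++ != NULL);
        }
        pblock->pb_op->o_params.p.p_search.search_attrs = (char **) value;
    }
    break;
```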
diff --git a/ldap/servers/slapd/plugin_internal_op.c
b/ldap/servers/slapd/plugin_internal_op.c
index cf65c2c..4c7462d 100644
--- a/ldap/servers/slapd/plugin_internal_op.c
+++ b/ldap/servers/slapd/plugin_internal_op.c
@@ -291,6 +291,7 @@ slapi_search_internal_set_pb (Slapi_PBlock *pb, const char *base,
int operation_flags)
{
Operation *op;
+ char **tmp_attrs = NULL;
if (pb == NULL || base == NULL)
{
slapi_log_error(SLAPI_LOG_FATAL, NULL,
@@ -304,7 +305,9 @@ slapi_search_internal_set_pb (Slapi_PBlock *pb, const char *base,
slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &scope);
slapi_pblock_set(pb, SLAPI_SEARCH_STRFILTER, (void*)filter);
slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
- slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, attrs);
+ /* forbidden attrs could be removed in slapi_pblock_set. */
+ tmp_attrs = slapi_ch_array_dup(attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, tmp_attrs);
slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
if (uniqueid)
{
@@ -322,6 +325,7 @@ slapi_search_internal_set_pb_ext (Slapi_PBlock *pb, Slapi_DN *sdn,
int operation_flags)
{
Operation *op;
+ char **tmp_attrs = NULL;
if (pb == NULL || sdn == NULL)
{
slapi_log_error(SLAPI_LOG_FATAL, NULL,
@@ -337,7 +341,9 @@ slapi_search_internal_set_pb_ext (Slapi_PBlock *pb, Slapi_DN *sdn,
slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &scope);
slapi_pblock_set(pb, SLAPI_SEARCH_STRFILTER, (void*)filter);
slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
- slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, attrs);
+ /* forbidden attrs could be removed in slapi_pblock_set. */
+ tmp_attrs = slapi_ch_array_dup(attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, tmp_attrs);
slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
if (uniqueid)
{
@@ -351,6 +357,7 @@ void slapi_seq_internal_set_pb(Slapi_PBlock *pb, char *base, int type,
char *att
Slapi_ComponentId *plugin_identity, int operation_flags)
{
Operation *op;
+ char **tmp_attrs = NULL;
if (pb == NULL || base == NULL)
{
slapi_log_error(SLAPI_LOG_FATAL, NULL,
@@ -364,8 +371,10 @@ void slapi_seq_internal_set_pb(Slapi_PBlock *pb, char *base, int
type, char *att
slapi_pblock_set(pb, SLAPI_SEQ_TYPE, &type);
slapi_pblock_set(pb, SLAPI_SEQ_ATTRNAME, attrname);
slapi_pblock_set(pb, SLAPI_SEQ_VAL, val);
- slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, attrs);
- slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
+ /* forbidden attrs could be removed in slapi_pblock_set. */
+ tmp_attrs = slapi_ch_array_dup(attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, tmp_attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
slapi_pblock_set(pb, SLAPI_PLUGIN_IDENTITY, plugin_identity);
}
@@ -383,6 +392,7 @@ static int seq_internal_callback_pb (Slapi_PBlock *pb, void
*callback_data,
char *base;
char *attrname, *val;
Slapi_DN *sdn = NULL;
+ char **tmp_attrs = NULL;
slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, (void *)&base );
slapi_pblock_get(pb, SLAPI_CONTROLS_ARG, &controls);
@@ -445,6 +455,9 @@ static int seq_internal_callback_pb (Slapi_PBlock *pb, void
*callback_data,
slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
slapi_sdn_free(&sdn);
slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, NULL);
+ slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &tmp_attrs);
+ slapi_ch_array_free(tmp_attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, NULL);
return rc;
}
@@ -731,6 +744,7 @@ search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
char *ifstr;
int opresult;
int rc = 0;
+ char **tmp_attrs = NULL;
PR_ASSERT (pb);
@@ -801,10 +815,13 @@ search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
done:
slapi_ch_free((void **) & fstr);
- if (filter != NULL)
+ if (filter != NULL)
{
slapi_filter_free(filter, 1 /* recurse */);
}
+ slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &tmp_attrs);
+ slapi_ch_array_free(tmp_attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, NULL);
return(rc);
}
diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
index 50b1cbc..12f11c3 100644
--- a/ldap/servers/slapd/schema.c
+++ b/ldap/servers/slapd/schema.c
@@ -1381,15 +1381,18 @@ schema_list_attributes_callback(struct asyntaxinfo *asi, void
*arg)
return ATTR_SYNTAX_ENUM_NEXT;
}
if (aew->flag && (asi->asi_flags & aew->flag)) {
- charray_add(&aew->attrs, slapi_ch_strdup(asi->asi_name));
+ /* skip unhashed password */
+ if (!is_type_forbidden(asi->asi_name)) {
+ charray_add(&aew->attrs, slapi_ch_strdup(asi->asi_name));
if (NULL != asi->asi_aliases) {
- int i;
+ int i;
- for ( i = 0; asi->asi_aliases[i] != NULL; ++i ) {
+ for ( i = 0; asi->asi_aliases[i] != NULL; ++i ) {
charray_add(&aew->attrs,
- slapi_ch_strdup(asi->asi_aliases[i]));
- }
- }
+ slapi_ch_strdup(asi->asi_aliases[i]));
+ }
+ }
+ }
}
return ATTR_SYNTAX_ENUM_NEXT;
}
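Review bot: Wrapping the whole body in `if (!is_type_forbidden(asi->asi_name))` re-indents the alias loop and makes the hunk hard to read; a guard `if (is_type_forbidden(asi->asi_name)) { return ATTR_SYNTAX_ENUM_NEXT; }` placed before the `aew->flag` test is equivalent, since the function returns the same value right after the block, and keeps the original lines untouched. Only asi_name is checked, so a forbidden type reachable only through asi_aliases would still be listed; that is fine as long as the unhashed password type has no aliases, which is worth stating in the `/* skip unhashed password */` comment.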
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 75f8e8f..2f0afc7 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -331,6 +331,7 @@ int entry_next_deleted_attribute( const Slapi_Entry *e, Slapi_Attr
**a);
/* entry.c */
int entry_apply_mods( Slapi_Entry *e, LDAPMod **mods );
int is_type_protected(const char *type);
+int is_type_forbidden(const char *type);
int slapi_entries_diff(Slapi_Entry **old_entries, Slapi_Entry **new_entries, int testall,
const char *logging_prestr, const int force_update, void *plg_id);