VERSION.sh | 2 -
ldap/servers/plugins/deref/deref.c | 6 ++++
ldap/servers/slapd/attr.c | 9 +++++-
ldap/servers/slapd/auditlog.c | 17 +++++++++++
ldap/servers/slapd/back-ldbm/ldbm_modify.c | 5 +++
ldap/servers/slapd/entry.c | 43 +++++++++++++++++++++++++----
ldap/servers/slapd/entrywsi.c | 29 ++++++++++++++++---
ldap/servers/slapd/libglobs.c | 19 ++++++++++++
ldap/servers/slapd/pblock.c | 16 ++++++++++
ldap/servers/slapd/plugin_internal_op.c | 27 ++++++++++++++----
ldap/servers/slapd/proto-slap.h | 5 ++-
ldap/servers/slapd/pw_mgmt.c | 5 ++-
ldap/servers/slapd/schema.c | 15 ++++++----
ldap/servers/slapd/slap.h | 2 +
ldap/servers/slapd/slapi-private.h | 1
15 files changed, 176 insertions(+), 25 deletions(-)
New commits:
commit 82abebea0b5e3c0b54dca17385edcce4f67ba9bb
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Thu Jun 21 15:22:48 2012 -0600
bump version to 1.2.10.11
diff --git a/VERSION.sh b/VERSION.sh
index 1fdb59e..7dc03d0 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=2
-VERSION_MAINT=10.10
+VERSION_MAINT=10.11
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
commit 271f6556e4b5f6fb568ff2a1bed869fdf787be5a
Author: Noriko Hosoi <nhosoi(a)totoro.usersys.redhat.com>
Date: Tue Jun 12 16:41:39 2012 -0700
Bug 829213 - unhashed#user#password visible after changing password
https://bugzilla.redhat.com/show_bug.cgi?id=829213
Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
https://bugzilla.redhat.com/show_bug.cgi?id=830001
Bug Description: unhashed#user#password is skipped when checking the acl
in acl_check_mod.
Fix Description: Set SLAPI_ATTR_FLAG_NOUSERMOD to unhashed#user#
password schema. It makes clients' modifying the unhashed password
fail by UNWILLING TO PERFORM.
(cherry picked from commit 1629311d7201a6a7842db15865e02042a2894383)
diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
index 28b0491..d6c897d 100644
--- a/ldap/servers/slapd/pw_mgmt.c
+++ b/ldap/servers/slapd/pw_mgmt.c
@@ -308,7 +308,10 @@ pw_init ( void ) {
slapi_add_internal_attr_syntax( PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
PSEUDO_ATTR_UNHASHEDUSERPASSWORD_OID,
- OCTETSTRING_SYNTAX_OID, 0, 0 );
+ OCTETSTRING_SYNTAX_OID, 0,
+ /* Clients don't need to directly modify
+ * PSEUDO_ATTR_UNHASHEDUSERPASSWORD */
+ SLAPI_ATTR_FLAG_NOUSERMOD );
}
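Review bot: The new comment says why clients need not touch the attribute but not what the flag does to them, which is the part a maintainer reading pw_init() will want; the commit message has the answer. I would extend the comment to `/* SLAPI_ATTR_FLAG_NOUSERMOD: client modifications of PSEUDO_ATTR_UNHASHEDUSERPASSWORD are rejected with UNWILLING_TO_PERFORM; only server-internal code may set it. */`, hedging the last clause if internal password handling is not exercised through this path. pw_init's body begins outside the hunk.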
commit f3c6aa463a133f9d1160042cf78463128601f173
Author: Noriko Hosoi <nhosoi(a)totoro.usersys.redhat.com>
Date: Mon Jun 11 16:57:50 2012 -0700
Bug 829213 - unhashed#user#password visible after changing password
https://bugzilla.redhat.com/show_bug.cgi?id=829213
Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
https://bugzilla.redhat.com/show_bug.cgi?id=830001
Bug Description: Deref still retrieved unhashed password.
Fix Description: Added code to Deref plugin to check the deref attribute.
If it is unhashed password, skip it.
(cherry picked from commit 26b5121d84232cf453fa917f11ba6518a40358ea)
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index 86055b2..772601c 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -634,6 +634,12 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char
*derefdn,
int needpartialattr = 1; /* need PartialAttribute sequence? */
int needvalsset = 1;
+ if (is_type_forbidden(retattrs[ii])) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
+ "skip forbidden attribute [%s]\n", derefdn);
+ continue;
+ }
+
deref_get_values(entries[0], retattrs[ii], &results,
&type_name_disposition,
&actual_type_name, flags, &buffer_flags);
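Review bot: The skip message claims to print the forbidden attribute but the argument passed is `derefdn`, so the log line will show a DN where the reader expects an attribute type. Change it to `"skip forbidden attribute [%s] of [%s]\n", retattrs[ii], derefdn` so both the type and the entry it was requested on are visible. The enclosing loop and deref_do_deref_attr start outside the hunk, so I cannot confirm the `continue` leaves no per-iteration state (needpartialattr/needvalsset) half-updated, but as written it exits before any output is emitted for this attribute.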
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 202fd7c..1c48793 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -624,7 +624,7 @@ int is_rootdse( const char *dn );
int get_entry_object_type();
int entry_computed_attr_init();
void send_referrals_from_entry(Slapi_PBlock *pb, Slapi_Entry *referral);
-
+int is_type_forbidden(const char *type);
/*
* dse.c
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index ce2e03c..db4a317 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -331,7 +331,6 @@ int entry_next_deleted_attribute( const Slapi_Entry *e, Slapi_Attr
**a);
/* entry.c */
int entry_apply_mods( Slapi_Entry *e, LDAPMod **mods );
int is_type_protected(const char *type);
-int is_type_forbidden(const char *type);
int slapi_entries_diff(Slapi_Entry **old_entries, Slapi_Entry **new_entries, int testall,
const char *logging_prestr, const int force_update, void *plg_id);
commit f91a1fd94f5a488e237f0d36e96d8db105c58ea7
Author: Noriko Hosoi <nhosoi(a)totoro.usersys.redhat.com>
Date: Fri Jun 8 14:22:24 2012 -0700
Ticket 365 - passwords in clear text in the audit log
Bug Description: after changing a user password, an additional modify is added to
the mods: "unhashed#user#password: <clear text password>"
e.g. PSEUDO_ATTR_UNHASHEDUSERPASSWORD
Fix Description: Added new config param
"nsslapd-audit-logging-hide-unhashed-pw".
The default is "on". When "on" that single
modify op is skipped from
the audit logging.
https://fedorahosted.org/389/ticket/365
(cherry picked from commit 43fb648fd4d7663c61c7ea7ff649ffddb9cbf006)
(cherry picked from commit 2f24c1f557c3698fb0ecf36b8187b30a6223f8af)
diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index 0128f2f..7dd8ff6 100644
--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -55,6 +55,7 @@ char *attr_changetype = ATTR_CHANGETYPE;
char *attr_newrdn = ATTR_NEWRDN;
char *attr_deleteoldrdn = ATTR_DELETEOLDRDN;
char *attr_modifiersname = ATTR_MODIFIERSNAME;
+static int hide_unhashed_pw = 1;
/* Forward Declarations */
static void write_audit_file( int optype, const char *dn, void *change, int flag, time_t
curtime );
@@ -151,6 +152,10 @@ write_audit_file(
for ( j = 0; mods[j] != NULL; j++ )
{
int operationtype= mods[j]->mod_op & ~LDAP_MOD_BVALUES;
+
+ if((strcmp(mods[j]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD) == 0) &&
hide_unhashed_pw){
+ continue;
+ }
switch ( operationtype )
{
case LDAP_MOD_ADD:
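Review bot: The filter uses case-sensitive `strcmp` on `mods[j]->mod_type`, while the rest of this series (is_type_forbidden in entry.c) treats attribute types case-insensitively, so a modify whose type is spelled with different case would still write the clear-text value into the audit log. Unless mod_type is guaranteed normalised by the time write_audit_file runs (not visible here), use `if (hide_unhashed_pw && (strcasecmp(mods[j]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD) == 0)) {`; checking the cheap flag first also avoids the string compare when hiding is off. write_audit_file and its loop begin outside the hunk.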
@@ -245,3 +250,15 @@ write_audit_file(
lenstr_free( &l );
}
+
+void
+auditlog_hide_unhashed_pw()
+{
+ hide_unhashed_pw = 1;
+}
+
+void
+auditlog_expose_unhashed_pw()
+{
+ hide_unhashed_pw = 0;
+}
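Review bot: Both new setters are defined with an empty parameter list, `auditlog_hide_unhashed_pw()`, which in C declares an unprototyped function rather than one taking no arguments; the matching prototypes added to proto-slap.h have the same form. Write them as `void auditlog_hide_unhashed_pw(void)` and `void auditlog_expose_unhashed_pw(void)` in both the definitions and the header so the compiler checks call sites. A one-line comment on `hide_unhashed_pw` saying it mirrors the nsslapd-auditlog-logging-hide-unhashed-pw config switch and defaults to on would also help the next reader.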
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index aafbd7e..14f8f20 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -453,6 +453,9 @@ static struct config_get_and_set {
{CONFIG_AUDITLOG_LOGGING_ENABLED_ATTRIBUTE, NULL,
log_set_logging, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_logging_enabled, CONFIG_ON_OFF,
NULL},
+ {CONFIG_AUDITLOG_LOGGING_HIDE_UNHASHED_PW, config_set_auditlog_unhashed_pw,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.auditlog_logging_hide_unhashed_pw,
CONFIG_ON_OFF, NULL},
{CONFIG_ACCESSLOG_BUFFERING_ATTRIBUTE, config_set_accesslogbuffering,
NULL, 0,
(void**)&global_slapdFrontendConfig.accesslogbuffering, CONFIG_ON_OFF, NULL},
@@ -1040,6 +1043,7 @@ FrontendConfig_init () {
cfg->auditlog_minfreespace = 5;
cfg->auditlog_exptime = 1;
cfg->auditlog_exptimeunit = slapi_ch_strdup("month");
+ cfg->auditlog_logging_hide_unhashed_pw = LDAP_ON;
cfg->entryusn_global = LDAP_OFF;
cfg->entryusn_import_init = slapi_ch_strdup("0");
@@ -1133,6 +1137,21 @@ get_entry_point( int ep_name, caddr_t *ep_addr )
return rc;
}
+int
+config_set_auditlog_unhashed_pw(const char *attrname, char *value, char *errorbuf, int
apply)
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ int retVal = LDAP_SUCCESS;
+
+ retVal = config_set_onoff ( attrname, value,
&(slapdFrontendConfig->auditlog_logging_hide_unhashed_pw),
+ errorbuf, apply);
+ if(strcasecmp(value,"on") == 0){
+ auditlog_hide_unhashed_pw();
+ } else {
+ auditlog_expose_unhashed_pw();
+ }
+ return retVal;
+}
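Review bot: The runtime switch is flipped regardless of whether config_set_onoff accepted the value and regardless of `apply`, so a rejected value such as "maybe" takes the else branch and starts exposing clear-text passwords in the audit log, and a validate-only pass (apply == 0) changes live behaviour as well; `strcasecmp(value, ...)` also dereferences value without a NULL check. Gate the toggle on `retVal == LDAP_SUCCESS && apply`, relying on config_set_onoff to have rejected NULL or non on/off input (assumed, its body is not in this diff).

```c
    /* … unchanged: config_set_onoff call … */
    /* Flip the audit-log switch only for a validated value that is really
     * being applied; a rejected or validate-only value must not change
     * whether clear-text passwords reach the log. */
    if ((LDAP_SUCCESS == retVal) && apply) {
        if (strcasecmp(value, "on") == 0) {
            auditlog_hide_unhashed_pw();
        } else {
            auditlog_expose_unhashed_pw();
        }
    }
    return retVal;
```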
/*
* Utility function called by many of the config_set_XXX() functions.
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index e60d1a8..202fd7c 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -379,6 +379,7 @@ int config_set_entryusn_global( const char *attrname, char *value,
char *errorbu
int config_set_allowed_to_delete_attrs( const char *attrname, char *value, char
*errorbuf, int apply );
int config_set_entryusn_import_init( const char *attrname, char *value, char *errorbuf,
int apply );
int config_set_default_naming_context( const char *attrname, char *value, char *errorbuf,
int apply );
+int config_set_auditlog_unhashed_pw(const char *attrname, char *value, char *errorbuf,
int apply);
#if !defined(_WIN32) && !defined(AIX)
int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int
apply );
@@ -1176,6 +1177,8 @@ void factory_destroy_extension(int type,void *object,void
*parent,void **extensi
*/
void write_audit_log_entry( Slapi_PBlock *pb);
+void auditlog_hide_unhashed_pw();
+void auditlog_expose_unhashed_pw();
/*
* eventq.c
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index b855ff0..c01e590 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1856,6 +1856,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_ACCESSLOG_LOGGING_ENABLED_ATTRIBUTE
"nsslapd-accesslog-logging-enabled"
#define CONFIG_ERRORLOG_LOGGING_ENABLED_ATTRIBUTE
"nsslapd-errorlog-logging-enabled"
#define CONFIG_AUDITLOG_LOGGING_ENABLED_ATTRIBUTE
"nsslapd-auditlog-logging-enabled"
+#define CONFIG_AUDITLOG_LOGGING_HIDE_UNHASHED_PW
"nsslapd-auditlog-logging-hide-unhashed-pw"
#define CONFIG_ROOTDN_ATTRIBUTE "nsslapd-rootdn"
#define CONFIG_ROOTPW_ATTRIBUTE "nsslapd-rootpw"
#define CONFIG_ROOTPWSTORAGESCHEME_ATTRIBUTE "nsslapd-rootpwstoragescheme"
@@ -2134,6 +2135,7 @@ typedef struct _slapdFrontendConfig {
int auditlog_minfreespace;
int auditlog_exptime;
char *auditlog_exptimeunit;
+ int auditlog_logging_hide_unhashed_pw;
int return_exact_case; /* Return attribute names with the same case
* as they appear in at.conf */
commit 7059152aad67625f7d5bd56e8a6b2b7f5cec2b70
Author: Noriko Hosoi <nhosoi(a)totoro.usersys.redhat.com>
Date: Fri Jun 8 11:39:56 2012 -0700
Bug 829213 - unhashed#user#password visible after changing password
https://bugzilla.redhat.com/show_bug.cgi?id=829213
Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
https://bugzilla.redhat.com/show_bug.cgi?id=830001
Bug Description: unhashed password is stored in the entry in memory
when an entry/a password is added or the password is modified.
The password could be visible by the ordinary search if the type
"unhashed#user#password" is specified in the attribute list.
Fix Description:
1. Set "unhashed#user#password" to the forbidden attribute list,
which is dropped from the search attribute list.
2. Get effective right does not return "unhashed#user#password"
3. In the modify operation, adding "unhashed#user#password" to or
deleting "unhashed#user#password" from the entry never returns
an error regardless of the attribute value. Internally, the
operation is ignored.
(cherry picked from commit 9df3c438ebd05bbaa5e7b2506fc5d5e9f3ff4a95)
(Fixed conflicts in ldap/servers/slapd/{entry.c,entrywsi.c,slapi-private.h})
(cherry picked from commit 8f0811a86a1b233cf9566349653ef7f184278144)
diff --git a/ldap/servers/slapd/attr.c b/ldap/servers/slapd/attr.c
index 26d5947..6072ba4 100644
--- a/ldap/servers/slapd/attr.c
+++ b/ldap/servers/slapd/attr.c
@@ -805,7 +805,14 @@ attr_add_valuearray(Slapi_Attr *a, Slapi_Value **vals, const char
*dn)
for ( i = 0; vals[i] != NULL; ++i ) {
if ( slapi_attr_value_find( a, slapi_value_get_berval(vals[i]) ) == 0 ) {
duplicate_index = i;
- rc = LDAP_TYPE_OR_VALUE_EXISTS;
+ if (is_type_forbidden(a->a_type)) {
+ /* If the attr is in the forbidden list
+ * (e.g., unhashed password),
+ * we don't return any useful info to the clients. */
+ rc = LDAP_OTHER;
+ } else {
+ rc = LDAP_TYPE_OR_VALUE_EXISTS;
+ }
break;
}
}
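Review bot: Using the generic LDAP_OTHER as the private signal for "duplicate value of a forbidden attribute" overloads a code that any other failure on the modify path may legitimately produce, and the ldbm_modify.c hunk then rewrites every LDAP_OTHER to 0 before `goto error_return`, so a genuine internal error while applying mods would now be reported to the client as success while the change is silently dropped. Either have ldbm_back_modify clear the code only when the failing mod's type is forbidden, or introduce a distinct internal sentinel that the backend maps to success and leave real LDAP_OTHER results alone. attr_add_valuearray starts outside the hunk; the same concern applies to the ldbm_modify.c hunk that consumes this value.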
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index 943a095..ca8216f 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -336,6 +336,11 @@ ldbm_back_modify( Slapi_PBlock *pb )
}
if ( !change_entry || ldap_result_code != 0 ) {
/* change_entry == 0 is not an error, but we need to free lock etc */
+ if (LDAP_OTHER == ldap_result_code) {
+ /* We don't proceed the op, but we don't want to return the reason.
+ * E.g., unhashed password modify failed. */
+ ldap_result_code = 0;
+ }
goto error_return;
}
}
diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
index 5afba09..a292b87 100644
--- a/ldap/servers/slapd/entry.c
+++ b/ldap/servers/slapd/entry.c
@@ -63,7 +63,6 @@
/* a helper function to set special rdn to a tombstone entry */
static int _entry_set_tombstone_rdn(Slapi_Entry *e, const char *normdn);
-static int is_type_protected(const char *type);
/* protected attributes which are not included in the flattened entry,
* which will be stored in the db. */
@@ -71,6 +70,9 @@ static char *protected_attrs_all [] =
{PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
SLAPI_ATTR_ENTRYDN,
NULL};
+static char *forbidden_attrs [] = {PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
+ NULL};
+
/*
* An attribute name is of the form 'basename[;option]'.
* The state informaion is encoded in options. For example:
@@ -1613,7 +1615,7 @@ entry2str_internal_put_valueset( const char *attrtype, const CSN
*attrcsn, CSNTy
}
}
-static int
+int
is_type_protected(const char *type)
{
char **paap = NULL;
@@ -1625,6 +1627,18 @@ is_type_protected(const char *type)
return 0;
}
+int
+is_type_forbidden(const char *type)
+{
+ char **paap = NULL;
+ for (paap = forbidden_attrs; paap && *paap; paap++) {
+ if (0 == strcasecmp(type, *paap)) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
static void
entry2str_internal_put_attrlist( const Slapi_Attr *attrlist, int attr_state, int
entry2str_ctrl, char **ecur, char **typebuf, size_t *typebuf_len)
{
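Review bot: is_type_forbidden passes `type` straight to strcasecmp, so a NULL type is undefined behaviour; the callers added in this series (pblock.c, deref.c, attr.c) happen to pass non-NULL strings, but a public helper declared in a header should not depend on that, and a guard `if (NULL == type) { return 0; }` at the top costs nothing. The body is otherwise a copy of is_type_protected with a different table; a small `static int type_in_list(const char *type, char **list)` shared by both would keep the two from drifting. A header comment stating that forbidden types are never returned by searches and are dropped from SLAPI_SEARCH_ATTRS would also document the contract that the other hunks rely on.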
@@ -3405,12 +3419,25 @@ delete_values_sv_internal(
Slapi_Attr *a;
int retVal= LDAP_SUCCESS;
+ /*
+ * If type is in the protected_attrs_all list, we could ignore the failure,
+ * as the attribute could only exist in the entry in the memory when the
+ * add/mod operation is done, while the retried entry from the db does not
+ * contain the attribute.
+ */
+ if (is_type_protected(type) || is_type_forbidden(type)) {
+ flags |= SLAPI_VALUE_FLAG_IGNOREERROR;
+ }
+
/* delete the entire attribute */
if ( valuestodelete == NULL || valuestodelete[0] == NULL ){
LDAPDebug( LDAP_DEBUG_ARGS, "removing entire attribute %s\n",
type, 0, 0 );
- return( attrlist_delete( &e->e_attrs, type) ?
- LDAP_NO_SUCH_ATTRIBUTE : LDAP_SUCCESS );
+ retVal = attrlist_delete( &e->e_attrs, type);
+ if (flags & SLAPI_VALUE_FLAG_IGNOREERROR) {
+ return LDAP_SUCCESS;
+ }
+ return(retVal ? LDAP_NO_SUCH_ATTRIBUTE : LDAP_SUCCESS);
}
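Review bot: The new comment says "the retried entry from the db" where "retrieved" is meant; the same wording is repeated in the entrywsi.c hunk. I would also state in that comment that `flags` is widened locally so that the IGNOREERROR handling below covers both the protected and the forbidden lists, since the parameter's declaration and the start of delete_values_sv_internal are outside the hunk.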
/* delete specific values - find the attribute first */
@@ -3418,6 +3445,9 @@ delete_values_sv_internal(
if ( a == NULL ) {
LDAPDebug( LDAP_DEBUG_ARGS, "could not find attribute %s\n",
type, 0, 0 );
+ if (flags & SLAPI_VALUE_FLAG_IGNOREERROR) {
+ return LDAP_SUCCESS;
+ }
return( LDAP_NO_SUCH_ATTRIBUTE );
}
@@ -3446,8 +3476,11 @@ delete_values_sv_internal(
"value for attribute type %s found in "
"entry %s\n", a->a_type, slapi_entry_get_dn_const(e), 0 );
}
+ if (flags & SLAPI_VALUE_FLAG_IGNOREERROR) {
+ retVal = LDAP_SUCCESS;
+ }
}
- }
+ }
return( retVal );
}
diff --git a/ldap/servers/slapd/entrywsi.c b/ldap/servers/slapd/entrywsi.c
index a749cee..d812783 100644
--- a/ldap/servers/slapd/entrywsi.c
+++ b/ldap/servers/slapd/entrywsi.c
@@ -634,14 +634,33 @@ entry_delete_present_values_wsi(Slapi_Entry *e, const char *type,
struct berval
}
else if (attr_state==ATTRIBUTE_DELETED)
{
- retVal= LDAP_NO_SUCH_ATTRIBUTE;
+ /* If the type is in the forbidden attr list (e.g., unhashed password),
+ * we don't return the reason of the failure to the clients. */
+ if (is_type_forbidden(type)) {
+ retVal = LDAP_SUCCESS;
+ } else {
+ retVal= LDAP_NO_SUCH_ATTRIBUTE;
+ }
}
else if (attr_state==ATTRIBUTE_NOTFOUND)
{
- if (!urp)
- {
- /* Only warn if not urping */
- LDAPDebug( LDAP_DEBUG_ARGS, "could not find attribute %s\n", type, 0, 0 );
+ /*
+ * If type is in the protected_attrs_all list, we could ignore the
+ * failure, as the attribute could only exist in the entry in the
+ * memory when the add/mod operation is done, while the retried entry
+ * from the db does not contain the attribute.
+ * So is in the forbidden_attrs list. We don't return the reason
+ * of the failure.
+ */
+ if (is_type_protected(type) || is_type_forbidden(type)) {
+ retVal = LDAP_SUCCESS;
+ } else {
+ if (!urp) {
+ /* Only warn if not urping */
+ LDAPDebug1Arg(LDAP_DEBUG_ARGS, "could not find attribute %s\n",
+ type);
+ }
+ retVal = LDAP_NO_SUCH_ATTRIBUTE;
}
retVal= LDAP_NO_SUCH_ATTRIBUTE;
/* NOTE: LDAP says that a MOD REPLACE with no vals of a non-existent
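Review bot: The new ATTRIBUTE_NOTFOUND branch assigns `retVal = LDAP_SUCCESS` for protected and forbidden types, but the unchanged context line immediately after the else block, `retVal= LDAP_NO_SUCH_ATTRIBUTE;`, overwrites it unconditionally, so the new code is dead and a modify that deletes unhashed#user#password from an entry that lacks it still reports NO_SUCH_ATTRIBUTE, contrary to point 3 of the commit message. The old assignment should be removed now that both arms of the if/else set retVal themselves; this looks like a leftover from the conflict resolution the message mentions. The rest of the branch (the NOTE about MOD REPLACE) and entry_delete_present_values_wsi continue outside the hunk, so check whether anything further down also resets retVal.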
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index 79d96f0..523d672 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -3006,6 +3006,22 @@ slapi_pblock_set( Slapi_PBlock *pblock, int arg, void *value )
case SLAPI_SEARCH_ATTRS:
if(pblock->pb_op!=NULL)
{
+ char **attrs;
+ for (attrs = (char **)value; attrs && *attrs; attrs++) {
+ /* Get rid of forbidden attr, e.g.,
+ * PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
+ * which never be returned. */
+ if (is_type_forbidden(*attrs)) {
+ char **ptr;
+ for (ptr = attrs; ptr && *ptr; ptr++) {
+ if (ptr == attrs) {
+ slapi_ch_free_string(ptr); /* free unhashed type */
+ }
+ *ptr = *(ptr + 1); /* attrs is NULL terminated;
+ the NULL is copied here. */
+ }
+ }
+ }
pblock->pb_op->o_params.p.p_search.search_attrs = (char **) value;
}
break;
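Review bot: The in-place removal shifts the remaining entries down one slot but the outer `for` then advances `attrs`, so the element that just moved into the current slot is never examined; a request listing the forbidden attribute twice in a row keeps the second copy and returns the unhashed password. A read/write compaction pass avoids the problem and is simpler than the nested shift loop; it also mutates the caller's array in place exactly as before, which is why the plugin_internal_op.c hunks duplicate the array first (worth a comment here, since any other caller passing a static or shared array will have it modified).

```c
            char **src, **dst;
            /* Drop forbidden attrs, e.g. PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
             * which must never be returned; compact value in place. */
            for (src = dst = (char **)value; src && *src; src++) {
                if (is_type_forbidden(*src)) {
                    slapi_ch_free_string(src); /* free unhashed type */
                } else {
                    *dst++ = *src;
                }
            }
            if (dst) {
                *dst = NULL; /* keep the array NULL terminated */
            }
            pblock->pb_op->o_params.p.p_search.search_attrs = (char **) value;
```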
diff --git a/ldap/servers/slapd/plugin_internal_op.c
b/ldap/servers/slapd/plugin_internal_op.c
index 9654780..412c7c3 100644
--- a/ldap/servers/slapd/plugin_internal_op.c
+++ b/ldap/servers/slapd/plugin_internal_op.c
@@ -291,6 +291,7 @@ slapi_search_internal_set_pb (Slapi_PBlock *pb, const char *base,
int operation_flags)
{
Operation *op;
+ char **tmp_attrs = NULL;
if (pb == NULL || base == NULL)
{
slapi_log_error(SLAPI_LOG_FATAL, NULL,
@@ -304,7 +305,9 @@ slapi_search_internal_set_pb (Slapi_PBlock *pb, const char *base,
slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &scope);
slapi_pblock_set(pb, SLAPI_SEARCH_STRFILTER, (void*)filter);
slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
- slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, attrs);
+ /* forbidden attrs could be removed in slapi_pblock_set. */
+ tmp_attrs = slapi_ch_array_dup(attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, tmp_attrs);
slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
if (uniqueid)
{
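Review bot: The comment says the forbidden attrs "could be removed" but not the consequence that matters to callers: from this line on the pblock owns a heap copy and the caller's `attrs` is never touched or freed by the server. I would write `/* slapi_pblock_set may strip forbidden attrs in place, so hand the pblock its own copy; it is released in search_internal_callback_pb. */`, and the same comment belongs in the two identical additions in slapi_search_internal_set_pb_ext and slapi_seq_internal_set_pb. slapi_search_internal_set_pb starts outside the hunk.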
@@ -322,6 +325,7 @@ slapi_search_internal_set_pb_ext (Slapi_PBlock *pb, Slapi_DN *sdn,
int operation_flags)
{
Operation *op;
+ char **tmp_attrs = NULL;
if (pb == NULL || sdn == NULL)
{
slapi_log_error(SLAPI_LOG_FATAL, NULL,
@@ -337,7 +341,9 @@ slapi_search_internal_set_pb_ext (Slapi_PBlock *pb, Slapi_DN *sdn,
slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &scope);
slapi_pblock_set(pb, SLAPI_SEARCH_STRFILTER, (void*)filter);
slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
- slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, attrs);
+ /* forbidden attrs could be removed in slapi_pblock_set. */
+ tmp_attrs = slapi_ch_array_dup(attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, tmp_attrs);
slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
if (uniqueid)
{
@@ -351,6 +357,7 @@ void slapi_seq_internal_set_pb(Slapi_PBlock *pb, char *base, int type,
char *att
Slapi_ComponentId *plugin_identity, int operation_flags)
{
Operation *op;
+ char **tmp_attrs = NULL;
if (pb == NULL || base == NULL)
{
slapi_log_error(SLAPI_LOG_FATAL, NULL,
@@ -364,8 +371,10 @@ void slapi_seq_internal_set_pb(Slapi_PBlock *pb, char *base, int
type, char *att
slapi_pblock_set(pb, SLAPI_SEQ_TYPE, &type);
slapi_pblock_set(pb, SLAPI_SEQ_ATTRNAME, attrname);
slapi_pblock_set(pb, SLAPI_SEQ_VAL, val);
- slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, attrs);
- slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
+ /* forbidden attrs could be removed in slapi_pblock_set. */
+ tmp_attrs = slapi_ch_array_dup(attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, tmp_attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
slapi_pblock_set(pb, SLAPI_PLUGIN_IDENTITY, plugin_identity);
}
@@ -383,6 +392,7 @@ static int seq_internal_callback_pb (Slapi_PBlock *pb, void
*callback_data,
char *base;
char *attrname, *val;
Slapi_DN *sdn = NULL;
+ char **tmp_attrs = NULL;
slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, (void *)&base );
slapi_pblock_get(pb, SLAPI_CONTROLS_ARG, &controls);
@@ -445,6 +455,9 @@ static int seq_internal_callback_pb (Slapi_PBlock *pb, void
*callback_data,
slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
slapi_sdn_free(&sdn);
slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, NULL);
+ slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &tmp_attrs);
+ slapi_ch_array_free(tmp_attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, NULL);
return rc;
}
@@ -731,6 +744,7 @@ search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
char *ifstr;
int opresult;
int rc = 0;
+ char **tmp_attrs = NULL;
PR_ASSERT (pb);
@@ -801,10 +815,13 @@ search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
done:
slapi_ch_free((void **) & fstr);
- if (filter != NULL)
+ if (filter != NULL)
{
slapi_filter_free(filter, 1 /* recurse */);
}
+ slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &tmp_attrs);
+ slapi_ch_array_free(tmp_attrs);
+ slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, NULL);
return(rc);
}
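Review bot: The cleanup frees whatever is in SLAPI_SEARCH_ATTRS, which is correct for pblocks filled by the set_pb helpers in this commit but is an ownership change for any caller that set SLAPI_SEARCH_ATTRS itself with a static or caller-owned array and then ran the internal search; those arrays would now be freed (or, for static storage, passed to free) out from under them. Unless every path into search_internal_callback_pb is known to go through the dup'ing helpers (not visible here), either document the new rule at the set_pb entry points or mark the array as pblock-owned in a way the cleanup can check. The seq_internal_callback_pb hunk has the same free and the same caveat; search_internal_callback_pb starts outside the hunk.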
diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
index 5f1438b..8f3be98 100644
--- a/ldap/servers/slapd/schema.c
+++ b/ldap/servers/slapd/schema.c
@@ -1387,15 +1387,18 @@ schema_list_attributes_callback(struct asyntaxinfo *asi, void
*arg)
return ATTR_SYNTAX_ENUM_NEXT;
}
if (aew->flag && (asi->asi_flags & aew->flag)) {
- charray_add(&aew->attrs, slapi_ch_strdup(asi->asi_name));
+ /* skip unhashed password */
+ if (!is_type_forbidden(asi->asi_name)) {
+ charray_add(&aew->attrs, slapi_ch_strdup(asi->asi_name));
if (NULL != asi->asi_aliases) {
- int i;
+ int i;
- for ( i = 0; asi->asi_aliases[i] != NULL; ++i ) {
+ for ( i = 0; asi->asi_aliases[i] != NULL; ++i ) {
charray_add(&aew->attrs,
- slapi_ch_strdup(asi->asi_aliases[i]));
- }
- }
+ slapi_ch_strdup(asi->asi_aliases[i]));
+ }
+ }
+ }
}
return ATTR_SYNTAX_ENUM_NEXT;
}
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 2ef4288..ce2e03c 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -330,6 +330,8 @@ int entry_next_deleted_attribute( const Slapi_Entry *e, Slapi_Attr
**a);
/* entry.c */
int entry_apply_mods( Slapi_Entry *e, LDAPMod **mods );
+int is_type_protected(const char *type);
+int is_type_forbidden(const char *type);
int slapi_entries_diff(Slapi_Entry **old_entries, Slapi_Entry **new_entries, int testall,
const char *logging_prestr, const int force_update, void *plg_id);