Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31927/ldap/servers/slapd
Modified Files:
pw.c result.c
Log Message:
Resolves: 216522
Summary: Make password modify extop use fine-grained password policies correctly.
Index: pw.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/pw.c,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- pw.c 27 Aug 2008 21:05:49 -0000 1.18
+++ pw.c 24 Nov 2008 17:16:55 -0000 1.19
@@ -1414,9 +1414,7 @@
slapi_pblock_get( pb, SLAPI_OPERATION, &op);
slapi_pblock_get( pb, SLAPI_OPERATION_TYPE, &optype );
- if (slapdFrontendConfig->pwpolicy_local == 1) {
- if ( !operation_is_flag_set( op, OP_FLAG_INTERNAL ) && dn ) {
-
+ if (dn && (slapdFrontendConfig->pwpolicy_local == 1)) {
/* If we're doing an add, COS does not apply yet so we check
parents for the pwdpolicysubentry. We look only for virtual
attributes, because real ones are for single-target policy. */
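Review bot: Nothing at the new `if (dn && (slapdFrontendConfig->pwpolicy_local == 1))` records why the `operation_is_flag_set( op, OP_FLAG_INTERNAL )` test was dropped, so every internal operation with a target DN now takes the local-policy lookup without explanation. Assuming the reason is the one the log message gives, a comment such as `/* Internal operations are included on purpose: the password modify extop must see the fine-grained policy of the target entry. */` would keep a later reader from restoring the guard and re-opening the policy bypass. `op` is still fetched just above the condition; the function continues outside the hunk, so it is not visible whether that `slapi_pblock_get` is still needed.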
@@ -1462,196 +1460,195 @@
}
if (values != NULL) {
- Slapi_Value *v = NULL;
- const struct berval *bvp = NULL;
+ Slapi_Value *v = NULL;
+ const struct berval *bvp = NULL;
- if ( ((rc = slapi_valueset_first_value( values, &v )) != -1) &&
- ( bvp = slapi_value_get_berval( v )) != NULL ) {
- if ( bvp != NULL ) {
- /* we got the pwdpolicysubentry value */
- pw_entry = get_entry ( pb, bvp->bv_val);
- }
- }
+ if ( ((rc = slapi_valueset_first_value( values, &v )) != -1) &&
+ ( bvp = slapi_value_get_berval( v )) != NULL ) {
+ if ( bvp != NULL ) {
+ /* we got the pwdpolicysubentry value */
+ pw_entry = get_entry ( pb, bvp->bv_val);
+ }
+ }
- slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
+ slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
- slapi_entry_free( e );
+ slapi_entry_free( e );
- if ( pw_entry == NULL ) {
- LDAPDebug(LDAP_DEBUG_ANY, "loading global password policy for %s"
- "--local policy entry not found\n", escape_string(dn, ebuf),0,0);
- goto done;
- }
+ if ( pw_entry == NULL ) {
+ LDAPDebug(LDAP_DEBUG_ANY, "loading global password policy for %s"
+ "--local policy entry not found\n", escape_string(dn, ebuf),0,0);
+ goto done;
+ }
- for (slapi_entry_first_attr(pw_entry, &attr); attr;
- slapi_entry_next_attr(pw_entry, attr, &attr))
- {
- slapi_attr_get_type(attr, &attr_name);
- if (!strcasecmp(attr_name, "passwordminage")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_minage = slapi_value_get_long(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordmaxage")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_maxage = slapi_value_get_long(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordwarning")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_warning = slapi_value_get_long(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordhistory")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_history =
- pw_boolean_str2value(slapi_value_get_string(*sval));
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordinhistory")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_inhistory = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordlockout")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_lockout =
- pw_boolean_str2value(slapi_value_get_string(*sval));
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordmaxfailure")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_maxfailure = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordunlock")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_unlock =
- pw_boolean_str2value(slapi_value_get_string(*sval));
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordlockoutduration")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_lockduration = slapi_value_get_long(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordresetfailurecount")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_resetfailurecount = slapi_value_get_long(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordchange")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_change =
- pw_boolean_str2value(slapi_value_get_string(*sval));
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordmustchange")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_must_change =
- pw_boolean_str2value(slapi_value_get_string(*sval));
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordchecksyntax")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_syntax =
- pw_boolean_str2value(slapi_value_get_string(*sval));
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordminlength")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_minlength = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name,
"passwordmindigits")) {
- if ((sval =
attr_get_present_values(attr))) {
- pwdpolicy->pw_mindigits =
slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordminalphas")) {
- if ((sval =
attr_get_present_values(attr))) {
- pwdpolicy->pw_minalphas =
slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name,
"passwordminuppers")) {
- if ((sval =
attr_get_present_values(attr))) {
- pwdpolicy->pw_minuppers =
slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name,
"passwordminlowers")) {
- if ((sval =
attr_get_present_values(attr))) {
- pwdpolicy->pw_minlowers =
slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name,
"passwordminspecials")) {
- if ((sval =
attr_get_present_values(attr))) {
- pwdpolicy->pw_minspecials =
slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordmin8bit")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_min8bit = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordmaxrepeats")) {
- if ((sval =
attr_get_present_values(attr))) {
- pwdpolicy->pw_maxrepeats =
slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name,
"passwordmincategories")) {
- if ((sval =
attr_get_present_values(attr))) {
- pwdpolicy->pw_mincategories =
slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name,
"passwordmintokenlength")) {
- if ((sval =
attr_get_present_values(attr))) {
- pwdpolicy->pw_mintokenlength =
slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordexp")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_exp =
- pw_boolean_str2value(slapi_value_get_string(*sval));
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordgracelimit")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_gracelimit = slapi_value_get_int(*sval);
- }
+ for (slapi_entry_first_attr(pw_entry, &attr); attr;
+ slapi_entry_next_attr(pw_entry, attr, &attr))
+ {
+ slapi_attr_get_type(attr, &attr_name);
+ if (!strcasecmp(attr_name, "passwordminage")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_minage = slapi_value_get_long(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmaxage")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_maxage = slapi_value_get_long(*sval);
}
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordwarning")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_warning = slapi_value_get_long(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordhistory")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_history =
+ pw_boolean_str2value(slapi_value_get_string(*sval));
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordinhistory")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_inhistory = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordlockout")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_lockout =
+ pw_boolean_str2value(slapi_value_get_string(*sval));
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmaxfailure")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_maxfailure = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordunlock")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_unlock =
+ pw_boolean_str2value(slapi_value_get_string(*sval));
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordlockoutduration")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_lockduration = slapi_value_get_long(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordresetfailurecount")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_resetfailurecount = slapi_value_get_long(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordchange")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_change =
+ pw_boolean_str2value(slapi_value_get_string(*sval));
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmustchange")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_must_change =
+ pw_boolean_str2value(slapi_value_get_string(*sval));
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordchecksyntax")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_syntax =
+ pw_boolean_str2value(slapi_value_get_string(*sval));
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordminlength")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_minlength = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmindigits")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_mindigits = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordminalphas")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_minalphas = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordminuppers")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_minuppers = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordminlowers")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_minlowers = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordminspecials")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_minspecials = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmin8bit")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_min8bit = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmaxrepeats")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_maxrepeats = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmincategories")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_mincategories = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmintokenlength")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_mintokenlength = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordexp")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_exp =
+ pw_boolean_str2value(slapi_value_get_string(*sval));
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordgracelimit")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_gracelimit = slapi_value_get_int(*sval);
+ }
+ }
- } /* end of for() loop */
- if (pw_entry) {
- slapi_entry_free(pw_entry);
- }
- return pwdpolicy;
- } else if ( e ) {
- slapi_entry_free( e );
+ } /* end of for() loop */
+ if (pw_entry) {
+ slapi_entry_free(pw_entry);
}
+ return pwdpolicy;
+ } else if ( e ) {
+ slapi_entry_free( e );
}
}
Index: result.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/result.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- result.c 29 Oct 2008 19:16:29 -0000 1.16
+++ result.c 24 Nov 2008 17:16:55 -0000 1.17
@@ -293,17 +293,12 @@
char *dn;
passwdPolicy *pwpolicy = NULL;
-
- slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
- pwpolicy = new_passwdPolicy(pb, dn);
-
slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
if ( ber != NULL ) {
flush_ber_element = 0;
}
-
if(err != LDAP_SUCCESS){
/* count the error for snmp */
/* first check for security errors */
@@ -370,10 +365,12 @@
/* invalid password. Update the password retry here */
/* put this here for now. It could be a send_result pre-op plugin. */
- if ( err == LDAP_INVALID_CREDENTIALS &&
- pwpolicy->pw_lockout == 1 ) {
-
- update_pw_retry ( pb );
+ if (err == LDAP_INVALID_CREDENTIALS) {
+ slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
+ pwpolicy = new_passwdPolicy(pb, dn);
+ if (pwpolicy && (pwpolicy->pw_lockout == 1)) {
+ update_pw_retry ( pb );
+ }
}
if ( ber == NULL ) {
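Review bot: `dn` is still declared without an initializer (`char *dn;` in the previous hunk) and the result of `slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn )` is not checked, so if that get ever fails `new_passwdPolicy` receives an indeterminate pointer. Declaring it as `char *dn = NULL;` would make that case hit the `dn &&` guard added in pw.c instead. When `new_passwdPolicy` returns NULL the new `if (pwpolicy && ...)` skips `update_pw_retry ( pb )` silently, so the failed bind is not counted toward lockout; a log line on that path would make the gap visible to operators. No visible line releases `pwpolicy`; if it is allocated per call (the allocation is outside these hunks), it needs freeing here, because this path runs on every invalid-credentials result. The enclosing function starts and ends outside the hunk.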