ldap/servers/slapd/pw.c | 52 +++++++++++++++++++++++++-----------------------
1 file changed, 28 insertions(+), 24 deletions(-)
New commits:
commit 0a7ff4a01c3d226067c63bd87e37f9053e066ae0
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Tue Jun 18 17:19:13 2013 -0400
Ticket 47389 - Non-directory manager can change the individual userPassword's
storage scheme
Bug Description: If password syntax checking is off, it is possible for a privileged user
to change the password storage scheme when updating a password.
Fix Description: Move the existing "scheme check" outside of the syntax
check statement block.
https://fedorahosted.org/389/ticket/47389
Reviewed by: richm(Thanks!)
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index eb4ebd4..b9d54a3 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -809,6 +809,32 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn,
Slapi_Value **vals,
slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
internal_op = slapi_operation_is_flag_set(operation, SLAPI_OP_FLAG_INTERNAL);
+ /*
+ * Check if password is already hashed and reject if so. We need to
+ * allow the root DN, password admins, and replicated ops to send
+ * pre-hashed passwords. We also check for a connection object
+ * when processing an internal operation to handle a special
+ * case for the password modify extended operation.
+ */
+ for ( i = 0; vals[ i ] != NULL; ++i ){
+ if (slapi_is_encoded((char *)slapi_value_get_string(vals[i]))) {
+ if ((!is_replication && ((internal_op && pb->pb_conn &&
!slapi_dn_isroot(pb->pb_conn->c_dn)) ||
+ (!internal_op && !pw_is_pwp_admin(pb, pwpolicy))))) {
+ PR_snprintf( errormsg, BUFSIZ,
+ "invalid password syntax - passwords with storage scheme are not
allowed");
+ if ( pwresponse_req == 1 ) {
+ slapi_pwpolicy_make_response_control ( pb, -1, -1,
+ LDAP_PWPOLICY_INVALIDPWDSYNTAX );
+ }
+ pw_send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL, errormsg, 0, NULL );
+ return( 1 );
+ } else {
+ /* We want to skip syntax checking since this is a pre-hashed password */
+ return( 0 );
+ }
+ }
+ }
+
if ( pwpolicy->pw_syntax == 1 ) {
for ( i = 0; vals[ i ] != NULL; ++i ) {
int syntax_violation = 0;
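Review bot: The `return( 0 );` in the `else` branch of the new pre-hash loop leaves check_pw_syntax_ext as soon as one allowed pre-hashed value is found, so when `vals` carries more than one value every other value, hashed or plain text, skips the `pw_syntax == 1` checks that follow; because this loop now runs before the syntax loop, even a plain-text value that precedes the hash in `vals` is no longer checked, which the old in-loop placement did check. The privilege test does not depend on the value, so a single decision per operation is enough, but the exemption should be per value: replace that return with `continue;` and start the syntax loop body with `if (slapi_is_encoded((char *)slapi_value_get_string(vals[i]))) continue;` so pre-hashed values stay exempt while plain-text siblings are still validated. The early `return( 0 )` also means the function's caller cannot distinguish "all values pre-hashed" from "all values passed syntax"; a short comment above the loop stating that an accepted hash exempts the whole modification would at least make the current behaviour explicit. check_pw_syntax_ext begins and ends outside this hunk, so whether callers ever pass multi-valued `vals` here is not visible from the diff.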
@@ -822,29 +848,6 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn,
Slapi_Value **vals,
int max_repeated = 0;
int num_categories = 0;
- /* Check if password is already hashed and reject if so. We
- * We need to allow the root DN and replicated ops to send
- * pre-hashed passwords. We also check for a connection object
- * when processing an internal operation to handle a special
- * case for the password modify extended operation. */
- if (slapi_is_encoded((char *)slapi_value_get_string(vals[i]))) {
- if ((!is_replication && ((internal_op && pb->pb_conn &&
!slapi_dn_isroot(pb->pb_conn->c_dn)) ||
- (!internal_op && !pw_is_pwp_admin(pb, pwpolicy))))) {
- PR_snprintf( errormsg, BUFSIZ,
- "invalid password syntax - passwords with storage scheme are not
allowed");
- if ( pwresponse_req == 1 ) {
- slapi_pwpolicy_make_response_control ( pb, -1, -1,
- LDAP_PWPOLICY_INVALIDPWDSYNTAX );
- }
- pw_send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL, errormsg, 0, NULL );
- return( 1 );
- } else {
- /* We want to skip syntax checking since this is a pre-hashed
- * password from replication or the root DN. */
- return( 0 );
- }
- }
-
/* check for the minimum password length */
if ( pwpolicy->pw_minlength >
ldap_utf8characters((char *)slapi_value_get_string( vals[i] )) )
@@ -1061,8 +1064,9 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn,
Slapi_Value **vals,
if ( mod_op ) {
/* free e only when called by modify operation */
- slapi_entry_free( e );
+ slapi_entry_free( e );
}
+
return 0; /* success */
}