ldap/servers/plugins/acl/acl.c | 4 +- ldap/servers/slapd/add.c | 17 -------- ldap/servers/slapd/attrsyntax.c | 36 ++++++++++++++++++ ldap/servers/slapd/back-ldbm/id2entry.c | 15 ------- ldap/servers/slapd/back-ldbm/init.c | 57 ++++------------------------- ldap/servers/slapd/entry.c | 61 +++++++++++++++++++++++--------- ldap/servers/slapd/modify.c | 35 ------------------ ldap/servers/slapd/pw_mgmt.c | 4 ++ ldap/servers/slapd/slap.h | 2 + ldap/servers/slapd/slapi-plugin.h | 1 ldap/servers/slapd/slapi-private.h | 2 + 11 files changed, 101 insertions(+), 133 deletions(-)
New commits: commit c06a8faa9140668836dcf02722908319ec2e6e1e Author: Noriko Hosoi nhosoi@jiji.usersys.redhat.com Date: Tue Oct 18 14:16:44 2011 -0700
Keep unhashed password psuedo-attribute in the adding entry
Description: unhashed password pseudo-attribute is necessary for plugins that handle passwords. The plugin could be any one including pre/post- plugin and be-txn-pre/post-plugin. On the other hand, the pseudo- attribute should not be in the database.
This patch declares the unhashed password pseudo-attribute as an operational attribute and allows the pseudo-attribute to exist in an entry in memory. When the entry2str_ functions create the flat entry that is stored in the database, they omit the pseudo-attribute.
Reviewed by rmeggins@redhat.com and nkinder@redhat.com (Thank you!!)
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c index 2794694..657c5ec 100644 --- a/ldap/servers/plugins/acl/acl.c +++ b/ldap/servers/plugins/acl/acl.c @@ -1386,7 +1386,9 @@ acl_check_mods( } if (lastmod && (strcmp (mod->mod_type, "modifiersname")== 0 || - strcmp (mod->mod_type, "modifytimestamp")== 0)) { + strcmp (mod->mod_type, "modifytimestamp")== 0 || + strcmp (mod->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)== 0) + ) { continue; }
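Review bot: The new comparison against PSEUDO_ATTR_UNHASHEDUSERPASSWORD uses strcmp, while is_type_protected() in entry.c (same commit) matches the same type with strcasecmp; unless mod_type is already normalized when acl_check_mods sees it, a differently-cased spelling of the pseudo-attribute takes the full ACL path here but is still dropped by entry2str, so the two sides disagree on what "the pseudo-attribute" is. Either use `strcasecmp (mod->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)== 0` or add a comment stating that mod types reach this point normalized. Skipping the ACL check for the pseudo-attribute also assumes it only ever accompanies a userPassword mod that is itself checked; a one-line comment recording that assumption would help the next reader. The `) {` on a line of its own reads as a stray closer; keep the closing parens on the last strcmp line. acl_check_mods continues outside the hunk.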
diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c index 0bf6ef0..19a7690 100644 --- a/ldap/servers/slapd/add.c +++ b/ldap/servers/slapd/add.c @@ -668,15 +668,6 @@ static void op_shared_add (Slapi_PBlock *pb)
slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database); set_db_default_result_handlers(pb); - - /* Remove the unhashed password pseudo-attribute - from the entry before duplicating the entry */ - - if (unhashed_password_vals) - { - slapi_entry_delete_values(e, pwdtype, NULL); - } - /* because be_add frees the entry */ ec = slapi_entry_dup(e); add_target_dn= slapi_ch_strdup(slapi_sdn_get_ndn(slapi_entry_get_sdn_const(ec))); @@ -722,14 +713,6 @@ static void op_shared_add (Slapi_PBlock *pb) send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Function not implemented", 0, NULL); } - - /* Reattach the unhashed password pseudo-attribute - to the entry copy (ec), before calling the postop plugin */ - if(unhashed_password_vals) - { - slapi_entry_add_values_sv(ec, pwdtype, unhashed_password_vals); - } - slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, &rc); plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_POST_ADD_FN : SLAPI_PLUGIN_POST_ADD_FN); diff --git a/ldap/servers/slapd/attrsyntax.c b/ldap/servers/slapd/attrsyntax.c index dac3cc1..62dfea1 100644 --- a/ldap/servers/slapd/attrsyntax.c +++ b/ldap/servers/slapd/attrsyntax.c 
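Review bot: With the delete before slapi_entry_dup gone, the entry handed to be_add now carries the clear-text value of the pseudo-attribute; the commit relies on entry2str dropping it on the way to disk, but if the backend keeps the in-memory entry object (an entry cache) the clear-text value outlives the operation in that cache and is visible to any search permitted to read operational attributes, which the old code avoided by removing it before the copy. Worth confirming what be_add retains and either clearing the value from the retained object or stating in a comment why keeping it there is acceptable. The locals `unhashed_password_vals` and `pwdtype` appear to have lost their only uses in op_shared_add with these two hunks; if nothing else in the function reads them they should be removed too. The head of op_shared_add is outside the hunks.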
@@ -1074,3 +1074,39 @@ slapi_attr_syntax_exists(const char *attr_name)
 {
 return attr_syntax_exists(attr_name);
 }
+
+/*
+ * Add an attribute syntax using some default flags, etc.
+ * Returns an LDAP error code (LDAP_SUCCESS if all goes well)
+ */
+int
+slapi_add_internal_attr_syntax( const char *name, const char *oid,
+ const char *syntax, const char *mr_equality, unsigned long extraflags )
+{
+ int rc = LDAP_SUCCESS;
+ struct asyntaxinfo *asip;
+ char *names[2];
+ char *origins[2];
+ unsigned long std_flags = SLAPI_ATTR_FLAG_STD_ATTR | SLAPI_ATTR_FLAG_OPATTR;
+
+ names[0] = (char *)name;
+ names[1] = NULL;
+
+ origins[0] = SLAPD_VERSION_STR;
+ origins[1] = NULL;
+
+ rc = attr_syntax_create( oid, names, 1,
+ "internal server defined attribute type",
+ NULL, /* superior */
+ mr_equality, NULL, NULL, /* matching rules */
+ origins, syntax,
+ SLAPI_SYNTAXLENGTH_NONE,
+ std_flags | extraflags,
+ &asip );
+
+ if ( rc == LDAP_SUCCESS ) {
+ rc = attr_syntax_add( asip );
+ }
+
+ return rc;
+}
diff --git a/ldap/servers/slapd/back-ldbm/id2entry.c b/ldap/servers/slapd/back-ldbm/id2entry.c
index 432f80a..12e2951 100644
--- a/ldap/servers/slapd/back-ldbm/id2entry.c
+++ b/ldap/servers/slapd/back-ldbm/id2entry.c
@@ -46,10 +46,6 @@
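Review bot: The header comment is carried over unchanged from the ldbm helper this function replaces, but the defaults are not: std_flags no longer includes SLAPI_ATTR_FLAG_NOUSERMOD, so a caller that wants the attribute protected from client modification must now pass it in extraflags (init.c does, pw_mgmt.c passes 0). That difference is the one thing a caller needs to know and belongs in the comment, e.g. `* Default flags are SLAPI_ATTR_FLAG_STD_ATTR|SLAPI_ATTR_FLAG_OPATTR only; pass SLAPI_ATTR_FLAG_NOUSERMOD in extraflags if clients must not modify the attribute.` The `rc = LDAP_SUCCESS` initializer is dead because rc is unconditionally assigned from attr_syntax_create; `int rc;` is enough. The cast `(char *)name` drops const to fit attr_syntax_create's signature; a short comment that the callee does not write through names[] would justify it.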
#define ID2ENTRY "id2entry"
-static char *protected_attrs_all [] = {PSEUDO_ATTR_UNHASHEDUSERPASSWORD, - LDBM_ENTRYDN_STR, - NULL}; - /* * The caller MUST check for DB_LOCK_DEADLOCK and DB_RUNRECOVERY returned */ @@ -64,7 +60,6 @@ id2entry_add_ext( backend *be, struct backentry *e, back_txn *txn, int encrypt int len, rc; char temp_id[sizeof(ID)]; struct backentry *encrypted_entry = NULL; - char **paap = NULL; char *entrydn = NULL;
LDAPDebug( LDAP_DEBUG_TRACE, "=> id2entry_add( %lu, "%s" )\n", @@ -125,16 +120,6 @@ id2entry_add_ext( backend *be, struct backentry *e, back_txn *txn, int encrypt LDAPDebug2Args( LDAP_DEBUG_TRACE, "=> id2entry_add (dncache) ( %lu, "%s" )\n", (u_long)e->ep_id, slapi_entry_get_dn_const(entry_to_use) ); - /* - * If protected attributes exist in the entry, - * we have to remove them before writing the entry to the database. - */ - for (paap = protected_attrs_all; paap && *paap; paap++) { - if (0 == slapi_entry_attr_find(entry_to_use, *paap, &eattr)) { - /* a protected attr exists in the entry. removed it. */ - slapi_entry_delete_values(entry_to_use, *paap, NULL); - } - } } data.dptr = slapi_entry2str_with_options(entry_to_use, &len, options); data.dsize = len + 1; diff --git a/ldap/servers/slapd/back-ldbm/init.c b/ldap/servers/slapd/back-ldbm/init.c index b41faba..6859b29 100644 --- a/ldap/servers/slapd/back-ldbm/init.c +++ b/ldap/servers/slapd/back-ldbm/init.c @@ -51,9 +51,6 @@ static void *IDL_api[3]; static Slapi_PluginDesc pdesc = { "ldbm-backend", VENDOR, DS_PACKAGE_VERSION, "high-performance LDAP backend database plugin" };
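Review bot: The removed loop was the only visible user of `eattr` in id2entry_add_ext; if no other statement in the function reads it, its declaration (outside this hunk) is now dead and should go the same way as `paap`. The write path now depends entirely on slapi_entry2str_with_options omitting PSEUDO_ATTR_UNHASHEDUSERPASSWORD and entrydn, and nothing left in this file says so; a one-line comment above the `data.dptr = slapi_entry2str_with_options(...)` call, `/* protected attrs (unhashed pw, entrydn) are dropped by entry2str; see is_type_protected() in entry.c */`, records where that guarantee now lives. id2entry_add_ext continues outside the hunks.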
-static int add_ldbm_internal_attr_syntax( const char *name, const char *oid, - const char *syntax, const char *mr_equality, unsigned long extraflags ); - #ifdef _WIN32 int *module_ldap_debug = 0;
@@ -69,21 +66,21 @@ int ldbm_back_add_schema( Slapi_PBlock *pb ) { int rc = 0; - rc = add_ldbm_internal_attr_syntax( LDBM_ENTRYDN_STR, + rc = slapi_add_internal_attr_syntax( LDBM_ENTRYDN_STR, LDBM_ENTRYDN_OID, DN_SYNTAX_OID, DNMATCH_NAME, - SLAPI_ATTR_FLAG_SINGLE ); + SLAPI_ATTR_FLAG_SINGLE|SLAPI_ATTR_FLAG_NOUSERMOD );
- rc |= add_ldbm_internal_attr_syntax( "dncomp", + rc |= slapi_add_internal_attr_syntax( "dncomp", LDBM_DNCOMP_OID, DN_SYNTAX_OID, DNMATCH_NAME, - 0 ); + SLAPI_ATTR_FLAG_NOUSERMOD );
- rc |= add_ldbm_internal_attr_syntax( LDBM_PARENTID_STR, + rc |= slapi_add_internal_attr_syntax( LDBM_PARENTID_STR, LDBM_PARENTID_OID, DIRSTRING_SYNTAX_OID, CASEIGNOREMATCH_NAME, - SLAPI_ATTR_FLAG_SINGLE ); + SLAPI_ATTR_FLAG_SINGLE|SLAPI_ATTR_FLAG_NOUSERMOD );
- rc |= add_ldbm_internal_attr_syntax( "entryid", + rc |= slapi_add_internal_attr_syntax( "entryid", LDBM_ENTRYID_OID, DIRSTRING_SYNTAX_OID, CASEIGNOREMATCH_NAME, - SLAPI_ATTR_FLAG_SINGLE ); + SLAPI_ATTR_FLAG_SINGLE|SLAPI_ATTR_FLAG_NOUSERMOD );
return rc; } @@ -280,41 +277,3 @@ fail: slapi_pblock_set( pb, SLAPI_PLUGIN_PRIVATE, NULL ); return( -1 ); } - - -/* - * Add an attribute syntax using some default flags, etc. - * Returns an LDAP error code (LDAP_SUCCESS if all goes well) - */ -static int -add_ldbm_internal_attr_syntax( const char *name, const char *oid, - const char *syntax, const char *mr_equality, unsigned long extraflags ) -{ - int rc = LDAP_SUCCESS; - struct asyntaxinfo *asip; - char *names[2]; - char *origins[2]; - unsigned long std_flags = SLAPI_ATTR_FLAG_STD_ATTR | SLAPI_ATTR_FLAG_OPATTR - | SLAPI_ATTR_FLAG_NOUSERMOD; - - names[0] = (char *)name; - names[1] = NULL; - - origins[0] = SLAPD_VERSION_STR; - origins[1] = NULL; - - rc = attr_syntax_create( oid, names, 1, - "internal server defined attribute type", - NULL, /* superior */ - mr_equality, NULL, NULL, /* matching rules */ - origins, syntax, - SLAPI_SYNTAXLENGTH_NONE, - std_flags | extraflags, - &asip ); - - if ( rc == LDAP_SUCCESS ) { - rc = attr_syntax_add( asip ); - } - - return rc; -} diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c index 9e0f0fb..8a91e39 100644 --- a/ldap/servers/slapd/entry.c +++ b/ldap/servers/slapd/entry.c @@ -63,6 +63,13 @@
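Review bot: The rewritten `rc |= slapi_add_internal_attr_syntax(...)` lines bit-OR LDAP result codes together, so when any registration fails ldbm_back_add_schema returns a value that is not an LDAP code and a later success cannot clear it; the pattern predates this commit, but since these lines are rewritten here it is a good moment to keep the first failure instead, e.g. `if (rc == LDAP_SUCCESS) rc = slapi_add_internal_attr_syntax( "dncomp", ...);` for each of the three follow-on calls. Passing SLAPI_ATTR_FLAG_NOUSERMOD explicitly on all four calls is required now that slapi_add_internal_attr_syntax no longer applies it by default; a short comment above the first call saying the flag is deliberate for every ldbm-internal attribute would stop someone dropping it later.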
/* a helper function to set special rdn to a tombstone entry */ static int _entry_set_tombstone_rdn(Slapi_Entry *e, const char *normdn); +static int is_type_protected(const char *type); + +/* protected attributes which are not included in the flattened entry, + * which will be stored in the db. */ +static char *protected_attrs_all [] = {PSEUDO_ATTR_UNHASHEDUSERPASSWORD, + SLAPI_ATTR_ENTRYDN, + NULL};
/* * An attribute name is of the form 'basename[;option]'. @@ -1431,27 +1438,34 @@ slapi_str2entry_ext( const char *dn, char *s, int flags ) return e; }
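Review bot: `protected_attrs_all` now names SLAPI_ATTR_ENTRYDN ("entrydn", added to slapi-plugin.h in this commit) where the table it replaces in id2entry.c used LDBM_ENTRYDN_STR; the two macros must remain the same string or the backend silently starts storing entrydn in id2entry, so LDBM_ENTRYDN_STR should be defined in terms of SLAPI_ATTR_ENTRYDN, or the comment here should state the dependency. The table is only read, so `static const char *const protected_attrs_all[]` (with `const char *const *paap` in is_type_protected) lets the compiler enforce that. The forward declaration of is_type_protected would be unnecessary if the function were defined ahead of entry2str_internal_size_value rather than several hundred lines later.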
+/* + * If the attribute type is in the protected list, it returns size 0. + */ static size_t -entry2str_internal_size_value( const char *attrtype, const Slapi_Value *v, int entry2str_ctrl, int attribute_state, int value_state ) -{ - size_t elen= 0; - if(attrtype!=NULL) +entry2str_internal_size_value( const char *attrtype, const Slapi_Value *v, + int entry2str_ctrl, int attribute_state, + int value_state ) +{ + size_t elen = 0; + size_t attrtypelen; + if((NULL == attrtype) || is_type_protected(attrtype)) { + goto bail; + } + attrtypelen = strlen(attrtype); + if(entry2str_ctrl & SLAPI_DUMP_STATEINFO) { - size_t attrtypelen= strlen(attrtype); - if(entry2str_ctrl & SLAPI_DUMP_STATEINFO) + attrtypelen+= csnset_string_size(v->v_csnset); + if (attribute_state==ATTRIBUTE_DELETED) { - attrtypelen+= csnset_string_size(v->v_csnset); - if (attribute_state==ATTRIBUTE_DELETED) - { - attrtypelen += DELETED_ATTR_STRSIZE; - } - if(value_state==VALUE_DELETED) - { - attrtypelen += DELETED_VALUE_STRSIZE; - } + attrtypelen += DELETED_ATTR_STRSIZE; + } + if(value_state==VALUE_DELETED) + { + attrtypelen += DELETED_VALUE_STRSIZE; } - elen = LDIF_SIZE_NEEDED(attrtypelen, slapi_value_get_berval(v)->bv_len); } + elen = LDIF_SIZE_NEEDED(attrtypelen, slapi_value_get_berval(v)->bv_len); +bail: return elen; }
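Review bot: entry2str_internal_size_value returning 0 for protected types is only correct while the emit side (entry2str_internal_put_attrlist, a separate check later in this commit) skips exactly the same types; if the two ever diverge the buffer sized here is smaller than what is written. Put that coupling on the early exit: `if((NULL == attrtype) || is_type_protected(attrtype)) { /* must match the skip in entry2str_internal_put_attrlist */ return 0; }` — a plain return also removes the `bail:` label and goto, which release nothing. The function's comment should say what "protected" means (attributes that are kept in memory but never flattened), not just that size 0 is returned.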
@@ -1599,6 +1613,18 @@ entry2str_internal_put_valueset( const char *attrtype, const CSN *attrcsn, CSNTy } }
+static int +is_type_protected(const char *type) +{ + char **paap = NULL; + for (paap = protected_attrs_all; paap && *paap; paap++) { + if (0 == strcasecmp(type, *paap)) { + return 1; + } + } + return 0; +} + static void entry2str_internal_put_attrlist( const Slapi_Attr *attrlist, int attr_state, int entry2str_ctrl, char **ecur, char **typebuf, size_t *typebuf_len) { @@ -1614,7 +1640,8 @@ entry2str_internal_put_attrlist( const Slapi_Attr *attrlist, int attr_state, int
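Review bot: is_type_protected has no comment and takes a `type` it passes straight to strcasecmp; both callers in this commit guard against NULL before calling, so either document that contract, `/* type must be non-NULL; returns 1 if it names an attribute that is kept in memory but never written by entry2str */`, or make the function tolerate NULL itself. The `paap &&` term in the loop condition is always true because paap is initialised to the array itself; `for (paap = protected_attrs_all; *paap; paap++)` is the whole test.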
/* don't dump uniqueid if not asked */ if (!(strcasecmp(a->a_type, SLAPI_ATTR_UNIQUEID) == 0 && - !(SLAPI_DUMP_UNIQUEID & entry2str_ctrl))) + !(SLAPI_DUMP_UNIQUEID & entry2str_ctrl)) && + !is_type_protected(a->a_type)) { /* Putting present attribute values */ /* put "<type>:[:] <value>" line for each value */ diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c index 219ac72..e240237 100644 --- a/ldap/servers/slapd/modify.c +++ b/ldap/servers/slapd/modify.c @@ -870,19 +870,6 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
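Review bot: The is_type_protected check is applied unconditionally in entry2str_internal_put_attrlist, so every caller of the entry2str family loses the pseudo-attribute and entrydn, whereas the code this replaces stripped them only on the id2entry write path. Any other serializer that needs the pseudo-attribute (a plugin that dumps or replays entries through slapi_entry2str_with_options) can no longer get it; the SLAPI_DUMP_UNIQUEID gate two lines above is the model, an entry2str_ctrl flag that opts back in. If dropping them for every caller is the intent, state it in the comment on protected_attrs_all so the wider effect is not a surprise. entry2str_internal_put_attrlist continues outside the hunk.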
slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database); set_db_default_result_handlers(pb); - - /* Remove the unhashed password pseudo-attribute prior */ - /* to db access */ - slapi_mods_init_passin (&smods, mods); - if (!unhashed_pw_attr) { - unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD); - } - if (slapi_mods_get_num_mods(&smods)) { - remove_mod (&smods, unhashed_pw_attr, &unhashed_pw_smod); - slapi_pblock_set (pb, SLAPI_MODIFY_MODS, - (void*)slapi_mods_get_ldapmods_passout (&smods)); - } - if (be->be_modify != NULL) { if ((rc = (*be->be_modify)(pb)) == 0) @@ -920,27 +907,6 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw) send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Function not implemented", 0, NULL); } - /* Add the pseudo-attribute prior to calling the postop plugins */ - if (pw_change) - { - LDAPMod *lc_mod = NULL; - - slapi_pblock_get (pb, SLAPI_MODIFY_MODS, &mods); - slapi_mods_init_passin (&smods, mods); - for ( lc_mod = slapi_mods_get_first_mod(&unhashed_pw_smod); lc_mod; - lc_mod = slapi_mods_get_next_mod(&unhashed_pw_smod) ) - { - Slapi_Mod lc_smod; - slapi_mod_init_byval(&lc_smod, lc_mod); /* copies lc_mod */ - /* this extracts the copy of lc_mod and finalizes lc_smod too */ - slapi_mods_add_ldapmod(&smods, - slapi_mod_get_ldapmod_passout(&lc_smod)); - } - slapi_pblock_set (pb, SLAPI_MODIFY_MODS, - (void*)slapi_mods_get_ldapmods_passout (&smods)); - } - slapi_mods_done(&unhashed_pw_smod); /* can finalize now */ -
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, &rc); plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN : @@ -973,6 +939,7 @@ free_and_return: slapi_be_Unlock(be); slapi_sdn_done(&sdn);
+ slapi_mods_done(&unhashed_pw_smod); /* can finalize now */ if (unhashed_pw_attr) slapi_ch_free ((void**)&unhashed_pw_attr);
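Review bot: The cleanup now calls `slapi_mods_done(&unhashed_pw_smod)` on every exit path, yet the only visible initialisation of unhashed_pw_smod was the remove_mod call deleted in the first modify.c hunk; unless its declaration (outside these hunks) initialises it, this finalises an uninitialised Slapi_Mods on every modify. Likewise `unhashed_pw_attr` is no longer assigned anywhere in view after the first hunk removed the slapi_attr_syntax_normalize call, so the `if (unhashed_pw_attr) slapi_ch_free` below is dead, and `smods` may be unused as well. Either drop the three locals together with this cleanup, or keep an explicit `slapi_mods_init(&unhashed_pw_smod, 0);` at the declaration so done() is always safe. op_shared_modify spans all three hunks and continues outside them.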
diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c index 7aca148..aa76e03 100644 --- a/ldap/servers/slapd/pw_mgmt.c +++ b/ldap/servers/slapd/pw_mgmt.c @@ -301,6 +301,10 @@ pw_init ( void ) { slapdFrontendConfig = getFrontendConfig(); pw_mod_allowchange_aci (!slapdFrontendConfig->pw_policy.pw_change && !slapdFrontendConfig->pw_policy.pw_must_change); + + slapi_add_internal_attr_syntax( PSEUDO_ATTR_UNHASHEDUSERPASSWORD, + PSEUDO_ATTR_UNHASHEDUSERPASSWORD_OID, + OCTETSTRING_SYNTAX_OID, 0, 0 ); }
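Review bot: The return value of slapi_add_internal_attr_syntax is discarded, so a failed registration of the pseudo-attribute — which the rest of this commit relies on for the value to survive in the entry at all — would go unnoticed until password handling breaks; keep and log it: `rc = slapi_add_internal_attr_syntax( ... ); if (rc != LDAP_SUCCESS) LDAPDebug( LDAP_DEBUG_ANY, "pw_init: failed to register %s (%d)\n", PSEUDO_ATTR_UNHASHEDUSERPASSWORD, rc, 0 );`. The two trailing `0` arguments differ in type: the equality-rule parameter is a `const char *` and should be written `NULL`, and 0 for extraflags registers the pseudo-attribute without SLAPI_ATTR_FLAG_NOUSERMOD, so the server accepts client modifications naming it; if that is deliberate (plugins must be able to add it), a comment should say so, otherwise pass the flag as init.c does.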
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h index 98ba79c..3a54564 100644 --- a/ldap/servers/slapd/slap.h +++ b/ldap/servers/slapd/slap.h @@ -2291,6 +2291,8 @@ extern char *attr_dataversion; #define MTN_CONTROL_USE_ONE_BACKEND_OID "2.16.840.1.113730.3.4.14" #define MTN_CONTROL_USE_ONE_BACKEND_EXT_OID "2.16.840.1.113730.3.4.20"
+#define PSEUDO_ATTR_UNHASHEDUSERPASSWORD_OID "2.16.840.1.113730.3.1.2110" + /* virtualListViewError is a relatively new concept that was added long * after we implemented VLV. Until added to LDAP SDK, we define * virtualListViewError here. Once it's added, this define would go away. */ diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h index 862a23b..c63e312 100644 --- a/ldap/servers/slapd/slapi-plugin.h +++ b/ldap/servers/slapd/slapi-plugin.h @@ -374,6 +374,7 @@ NSPR_API(PRUint32) PR_fprintf(struct PRFileDesc* fd, const char *fmt, ...) #define SLAPI_ATTR_NSCP_ENTRYDN "nscpEntryDN" #define SLAPI_ATTR_ENTRYUSN "entryusn" #define SLAPI_ATTR_ENTRYUSN_PREV "preventryusn" +#define SLAPI_ATTR_ENTRYDN "entrydn"
/* opaque structures */ diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h index 6f1e2ca..bedc9f5 100644 --- a/ldap/servers/slapd/slapi-private.h +++ b/ldap/servers/slapd/slapi-private.h @@ -1235,6 +1235,8 @@ int plugin_enabled(const char *plugin_name, void *identity); */ int is_slapd_running();
+/* attrsyntax.c */
+int slapi_add_internal_attr_syntax( const char *name, const char *oid, const char *syntax, const char *mr_equality, unsigned long extraflags );
#ifdef __cplusplus }
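Review bot: The new prototype carries the `slapi_` prefix but is declared only in slapi-private.h, so out-of-tree plugins cannot see it while the name promises public plugin API; either move it to slapi-plugin.h with a documented contract, or drop the prefix to match the other private helpers here. The declaration is also far wider than the surrounding lines; break it after `const char *oid,` as the definition in attrsyntax.c does, and add the one-line note that SLAPI_ATTR_FLAG_NOUSERMOD is not applied by default.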