ldap/servers/plugins/acl/acl.c | 4 +-
ldap/servers/slapd/add.c | 17 --------
ldap/servers/slapd/attrsyntax.c | 36 ++++++++++++++++++
ldap/servers/slapd/back-ldbm/id2entry.c | 15 -------
ldap/servers/slapd/back-ldbm/init.c | 57 ++++-------------------------
ldap/servers/slapd/entry.c | 61 +++++++++++++++++++++++---------
ldap/servers/slapd/modify.c | 35 ------------------
ldap/servers/slapd/pw_mgmt.c | 4 ++
ldap/servers/slapd/slap.h | 2 +
ldap/servers/slapd/slapi-plugin.h | 1
ldap/servers/slapd/slapi-private.h | 2 +
11 files changed, 101 insertions(+), 133 deletions(-)
New commits:
commit c06a8faa9140668836dcf02722908319ec2e6e1e
Author: Noriko Hosoi <nhosoi(a)jiji.usersys.redhat.com>
Date: Tue Oct 18 14:16:44 2011 -0700
Keep unhashed password psuedo-attribute in the adding entry
Description:
unhashed password pseudo-attribute is necessary for plugins that
handle passwords. The plugin could be any one including pre/post-
plugin and be-txn-pre/post-plugin. On the other hand, the pseudo-
attribute should not be in the database.
This patch declares the unhashed password pseudo-attribute as an
operational attribute and allows the pseudo-attribute in an in-memory
entry. When the entry is flattened by the entry2str_ functions to be
stored in the database, the pseudo-attribute is omitted.
Reviewed by rmeggins(a)redhat.com and nkinder(a)redhat.com (Thank you!!)
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 2794694..657c5ec 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -1386,7 +1386,9 @@ acl_check_mods(
}
if (lastmod &&
(strcmp (mod->mod_type, "modifiersname")== 0 ||
- strcmp (mod->mod_type, "modifytimestamp")== 0)) {
+ strcmp (mod->mod_type, "modifytimestamp")== 0 ||
+ strcmp (mod->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)== 0)
+ ) {
continue;
}
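Review bot: The new `strcmp (mod->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)== 0` clause lives inside the `lastmod &&` condition, so the pseudo-attribute only skips the ACL check when lastmod is set; if it is meant to be exempt unconditionally because the server generates it, it belongs in its own `if`. Skipping the check also means a client-supplied mod of that type is not rejected here, and pw_init in this same commit registers the attribute with extraflags 0 (no SLAPI_ATTR_FLAG_NOUSERMOD), so confirm that the frontend strips or rejects client-supplied values of this type before acl_check_mods runs (not visible in this diff), or pass SLAPI_ATTR_FLAG_NOUSERMOD at registration. A comment such as `/* server-generated companion of userPassword; the userPassword mod itself is ACL-checked */` would record why the skip is safe. The comparison is case-sensitive while entry.c's is_type_protected uses strcasecmp; if mod_type is not normalized at this point the two checks disagree. acl_check_mods starts and ends outside the hunk.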
diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
index 0bf6ef0..19a7690 100644
--- a/ldap/servers/slapd/add.c
+++ b/ldap/servers/slapd/add.c
@@ -668,15 +668,6 @@ static void op_shared_add (Slapi_PBlock *pb)
slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database);
set_db_default_result_handlers(pb);
-
- /* Remove the unhashed password pseudo-attribute
- from the entry before duplicating the entry */
-
- if (unhashed_password_vals)
- {
- slapi_entry_delete_values(e, pwdtype, NULL);
- }
-
/* because be_add frees the entry */
ec = slapi_entry_dup(e);
add_target_dn= slapi_ch_strdup(slapi_sdn_get_ndn(slapi_entry_get_sdn_const(ec)));
@@ -722,14 +713,6 @@ static void op_shared_add (Slapi_PBlock *pb)
send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"Function not implemented", 0, NULL);
}
-
- /* Reattach the unhashed password pseudo-attribute
- to the entry copy (ec), before calling the postop plugin */
- if(unhashed_password_vals)
- {
- slapi_entry_add_values_sv(ec, pwdtype, unhashed_password_vals);
- }
-
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, &rc);
plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_POST_ADD_FN :
SLAPI_PLUGIN_POST_ADD_FN);
diff --git a/ldap/servers/slapd/attrsyntax.c b/ldap/servers/slapd/attrsyntax.c
index dac3cc1..62dfea1 100644
--- a/ldap/servers/slapd/attrsyntax.c
+++ b/ldap/servers/slapd/attrsyntax.c
@@ -1074,3 +1074,39 @@ slapi_attr_syntax_exists(const char *attr_name)
{
return attr_syntax_exists(attr_name);
}
+
+/*
+ * Add an attribute syntax using some default flags, etc.
+ * Returns an LDAP error code (LDAP_SUCCESS if all goes well)
+ */
+int
+slapi_add_internal_attr_syntax( const char *name, const char *oid,
+ const char *syntax, const char *mr_equality, unsigned long extraflags )
+{
+ int rc = LDAP_SUCCESS;
+ struct asyntaxinfo *asip;
+ char *names[2];
+ char *origins[2];
+ unsigned long std_flags = SLAPI_ATTR_FLAG_STD_ATTR | SLAPI_ATTR_FLAG_OPATTR;
+
+ names[0] = (char *)name;
+ names[1] = NULL;
+
+ origins[0] = SLAPD_VERSION_STR;
+ origins[1] = NULL;
+
+ rc = attr_syntax_create( oid, names, 1,
+ "internal server defined attribute type",
+ NULL, /* superior */
+ mr_equality, NULL, NULL, /* matching rules */
+ origins, syntax,
+ SLAPI_SYNTAXLENGTH_NONE,
+ std_flags | extraflags,
+ &asip );
+
+ if ( rc == LDAP_SUCCESS ) {
+ rc = attr_syntax_add( asip );
+ }
+
+ return rc;
+}
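Review bot: The header comment on slapi_add_internal_attr_syntax should state which flags it applies, because compared with the add_ldbm_internal_attr_syntax it replaces, `std_flags` no longer includes SLAPI_ATTR_FLAG_NOUSERMOD and callers must now pass it in `extraflags`; a caller copying the old ldbm usage would silently register a user-modifiable attribute. Suggest a Doxygen block saying the attribute is registered with SLAPI_ATTR_FLAG_STD_ATTR | SLAPI_ATTR_FLAG_OPATTR plus extraflags, that `mr_equality` may be NULL, that origin is SLAPD_VERSION_STR, and that the result is the LDAP error code from attr_syntax_create or attr_syntax_add. Also `asip` is never initialized; `struct asyntaxinfo *asip = NULL;` avoids carrying an indeterminate pointer if attr_syntax_create fails without setting it. The `slapi_` prefix suggests a plugin API, yet the prototype goes into slapi-private.h; if it is intentionally private, a note to that effect avoids confusion.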
diff --git a/ldap/servers/slapd/back-ldbm/id2entry.c
b/ldap/servers/slapd/back-ldbm/id2entry.c
index 432f80a..12e2951 100644
--- a/ldap/servers/slapd/back-ldbm/id2entry.c
+++ b/ldap/servers/slapd/back-ldbm/id2entry.c
@@ -46,10 +46,6 @@
#define ID2ENTRY "id2entry"
-static char *protected_attrs_all [] = {PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
- LDBM_ENTRYDN_STR,
- NULL};
-
/*
* The caller MUST check for DB_LOCK_DEADLOCK and DB_RUNRECOVERY returned
*/
@@ -64,7 +60,6 @@ id2entry_add_ext( backend *be, struct backentry *e, back_txn *txn, int
encrypt
int len, rc;
char temp_id[sizeof(ID)];
struct backentry *encrypted_entry = NULL;
- char **paap = NULL;
char *entrydn = NULL;
LDAPDebug( LDAP_DEBUG_TRACE, "=> id2entry_add( %lu, \"%s\"
)\n",
@@ -125,16 +120,6 @@ id2entry_add_ext( backend *be, struct backentry *e, back_txn *txn,
int encrypt
LDAPDebug2Args( LDAP_DEBUG_TRACE,
"=> id2entry_add (dncache) ( %lu, \"%s\" )\n",
(u_long)e->ep_id, slapi_entry_get_dn_const(entry_to_use) );
- /*
- * If protected attributes exist in the entry,
- * we have to remove them before writing the entry to the database.
- */
- for (paap = protected_attrs_all; paap && *paap; paap++) {
- if (0 == slapi_entry_attr_find(entry_to_use, *paap, &eattr)) {
- /* a protected attr exists in the entry. removed it. */
- slapi_entry_delete_values(entry_to_use, *paap, NULL);
- }
- }
}
data.dptr = slapi_entry2str_with_options(entry_to_use, &len, options);
data.dsize = len + 1;
diff --git a/ldap/servers/slapd/back-ldbm/init.c b/ldap/servers/slapd/back-ldbm/init.c
index b41faba..6859b29 100644
--- a/ldap/servers/slapd/back-ldbm/init.c
+++ b/ldap/servers/slapd/back-ldbm/init.c
@@ -51,9 +51,6 @@ static void *IDL_api[3];
static Slapi_PluginDesc pdesc = { "ldbm-backend", VENDOR,
DS_PACKAGE_VERSION, "high-performance LDAP backend database plugin" };
-static int add_ldbm_internal_attr_syntax( const char *name, const char *oid,
- const char *syntax, const char *mr_equality, unsigned long extraflags );
-
#ifdef _WIN32
int *module_ldap_debug = 0;
@@ -69,21 +66,21 @@ int
ldbm_back_add_schema( Slapi_PBlock *pb )
{
int rc = 0;
- rc = add_ldbm_internal_attr_syntax( LDBM_ENTRYDN_STR,
+ rc = slapi_add_internal_attr_syntax( LDBM_ENTRYDN_STR,
LDBM_ENTRYDN_OID, DN_SYNTAX_OID, DNMATCH_NAME,
- SLAPI_ATTR_FLAG_SINGLE );
+ SLAPI_ATTR_FLAG_SINGLE|SLAPI_ATTR_FLAG_NOUSERMOD );
- rc |= add_ldbm_internal_attr_syntax( "dncomp",
+ rc |= slapi_add_internal_attr_syntax( "dncomp",
LDBM_DNCOMP_OID, DN_SYNTAX_OID, DNMATCH_NAME,
- 0 );
+ SLAPI_ATTR_FLAG_NOUSERMOD );
- rc |= add_ldbm_internal_attr_syntax( LDBM_PARENTID_STR,
+ rc |= slapi_add_internal_attr_syntax( LDBM_PARENTID_STR,
LDBM_PARENTID_OID, DIRSTRING_SYNTAX_OID, CASEIGNOREMATCH_NAME,
- SLAPI_ATTR_FLAG_SINGLE );
+ SLAPI_ATTR_FLAG_SINGLE|SLAPI_ATTR_FLAG_NOUSERMOD );
- rc |= add_ldbm_internal_attr_syntax( "entryid",
+ rc |= slapi_add_internal_attr_syntax( "entryid",
LDBM_ENTRYID_OID, DIRSTRING_SYNTAX_OID, CASEIGNOREMATCH_NAME,
- SLAPI_ATTR_FLAG_SINGLE );
+ SLAPI_ATTR_FLAG_SINGLE|SLAPI_ATTR_FLAG_NOUSERMOD );
return rc;
}
@@ -280,41 +277,3 @@ fail:
slapi_pblock_set( pb, SLAPI_PLUGIN_PRIVATE, NULL );
return( -1 );
}
-
-
-/*
- * Add an attribute syntax using some default flags, etc.
- * Returns an LDAP error code (LDAP_SUCCESS if all goes well)
- */
-static int
-add_ldbm_internal_attr_syntax( const char *name, const char *oid,
- const char *syntax, const char *mr_equality, unsigned long extraflags )
-{
- int rc = LDAP_SUCCESS;
- struct asyntaxinfo *asip;
- char *names[2];
- char *origins[2];
- unsigned long std_flags = SLAPI_ATTR_FLAG_STD_ATTR | SLAPI_ATTR_FLAG_OPATTR
- | SLAPI_ATTR_FLAG_NOUSERMOD;
-
- names[0] = (char *)name;
- names[1] = NULL;
-
- origins[0] = SLAPD_VERSION_STR;
- origins[1] = NULL;
-
- rc = attr_syntax_create( oid, names, 1,
- "internal server defined attribute type",
- NULL, /* superior */
- mr_equality, NULL, NULL, /* matching rules */
- origins, syntax,
- SLAPI_SYNTAXLENGTH_NONE,
- std_flags | extraflags,
- &asip );
-
- if ( rc == LDAP_SUCCESS ) {
- rc = attr_syntax_add( asip );
- }
-
- return rc;
-}
diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
index 9e0f0fb..8a91e39 100644
--- a/ldap/servers/slapd/entry.c
+++ b/ldap/servers/slapd/entry.c
@@ -63,6 +63,13 @@
/* a helper function to set special rdn to a tombstone entry */
static int _entry_set_tombstone_rdn(Slapi_Entry *e, const char *normdn);
+static int is_type_protected(const char *type);
+
+/* protected attributes which are not included in the flattened entry,
+ * which will be stored in the db. */
+static char *protected_attrs_all [] = {PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
+ SLAPI_ATTR_ENTRYDN,
+ NULL};
/*
* An attribute name is of the form 'basename[;option]'.
@@ -1431,27 +1438,34 @@ slapi_str2entry_ext( const char *dn, char *s, int flags )
return e;
}
+/*
+ * If the attribute type is in the protected list, it returns size 0.
+ */
static size_t
-entry2str_internal_size_value( const char *attrtype, const Slapi_Value *v, int
entry2str_ctrl, int attribute_state, int value_state )
-{
- size_t elen= 0;
- if(attrtype!=NULL)
+entry2str_internal_size_value( const char *attrtype, const Slapi_Value *v,
+ int entry2str_ctrl, int attribute_state,
+ int value_state )
+{
+ size_t elen = 0;
+ size_t attrtypelen;
+ if((NULL == attrtype) || is_type_protected(attrtype)) {
+ goto bail;
+ }
+ attrtypelen = strlen(attrtype);
+ if(entry2str_ctrl & SLAPI_DUMP_STATEINFO)
{
- size_t attrtypelen= strlen(attrtype);
- if(entry2str_ctrl & SLAPI_DUMP_STATEINFO)
+ attrtypelen+= csnset_string_size(v->v_csnset);
+ if (attribute_state==ATTRIBUTE_DELETED)
{
- attrtypelen+= csnset_string_size(v->v_csnset);
- if (attribute_state==ATTRIBUTE_DELETED)
- {
- attrtypelen += DELETED_ATTR_STRSIZE;
- }
- if(value_state==VALUE_DELETED)
- {
- attrtypelen += DELETED_VALUE_STRSIZE;
- }
+ attrtypelen += DELETED_ATTR_STRSIZE;
+ }
+ if(value_state==VALUE_DELETED)
+ {
+ attrtypelen += DELETED_VALUE_STRSIZE;
}
- elen = LDIF_SIZE_NEEDED(attrtypelen, slapi_value_get_berval(v)->bv_len);
}
+ elen = LDIF_SIZE_NEEDED(attrtypelen, slapi_value_get_berval(v)->bv_len);
+bail:
return elen;
}
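Review bot: entry2str_internal_size_value now contributes 0 bytes for a protected type, so the buffer sized from it is only large enough if every put path skips exactly the same types; the present-attribute path in entry2str_internal_put_attrlist (the last hunk of this file) checks is_type_protected, but this size function is also called for deleted attributes and values (`attribute_state==ATTRIBUTE_DELETED`, `value_state==VALUE_DELETED`), and the put path for the entry's deleted-attribute list is outside this diff. If that path still emits a protected type, the written string exceeds the computed size. Add the same check there, and a comment on this function: `/* must mirror the is_type_protected() checks in every put path, otherwise the flattened buffer is undersized */`. Separately, `v->v_csnset` is dereferenced without a NULL check as before; with the new `goto bail` a `NULL == v` guard would be cheap to add to the first condition.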
@@ -1599,6 +1613,18 @@ entry2str_internal_put_valueset( const char *attrtype, const CSN
*attrcsn, CSNTy
}
}
+static int
+is_type_protected(const char *type)
+{
+ char **paap = NULL;
+ for (paap = protected_attrs_all; paap && *paap; paap++) {
+ if (0 == strcasecmp(type, *paap)) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
static void
entry2str_internal_put_attrlist( const Slapi_Attr *attrlist, int attr_state, int
entry2str_ctrl, char **ecur, char **typebuf, size_t *typebuf_len)
{
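Review bot: is_type_protected compares the whole type string with strcasecmp, but the comment near the top of this file says an attribute name has the form 'basename[;option]', so a protected type carrying an option suffix would not match and would be flattened into the stored entry. If options can appear on these types, compare only the base name (length up to the first ';', then require the next character to be '\0' or ';'); if they cannot, say so in a comment above the function. A one-line header such as `/* nonzero if type must never be written by entry2str (see protected_attrs_all) */` would also help readers of the two call sites. `type` is passed straight to strcasecmp, so callers must guarantee it is non-NULL; the size function does, and put_attrlist passes a->a_type, which is presumably always set.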
@@ -1614,7 +1640,8 @@ entry2str_internal_put_attrlist( const Slapi_Attr *attrlist, int
attr_state, int
/* don't dump uniqueid if not asked */
if (!(strcasecmp(a->a_type, SLAPI_ATTR_UNIQUEID) == 0 &&
- !(SLAPI_DUMP_UNIQUEID & entry2str_ctrl)))
+ !(SLAPI_DUMP_UNIQUEID & entry2str_ctrl)) &&
+ !is_type_protected(a->a_type))
{
/* Putting present attribute values */
/* put "<type>:[:] <value>" line for each value */
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 219ac72..e240237 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -870,19 +870,6 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char
*old_pw)
slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database);
set_db_default_result_handlers(pb);
-
- /* Remove the unhashed password pseudo-attribute prior */
- /* to db access */
- slapi_mods_init_passin (&smods, mods);
- if (!unhashed_pw_attr) {
- unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
- }
- if (slapi_mods_get_num_mods(&smods)) {
- remove_mod (&smods, unhashed_pw_attr, &unhashed_pw_smod);
- slapi_pblock_set (pb, SLAPI_MODIFY_MODS,
- (void*)slapi_mods_get_ldapmods_passout (&smods));
- }
-
if (be->be_modify != NULL)
{
if ((rc = (*be->be_modify)(pb)) == 0)
@@ -920,27 +907,6 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char
*old_pw)
send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"Function not implemented", 0, NULL);
}
- /* Add the pseudo-attribute prior to calling the postop plugins */
- if (pw_change)
- {
- LDAPMod *lc_mod = NULL;
-
- slapi_pblock_get (pb, SLAPI_MODIFY_MODS, &mods);
- slapi_mods_init_passin (&smods, mods);
- for ( lc_mod = slapi_mods_get_first_mod(&unhashed_pw_smod); lc_mod;
- lc_mod = slapi_mods_get_next_mod(&unhashed_pw_smod) )
- {
- Slapi_Mod lc_smod;
- slapi_mod_init_byval(&lc_smod, lc_mod); /* copies lc_mod */
- /* this extracts the copy of lc_mod and finalizes lc_smod too */
- slapi_mods_add_ldapmod(&smods,
- slapi_mod_get_ldapmod_passout(&lc_smod));
- }
- slapi_pblock_set (pb, SLAPI_MODIFY_MODS,
- (void*)slapi_mods_get_ldapmods_passout (&smods));
- }
- slapi_mods_done(&unhashed_pw_smod); /* can finalize now */
-
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, &rc);
plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN :
@@ -973,6 +939,7 @@ free_and_return:
slapi_be_Unlock(be);
slapi_sdn_done(&sdn);
+ slapi_mods_done(&unhashed_pw_smod); /* can finalize now */
if (unhashed_pw_attr)
slapi_ch_free ((void**)&unhashed_pw_attr);
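Review bot: `slapi_mods_done(&unhashed_pw_smod)` now runs on every exit through free_and_return, but the earlier hunks removed the remove_mod call that populated unhashed_pw_smod; whether the variable is still initialized (for instance by a slapi_mods_init at the top of op_shared_modify, outside this diff) decides whether this finalizes an uninitialized Slapi_Mods on early-error paths. If nothing initializes it any more, drop this call together with the variable; if something does, keep that init and this line as a pair and note it in a comment. Likewise `unhashed_pw_attr` is no longer assigned anywhere in the visible code, so the free on the following lines appears dead — confirm and remove both if so. op_shared_modify's body continues outside the hunk.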
diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
index 7aca148..aa76e03 100644
--- a/ldap/servers/slapd/pw_mgmt.c
+++ b/ldap/servers/slapd/pw_mgmt.c
@@ -301,6 +301,10 @@ pw_init ( void ) {
slapdFrontendConfig = getFrontendConfig();
pw_mod_allowchange_aci (!slapdFrontendConfig->pw_policy.pw_change &&
!slapdFrontendConfig->pw_policy.pw_must_change);
+
+ slapi_add_internal_attr_syntax( PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
+ PSEUDO_ATTR_UNHASHEDUSERPASSWORD_OID,
+ OCTETSTRING_SYNTAX_OID, 0, 0 );
}
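Review bot: The return value of `slapi_add_internal_attr_syntax` is discarded, so a failure to register the pseudo-attribute (an LDAP error code from attr_syntax_create or attr_syntax_add) goes unnoticed and the server continues with the attribute unknown to the schema. Capture it, e.g. `int rc = slapi_add_internal_attr_syntax(...);` followed by `if (LDAP_SUCCESS != rc) { /* log with the file's logging helper, e.g. slapi_log_error */ }`. `0` is passed for the `const char *mr_equality` parameter; `NULL` is the right spelling for a pointer argument. Since extraflags is 0, this attribute, unlike the ldbm ones registered in init.c, does not get SLAPI_ATTR_FLAG_NOUSERMOD; if that is intentional because the server itself writes the mod, a comment saying so prevents someone "fixing" it later.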
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 98ba79c..3a54564 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2291,6 +2291,8 @@ extern char *attr_dataversion;
#define MTN_CONTROL_USE_ONE_BACKEND_OID "2.16.840.1.113730.3.4.14"
#define MTN_CONTROL_USE_ONE_BACKEND_EXT_OID "2.16.840.1.113730.3.4.20"
+#define PSEUDO_ATTR_UNHASHEDUSERPASSWORD_OID "2.16.840.1.113730.3.1.2110"
+
/* virtualListViewError is a relatively new concept that was added long
* after we implemented VLV. Until added to LDAP SDK, we define
* virtualListViewError here. Once it's added, this define would go away. */
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index 862a23b..c63e312 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -374,6 +374,7 @@ NSPR_API(PRUint32) PR_fprintf(struct PRFileDesc* fd, const char *fmt,
...)
#define SLAPI_ATTR_NSCP_ENTRYDN "nscpEntryDN"
#define SLAPI_ATTR_ENTRYUSN "entryusn"
#define SLAPI_ATTR_ENTRYUSN_PREV "preventryusn"
+#define SLAPI_ATTR_ENTRYDN "entrydn"
/* opaque structures */
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 6f1e2ca..bedc9f5 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -1235,6 +1235,8 @@ int plugin_enabled(const char *plugin_name, void *identity);
*/
int is_slapd_running();
+/* attrsyntax.c */
+int slapi_add_internal_attr_syntax( const char *name, const char *oid, const char
*syntax, const char *mr_equality, unsigned long extraflags );
#ifdef __cplusplus
}