[Freeipa-devel] [PATCH] ipa-pwd-extop: allow password change on all connections with SSF>1
Sumit Bose
sbose at redhat.com
Wed Oct 5 14:36:47 UTC 2011
On Wed, Oct 05, 2011 at 03:06:19PM +0200, Jan Cholasta wrote:
> On 5.10.2011 11:58, Sumit Bose wrote:
> >On Tue, Oct 04, 2011 at 11:15:04AM +0200, Jan Cholasta wrote:
> >>On 27.9.2011 10:15, Sumit Bose wrote:
> >>>Hi,
> >>>
> >>>currently the change password plugin does not check if the connection is
> >>>coming from a local LDAPI socket and denies password change requests via
> >>>LDAPI. This patch changes the check to just look at the overall SSF of
> >>>the connection which covers all types of connection.
> >>>
> >>>There is a similar check in ipa_enrollment.c. But I think enrollment via
> >>>LDAPI does not make much sense, so it does not need to be changed.
> >>
> >>IMHO it should be changed anyway, for the sake of consistency.
> >>
> >>>
> >>>This patch should fix https://fedorahosted.org/freeipa/ticket/1877.
> >>>
> >>>bye,
> >>>Sumit
> >>>
> >>
> >>The patch has trailing whitespace on lines 20 and 32-35 and needs to
> >>be rebased.
> >>
> >>Tested the patch with ldappasswd over ldap/ldaps/ldapi - works as expected.
> >
> >Thank you for the review. I have changed ipa_enrollment.c accordingly
> >and checked that the patch applies against master as well as against
> >ipa-2-1 and that git does not complain about trailing whitespace. New
> >version attached.
> >
> >bye,
> >Sumit
>
> "git apply" still complains about the patch:
>
> $ git status -sb
> ## ipa-2-1
>
> $ git apply freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
>
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:23:
> trailing whitespace.
> int ssf;
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:39:
> trailing whitespace.
> /* Allow password modify on all connections with a Security Strength
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:40:
> trailing whitespace.
> * Factor (SSF) higher than 1 */
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:41:
> trailing whitespace.
> if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:42:
> trailing whitespace.
> LOG_TRACE("Could not get SSF from connection\n");
> error: patch failed:
> daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:80
> error: daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:
> patch does not apply
> error: patch failed:
> daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:615
> error: daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:
> patch does not apply
>
>
> It can be applied with "patch", but it complains too:
>
> $ patch -p1 --no-backup-if-mismatch <freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
>
> (Stripping trailing CRs from patch.)
> patching file daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
> (Stripping trailing CRs from patch.)
> patching file daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
>
>
> The comment in ipa-enrollment.c should be changed from "Allow
> password modify on ..." to "Allow enrollment on ...".
I changed the comment and sent the patch not in base64.
bye,
Sumit
>
> Honza
>
> >
> >>
> >>Honza
> >>
> >>--
> >>Jan Cholasta
> >>
> >>
> >>_______________________________________________
> >>Freeipa-devel mailing list
> >>Freeipa-devel at redhat.com
> >>https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
> --
> Jan Cholasta
-------------- next part --------------
From d3dfd8c7a93ba7cd16a967fb8b6075830fed8c8a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 27 Sep 2011 10:06:50 +0200
Subject: [PATCH] ipa-pwd-extop: allow password change on all connections with
SSF>1
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connections,
the global SSF is checked for password changes and enrollments.
---
.../ipa-enrollment/ipa_enrollment.c | 19 ++++++-------------
.../ipa-pwd-extop/ipapwd_common.c | 19 ++++++-------------
2 files changed, 12 insertions(+), 26 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
index 51231231fd1a597e27ac283c855bbd5146db3e24..78fb359cdb91455a629836df317aa639f35a516e 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
@@ -80,22 +80,15 @@ static const char *ipa_realm_dn;
static int
ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
{
- int sasl_ssf, is_ssl;
+ int ssf;
int rc = LDAP_SUCCESS;
LOG_TRACE("=> ipaenrollment_secure\n");
- /* Allow enrollment only for SSL/TLS established connections and
- * connections using SASL privacy layers */
- if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
- LOG_TRACE("Could not get SASL SSF from connection\n");
- *errMesg = "Operation requires a secure connection.\n";
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
- if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
- LOG_TRACE("Could not get IS SSL from connection\n");
+ /* Allow enrollment on all connections with a Security Strength
+ * Factor (SSF) higher than 1 */
+ if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+ LOG_TRACE("Could not get SSF from connection\n");
*errMesg = "Operation requires a secure connection.\n";
rc = LDAP_OPERATIONS_ERROR;
goto done;
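Review bot: the new comment `/* Allow enrollment on all connections with a Security Strength Factor (SSF) higher than 1 */` states the threshold but not why 1 is the bar or where the value comes from. Since this hunk drops the explicit SLAPI_CONN_IS_SSL_SESSION check, the new test is only correct if SLAPI_OPERATION_SSF reflects the strongest of the SASL, TLS and LDAPI layers (which is what the commit message relies on) and if SSF 1 is read as integrity-only protection with no confidentiality. Suggest saying both in the comment, e.g. `/* SLAPI_OPERATION_SSF is the strongest of the SASL, TLS and LDAPI SSFs; 1 means integrity only, so require > 1 for confidentiality */`, so the next reader does not have to reconstruct the reasoning from the removed code.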
@@ -108,7 +101,7 @@ ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
goto done;
}
- if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+ if (ssf <= 1) {
*errMesg = "Operation requires a secure connection.\n";
rc = LDAP_CONFIDENTIALITY_REQUIRED;
goto done;
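Review bot: the literal 1 in `if (ssf <= 1)` is now duplicated in ipa_enrollment.c and ipapwd_common.c, and the explanatory comment has to be kept in sync in both places as well. A single named constant in a shared header (hypothetical name, e.g. `IPA_MIN_SECURE_SSF`) used by both plugins would keep the two checks from drifting apart. Returning LDAP_CONFIDENTIALITY_REQUIRED in this branch is the right result code for the case.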
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index 7bc2e7d54da095cf1db232d3d173270f585a76f6..3ee7fefd47dd8c06799bc2eb3b37f17bc2b10444 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -615,7 +615,7 @@ done:
int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
struct ipapwd_krbcfg **config, int check_flags)
{
- int ret, sasl_ssf, is_ssl;
+ int ret, ssf;
int rc = LDAP_SUCCESS;
Slapi_Backend *be;
const Slapi_DN *psdn;
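Review bot: `int ret, ssf;` is declared outside the `#ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE` block that is the only place `ssf` is used, so a build without that macro defined gets an unused-variable warning for `ssf` (the same was true of `sasl_ssf` and `is_ssl` before, so this is pre-existing rather than introduced here). Moving the declaration inside the `#ifdef`, or guarding it the same way, would keep a warnings-enabled build quiet.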
@@ -626,23 +626,16 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
#ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE
if (check_flags & IPAPWD_CHECK_CONN_SECURE) {
- /* Allow password modify only for SSL/TLS established connections and
- * connections using SASL privacy layers */
- if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
- LOG("Could not get SASL SSF from connection\n");
+ /* Allow password modify on all connections with a Security Strength
+ * Factor (SSF) higher than 1 */
+ if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+ LOG("Could not get SSF from connection\n");
*errMesg = "Operation requires a secure connection.\n";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
- if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
- LOG("Could not get IS SSL from connection\n");
- *errMesg = "Operation requires a secure connection.\n";
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
- if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+ if (ssf <= 1) {
*errMesg = "Operation requires a secure connection.\n";
rc = LDAP_CONFIDENTIALITY_REQUIRED;
goto done;
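Review bot: the rejection branch `if (ssf <= 1)` returns only "Operation requires a secure connection." and logs nothing, so an operator looking at a failed password change cannot tell whether the client came in over plain ldap:// (SSF 0) or over a SASL layer that negotiated integrity only (SSF 1). A trace line carrying the observed `ssf` value before the `goto done`, using whichever logging macro in this file takes format arguments, would make the two cases distinguishable without attaching a debugger to ns-slapd.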
--
1.7.6
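To make the effect of the thread's change concrete, here is an added example that is not part of the patch or of the FreeIPA code base. It models the old "TLS or SASL privacy layer" test and the new "operation SSF > 1" test as plain C functions over a struct instead of a Slapi_PBlock, and runs both over constructed sample connections (ldap://, ldaps://, ldapi://, SASL with and without a privacy layer). The SSF numbers, the local-socket SSF of 71, and the assumption that the per-operation SSF is the maximum of the SASL, TLS and local-socket SSFs are stated in the code as assumptions; the slapi names are only mentioned in comments.

```c
/* Added example, not FreeIPA code. Models the two "secure connection" checks
 * discussed in the thread so the LDAPI case can be compared side by side.
 * The 389-ds pblock lookups are replaced by plain struct fields; all SSF
 * values below are constructed sample data, not read from a real server. */
#include <stdio.h>

/* Fields a Slapi plugin would read from the pblock (here: plain struct).
 *   is_ssl    : TLS session flag (what SLAPI_CONN_IS_SSL_SESSION reports)
 *   sasl_ssf  : SASL security layer strength: 0 none, 1 integrity only,
 *               >1 confidentiality (what SLAPI_CONN_SASL_SSF reports)
 *   ssl_ssf   : TLS cipher strength
 *   local_ssf : SSF the server assigns to a local (LDAPI) connection;
 *               71 is an assumed sample value */
struct conn {
    const char *name;
    int is_ssl;
    int sasl_ssf;
    int ssl_ssf;
    int local_ssf;
};

/* Old check (removed by the patch): only a TLS session or a SASL privacy
 * layer counts, so an LDAPI connection is always rejected. */
int secure_old(const struct conn *c)
{
    return !((0 == c->is_ssl) && (c->sasl_ssf <= 1));
}

/* Per-operation SSF. Assumption: the server reports SLAPI_OPERATION_SSF as
 * the strongest of the SASL, TLS and local-socket layers. */
int operation_ssf(const struct conn *c)
{
    int ssf = c->sasl_ssf;
    if (c->ssl_ssf > ssf) ssf = c->ssl_ssf;
    if (c->local_ssf > ssf) ssf = c->local_ssf;
    return ssf;
}

/* New check from the patch: anything with SSF <= 1 is rejected, i.e.
 * plaintext (0) and integrity-only SASL layers (1). */
int secure_new(const struct conn *c)
{
    return operation_ssf(c) > 1;
}

/* Constructed sample connections covering the cases tested in the thread. */
#define N_SAMPLE 6
const struct conn sample_conns[N_SAMPLE] = {
    /* name                        is_ssl sasl ssl local */
    { "ldap:// plaintext",          0,     0,   0,   0 },
    { "ldaps://",                   1,     0, 128,   0 },
    { "ldapi:// local socket",      0,     0,   0,  71 },
    { "ldap:// SASL privacy",       0,    56,   0,   0 },
    { "ldap:// SASL integrity-only",0,     1,   0,   0 },
    { "ldaps:// + SASL integrity",  1,     1, 128,   0 },
};

/* Number of sample connections on which the old and new checks disagree;
 * with the data above that is exactly the LDAPI case. */
int count_disagreements(const struct conn *conns, int n)
{
    int diff = 0;
    for (int i = 0; i < n; i++)
        if (secure_old(&conns[i]) != secure_new(&conns[i]))
            diff++;
    return diff;
}

int main(void)
{
    printf("%-30s %4s %4s %4s\n", "connection", "ssf", "old", "new");
    for (int i = 0; i < N_SAMPLE; i++) {
        const struct conn *c = &sample_conns[i];
        printf("%-30s %4d %4d %4d\n", c->name, operation_ssf(c),
               secure_old(c), secure_new(c));
    }
    printf("checks disagree on %d of %d connections\n",
           count_disagreements(sample_conns, N_SAMPLE), N_SAMPLE);
    return 0;
}
```

The table shows the property the patch cares about: the new check admits the local socket (SSF 71) that the old one rejected, while still refusing plaintext ldap:// and a SASL layer negotiated with integrity only (SSF 1), and it does not weaken any case the old check already accepted.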