[Freeipa-devel] [PATCH] ipa-pwd-extop: allow password change on all connections with SSF>1

Martin Kosek mkosek at redhat.com
Wed Oct 5 15:22:07 UTC 2011


On Wed, 2011-10-05 at 16:41 +0200, Jan Cholasta wrote:
> On 5.10.2011 16:36, Sumit Bose wrote:
> > On Wed, Oct 05, 2011 at 03:06:19PM +0200, Jan Cholasta wrote:
> >> On 5.10.2011 11:58, Sumit Bose wrote:
> >>> On Tue, Oct 04, 2011 at 11:15:04AM +0200, Jan Cholasta wrote:
> >>>> On 27.9.2011 10:15, Sumit Bose wrote:
> >>>>> Hi,
> >>>>>
> >>>>> currently the change password plugin does not check if the connection is
> >>>>> coming from a local LDAPI socket and denies password change requests via
> >>>>> LDAPI. This patch changes the check to just look at the overall SSF of
> >>>>> the connection which covers all types of connection.
> >>>>>
> >>>>> There is a similar check in ipa_enrollment.c. But I think enrollments via
> >>>>> LDAPI do not make much sense so it does not need to be changed.
> >>>>
> >>>> IMHO it should be changed anyway, for the sake of consistency.
> >>>>
> >>>>>
> >>>>> This patch should fix https://fedorahosted.org/freeipa/ticket/1877.
> >>>>>
> >>>>> bye,
> >>>>> Sumit
> >>>>>
> >>>>
> >>>> The patch has trailing whitespace on lines 20 and 32-35 and needs to
> >>>> be rebased.
> >>>>
> >>>> Tested the patch with ldappasswd over ldap/ldaps/ldapi - works as expected.
> >>>
> >>> Thank you for the review. I have changed ipa_enrollment.c accordingly
> >>> and checked that the patch applies against master as well as against
> >>> ipa-2-1 and that git does not complain about trailing whitespace. New
> >>> version attached.
> >>>
> >>> bye,
> >>> Sumit
> >>
> >> "git apply" still complains about the patch:
> >>
> >> $ git status -sb
> >> ## ipa-2-1
> >>
> >> $ git apply freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
> >>
> >> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:23:
> >> trailing whitespace.
> >>      int ssf;
> >> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:39:
> >> trailing whitespace.
> >>      /* Allow password modify on all connections with a Security Strength
> >> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:40:
> >> trailing whitespace.
> >>       * Factor (SSF) higher than 1 */
> >> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:41:
> >> trailing whitespace.
> >>      if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF,&ssf) != 0) {
> >> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:42:
> >> trailing whitespace.
> >>          LOG_TRACE("Could not get SSF from connection\n");
> >> error: patch failed:
> >> daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:80
> >> error: daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:
> >> patch does not apply
> >> error: patch failed:
> >> daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:615
> >> error: daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:
> >> patch does not apply
> >>
> >>
> >> It can be applied with "patch", but it complains too:
> >>
> >> $ patch -p1 --no-backup-if-mismatch<freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
> >>
> >> (Stripping trailing CRs from patch.)
> >> patching file daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
> >> (Stripping trailing CRs from patch.)
> >> patching file daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
> >>
> >>
> >> The comment in ipa-enrollment.c should be changed from "Allow
> >> password modify on ..." to "Allow enrollment on ...".
> >
> > I changed the comment and sent the patch not in base64.
> >
> > bye,
> > Sumit
> 
> Thank you, ACK.
> 
> Honza

Added missing trac ticket reference to Sumit's patch.

Pushed to master, ipa-2-1.

Martin



