[Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree

Alexander Bokovoy abokovoy at redhat.com
Wed Jun 22 17:02:30 UTC 2016


On Wed, 22 Jun 2016, thierry bordaz wrote:
>>I think FreeIPA also needs to raise dependency to slapi-nis >= 0.56.0
>>for this.
>>
>
>Testing with slapi-nis 0.56.0-2, successful update of password from 
>compat tree users.

Great, ACK!
>
>
>

>From 034a07211de4d11c6cb998676cc5f7439af981c6 Mon Sep 17 00:00:00 2001
>From: Thierry Bordaz <tbordaz at redhat.com>
>Date: Fri, 10 Jun 2016 15:34:40 +0200
>Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop
> plugin
>
>ipapwd_extop allows to update the password on a specific entry, identified by its DN.
>It can be useful to support virtual DN in the extop so that update of a virtual entry
>would land into the proper real entry.
>
>If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value
>of TARGET_DN, instead of using the original one (in the ber req)
>There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955)
>
>https://fedorahosted.org/freeipa/ticket/5946
>---
> .../ipa-pwd-extop/ipa_pwd_extop.c                  | 36 +++++++++++++++++-----
> freeipa.spec.in                                    |  2 +-
> 2 files changed, 29 insertions(+), 9 deletions(-)
>
>diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
>index 440e221..3c2c44f 100644
>--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
>+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
>@@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
> 	char *attrlist[] = {"*", "passwordHistory", NULL };
> 	struct ipapwd_data pwdata;
> 	int is_krb, is_smb, is_ipant;
>-    char *principal = NULL;
>+	char *principal = NULL;
> 	Slapi_PBlock *chpwop_pb = NULL;
>+	Slapi_DN     *target_sdn = NULL;
>+	char         *target_dn = NULL;
> 
> 	/* Get the ber value of the extended operation */
> 	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
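Review bot: The re-indentation of `char *principal = NULL;` at the top of this hunk is a whitespace-only cleanup mixed into a functional change, and the two new declarations use column-aligned padding (`Slapi_DN     *target_sdn`) that the neighbouring declarations do not use. Suggest either splitting the whitespace fix into its own commit or mentioning it in the commit message, and declaring the new variables in the same unpadded style as `Slapi_PBlock *chpwop_pb = NULL;`.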
>@@ -327,14 +329,32 @@ parse_req_done:
> 		}
> 	}
> 
>-	 /* Determine the target DN for this operation */
>-	 /* Did they give us a DN ? */
>-	if (dn == NULL || *dn == '\0') {
>-	 	/* Get the DN from the bind identity on this connection */
>-		dn = slapi_ch_strdup(bindDN);
>-		LOG_TRACE("Missing userIdentity in request, "
>-                          "using the bind DN instead.\n");
>+	/* Determine the target DN for this operation */
>+	slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
>+	if (target_sdn != NULL) {
>+		/* If there is a TARGET_DN we are consuming it */
>+		slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL);
>+		target_dn = slapi_sdn_get_ndn(target_sdn);
> 	}
>+	if (target_dn == NULL || *target_dn == '\0') {
>+		/* Did they give us a DN ? */
>+		if (dn == NULL || *dn == '\0') {
>+			/* Get the DN from the bind identity on this connection */
>+			dn = slapi_ch_strdup(bindDN);
>+			LOG_TRACE("Missing userIdentity in request, "
>+				"using the bind DN instead.\n");
>+		}
>+		LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : "<empty>");
>+	} else {
>+		/* At this point if SLAPI_TARGET_SDN was set that means
>+		 * that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it
>+		 * So take this one rather that the raw one that is in the ber
>+		 */
>+		LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : "<empty>", target_dn);
>+		slapi_ch_free_string(&dn);
>+		dn = slapi_ch_strdup(target_dn);
>+	}
>+	slapi_sdn_free(&target_sdn);
> 
> 	 if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) {
> 		LOG_FATAL("slapi_pblock_set failed!\n");
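Review bot: In the new `if (target_sdn != NULL)` block the function clears SLAPI_TARGET_SDN in the pblock and later calls `slapi_sdn_free(&target_sdn)`, so it takes ownership of a value it did not allocate, and the comment in the `else` branch only asserts that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin set it. Please document that contract explicitly (whoever sets SLAPI_TARGET_SDN before this extop hands the Slapi_DN over and must not free or reuse it), since nothing in these lines can verify who set it. Because the translated value silently replaces the DN from the ber and also skips the bind DN fallback, and then becomes SLAPI_ORIGINAL_TARGET, it is worth confirming that the permission checks further down in ipapwd_chpwop run against the translated `dn` and not the requested one. The translation is only recorded with LOG_TRACE; a more visible log level would help when auditing which real entry a password change on a virtual entry landed in. Minor: "rather that the raw one" in the comment should read "rather than".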
>diff --git a/freeipa.spec.in b/freeipa.spec.in
>index 0d5c745..84a1d65 100644
>--- a/freeipa.spec.in
>+++ b/freeipa.spec.in
>@@ -154,7 +154,7 @@ Requires(pre): systemd-units
> Requires(post): systemd-units
> Requires: selinux-policy >= %{selinux_policy_version}
> Requires(post): selinux-policy-base >= %{selinux_policy_version}
>-Requires: slapi-nis >= 0.55-1
>+Requires: slapi-nis >= 0.56.0
> Requires: pki-ca >= 10.3.2
> Requires: pki-kra >= 10.3.2
> Requires(preun): python systemd-units
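Review bot: The new `Requires: slapi-nis >= 0.56.0` does not match the commit message, which states the dependency as `slapi-nis >= 0.56-0.1`. Pick one version string and use it in both places, so that the packaged minimum is the version that actually sets the target DN for this extop (the thread reports testing with 0.56.0-2).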
>-- 
>2.5.0
>


-- 
/ Alexander Bokovoy



