[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication windows_protocol_util.c, 1.28, 1.29 windowsrepl.h, 1.10, 1.11
Nathan Kinder (nkinder)
fedora-directory-commits at redhat.com
Mon Aug 27 17:16:50 UTC 2007
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv10633
Modified Files:
windows_protocol_util.c windowsrepl.h
Log Message:
Resolves: 207893
Summary: Check if passwords are already hashed before sync'ing with AD.
Index: windows_protocol_util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_protocol_util.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- windows_protocol_util.c 23 Aug 2007 20:50:56 -0000 1.28
+++ windows_protocol_util.c 27 Aug 2007 17:16:48 -0000 1.29
@@ -1375,7 +1375,37 @@
slapi_valueset_first_value(vs,&value);
password_value = slapi_value_get_string(value);
- *password = slapi_ch_strdup(password_value);
+ /* We need to check if the first character of password_value is an
+ * opening brace since strstr will simply return it's first argument
+ * if it is an empty string. */
+ if (password_value && (*password_value == '{')) {
+ if (strchr( password_value, '}' )) {
+ /* A storage scheme is present. Check if it's the
+ * clear storage scheme. */
+ if ((strlen(password_value) >= PASSWD_CLEAR_PREFIX_LEN + 1) &&
+ (strncasecmp(password_value, PASSWD_CLEAR_PREFIX, PASSWD_CLEAR_PREFIX_LEN) == 0)) {
+ /* This password is in clear text. Strip off the clear prefix
+ * and sync it. */
+ *password = slapi_ch_strdup(password_value + PASSWD_CLEAR_PREFIX_LEN);
+ } else {
+ /* This password is stored in a non-cleartext format.
+ * We can only sync cleartext passwords. */
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
+ "%s: windows_create_remote_entry: "
+ "Password is already hashed. Not syncing.\n",
+ agmt_get_long_name(prp->agmt));
+ }
+ } else {
+ /* This password doesn't have a storage prefix but
+ * just happens to start with the '{' character. We'll
+ * assume that it's just a cleartext password without
+ * the proper storage prefix. */
+ *password = slapi_ch_strdup(password_value);
+ }
+ } else {
+ /* This password has no storage prefix, or the password is empty */
+ *password = slapi_ch_strdup(password_value);
+ }
}
}
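Review bot: The scheme test (`*password_value == '{'` followed by `strchr(password_value, '}')`) treats any value with a leading `{` and a `}` anywhere in it as carrying a storage scheme, so a cleartext password such as `{a}b` is logged as "already hashed" and never synced; the second hunk in this file repeats the same test. Matching only the brace-delimited prefix against the schemes the server actually knows (for example via `slapi_is_encoded()`, if it is usable from this plugin) would avoid that false positive. A bare `{clear}` with nothing after it also falls into the "already hashed" branch because of the `>= PASSWD_CLEAR_PREFIX_LEN + 1` test, which makes the log line misleading for that case. On the skip path `*password` is never written, so the caller has to initialise it and treat NULL as "do not sync"; that code lies outside the hunk. The leading comment refers to `strstr` while the code calls `strchr`, and "it's" should read "its".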
@@ -1554,7 +1584,37 @@
{
char *password_value = NULL;
password_value = mod->mod_bvalues[0]->bv_val;
- *password = slapi_ch_strdup(password_value);
+ /* We need to check if the first character of password_value is an
+ * opening brace since strstr will simply return it's first argument
+ * if it is an empty string. */
+ if (password_value && (*password_value == '{')) {
+ if (strchr( password_value, '}' )) {
+ /* A storage scheme is present. Check if it's the
+ * clear storage scheme. */
+ if ((strlen(password_value) >= PASSWD_CLEAR_PREFIX_LEN + 1) &&
+ (strncasecmp(password_value, PASSWD_CLEAR_PREFIX, PASSWD_CLEAR_PREFIX_LEN) == 0)) {
+ /* This password is in clear text. Strip off the clear prefix
+ * and sync it. */
+ *password = slapi_ch_strdup(password_value + PASSWD_CLEAR_PREFIX_LEN);
+ } else {
+ /* This password is stored in a non-cleartext format.
+ * We can only sync cleartext passwords. */
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
+ "%s: windows_create_remote_entry: "
+ "Password is already hashed. Not syncing.\n",
+ agmt_get_long_name(prp->agmt));
+ }
+ } else {
+ /* This password doesn't have a storage prefix but
+ * just happens to start with the '{' character. We'll
+ * assume that it's just a cleartext password without
+ * the proper storage prefix. */
+ *password = slapi_ch_strdup(password_value);
+ }
+ } else {
+ /* This password has no storage prefix, or the password is empty */
+ *password = slapi_ch_strdup(password_value);
+ }
}
}
}
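Review bot: This block is a line-for-line copy of the one added in the first hunk, including the log text `windows_create_remote_entry`, which will mislabel the event if this hunk sits in a different function (the enclosing function starts outside the hunk). Moving the check into one static helper keeps the two call sites from drifting apart and lets each caller log under its own name. Separately, `password_value` here is `mod->mod_bvalues[0]->bv_val`, and `strchr`/`strlen` ignore `bv_len`, so the check relies on the berval being NUL-terminated; the server presumably guarantees this, but it is worth confirming.

```c
/* Returns 1 and stores a newly allocated cleartext copy in *password, or
 * returns 0 (leaving *password untouched) when password_value carries a
 * non-clear storage scheme and therefore must not be sent to AD. */
static int
windows_copy_cleartext_password(const char *password_value, char **password)
{
    if (password_value && (*password_value == '{') && strchr(password_value, '}')) {
        if ((strlen(password_value) >= PASSWD_CLEAR_PREFIX_LEN + 1) &&
            (strncasecmp(password_value, PASSWD_CLEAR_PREFIX, PASSWD_CLEAR_PREFIX_LEN) == 0)) {
            /* Clear scheme: strip the prefix and sync the remainder. */
            *password = slapi_ch_strdup(password_value + PASSWD_CLEAR_PREFIX_LEN);
            return 1;
        }
        return 0;
    }
    /* No storage prefix (or an empty/NULL value): copy as-is. */
    *password = slapi_ch_strdup(password_value);
    return 1;
}

/* … at each call site, replacing the duplicated block … */
password_value = mod->mod_bvalues[0]->bv_val;
if (!windows_copy_cleartext_password(password_value, password)) {
    slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
        "%s: <enclosing function name>: "
        "Password is already hashed. Not syncing.\n",
        agmt_get_long_name(prp->agmt));
}
```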
Index: windowsrepl.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windowsrepl.h,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- windowsrepl.h 23 Aug 2007 20:50:56 -0000 1.10
+++ windowsrepl.h 27 Aug 2007 17:16:48 -0000 1.11
@@ -99,4 +99,6 @@
#define FAKE_STREET_ATTR_NAME "in#place#of#streetaddress"
/* Used to work around contrained attribute legth for initials on AD */
#define AD_INITIALS_LENGTH 6
-
+/* Used to check for pre-hashed passwords when syncing */
+#define PASSWD_CLEAR_PREFIX "{clear}"
+#define PASSWD_CLEAR_PREFIX_LEN 7
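Review bot: `PASSWD_CLEAR_PREFIX_LEN` is a hand-counted 7 that has to be kept in step with the string literal on the line above; deriving it, `#define PASSWD_CLEAR_PREFIX_LEN (sizeof(PASSWD_CLEAR_PREFIX) - 1)`, removes that coupling. The comment could also record that callers compare the prefix case-insensitively and that a value with any other `{scheme}` prefix is skipped rather than synced.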