[Freeipa-devel] [PATCH] ipa-pwd-extop: allow password change on all connections with SSF>1

Sumit Bose sbose at redhat.com
Tue Sep 27 08:15:48 UTC 2011


Hi,

currently the change password plugin does not check if the connection is
coming from a local LDAPI socket and denies password change requests via
LDAPI. This patch changes the check to just look at the overall SSF of
the connection which covers all types of connection.

There is a similar check in ipa_enrollment.c. But I think enrollments via
LDAPI do not make much sense, so it does not need to be changed.

This patch should fix https://fedorahosted.org/freeipa/ticket/1877.

bye,
Sumit
-------------- next part --------------
From 8ed807a42982aabe958a4d0cac47d5f4511be11c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 27 Sep 2011 10:06:50 +0200
Subject: [PATCH] ipa-pwd-extop: allow password change on all connections with
 SSF>1

---
 .../ipa-pwd-extop/ipapwd_common.c                  |   19 ++++++-------------
 1 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index c5da141787dbe2f85d766447a329a12932b81538..9e203be2763b13328e2d392c76e8545ba7ab549a 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -544,7 +544,7 @@ done:
 int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
                       struct ipapwd_krbcfg **config, int check_flags)
 {
-    int ret, sasl_ssf, is_ssl;
+    int ret, ssf;
     int rc = LDAP_SUCCESS;
     Slapi_Backend *be;
     const Slapi_DN *psdn;
@@ -555,23 +555,16 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
 
 #ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE
     if (check_flags & IPAPWD_CHECK_CONN_SECURE) {
-        /* Allow password modify only for SSL/TLS established connections and
-         * connections using SASL privacy layers */
-        if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
-            LOG("Could not get SASL SSF from connection\n");
+       /* Allow password modify on all connections with a Security Strength
+        * Factor (SSF) higher than 1 */
+        if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+            LOG("Could not get SSF from connection\n");
             *errMesg = "Operation requires a secure connection.\n";
             rc = LDAP_OPERATIONS_ERROR;
             goto done;
         }
 
-        if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
-            LOG("Could not get IS SSL from connection\n");
-            *errMesg = "Operation requires a secure connection.\n";
-            rc = LDAP_OPERATIONS_ERROR;
-            goto done;
-        }
-
-        if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+        if (ssf <= 1) {
             *errMesg = "Operation requires a secure connection.\n";
             rc = LDAP_CONFIDENTIALITY_REQUIRED;
             goto done;
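Review bot: The new comment block at the top of this hunk is indented seven spaces while the surrounding code uses eight; align it with the `if` it documents. It would also help to record in that comment why the check moved from the separate SSL/SASL pair to the single SLAPI_OPERATION_SSF value: the cover letter explains that the goal is to let LDAPI connections change passwords, but nothing in the code now mentions LDAPI, so a later reader cannot tell that a local connection is expected to report an SSF above 1, nor that the check silently goes back to refusing local password changes (with LDAP_CONFIDENTIALITY_REQUIRED) if it does not.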
-- 
1.7.6