IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipapwd_extop should use TARGET_DN defined by a pre-extop plugin

Browse Source 
ipapwd_extop allows to update the password on a specific entry, identified by its DN.
It can be usefull to support virtual DN in the extop so that update of a virtual entry
would land into the proper real entry.

If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value
of TARGET_DN, instead of using the original one (in the ber req)
There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955)

https://fedorahosted.org/freeipa/ticket/5946

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Thierry Bordaz 2016-06-10 15:34:40 +02:00 committed by Martin Basti
parent d64513f1ff
commit 1ce8d32fd6
2 changed files with 29 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
View File

@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
char *attrlist[] = {"*", "passwordHistory", NULL }; char *attrlist[] = {"*", "passwordHistory", NULL };
struct ipapwd_data pwdata; struct ipapwd_data pwdata;
int is_krb, is_smb, is_ipant; int is_krb, is_smb, is_ipant;
char *principal = NULL; char *principal = NULL;
Slapi_PBlock *chpwop_pb = NULL; Slapi_PBlock *chpwop_pb = NULL;
Slapi_DN *target_sdn = NULL;
char *target_dn = NULL;
/* Get the ber value of the extended operation */ /* Get the ber value of the extended operation */
slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
@ -327,14 +329,32 @@ parse_req_done:
} }
} }
/* Determine the target DN for this operation */ /* Determine the target DN for this operation */
/* Did they give us a DN ? */ slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
if (dn == NULL || *dn == '\0') { if (target_sdn != NULL) {
/* Get the DN from the bind identity on this connection */ /* If there is a TARGET_DN we are consuming it */
dn = slapi_ch_strdup(bindDN); slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL);
LOG_TRACE("Missing userIdentity in request, " target_dn = slapi_sdn_get_ndn(target_sdn);
"using the bind DN instead.\n");
} }
if (target_dn == NULL || *target_dn == '\0') {
/* Did they give us a DN ? */
if (dn == NULL || *dn == '\0') {
/* Get the DN from the bind identity on this connection */
dn = slapi_ch_strdup(bindDN);
LOG_TRACE("Missing userIdentity in request, "
"using the bind DN instead.\n");
}
LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : "<empty>");
} else {
/* At this point if SLAPI_TARGET_SDN was set that means
* that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it
* So take this one rather that the raw one that is in the ber
*/
LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : "<empty>", target_dn);
slapi_ch_free_string(&dn);
dn = slapi_ch_strdup(target_dn);
}
slapi_sdn_free(&target_sdn);
if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) { if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) {
LOG_FATAL("slapi_pblock_set failed!\n"); LOG_FATAL("slapi_pblock_set failed!\n");

2
freeipa.spec.in
View File

@ -154,7 +154,7 @@ Requires(pre): systemd-units
Requires(post): systemd-units Requires(post): systemd-units
Requires: selinux-policy >= %{selinux_policy_version} Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version}
Requires: slapi-nis >= 0.55-1 Requires: slapi-nis >= 0.56.0
Requires: pki-ca >= 10.3.3 Requires: pki-ca >= 10.3.3
Requires: pki-kra >= 10.3.3 Requires: pki-kra >= 10.3.3
Requires(preun): python systemd-units Requires(preun): python systemd-units