From 3fb40170cb70a87515ec9d3466099fa3417a4086 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 27 Sep 2011 10:06:50 +0200 Subject: [PATCH] ipa-pwd-extop: allow password change on all connections with SSF>1 Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection the global SSF is checked for password changes and enrollments. https://fedorahosted.org/freeipa/ticket/1877 --- .../ipa-enrollment/ipa_enrollment.c | 19 ++++++------------- .../ipa-pwd-extop/ipapwd_common.c | 19 ++++++------------- 2 files changed, 12 insertions(+), 26 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c index bc9fd0848..1f5ce9b47 100644 --- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c +++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c @@ -80,22 +80,15 @@ static const char *ipa_realm_dn; static int ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg) { - int sasl_ssf, is_ssl; + int ssf; int rc = LDAP_SUCCESS; LOG_TRACE("=> ipaenrollment_secure\n"); - /* Allow enrollment only for SSL/TLS established connections and - * connections using SASL privacy layers */ - if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) { - LOG_TRACE("Could not get SASL SSF from connection\n"); - *errMesg = "Operation requires a secure connection.\n"; - rc = LDAP_OPERATIONS_ERROR; - goto done; - } - - if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) { - LOG_TRACE("Could not get IS SSL from connection\n"); + /* Allow enrollment on all connections with a Security Strength + * Factor (SSF) higher than 1 */ + if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) { + LOG_TRACE("Could not get SSF from connection\n"); *errMesg = "Operation requires a secure connection.\n"; rc = LDAP_OPERATIONS_ERROR; goto done; @@ -108,7 +101,7 @@ ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg) goto done; } - if ((0 == is_ssl) && (sasl_ssf <= 1)) { + if (ssf <= 1) { *errMesg = "Operation requires a secure connection.\n"; rc = LDAP_CONFIDENTIALITY_REQUIRED; goto done; diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c index c5da14178..9e203be27 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c @@ -544,7 +544,7 @@ done: int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg, struct ipapwd_krbcfg **config, int check_flags) { - int ret, sasl_ssf, is_ssl; + int ret, ssf; int rc = LDAP_SUCCESS; Slapi_Backend *be; const Slapi_DN *psdn; @@ -555,23 +555,16 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg, #ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE if (check_flags & IPAPWD_CHECK_CONN_SECURE) { - /* Allow password modify only for SSL/TLS established connections and - * connections using SASL privacy layers */ - if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) { - LOG("Could not get SASL SSF from connection\n"); + /* Allow password modify on all connections with a Security Strength + * Factor (SSF) higher than 1 */ + if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) { + LOG("Could not get SSF from connection\n"); *errMesg = "Operation requires a secure connection.\n"; rc = LDAP_OPERATIONS_ERROR; goto done; } - if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) { - LOG("Could not get IS SSL from connection\n"); - *errMesg = "Operation requires a secure connection.\n"; - rc = LDAP_OPERATIONS_ERROR; - goto done; - } - - if ((0 == is_ssl) && (sasl_ssf <= 1)) { + if (ssf <= 1) { *errMesg = "Operation requires a secure connection.\n"; rc = LDAP_CONFIDENTIALITY_REQUIRED; goto done;