ipa-pwd-extop: allow password change on all connections with SSF>1
Instead of checking the individual SSFs of the SASL, SSL/TLS and LDAPI connection types, the global SSF is checked for password changes and enrollments. https://fedorahosted.org/freeipa/ticket/1877
parent
e9c8581ffc
commit
3fb40170cb
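--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -80,22 +80,15 @@ static const char *ipa_realm_dn;
 static int
 ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
 {
-int sasl_ssf, is_ssl;
+int ssf;
 int rc = LDAP_SUCCESS;
 
 LOG_TRACE("=> ipaenrollment_secure\n");
 
-/* Allow enrollment only for SSL/TLS established connections and
-* connections using SASL privacy layers */
-if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
-LOG_TRACE("Could not get SASL SSF from connection\n");
-*errMesg = "Operation requires a secure connection.\n";
-rc = LDAP_OPERATIONS_ERROR;
-goto done;
-}
-
-if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
-LOG_TRACE("Could not get IS SSL from connection\n");
+/* Allow enrollment on all connections with a Security Strength
+* Factor (SSF) higher than 1 */
+if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+LOG_TRACE("Could not get SSF from connection\n");
 *errMesg = "Operation requires a secure connection.\n";
 rc = LDAP_OPERATIONS_ERROR;
 goto done;
@@ -108,7 +101,7 @@ ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
 goto done;
 }
 
-if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+if (ssf <= 1) {
 *errMesg = "Operation requires a secure connection.\n";
 rc = LDAP_CONFIDENTIALITY_REQUIRED;
 goto done;
@@ -544,7 +544,7 @@ done:
 int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
 struct ipapwd_krbcfg **config, int check_flags)
 {
-int ret, sasl_ssf, is_ssl;
+int ret, ssf;
 int rc = LDAP_SUCCESS;
 Slapi_Backend *be;
 const Slapi_DN *psdn;
@@ -555,23 +555,16 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
 
 #ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE
 if (check_flags & IPAPWD_CHECK_CONN_SECURE) {
-/* Allow password modify only for SSL/TLS established connections and
-* connections using SASL privacy layers */
-if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
-LOG("Could not get SASL SSF from connection\n");
+/* Allow password modify on all connections with a Security Strength
+* Factor (SSF) higher than 1 */
+if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+LOG("Could not get SSF from connection\n");
 *errMesg = "Operation requires a secure connection.\n";
 rc = LDAP_OPERATIONS_ERROR;
 goto done;
 }
 
-if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
-LOG("Could not get IS SSL from connection\n");
-*errMesg = "Operation requires a secure connection.\n";
-rc = LDAP_OPERATIONS_ERROR;
-goto done;
-}
-
-if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+if (ssf <= 1) {
 *errMesg = "Operation requires a secure connection.\n";
 rc = LDAP_CONFIDENTIALITY_REQUIRED;
 goto done;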
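Review bot: The `1` in `if (ssf <= 1) {` is a bare magic number and the new comment only restates it ("higher than 1") without saying what the value denotes; in the usual SSF convention 0 is no protection and 1 is integrity-only, so this check accepts any confidentiality layer regardless of its strength, which is worth spelling out, e.g. `/* SSF 0 = no protection, 1 = integrity only; anything higher is a confidentiality layer (TLS, SASL privacy, or — per the commit message — the LDAPI local SSF folded into SLAPI_OPERATION_SSF) */`, ideally with the threshold as a named constant such as `IPAPWD_SSF_INTEGRITY_ONLY` (name constructed). The same fetch-and-compare sequence, including the identical error strings and result codes, is now duplicated between ipaenrollement_secure (first two hunks) and ipapwd_gen_checks here, so a small static helper returning the LDAP result code and setting *errMesg would keep the two policies from drifting. Because the accepted value now depends on the server's configured local SSF for LDAPI connections, the comment could also note that an administrator lowering that setting to 1 or below will make password changes over the socket fail with LDAP_CONFIDENTIALITY_REQUIRED; the aggregation itself is not visible in this diff, so confirm against the pblock implementation. The fail-closed LDAP_OPERATIONS_ERROR when the SSF cannot be read is the right default and should stay. Both ipaenrollement_secure and ipapwd_gen_checks continue outside their hunks.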