mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
ipa-pwd-extop: Enforce old password checks
If a user is changing his own password, then require the old password to be sent for validation purposes. https://fedorahosted.org/freeipa/ticket/1814
This commit is contained in:
parent
fb6abb2acc
commit
a7b6a6e498
@ -271,7 +271,7 @@ parse_req_done:
|
||||
dn = slapi_ch_strdup(bindDN);
|
||||
LOG_TRACE("Missing userIdentity in request, "
|
||||
"using the bind DN instead.\n");
|
||||
}
|
||||
}
|
||||
|
||||
if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) {
|
||||
LOG_FATAL("slapi_pblock_set failed!\n");
|
||||
@ -289,6 +289,69 @@ parse_req_done:
|
||||
goto free_and_return;
|
||||
}
|
||||
|
||||
if (dn) {
|
||||
Slapi_DN *bind_sdn;
|
||||
Slapi_DN *target_sdn;
|
||||
|
||||
/* if the user changing the password is self, we must request the
|
||||
* old password and verify it matches the current one before
|
||||
* proceeding with the password change */
|
||||
bind_sdn = slapi_sdn_new_dn_byref(bindDN);
|
||||
target_sdn = slapi_sdn_new_dn_byref(dn);
|
||||
if (!bind_sdn || !target_sdn) {
|
||||
LOG_OOM();
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
goto free_and_return;
|
||||
}
|
||||
/* this one will normalize and compare, so difference in case will be
|
||||
* correctly handled */
|
||||
ret = slapi_sdn_compare(bind_sdn, target_sdn);
|
||||
if (ret == 0) {
|
||||
Slapi_Value *cpw[2] = { NULL, NULL };
|
||||
Slapi_Value *pw;
|
||||
char *cur_pw;
|
||||
|
||||
if (oldPasswd == NULL || *oldPasswd == '\0') {
|
||||
LOG_FATAL("Old password was not provided!\n");
|
||||
rc = LDAP_INVALID_CREDENTIALS;
|
||||
goto free_and_return;
|
||||
}
|
||||
|
||||
/* if the user is changing his own password we need to check that
|
||||
* oldPasswd matches the current password */
|
||||
cur_pw = slapi_entry_attr_get_charptr(targetEntry,
|
||||
"userPassword");
|
||||
if (!cur_pw) {
|
||||
LOG_FATAL("User has no current password?\n");
|
||||
rc = LDAP_UNWILLING_TO_PERFORM;
|
||||
goto free_and_return;
|
||||
}
|
||||
|
||||
cpw[0] = slapi_value_new_string(cur_pw);
|
||||
pw = slapi_value_new_string(oldPasswd);
|
||||
if (!cpw[0] || !pw) {
|
||||
LOG_OOM();
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
goto free_and_return;
|
||||
}
|
||||
|
||||
ret = slapi_pw_find_sv(cpw, pw);
|
||||
|
||||
slapi_value_free(&cpw[0]);
|
||||
slapi_value_free(&pw);
|
||||
|
||||
if (ret != 0) {
|
||||
LOG_TRACE("Invalid password!\n");
|
||||
rc = LDAP_INVALID_CREDENTIALS;
|
||||
goto free_and_return;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
LOG_TRACE("Undefined target DN!\n");
|
||||
rc = LDAP_OPERATIONS_ERROR;
|
||||
goto free_and_return;
|
||||
}
|
||||
|
||||
rc = ipapwd_entry_checks(pb, targetEntry,
|
||||
&is_root, &is_krb, &is_smb,
|
||||
SLAPI_USERPWD_ATTR, SLAPI_ACL_WRITE);
|
||||
|
Loading…
Reference in New Issue
Block a user