Use new 389-ds-base cleartext password API

The way how unhashed password is stored in the entry was changed in 389-ds-base-1.3.0, it is now stored in an entry extension rather than in a magic attribute unhashed#user#password. New API using an entry extension was introduced. ipa-pwd-extop should take advantage of the new API as the old one will be removed in 389-ds-base-1.3.1. https://fedorahosted.org/freeipa/ticket/3439
2025-02-25 18:55:28 -06:00 · 2013-03-08 13:01:45 +01:00
parent 99b62aa66f
commit dcc6f13a58
1 changed files with 12 additions and 8 deletions
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -211,13 +211,19 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
            slapi_ch_free_string(&userpw);
            userpw = tmp;
        } else if (slapi_is_encoded(userpw)) {
-            /* check if we have access to the unhashed user password */
-            char *userpw_clear =
-                slapi_entry_attr_get_charptr(e, "unhashed#user#password");
+            const char *userpw_clear = NULL;
+            Slapi_Value **pwvals = NULL;

-            /* unhashed#user#password doesn't always contain the clear text
-             * password, therefore we need to check if its value isn't the same
-             * as userPassword to make sure */
+            /* Try to get clear password from an entry extension.
+             * This function does not return a copy of the values,
+             * no need to free them. */
+            rc = slapi_pw_get_entry_ext(e, &pwvals);
+            if (LDAP_SUCCESS == rc) {
+                userpw_clear = slapi_value_get_string(pwvals[0]);
+            }
+
+            /* Fail if we did not get a real clear text password from
+             * the extension. This will happen if the password is hashed. */
            if (!userpw_clear || (0 == strcmp(userpw, userpw_clear))) {
                rc = LDAP_CONSTRAINT_VIOLATION;
                slapi_ch_free_string(&userpw);
@@ -225,8 +231,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
                userpw = slapi_ch_strdup(userpw_clear);
            }

-            slapi_ch_free_string(&userpw_clear);
-
            if (rc != LDAP_SUCCESS) {
                /* we don't have access to the clear text password;
                 * let it slide if migration is enabled, but don't