IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-28 01:41:14 -06:00
Code Issues Packages Projects Releases Wiki Activity

Purely indentiation, trailing spaces, cosmetic fixes

Browse Source
This commit is contained in:
Simo Sorce 2008-02-21 09:36:35 -05:00
parent 0996e55573
commit f87db10a07
1 changed files with 173 additions and 133 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

168
ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
View File

@ -5,7 +5,7 @@
* *
* This Program is distributed in the hope that it will be useful, but WITHOUT * This Program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details
* *
* You should have received a copy of the GNU General Public License along with * You should have received a copy of the GNU General Public License along with
* this Program; if not, write to the Free Software Foundation, Inc., 59 Temple * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
@ -22,13 +22,13 @@
* the Approved Interfaces without causing the resulting work to be covered by * the Approved Interfaces without causing the resulting work to be covered by
* the GNU General Public License. Only Red Hat, Inc. may make changes or * the GNU General Public License. Only Red Hat, Inc. may make changes or
* additions to the list of Approved Interfaces. You must obey the GNU General * additions to the list of Approved Interfaces. You must obey the GNU General
* Public License in all respects for all of the Program code and other code used * Public License in all respects for all of the Program code and other code
* in conjunction with the Program except the Non-GPL Code covered by this * used in conjunction with the Program except the Non-GPL Code covered by this
* exception. If you modify this file, you may extend this exception to your * exception. If you modify this file, you may extend this exception to your
* version of the file, but you are not obligated to do so. If you do not wish to * version of the file, but you are not obligated to do so. If you do not wish
* provide this exception without modification, you must delete this exception * to provide this exception without modification, you must delete this
* statement from your version and license this file solely under the GPL without * exception statement from your version and license this file solely under the
* exception. * GPL without exception.
* *
* Authors: * Authors:
* Simo Sorce <ssorce@redhat.com> * Simo Sorce <ssorce@redhat.com>
@ -73,7 +73,8 @@
/* Type of connection for this operation;*/ /* Type of connection for this operation;*/
#define LDAP_EXTOP_PASSMOD_CONN_SECURE #define LDAP_EXTOP_PASSMOD_CONN_SECURE
/* Uncomment the following line FOR TESTING: allows non-SSL connections to use the password change extended op */ /* Uncomment the following #undef FOR TESTING:
* allows non-SSL connections to use the password change extended op */
/* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */ /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */
/* ber tags for the PasswdModifyRequestValue sequence */ /* ber tags for the PasswdModifyRequestValue sequence */
@ -228,7 +229,10 @@ static int filter_keys(struct ipapwd_keyset *kset)
for (i = 0; i < kset->num_keys; i++) { for (i = 0; i < kset->num_keys; i++) {
for (j = 0; j < config->num_supp_encsalts; j++) { for (j = 0; j < config->num_supp_encsalts; j++) {
if (kset->keys[i].ekey->type == config->supp_encsalts[j].enc_type) break; if (kset->keys[i].ekey->type ==
config->supp_encsalts[j].enc_type) {
break;
}
} }
if (j == config->num_supp_encsalts) { /* not valid */ if (j == config->num_supp_encsalts) { /* not valid */
@ -257,7 +261,7 @@ static int filter_keys(struct ipapwd_keyset *kset)
} }
/* new key has been moved to this position, make sure /* new key has been moved to this position, make sure
* we do not skip it, by neutralizing next i increment */ * we do not skip it, by neutralizing next increment */
i--; i--;
} }
} }
@ -1257,7 +1261,8 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data)
} }
/* FIXME: *else* report an error ? */ /* FIXME: *else* report an error ? */
} else { } else {
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "Warning: Last Password Change Time is not available"); slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
"Warning: Last Password Change Time is not available");
} }
/* find the entry with the password policy */ /* find the entry with the password policy */
@ -1274,8 +1279,8 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data)
/* check for reset cases */ /* check for reset cases */
if (strcmp(krbPasswordExpiration, krbLastPwdChange) == 0) { if (strcmp(krbPasswordExpiration, krbLastPwdChange) == 0) {
/* Expiration and last change time are the same /* Expiration and last change time are the same this
* this happens only when a password is reset by an admin * happens only when a password is reset by an admin
* or no expiration policy is set, PASS */ * or no expiration policy is set, PASS */
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
"ipapwd_checkPolicy: Ignore krbMinPwdLife Expiration and Last change dates match\n"); "ipapwd_checkPolicy: Ignore krbMinPwdLife Expiration and Last change dates match\n");
@ -1752,7 +1757,8 @@ static int ipapwd_chpwop(Slapi_PBlock *pb)
{ {
if (ber_scanf(ber, "a", &dn) == LBER_ERROR) { if (ber_scanf(ber, "a", &dn) == LBER_ERROR) {
slapi_ch_free_string(&dn); slapi_ch_free_string(&dn);
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed :{\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"ber_scanf failed\n");
errMesg = "ber_scanf failed at userID parse.\n"; errMesg = "ber_scanf failed at userID parse.\n";
rc = LDAP_PROTOCOL_ERROR; rc = LDAP_PROTOCOL_ERROR;
goto free_and_return; goto free_and_return;
@ -1765,7 +1771,8 @@ static int ipapwd_chpwop(Slapi_PBlock *pb)
if (tag == LDAP_EXTOP_PASSMOD_TAG_OLDPWD ) if (tag == LDAP_EXTOP_PASSMOD_TAG_OLDPWD )
{ {
if (ber_scanf(ber, "a", &oldPasswd) == LBER_ERROR) { if (ber_scanf(ber, "a", &oldPasswd) == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed :{\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"ber_scanf failed\n");
errMesg = "ber_scanf failed at oldPasswd parse.\n"; errMesg = "ber_scanf failed at oldPasswd parse.\n";
rc = LDAP_PROTOCOL_ERROR; rc = LDAP_PROTOCOL_ERROR;
goto free_and_return; goto free_and_return;
@ -1777,7 +1784,8 @@ static int ipapwd_chpwop(Slapi_PBlock *pb)
if (tag == LDAP_EXTOP_PASSMOD_TAG_NEWPWD ) if (tag == LDAP_EXTOP_PASSMOD_TAG_NEWPWD )
{ {
if (ber_scanf(ber, "a", &newPasswd) == LBER_ERROR) { if (ber_scanf(ber, "a", &newPasswd) == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed :{\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"ber_scanf failed\n");
errMesg = "ber_scanf failed at newPasswd parse.\n"; errMesg = "ber_scanf failed at newPasswd parse.\n";
rc = LDAP_PROTOCOL_ERROR; rc = LDAP_PROTOCOL_ERROR;
goto free_and_return; goto free_and_return;
@ -1785,15 +1793,17 @@ static int ipapwd_chpwop(Slapi_PBlock *pb)
} }
parse_req_done: parse_req_done:
/* Uncomment for debugging, otherwise we don't want to leak the password values into the log... */ /* Uncomment for debugging, otherwise we don't want to leak the
/* LDAPDebug( LDAP_DEBUG_ARGS, "passwd: dn (%s), oldPasswd (%s) ,newPasswd (%s)\n", * password values into the log... */
dn, oldPasswd, newPasswd); */ /* LDAPDebug( LDAP_DEBUG_ARGS, "passwd: dn (%s), oldPasswd (%s),
* newPasswd (%s)\n", dn, oldPasswd, newPasswd); */
/* Get Bind DN */ /* Get Bind DN */
slapi_pblock_get(pb, SLAPI_CONN_DN, &bindDN); slapi_pblock_get(pb, SLAPI_CONN_DN, &bindDN);
/* If the connection is bound anonymously, we must refuse to process this operation. */ /* If the connection is bound anonymously, we must refuse
* to process this operation. */
if (bindDN == NULL || *bindDN == '\0') { if (bindDN == NULL || *bindDN == '\0') {
/* Refuse the operation because they're bound anonymously */ /* Refuse the operation because they're bound anonymously */
errMesg = "Anonymous Binds are not allowed.\n"; errMesg = "Anonymous Binds are not allowed.\n";
@ -1843,17 +1853,17 @@ parse_req_done:
} }
/* First thing to do is to ask access control if the bound identity has /* First thing to do is to ask access control if the bound identity has
rights to modify the userpassword attribute on this entry. If not, then * rights to modify the userpassword attribute on this entry. If not,
we fail immediately with insufficient access. This means that we don't * then we fail immediately with insufficient access. This means that
leak any useful information to the client such as current password * we don't leak any useful information to the client such as current
wrong, etc. * password wrong, etc.
*/ */
is_root = slapi_dn_isroot(bindDN); is_root = slapi_dn_isroot(bindDN);
slapi_pblock_set(pb, SLAPI_REQUESTOR_ISROOT, &is_root); slapi_pblock_set(pb, SLAPI_REQUESTOR_ISROOT, &is_root);
/* In order to perform the access control check , we need to select a backend (even though /* In order to perform the access control check, we need to select a
* we don't actually need it otherwise). * backend (even though we don't actually need it otherwise).
*/ */
{ {
Slapi_Backend *be = NULL; Slapi_Backend *be = NULL;
@ -1867,7 +1877,7 @@ parse_req_done:
slapi_pblock_set(pb, SLAPI_BACKEND, be); slapi_pblock_set(pb, SLAPI_BACKEND, be);
} }
ret = slapi_access_allowed ( pb, targetEntry, "krbPrincipalKey", NULL, SLAPI_ACL_WRITE ); ret = slapi_access_allowed( pb, targetEntry, "krbPrincipalKey", NULL, SLAPI_ACL_WRITE );
if ( ret != LDAP_SUCCESS ) { if ( ret != LDAP_SUCCESS ) {
errMesg = "Insufficient access rights\n"; errMesg = "Insufficient access rights\n";
rc = LDAP_INSUFFICIENT_ACCESS; rc = LDAP_INSUFFICIENT_ACCESS;
@ -1879,9 +1889,11 @@ parse_req_done:
* Is the old password valid ? * Is the old password valid ?
*/ */
if (oldPasswd && *oldPasswd) { if (oldPasswd && *oldPasswd) {
/* If user is authenticated, they already gave their password during /* If user is authenticated, they already gave their password
the bind operation (or used sasl or client cert auth or OS creds) */ * during the bind operation (or used sasl or client cert auth
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "oldPasswd provided, but we will ignore it"); * or OS creds) */
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
"oldPasswd provided, but we will ignore it");
} }
memset(&pwdata, 0, sizeof(pwdata)); memset(&pwdata, 0, sizeof(pwdata));
@ -1929,7 +1941,8 @@ parse_req_done:
/* Now we're ready to set the kerberos key material */ /* Now we're ready to set the kerberos key material */
ret = ipapwd_SetPassword(&pwdata); ret = ipapwd_SetPassword(&pwdata);
if (ret != LDAP_SUCCESS) { if (ret != LDAP_SUCCESS) {
/* Failed to modify the password, e.g. because insufficient access allowed */ /* Failed to modify the password,
* e.g. because insufficient access allowed */
errMesg = "Failed to update password"; errMesg = "Failed to update password";
if (ret > 0) { if (ret > 0) {
rc = ret; rc = ret;
@ -2004,14 +2017,16 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb)
svals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *)); svals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *));
if (!svals) { if (!svals) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "memory allocation failed\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"memory allocation failed\n");
rc = LDAP_OPERATIONS_ERROR; rc = LDAP_OPERATIONS_ERROR;
goto free_and_return; goto free_and_return;
} }
krberr = krb5_init_context(&krbctx); krberr = krb5_init_context(&krbctx);
if (krberr) { if (krberr) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "krb5_init_context failed\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"krb5_init_context failed\n");
rc = LDAP_OPERATIONS_ERROR; rc = LDAP_OPERATIONS_ERROR;
goto free_and_return; goto free_and_return;
} }
@ -2019,7 +2034,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb)
/* Get Bind DN */ /* Get Bind DN */
slapi_pblock_get(pb, SLAPI_CONN_DN, &bindDN); slapi_pblock_get(pb, SLAPI_CONN_DN, &bindDN);
/* If the connection is bound anonymously, we must refuse to process this operation. */ /* If the connection is bound anonymously, we must refuse to process
* this operation. */
if (bindDN == NULL || *bindDN == '\0') { if (bindDN == NULL || *bindDN == '\0') {
/* Refuse the operation because they're bound anonymously */ /* Refuse the operation because they're bound anonymously */
errMesg = "Anonymous Binds are not allowed.\n"; errMesg = "Anonymous Binds are not allowed.\n";
@ -2066,7 +2082,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb)
/* ber parse code */ /* ber parse code */
rtag = ber_scanf(ber, "{a{", &serviceName); rtag = ber_scanf(ber, "{a{", &serviceName);
if (rtag == LBER_ERROR) { if (rtag == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"ber_scanf failed\n");
errMesg = "Invalid payload, failed to decode.\n"; errMesg = "Invalid payload, failed to decode.\n";
rc = LDAP_PROTOCOL_ERROR; rc = LDAP_PROTOCOL_ERROR;
goto free_and_return; goto free_and_return;
@ -2076,16 +2093,19 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb)
krberr = krb5_parse_name(krbctx, serviceName, &krbname); krberr = krb5_parse_name(krbctx, serviceName, &krbname);
if (krberr) { if (krberr) {
slapi_ch_free_string(&serviceName); slapi_ch_free_string(&serviceName);
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "krb5_parse_name failed\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"krb5_parse_name failed\n");
rc = LDAP_OPERATIONS_ERROR; rc = LDAP_OPERATIONS_ERROR;
goto free_and_return; goto free_and_return;
} else { } else {
/* invert so that we get the canonical form (add REALM if not present for example) */ /* invert so that we get the canonical form
* (add REALM if not present for example) */
char *canonname; char *canonname;
krberr = krb5_unparse_name(krbctx, krbname, &canonname); krberr = krb5_unparse_name(krbctx, krbname, &canonname);
if (krberr) { if (krberr) {
slapi_ch_free_string(&serviceName); slapi_ch_free_string(&serviceName);
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "krb5_unparse_name failed\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"krb5_unparse_name failed\n");
rc = LDAP_OPERATIONS_ERROR; rc = LDAP_OPERATIONS_ERROR;
goto free_and_return; goto free_and_return;
} }
@ -2149,16 +2169,17 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb)
targetEntry = es[0]; targetEntry = es[0];
/* First thing to do is to ask access control if the bound identity has /* First thing to do is to ask access control if the bound identity has
rights to modify the userpassword attribute on this entry. If not, then * rights to modify the userpassword attribute on this entry. If not,
we fail immediately with insufficient access. This means that we don't * then we fail immediately with insufficient access. This means that
leak any useful information to the client such as current password * we don't leak any useful information to the client such as current
wrong, etc. * password wrong, etc.
*/ */
is_root = slapi_dn_isroot(bindDN); is_root = slapi_dn_isroot(bindDN);
slapi_pblock_set(pb, SLAPI_REQUESTOR_ISROOT, &is_root); slapi_pblock_set(pb, SLAPI_REQUESTOR_ISROOT, &is_root);
/* In order to perform the access control check , we need to select a backend (even though /* In order to perform the access control check,
* we need to select a backend (even though
* we don't actually need it otherwise). * we don't actually need it otherwise).
*/ */
slapi_pblock_set(pb, SLAPI_BACKEND, be); slapi_pblock_set(pb, SLAPI_BACKEND, be);
@ -2360,7 +2381,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb)
/* change Last Password Change field with the current date */ /* change Last Password Change field with the current date */
if (!gmtime_r(&(time_now), &utctime)) { if (!gmtime_r(&(time_now), &utctime)) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "failed to retrieve current date (buggy gmtime_r ?)\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"failed to retrieve current date (buggy gmtime_r ?)\n");
slapi_mods_free(&smods); slapi_mods_free(&smods);
goto free_and_return; goto free_and_return;
} }
@ -2370,7 +2392,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb)
/* FIXME: set Password Expiration date ? */ /* FIXME: set Password Expiration date ? */
#if 0 #if 0
if (!gmtime_r(&(data->expireTime), &utctime)) { if (!gmtime_r(&(data->expireTime), &utctime)) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "failed to convert expiration date\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"failed to convert expiration date\n");
slapi_ch_free_string(&randPasswd); slapi_ch_free_string(&randPasswd);
slapi_mods_free(&smods); slapi_mods_free(&smods);
rc = LDAP_OPERATIONS_ERROR; rc = LDAP_OPERATIONS_ERROR;
@ -2512,12 +2535,14 @@ static int new_ipapwd_encsalt(krb5_context krbctx, const char * const *encsalts,
enc = strdup(encsalts[i]); enc = strdup(encsalts[i]);
if (!enc) { if (!enc) {
slapi_log_error( SLAPI_LOG_PLUGIN, "ipapwd_start", "Allocation error\n"); slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_start",
"Allocation error\n");
return LDAP_OPERATIONS_ERROR; return LDAP_OPERATIONS_ERROR;
} }
salt = strchr(enc, ':'); salt = strchr(enc, ':');
if (!salt) { if (!salt) {
slapi_log_error( SLAPI_LOG_PLUGIN, "ipapwd_start", "Invalid krb5 enc string\n"); slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_start",
"Invalid krb5 enc string\n");
free(enc); free(enc);
continue; continue;
} }
@ -2526,7 +2551,8 @@ static int new_ipapwd_encsalt(krb5_context krbctx, const char * const *encsalts,
krberr = krb5_string_to_enctype(enc, &tmpenc); krberr = krb5_string_to_enctype(enc, &tmpenc);
if (krberr) { if (krberr) {
slapi_log_error( SLAPI_LOG_PLUGIN, "ipapwd_start", "Invalid krb5 enctype\n"); slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_start",
"Invalid krb5 enctype\n");
free(enc); free(enc);
continue; continue;
} }
@ -2572,19 +2598,22 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn)
config = malloc(sizeof(struct ipapwd_config)); config = malloc(sizeof(struct ipapwd_config));
if (!config) { if (!config) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory!\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"Out of memory!\n");
goto free_and_error; goto free_and_error;
} }
kmkey = malloc(sizeof(krb5_keyblock)); kmkey = malloc(sizeof(krb5_keyblock));
if (!kmkey) { if (!kmkey) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory!\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"Out of memory!\n");
goto free_and_error; goto free_and_error;
} }
config->kmkey = kmkey; config->kmkey = kmkey;
ret = krb5_get_default_realm(krbctx, &config->realm); ret = krb5_get_default_realm(krbctx, &config->realm);
if (ret) { if (ret) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Failed to get default realm?!\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"Failed to get default realm?!\n");
goto free_and_error; goto free_and_error;
} }
@ -2592,7 +2621,8 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn)
/* get the Realm Container entry */ /* get the Realm Container entry */
ret = ipapwd_getEntry(realm_dn, &realm_entry, NULL); ret = ipapwd_getEntry(realm_dn, &realm_entry, NULL);
if (ret != LDAP_SUCCESS) { if (ret != LDAP_SUCCESS) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "No realm Entry?\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"No realm Entry?\n");
goto free_and_error; goto free_and_error;
} }
@ -2600,26 +2630,30 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn)
ret = slapi_entry_attr_find(realm_entry, "krbMKey", &a); ret = slapi_entry_attr_find(realm_entry, "krbMKey", &a);
if (ret == -1) { if (ret == -1) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "No master key??\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"No master key??\n");
goto free_and_error; goto free_and_error;
} }
/* there should be only one value here */ /* there should be only one value here */
ret = slapi_attr_first_value(a, &v); ret = slapi_attr_first_value(a, &v);
if (ret == -1) { if (ret == -1) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "No master key values??\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"No master key values??\n");
goto free_and_error; goto free_and_error;
} }
bval = slapi_value_get_berval(v); bval = slapi_value_get_berval(v);
if (!bval) { if (!bval) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Error retrieving master key berval\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"Error retrieving master key berval\n");
goto free_and_error; goto free_and_error;
} }
be = ber_init(bval); be = ber_init(bval);
if (!bval) { if (!bval) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "ber_init() failed!\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"ber_init() failed!\n");
goto free_and_error; goto free_and_error;
} }
@ -2635,7 +2669,8 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn)
kmkey->length = mkey->bv_len; kmkey->length = mkey->bv_len;
kmkey->contents = malloc(mkey->bv_len); kmkey->contents = malloc(mkey->bv_len);
if (!kmkey->contents) { if (!kmkey->contents) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory!\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"Out of memory!\n");
goto free_and_error; goto free_and_error;
} }
memcpy(kmkey->contents, mkey->bv_val, mkey->bv_len); memcpy(kmkey->contents, mkey->bv_val, mkey->bv_len);
@ -2651,7 +2686,8 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn)
&config->num_supp_encsalts); &config->num_supp_encsalts);
slapi_ch_array_free(encsalts); slapi_ch_array_free(encsalts);
} else { } else {
slapi_log_error(SLAPI_LOG_TRACE, "ipapwd_start", "No configured salt types use defaults\n"); slapi_log_error(SLAPI_LOG_TRACE, "ipapwd_start",
"No configured salt types use defaults\n");
ret = new_ipapwd_encsalt(krbctx, ipapwd_def_encsalts, ret = new_ipapwd_encsalt(krbctx, ipapwd_def_encsalts,
&config->supp_encsalts, &config->supp_encsalts,
&config->num_supp_encsalts); &config->num_supp_encsalts);
@ -2671,7 +2707,8 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn)
&config->num_pref_encsalts); &config->num_pref_encsalts);
slapi_ch_array_free(encsalts); slapi_ch_array_free(encsalts);
} else { } else {
slapi_log_error(SLAPI_LOG_TRACE, "ipapwd_start", "No configured salt types use defaults\n"); slapi_log_error(SLAPI_LOG_TRACE, "ipapwd_start",
"No configured salt types use defaults\n");
ret = new_ipapwd_encsalt(krbctx, ipapwd_def_encsalts, ret = new_ipapwd_encsalt(krbctx, ipapwd_def_encsalts,
&config->pref_encsalts, &config->pref_encsalts,
&config->num_pref_encsalts); &config->num_pref_encsalts);
@ -2745,14 +2782,16 @@ static int ipapwd_extop(Slapi_PBlock *pb)
krberr = krb5_init_context(&krbctx); krberr = krb5_init_context(&krbctx);
if (krberr) { if (krberr) {
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", "krb5_init_context failed\n"); slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"krb5_init_context failed\n");
errMesg = "Fatal Internal Error"; errMesg = "Fatal Internal Error";
rc = LDAP_OPERATIONS_ERROR; rc = LDAP_OPERATIONS_ERROR;
goto free_and_return; goto free_and_return;
} }
ret = ipapwd_getConfig(krbctx, ipa_realm_dn); ret = ipapwd_getConfig(krbctx, ipa_realm_dn);
if (ret != LDAP_SUCCESS) { if (ret != LDAP_SUCCESS) {
slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", "Error Retrieving Master Key"); slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop",
"Error Retrieving Master Key");
errMesg = "Fatal Internal Error"; errMesg = "Fatal Internal Error";
rc = LDAP_OPERATIONS_ERROR; rc = LDAP_OPERATIONS_ERROR;
goto free_and_return; goto free_and_return;
@ -2760,9 +2799,10 @@ static int ipapwd_extop(Slapi_PBlock *pb)
krb5_free_context(krbctx); krb5_free_context(krbctx);
} }
/* Before going any further, we'll make sure that the right extended operation plugin /* Before going any further, we'll make sure that the right extended
* has been called: i.e., the OID shipped whithin the extended operation request must * operation plugin has been called: i.e., the OID shipped whithin the
* match this very plugin's OIDs: EXOP_PASSWD_OID or KEYTAB_SET_OID. */ * extended operation request must match this very plugin's OIDs:
* EXOP_PASSWD_OID or KEYTAB_SET_OID. */
if (slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid) != 0) { if (slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid) != 0) {
errMesg = "Could not get OID value from request.\n"; errMesg = "Could not get OID value from request.\n";
rc = LDAP_OPERATIONS_ERROR; rc = LDAP_OPERATIONS_ERROR;