IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Purely indentiation, trailing spaces, cosmetic fixes

Browse Source
This commit is contained in:
Simo Sorce 2008-02-21 09:36:35 -05:00
parent 0996e55573
commit f87db10a07
1 changed files with 173 additions and 133 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

168
ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
View File

@ -5,7 +5,7 @@
*
* This Program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details
*
* You should have received a copy of the GNU General Public License along with
* this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
@ -22,13 +22,13 @@
* the Approved Interfaces without causing the resulting work to be covered by
* the GNU General Public License. Only Red Hat, Inc. may make changes or
* additions to the list of Approved Interfaces. You must obey the GNU General
* Public License in all respects for all of the Program code and other code used
* in conjunction with the Program except the Non-GPL Code covered by this
* Public License in all respects for all of the Program code and other code
* used in conjunction with the Program except the Non-GPL Code covered by this
* exception. If you modify this file, you may extend this exception to your
* version of the file, but you are not obligated to do so. If you do not wish to
* provide this exception without modification, you must delete this exception
* statement from your version and license this file solely under the GPL without
* exception.
* version of the file, but you are not obligated to do so. If you do not wish
* to provide this exception without modification, you must delete this
* exception statement from your version and license this file solely under the
* GPL without exception.
*
* Authors:
* Simo Sorce <ssorce@redhat.com>
@ -73,7 +73,8 @@
/* Type of connection for this operation;*/
#define LDAP_EXTOP_PASSMOD_CONN_SECURE
/* Uncomment the following line FOR TESTING: allows non-SSL connections to use the password change extended op */
/* Uncomment the following #undef FOR TESTING:
* allows non-SSL connections to use the password change extended op */
/* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */
/* ber tags for the PasswdModifyRequestValue sequence */
@ -228,7 +229,10 @@ static int filter_keys(struct ipapwd_keyset *kset)
for (i = 0; i < kset->num_keys; i++) {
for (j = 0; j < config->num_supp_encsalts; j++) {
if (kset->keys[i].ekey->type == config->supp_encsalts[j].enc_type) break;
if (kset->keys[i].ekey->type ==
config->supp_encsalts[j].enc_type) {
break;
}
}
if (j == config->num_supp_encsalts) { /* not valid */
@ -257,7 +261,7 @@ static int filter_keys(struct ipapwd_keyset *kset)
}
/* new key has been moved to this position, make sure
* we do not skip it, by neutralizing next i increment */
* we do not skip it, by neutralizing next increment */
i--;
}
}
@ -1257,7 +1261,8 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data)
}
/* FIXME: *else* report an error ? */
} else {
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "Warning: Last Password Change Time is not available");
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
"Warning: Last Password Change Time is not available");
}
/* find the entry with the password policy */
@ -1274,8 +1279,8 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data)
/* check for reset cases */
if (strcmp(krbPasswordExpiration, krbLastPwdChange) == 0) {
/* Expiration and last change time are the same
* this happens only when a password is reset by an admin
/* Expiration and last change time are the same this
* happens only when a password is reset by an admin
* or no expiration policy is set, PASS */
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
"ipapwd_checkPolicy: Ignore krbMinPwdLife Expiration and Last change dates match\n");
@ -1752,7 +1757,8 @@ static int ipapwd_chpwop(Slapi_PBlock *pb)
{
if (ber_scanf(ber, "a", &dn) == LBER_ERROR) {
slapi_ch_free_string(&dn);
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed :{\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"ber_scanf failed\n");
errMesg = "ber_scanf failed at userID parse.\n";
rc = LDAP_PROTOCOL_ERROR;
goto free_and_return;
@ -1765,7 +1771,8 @@ static int ipapwd_chpwop(Slapi_PBlock *pb)
if (tag == LDAP_EXTOP_PASSMOD_TAG_OLDPWD )
{
if (ber_scanf(ber, "a", &oldPasswd) == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed :{\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"ber_scanf failed\n");
errMesg = "ber_scanf failed at oldPasswd parse.\n";
rc = LDAP_PROTOCOL_ERROR;
goto free_and_return;
@ -1777,7 +1784,8 @@ static int ipapwd_chpwop(Slapi_PBlock *pb)
if (tag == LDAP_EXTOP_PASSMOD_TAG_NEWPWD )
{
if (ber_scanf(ber, "a", &newPasswd) == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed :{\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"ber_scanf failed\n");
errMesg = "ber_scanf failed at newPasswd parse.\n";
rc = LDAP_PROTOCOL_ERROR;
goto free_and_return;
@ -1785,15 +1793,17 @@ static int ipapwd_chpwop(Slapi_PBlock *pb)
}
parse_req_done:
/* Uncomment for debugging, otherwise we don't want to leak the password values into the log... */
/* LDAPDebug( LDAP_DEBUG_ARGS, "passwd: dn (%s), oldPasswd (%s) ,newPasswd (%s)\n",
dn, oldPasswd, newPasswd); */
/* Uncomment for debugging, otherwise we don't want to leak the
* password values into the log... */
/* LDAPDebug( LDAP_DEBUG_ARGS, "passwd: dn (%s), oldPasswd (%s),
* newPasswd (%s)\n", dn, oldPasswd, newPasswd); */
/* Get Bind DN */
slapi_pblock_get(pb, SLAPI_CONN_DN, &bindDN);
/* If the connection is bound anonymously, we must refuse to process this operation. */
/* If the connection is bound anonymously, we must refuse
* to process this operation. */
if (bindDN == NULL || *bindDN == '\0') {
/* Refuse the operation because they're bound anonymously */
errMesg = "Anonymous Binds are not allowed.\n";
@ -1843,17 +1853,17 @@ parse_req_done:
}
/* First thing to do is to ask access control if the bound identity has
rights to modify the userpassword attribute on this entry. If not, then
we fail immediately with insufficient access. This means that we don't
leak any useful information to the client such as current password
wrong, etc.
* rights to modify the userpassword attribute on this entry. If not,
* then we fail immediately with insufficient access. This means that
* we don't leak any useful information to the client such as current
* password wrong, etc.
*/
is_root = slapi_dn_isroot(bindDN);
slapi_pblock_set(pb, SLAPI_REQUESTOR_ISROOT, &is_root);
/* In order to perform the access control check , we need to select a backend (even though
* we don't actually need it otherwise).
/* In order to perform the access control check, we need to select a
* backend (even though we don't actually need it otherwise).
*/
{
Slapi_Backend *be = NULL;
@ -1867,7 +1877,7 @@ parse_req_done:
slapi_pblock_set(pb, SLAPI_BACKEND, be);
}
ret = slapi_access_allowed ( pb, targetEntry, "krbPrincipalKey", NULL, SLAPI_ACL_WRITE );
ret = slapi_access_allowed( pb, targetEntry, "krbPrincipalKey", NULL, SLAPI_ACL_WRITE );
if ( ret != LDAP_SUCCESS ) {
errMesg = "Insufficient access rights\n";
rc = LDAP_INSUFFICIENT_ACCESS;
@ -1879,9 +1889,11 @@ parse_req_done:
* Is the old password valid ?
*/
if (oldPasswd && *oldPasswd) {
/* If user is authenticated, they already gave their password during
the bind operation (or used sasl or client cert auth or OS creds) */
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "oldPasswd provided, but we will ignore it");
/* If user is authenticated, they already gave their password
* during the bind operation (or used sasl or client cert auth
* or OS creds) */
slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop",
"oldPasswd provided, but we will ignore it");
}
memset(&pwdata, 0, sizeof(pwdata));
@ -1929,7 +1941,8 @@ parse_req_done:
/* Now we're ready to set the kerberos key material */
ret = ipapwd_SetPassword(&pwdata);
if (ret != LDAP_SUCCESS) {
/* Failed to modify the password, e.g. because insufficient access allowed */
/* Failed to modify the password,
* e.g. because insufficient access allowed */
errMesg = "Failed to update password";
if (ret > 0) {
rc = ret;
@ -2004,14 +2017,16 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb)
svals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *));
if (!svals) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "memory allocation failed\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"memory allocation failed\n");
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
krberr = krb5_init_context(&krbctx);
if (krberr) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "krb5_init_context failed\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"krb5_init_context failed\n");
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
@ -2019,7 +2034,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb)
/* Get Bind DN */
slapi_pblock_get(pb, SLAPI_CONN_DN, &bindDN);
/* If the connection is bound anonymously, we must refuse to process this operation. */
/* If the connection is bound anonymously, we must refuse to process
* this operation. */
if (bindDN == NULL || *bindDN == '\0') {
/* Refuse the operation because they're bound anonymously */
errMesg = "Anonymous Binds are not allowed.\n";
@ -2066,7 +2082,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb)
/* ber parse code */
rtag = ber_scanf(ber, "{a{", &serviceName);
if (rtag == LBER_ERROR) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"ber_scanf failed\n");
errMesg = "Invalid payload, failed to decode.\n";
rc = LDAP_PROTOCOL_ERROR;
goto free_and_return;
@ -2076,16 +2093,19 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb)
krberr = krb5_parse_name(krbctx, serviceName, &krbname);
if (krberr) {
slapi_ch_free_string(&serviceName);
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "krb5_parse_name failed\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"krb5_parse_name failed\n");
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
} else {
/* invert so that we get the canonical form (add REALM if not present for example) */
/* invert so that we get the canonical form
* (add REALM if not present for example) */
char *canonname;
krberr = krb5_unparse_name(krbctx, krbname, &canonname);
if (krberr) {
slapi_ch_free_string(&serviceName);
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "krb5_unparse_name failed\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"krb5_unparse_name failed\n");
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
@ -2149,16 +2169,17 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb)
targetEntry = es[0];
/* First thing to do is to ask access control if the bound identity has
rights to modify the userpassword attribute on this entry. If not, then
we fail immediately with insufficient access. This means that we don't
leak any useful information to the client such as current password
wrong, etc.
* rights to modify the userpassword attribute on this entry. If not,
* then we fail immediately with insufficient access. This means that
* we don't leak any useful information to the client such as current
* password wrong, etc.
*/
is_root = slapi_dn_isroot(bindDN);
slapi_pblock_set(pb, SLAPI_REQUESTOR_ISROOT, &is_root);
/* In order to perform the access control check , we need to select a backend (even though
/* In order to perform the access control check,
* we need to select a backend (even though
* we don't actually need it otherwise).
*/
slapi_pblock_set(pb, SLAPI_BACKEND, be);
@ -2360,7 +2381,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb)
/* change Last Password Change field with the current date */
if (!gmtime_r(&(time_now), &utctime)) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "failed to retrieve current date (buggy gmtime_r ?)\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"failed to retrieve current date (buggy gmtime_r ?)\n");
slapi_mods_free(&smods);
goto free_and_return;
}
@ -2370,7 +2392,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb)
/* FIXME: set Password Expiration date ? */
#if 0
if (!gmtime_r(&(data->expireTime), &utctime)) {
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "failed to convert expiration date\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop",
"failed to convert expiration date\n");
slapi_ch_free_string(&randPasswd);
slapi_mods_free(&smods);
rc = LDAP_OPERATIONS_ERROR;
@ -2512,12 +2535,14 @@ static int new_ipapwd_encsalt(krb5_context krbctx, const char * const *encsalts,
enc = strdup(encsalts[i]);
if (!enc) {
slapi_log_error( SLAPI_LOG_PLUGIN, "ipapwd_start", "Allocation error\n");
slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_start",
"Allocation error\n");
return LDAP_OPERATIONS_ERROR;
}
salt = strchr(enc, ':');
if (!salt) {
slapi_log_error( SLAPI_LOG_PLUGIN, "ipapwd_start", "Invalid krb5 enc string\n");
slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_start",
"Invalid krb5 enc string\n");
free(enc);
continue;
}
@ -2526,7 +2551,8 @@ static int new_ipapwd_encsalt(krb5_context krbctx, const char * const *encsalts,
krberr = krb5_string_to_enctype(enc, &tmpenc);
if (krberr) {
slapi_log_error( SLAPI_LOG_PLUGIN, "ipapwd_start", "Invalid krb5 enctype\n");
slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_start",
"Invalid krb5 enctype\n");
free(enc);
continue;
}
@ -2572,19 +2598,22 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn)
config = malloc(sizeof(struct ipapwd_config));
if (!config) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory!\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"Out of memory!\n");
goto free_and_error;
}
kmkey = malloc(sizeof(krb5_keyblock));
if (!kmkey) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory!\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"Out of memory!\n");
goto free_and_error;
}
config->kmkey = kmkey;
ret = krb5_get_default_realm(krbctx, &config->realm);
if (ret) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Failed to get default realm?!\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"Failed to get default realm?!\n");
goto free_and_error;
}
@ -2592,7 +2621,8 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn)
/* get the Realm Container entry */
ret = ipapwd_getEntry(realm_dn, &realm_entry, NULL);
if (ret != LDAP_SUCCESS) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "No realm Entry?\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"No realm Entry?\n");
goto free_and_error;
}
@ -2600,26 +2630,30 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn)
ret = slapi_entry_attr_find(realm_entry, "krbMKey", &a);
if (ret == -1) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "No master key??\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"No master key??\n");
goto free_and_error;
}
/* there should be only one value here */
ret = slapi_attr_first_value(a, &v);
if (ret == -1) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "No master key values??\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"No master key values??\n");
goto free_and_error;
}
bval = slapi_value_get_berval(v);
if (!bval) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Error retrieving master key berval\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"Error retrieving master key berval\n");
goto free_and_error;
}
be = ber_init(bval);
if (!bval) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "ber_init() failed!\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"ber_init() failed!\n");
goto free_and_error;
}
@ -2635,7 +2669,8 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn)
kmkey->length = mkey->bv_len;
kmkey->contents = malloc(mkey->bv_len);
if (!kmkey->contents) {
slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory!\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"Out of memory!\n");
goto free_and_error;
}
memcpy(kmkey->contents, mkey->bv_val, mkey->bv_len);
@ -2651,7 +2686,8 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn)
&config->num_supp_encsalts);
slapi_ch_array_free(encsalts);
} else {
slapi_log_error(SLAPI_LOG_TRACE, "ipapwd_start", "No configured salt types use defaults\n");
slapi_log_error(SLAPI_LOG_TRACE, "ipapwd_start",
"No configured salt types use defaults\n");
ret = new_ipapwd_encsalt(krbctx, ipapwd_def_encsalts,
&config->supp_encsalts,
&config->num_supp_encsalts);
@ -2671,7 +2707,8 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn)
&config->num_pref_encsalts);
slapi_ch_array_free(encsalts);
} else {
slapi_log_error(SLAPI_LOG_TRACE, "ipapwd_start", "No configured salt types use defaults\n");
slapi_log_error(SLAPI_LOG_TRACE, "ipapwd_start",
"No configured salt types use defaults\n");
ret = new_ipapwd_encsalt(krbctx, ipapwd_def_encsalts,
&config->pref_encsalts,
&config->num_pref_encsalts);
@ -2745,14 +2782,16 @@ static int ipapwd_extop(Slapi_PBlock *pb)
krberr = krb5_init_context(&krbctx);
if (krberr) {
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", "krb5_init_context failed\n");
slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start",
"krb5_init_context failed\n");
errMesg = "Fatal Internal Error";
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
ret = ipapwd_getConfig(krbctx, ipa_realm_dn);
if (ret != LDAP_SUCCESS) {
slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", "Error Retrieving Master Key");
slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop",
"Error Retrieving Master Key");
errMesg = "Fatal Internal Error";
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
@ -2760,9 +2799,10 @@ static int ipapwd_extop(Slapi_PBlock *pb)
krb5_free_context(krbctx);
}
/* Before going any further, we'll make sure that the right extended operation plugin
* has been called: i.e., the OID shipped whithin the extended operation request must
* match this very plugin's OIDs: EXOP_PASSWD_OID or KEYTAB_SET_OID. */
/* Before going any further, we'll make sure that the right extended
* operation plugin has been called: i.e., the OID shipped whithin the
* extended operation request must match this very plugin's OIDs:
* EXOP_PASSWD_OID or KEYTAB_SET_OID. */
if (slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid) != 0) {
errMesg = "Could not get OID value from request.\n";
rc = LDAP_OPERATIONS_ERROR;