Hi,

currently the change password plugin does not check if the connection is
coming from a local LDAPI socket and denies password change requests via
LDAPI. This patch changes the check to just look at the overall SSF of
the connection which covers all types of connection.

There is a similar check in ipa_enrollment.c, but I think enrollment via
LDAPI does not make much sense, so that check does not need to be changed.

This patch should fix https://fedorahosted.org/freeipa/ticket/1877.

bye,
Sumit
From 8ed807a42982aabe958a4d0cac47d5f4511be11c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 27 Sep 2011 10:06:50 +0200
Subject: [PATCH] ipa-pwd-extop: allow password change on all connections with
 SSF>1

---
 .../ipa-pwd-extop/ipapwd_common.c                  |   19 ++++++-------------
 1 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c 
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index 
c5da141787dbe2f85d766447a329a12932b81538..9e203be2763b13328e2d392c76e8545ba7ab549a
 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -544,7 +544,7 @@ done:
 int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
                       struct ipapwd_krbcfg **config, int check_flags)
 {
-    int ret, sasl_ssf, is_ssl;
+    int ret, ssf;
     int rc = LDAP_SUCCESS;
     Slapi_Backend *be;
     const Slapi_DN *psdn;
@@ -555,23 +555,16 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
 
 #ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE
     if (check_flags & IPAPWD_CHECK_CONN_SECURE) {
-        /* Allow password modify only for SSL/TLS established connections and
-         * connections using SASL privacy layers */
-        if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
-            LOG("Could not get SASL SSF from connection\n");
+       /* Allow password modify on all connections with a Security Strength
+        * Factor (SSF) higher than 1 */
+        if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+            LOG("Could not get SSF from connection\n");
             *errMesg = "Operation requires a secure connection.\n";
             rc = LDAP_OPERATIONS_ERROR;
             goto done;
         }
 
-        if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
-            LOG("Could not get IS SSL from connection\n");
-            *errMesg = "Operation requires a secure connection.\n";
-            rc = LDAP_OPERATIONS_ERROR;
-            goto done;
-        }
-
-        if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+        if (ssf <= 1) {
             *errMesg = "Operation requires a secure connection.\n";
             rc = LDAP_CONFIDENTIALITY_REQUIRED;
             goto done;
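Review bot: The new comment at `Allow password modify on all connections with a Security Strength Factor (SSF) higher than 1` states the threshold but not why 1 is excluded, which is the security-relevant part of the `if (ssf <= 1)` check; I would make it `/* Require a Security Strength Factor above 1: SSF 1 means integrity only (no encryption), so the new password would cross the wire in the clear. */`. The log text `Could not get SSF from connection` now describes an operation-level value (SLAPI_OPERATION_SSF), so `Could not get operation SSF` would be more accurate; presumably that value folds TLS, SASL and LDAPI local SSF together, which is what the description relies on for the LDAPI case, so the server's local-SSF setting is worth confirming before this is treated as a complete fix. As a style point the two comment lines are indented seven spaces while the surrounding code uses eight. ipapwd_gen_checks begins before this hunk and its body continues past it.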
-- 
1.7.6
