author | Sumit Bose <sbose@redhat.com> | 2011-09-27 10:06:50 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2011-10-05 17:20:37 +0200 |
commit | 5bc83239640aa111e83720d8f5d4eec911a79451 (patch) | |
tree | f15282717b4e136d3967f4167bc6bf1f400186d6 /daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c | |
parent | 92ee5ee90df9d704a053e808ab0daf01005cb4be (diff) | |
ipa-pwd-extop: allow password change on all connections with SSF>1
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connections,
the global SSF is checked for password changes and enrollments.
https://fedorahosted.org/freeipa/ticket/1877
Diffstat (limited to 'daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c')
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c | 19 |
1 files changed, 6 insertions, 13 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
index 51231231f..78fb359cd 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
@@ -80,22 +80,15 @@ static const char *ipa_realm_dn;
 static int
 ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
 {
- int sasl_ssf, is_ssl;
+ int ssf;
 int rc = LDAP_SUCCESS;
 LOG_TRACE("=> ipaenrollment_secure\n");
- /* Allow enrollment only for SSL/TLS established connections and
- * connections using SASL privacy layers */
- if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
- LOG_TRACE("Could not get SASL SSF from connection\n");
- *errMesg = "Operation requires a secure connection.\n";
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
- if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
- LOG_TRACE("Could not get IS SSL from connection\n");
+ /* Allow enrollment on all connections with a Security Strength
+ * Factor (SSF) higher than 1 */
+ if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+ LOG_TRACE("Could not get SSF from connection\n");
 *errMesg = "Operation requires a secure connection.\n";
 rc = LDAP_OPERATIONS_ERROR;
 goto done;
@@ -108,7 +101,7 @@ ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
 goto done;
 }
- if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+ if (ssf <= 1) {
 *errMesg = "Operation requires a secure connection.\n";
 rc = LDAP_CONFIDENTIALITY_REQUIRED;
 goto done; |
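Review bot: The new gate in ipaenrollement_secure accepts any operation whose SSF is 2 or more, and neither the added comment nor the code says why 1 is the cut-off or which transports now count as secure. Since `SLAPI_OPERATION_SSF` is the overall value rather than a per-mechanism one, an LDAPI connection presumably passes on the strength of the server's configured local SSF, and a TLS or SASL layer with a very small key size passes too; the old check already accepted any SSL session, so this is not a regression, but the decision now depends on server configuration. I would extend the comment to say so, e.g. `/* SSF 1 is integrity-only; require a confidentiality layer. LDAPI is accepted via the server's local SSF. */`, and replace the literal in `if (ssf <= 1)` in the second hunk with a named constant so the enrollment and password-change plugins cannot drift apart. The function body continues outside both hunks.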