diff options
| author | Sumit Bose <sbose@redhat.com> | 2011-09-27 10:06:50 +0200 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2011-10-05 17:20:13 +0200 |
| commit | 3fb40170cb70a87515ec9d3466099fa3417a4086 (patch) | |
| tree | d5d5313bdbdf96f435716cdd267a5bea4d6e91eb /daemons/ipa-slapi-plugins/ipa-pwd-extop | |
| parent | e9c8581ffcd4a43c4e812037a076967e0d968261 (diff) | |
| download | freeipa-3fb40170cb70a87515ec9d3466099fa3417a4086.tar.gz freeipa-3fb40170cb70a87515ec9d3466099fa3417a4086.tar.xz freeipa-3fb40170cb70a87515ec9d3466099fa3417a4086.zip | |
ipa-pwd-extop: allow password change on all connections with SSF>1
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection
the global SSF is checked for password changes and enrollments.
https://fedorahosted.org/freeipa/ticket/1877
Diffstat (limited to 'daemons/ipa-slapi-plugins/ipa-pwd-extop')
| -rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c | 19 |
1 files changed, 6 insertions, 13 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c index c5da14178..9e203be27 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c @@ -544,7 +544,7 @@ done: int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg, struct ipapwd_krbcfg **config, int check_flags) { - int ret, sasl_ssf, is_ssl; + int ret, ssf; int rc = LDAP_SUCCESS; Slapi_Backend *be; const Slapi_DN *psdn; @@ -555,23 +555,16 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg, #ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE if (check_flags & IPAPWD_CHECK_CONN_SECURE) { - /* Allow password modify only for SSL/TLS established connections and - * connections using SASL privacy layers */ - if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) { - LOG("Could not get SASL SSF from connection\n"); + /* Allow password modify on all connections with a Security Strength + * Factor (SSF) higher than 1 */ + if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) { + LOG("Could not get SSF from connection\n"); *errMesg = "Operation requires a secure connection.\n"; rc = LDAP_OPERATIONS_ERROR; goto done; } - if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) { - LOG("Could not get IS SSL from connection\n"); - *errMesg = "Operation requires a secure connection.\n"; - rc = LDAP_OPERATIONS_ERROR; - goto done; - } - - if ((0 == is_ssl) && (sasl_ssf <= 1)) { + if (ssf <= 1) { *errMesg = "Operation requires a secure connection.\n"; rc = LDAP_CONFIDENTIALITY_REQUIRED; goto done; |