summaryrefslogtreecommitdiffstats
path: root/daemons
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2011-09-27 10:06:50 +0200
committerMartin Kosek <mkosek@redhat.com>2011-10-05 17:20:13 +0200
commit3fb40170cb70a87515ec9d3466099fa3417a4086 (patch)
treed5d5313bdbdf96f435716cdd267a5bea4d6e91eb /daemons
parente9c8581ffcd4a43c4e812037a076967e0d968261 (diff)
downloadfreeipa-3fb40170cb70a87515ec9d3466099fa3417a4086.tar.gz
freeipa-3fb40170cb70a87515ec9d3466099fa3417a4086.tar.xz
freeipa-3fb40170cb70a87515ec9d3466099fa3417a4086.zip
ipa-pwd-extop: allow password change on all connections with SSF>1
Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection the global SSF is checked for password changes and enrollments. https://fedorahosted.org/freeipa/ticket/1877
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c19
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c19
2 files changed, 12 insertions, 26 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
index bc9fd0848..1f5ce9b47 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
@@ -80,22 +80,15 @@ static const char *ipa_realm_dn;
static int
ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
{
- int sasl_ssf, is_ssl;
+ int ssf;
int rc = LDAP_SUCCESS;
LOG_TRACE("=> ipaenrollment_secure\n");
- /* Allow enrollment only for SSL/TLS established connections and
- * connections using SASL privacy layers */
- if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
- LOG_TRACE("Could not get SASL SSF from connection\n");
- *errMesg = "Operation requires a secure connection.\n";
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
- if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
- LOG_TRACE("Could not get IS SSL from connection\n");
+ /* Allow enrollment on all connections with a Security Strength
+ * Factor (SSF) higher than 1 */
+ if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+ LOG_TRACE("Could not get SSF from connection\n");
*errMesg = "Operation requires a secure connection.\n";
rc = LDAP_OPERATIONS_ERROR;
goto done;
@@ -108,7 +101,7 @@ ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
goto done;
}
- if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+ if (ssf <= 1) {
*errMesg = "Operation requires a secure connection.\n";
rc = LDAP_CONFIDENTIALITY_REQUIRED;
goto done;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index c5da14178..9e203be27 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -544,7 +544,7 @@ done:
int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
struct ipapwd_krbcfg **config, int check_flags)
{
- int ret, sasl_ssf, is_ssl;
+ int ret, ssf;
int rc = LDAP_SUCCESS;
Slapi_Backend *be;
const Slapi_DN *psdn;
@@ -555,23 +555,16 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
#ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE
if (check_flags & IPAPWD_CHECK_CONN_SECURE) {
- /* Allow password modify only for SSL/TLS established connections and
- * connections using SASL privacy layers */
- if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
- LOG("Could not get SASL SSF from connection\n");
+ /* Allow password modify on all connections with a Security Strength
+ * Factor (SSF) higher than 1 */
+ if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+ LOG("Could not get SSF from connection\n");
*errMesg = "Operation requires a secure connection.\n";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
- if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
- LOG("Could not get IS SSL from connection\n");
- *errMesg = "Operation requires a secure connection.\n";
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
- if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+ if (ssf <= 1) {
*errMesg = "Operation requires a secure connection.\n";
rc = LDAP_CONFIDENTIALITY_REQUIRED;
goto done;