summaryrefslogtreecommitdiffstats
path: root/daemons
diff options
context:
space:
mode:
authorMartin Kosek <mkosek@redhat.com>2013-03-08 13:01:45 +0100
committerRob Crittenden <rcritten@redhat.com>2013-03-13 14:06:38 -0400
commitdcc6f13a58a66b909bc298fe4b37c5f30fa1be4a (patch)
tree5b727867f9dd185e6620280a140b92c4a254a026 /daemons
parent99b62aa66ffbf7f1ffd566b44ebe41a0f6c1782c (diff)
downloadfreeipa-dcc6f13a58a66b909bc298fe4b37c5f30fa1be4a.tar.gz
freeipa-dcc6f13a58a66b909bc298fe4b37c5f30fa1be4a.tar.xz
freeipa-dcc6f13a58a66b909bc298fe4b37c5f30fa1be4a.zip
Use new 389-ds-base cleartext password API
The way how unhashed password is stored in the entry was changed in 389-ds-base-1.3.0, it is now stored in an entry extension rather than in a magic attribute unhashed#user#password. New API using an entry extension was introduced. ipa-pwd-extop should take advantage of the new API as the old one will be removed in 389-ds-base-1.3.1. https://fedorahosted.org/freeipa/ticket/3439
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c20
1 files changed, 12 insertions, 8 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 3b512a474..0318cecdc 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -211,13 +211,19 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
slapi_ch_free_string(&userpw);
userpw = tmp;
} else if (slapi_is_encoded(userpw)) {
- /* check if we have access to the unhashed user password */
- char *userpw_clear =
- slapi_entry_attr_get_charptr(e, "unhashed#user#password");
+ const char *userpw_clear = NULL;
+ Slapi_Value **pwvals = NULL;
+
+ /* Try to get clear password from an entry extension.
+ * This function does not return a copy of the values,
+ * no need to free them. */
+ rc = slapi_pw_get_entry_ext(e, &pwvals);
+ if (LDAP_SUCCESS == rc) {
+ userpw_clear = slapi_value_get_string(pwvals[0]);
+ }
- /* unhashed#user#password doesn't always contain the clear text
- * password, therefore we need to check if its value isn't the same
- * as userPassword to make sure */
+ /* Fail if we did not get a real clear text password from
+ * the extension. This will happen if the password is hashed. */
if (!userpw_clear || (0 == strcmp(userpw, userpw_clear))) {
rc = LDAP_CONSTRAINT_VIOLATION;
slapi_ch_free_string(&userpw);
@@ -225,8 +231,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
userpw = slapi_ch_strdup(userpw_clear);
}
- slapi_ch_free_string(&userpw_clear);
-
if (rc != LDAP_SUCCESS) {
/* we don't have access to the clear text password;
* let it slide if migration is enabled, but don't