Harmonize policy discovery to kdb driver

The KDB driver does not walk the tree back like the original password plugin. Also we do not store the default policy in the base DN as we used to do in the past anymore. So doing a full subtree search and walking back the tree is just a waste of time. Instead hardcode the default policy like we do in the kdb driver. Fixes: https://fedorahosted.org/freeipa/ticket/4085
author: Simo Sorce <simo@redhat.com> 2014-01-14 10:09:37 -0500
committer: Martin Kosek <mkosek@redhat.com> 2014-01-16 09:00:35 +0100
commit: d0ed25c8cbff54528133f6b78133ee8307b3faff (patch)
tree: 15687e193aa1a14cd252e1d27bf587cd49a017ee /daemons
parent: 7ce3320996e9666581a2b4495b5063b5d99aa937 (diff)
download: freeipa-d0ed25c8cbff54528133f6b78133ee8307b3faff.tar.gz
freeipa-d0ed25c8cbff54528133f6b78133ee8307b3faff.tar.xz
freeipa-d0ed25c8cbff54528133f6b78133ee8307b3faff.zip
1 files changed, 17 insertions, 89 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 2538a4094..ef20c4c61 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -436,75 +436,44 @@ static void pwd_values_free(Slapi_ValueSet** results,
     slapi_vattr_values_free(results, actual_type_name, buffer_flags);
 }
 
-static int ipapwd_rdn_count(const char *dn)
-{
-    int rdnc = 0;
-    LDAPDN ldn;
-    int ret;
-
-    ret = ldap_str2dn(dn, &ldn, LDAP_DN_FORMAT_LDAPV3);
-    if (ret != LDAP_SUCCESS) {
-        LOG_TRACE("ldap_str2dn(dn) failed ?!");
-        return -1;
-    }
-
-    for (rdnc = 0; ldn != NULL && ldn[rdnc]; rdnc++) /* count */ ;
-    ldap_dnfree(ldn);
-
-    return rdnc;
-}
-
 int ipapwd_getPolicy(const char *dn,
                      Slapi_Entry *target,
                      struct ipapwd_policy *policy)
 {
     const char *krbPwdPolicyReference;
-    const char *pdn;
-    const Slapi_DN *psdn;
-    Slapi_Backend *be;
+    char *pdn = NULL;
     Slapi_PBlock *pb = NULL;
     char *attrs[] = { "krbMaxPwdLife", "krbMinPwdLife",
                       "krbPwdMinDiffChars", "krbPwdMinLength",
                       "krbPwdHistoryLength", NULL};
     Slapi_Entry **es = NULL;
     Slapi_Entry *pe = NULL;
-    int ret, res, dist, rdnc, scope, i;
-    Slapi_DN *sdn = NULL;
+    int ret, res, scope, i;
     int buffer_flags=0;
     Slapi_ValueSet* results = NULL;
-    char* actual_type_name = NULL;
+    char *actual_type_name = NULL;
     int tmpint;
 
     LOG_TRACE("Searching policy for [%s]\n", dn);
 
-    sdn = slapi_sdn_new_dn_byref(dn);
-    if (sdn == NULL) {
-        LOG_OOM();
-        ret = -1;
-        goto done;
-    }
-
     pwd_get_values(target, "krbPwdPolicyReference",
                    &results, &actual_type_name, &buffer_flags);
     if (results) {
         Slapi_Value *sv;
         slapi_valueset_first_value(results, &sv);
         krbPwdPolicyReference = slapi_value_get_string(sv);
-        pdn = krbPwdPolicyReference;
-        scope = LDAP_SCOPE_BASE;
-        LOG_TRACE("using policy reference: %s\n", pdn);
+        pdn = slapi_ch_strdup(krbPwdPolicyReference);
     } else {
-        /* Find ancestor base DN */
-        be = slapi_be_select(sdn);
-        psdn = slapi_be_getsuffix(be, 0);
-        if (psdn == NULL) {
-            LOG_FATAL("Invalid DN [%s]\n", dn);
-            ret = -1;
-            goto done;
-        }
-        pdn = slapi_sdn_get_dn(psdn);
-        scope = LDAP_SCOPE_SUBTREE;
+        /* Fallback to hardcoded value */
+        pdn = slapi_ch_smprintf("cn=global_policy,%s", ipa_realm_dn);
+    }
+    if (pdn == NULL) {
+        LOG_OOM();
+        ret = -1;
+        goto done;
     }
+    LOG_TRACE("Using policy at [%s]\n", pdn);
+    scope = LDAP_SCOPE_BASE;
 
     pb = slapi_pblock_new();
     slapi_search_internal_set_pb(pb,
@@ -539,54 +508,13 @@ int ipapwd_getPolicy(const char *dn,
     /* if there is only one, return that */
     if (i == 1) {
         pe = es[0];
-        goto fill;
-    }
-
-    /* count number of RDNs in DN */
-    rdnc = ipapwd_rdn_count(dn);
-    if (rdnc == -1) {
-        LOG_TRACE("ipapwd_rdn_count(dn) failed");
-        ret = -1;
-        goto done;
-    }
-
-    pe = NULL;
-    dist = -1;
-
-    /* find closest entry */
-    for (i = 0; es[i]; i++) {
-        const Slapi_DN *esdn;
-
-        esdn = slapi_entry_get_sdn_const(es[i]);
-        if (esdn == NULL) continue;
-        if (0 == slapi_sdn_compare(esdn, sdn)) {
-            pe = es[i];
-            dist = 0;
-            break;
-        }
-        if (slapi_sdn_issuffix(sdn, esdn)) {
-            const char *dn1;
-            int c1;
-
-            dn1 = slapi_sdn_get_dn(esdn);
-            if (!dn1) continue;
-            c1 = ipapwd_rdn_count(dn1);
-            if (c1 == -1) continue;
-            if ((dist == -1) ||
-                ((rdnc - c1) < dist)) {
-                dist = rdnc - c1;
-                pe = es[i];
-            }
-        }
-        if (dist == 0) break; /* found closest */
-    }
-
-    if (pe == NULL) {
+    } else {
+        LOG_TRACE("Multiple entries from a base search ?!");
         ret = -1;
         goto done;
     }
 
-fill:
+    /* read data out of policy object */
     policy->min_pwd_life = slapi_entry_attr_get_int(pe, "krbMinPwdLife");
 
     tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");
@@ -615,7 +543,7 @@ done:
         slapi_free_search_results_internal(pb);
         slapi_pblock_destroy(pb);
     }
-    if (sdn) slapi_sdn_free(&sdn);
+    slapi_ch_free_string(&pdn);
     return ret;
 }
author	Simo Sorce <simo@redhat.com>	2014-01-14 10:09:37 -0500
committer	Martin Kosek <mkosek@redhat.com>	2014-01-16 09:00:35 +0100
commit	d0ed25c8cbff54528133f6b78133ee8307b3faff (patch)
tree	15687e193aa1a14cd252e1d27bf587cd49a017ee /daemons
parent	7ce3320996e9666581a2b4495b5063b5d99aa937 (diff)
download	freeipa-d0ed25c8cbff54528133f6b78133ee8307b3faff.tar.gz freeipa-d0ed25c8cbff54528133f6b78133ee8307b3faff.tar.xz freeipa-d0ed25c8cbff54528133f6b78133ee8307b3faff.zip