author | Sumit Bose <sbose@redhat.com> | 2011-09-27 10:06:50 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2011-10-05 17:20:13 +0200 |
commit | 3fb40170cb70a87515ec9d3466099fa3417a4086 (patch) | |
tree | d5d5313bdbdf96f435716cdd267a5bea4d6e91eb /daemons | |
parent | e9c8581ffcd4a43c4e812037a076967e0d968261 (diff) | |
ipa-pwd-extop: allow password change on all connections with SSF>1
Instead of checking the individual SSFs of the SASL, SSL/TLS and LDAPI layers separately, the operation's global SSF is checked for password changes and enrollments.
https://fedorahosted.org/freeipa/ticket/1877
Diffstat (limited to 'daemons')
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c | 19 | ||||
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c | 19 |
2 files changed, 12 insertions, 26 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
index bc9fd0848..1f5ce9b47 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
@@ -80,22 +80,15 @@ static const char *ipa_realm_dn;
 static int
 ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
 {
-    int sasl_ssf, is_ssl;
+    int ssf;
     int rc = LDAP_SUCCESS;
 
     LOG_TRACE("=> ipaenrollment_secure\n");
 
-    /* Allow enrollment only for SSL/TLS established connections and
-     * connections using SASL privacy layers */
-    if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
-        LOG_TRACE("Could not get SASL SSF from connection\n");
-        *errMesg = "Operation requires a secure connection.\n";
-        rc = LDAP_OPERATIONS_ERROR;
-        goto done;
-    }
-
-    if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
-        LOG_TRACE("Could not get IS SSL from connection\n");
+    /* Allow enrollment on all connections with a Security Strength
+     * Factor (SSF) higher than 1 */
+    if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+        LOG_TRACE("Could not get SSF from connection\n");
         *errMesg = "Operation requires a secure connection.\n";
         rc = LDAP_OPERATIONS_ERROR;
         goto done;
@@ -108,7 +101,7 @@ ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
         goto done;
     }
 
-    if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+    if (ssf <= 1) {
         *errMesg = "Operation requires a secure connection.\n";
         rc = LDAP_CONFIDENTIALITY_REQUIRED;
         goto done;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index c5da14178..9e203be27 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
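Review bot: In the second hunk, `if (ssf <= 1)` only refuses cleartext and integrity-only sessions; an SSF of 2 or more passes, and as far as I recall 389-ds reports the negotiated key strength in this value, so a TLS or SASL layer negotiated with a weak cipher still clears the gate (the removed `is_ssl` test had the same gap for TLS, but this comparison is now the single check for SASL, TLS and LDAPI alike). Unless the deployment relies on the server's own minimum-SSF setting as the floor, consider comparing against a named minimum rather than the literal, e.g. `if (ssf < IPA_ENROLL_MIN_SSF) {` with the constant defined and justified near the top of the file, or at least state in the comment that cipher-strength policy is deliberately left to the DS configuration. The `done:` label and the remainder of ipaenrollement_secure lie outside this hunk.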
@@ -544,7 +544,7 @@ done:
 int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
                       struct ipapwd_krbcfg **config, int check_flags)
 {
-    int ret, sasl_ssf, is_ssl;
+    int ret, ssf;
     int rc = LDAP_SUCCESS;
     Slapi_Backend *be;
     const Slapi_DN *psdn;
@@ -555,23 +555,16 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
 
 #ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE
     if (check_flags & IPAPWD_CHECK_CONN_SECURE) {
-        /* Allow password modify only for SSL/TLS established connections and
-         * connections using SASL privacy layers */
-        if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
-            LOG("Could not get SASL SSF from connection\n");
+        /* Allow password modify on all connections with a Security Strength
+         * Factor (SSF) higher than 1 */
+        if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
+            LOG("Could not get SSF from connection\n");
             *errMesg = "Operation requires a secure connection.\n";
             rc = LDAP_OPERATIONS_ERROR;
             goto done;
         }
 
-        if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) {
-            LOG("Could not get IS SSL from connection\n");
-            *errMesg = "Operation requires a secure connection.\n";
-            rc = LDAP_OPERATIONS_ERROR;
-            goto done;
-        }
-
-        if ((0 == is_ssl) && (sasl_ssf <= 1)) {
+        if (ssf <= 1) {
             *errMesg = "Operation requires a secure connection.\n";
             rc = LDAP_CONFIDENTIALITY_REQUIRED;
             goto done;
|
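Review bot: The replacement comment in the second hunk of this file, `Allow password modify on all connections with a Security Strength Factor (SSF) higher than 1`, restates the condition but not what actually changed: the value now comes from SLAPI_OPERATION_SSF, which the commit message describes as the global SSF covering SASL, SSL/TLS and LDAPI, and for an LDAPI connection that figure is (if I recall the 389-ds local-SSF setting correctly) an administrator-configured number rather than a negotiated one, so this gate is only as strong as that server setting. Suggest replacing the comment with `/* SLAPI_OPERATION_SSF is the server's aggregate of the SASL, TLS and LDAPI security layers for this operation; 1 or less means cleartext or integrity-only and is refused. For LDAPI the figure is configured on the server, not negotiated. */` and using the same wording in ipa_enrollment.c so both gates document the dependency. ipapwd_gen_checks continues past this hunk; its `done:` label and the `#endif` closing the LDAP_EXTOP_PASSMOD_CONN_SECURE block are outside it.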