author | Simo Sorce <ssorce@redhat.com> | 2008-02-21 09:36:35 -0500 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2008-02-21 09:36:35 -0500 |
commit | f87db10a0735778e5b0ea89ed121a8f12b23e833 (patch) | |
tree | 909bb01bc07238ae65d78f32a880da569bcb1514 /ipa-server/ipa-slapi-plugins | |
parent | 0996e55573fbada34ba78ef844daf20e397518e1 (diff) | |
Purely indentation, trailing spaces, cosmetic fixes
Diffstat (limited to 'ipa-server/ipa-slapi-plugins')
-rw-r--r-- | ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 306 |
1 files changed, 173 insertions, 133 deletions
diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 113f0dd5c..10bf26f3d 100644
--- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -2,15 +2,15 @@
 * This Program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free Software
 * Foundation; version 2 of the License.
- *
+ *
 * This Program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- *
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details
+ *
 * You should have received a copy of the GNU General Public License along with
 * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
 * Place, Suite 330, Boston, MA 02111-1307 USA.
- *
+ *
 * In addition, as a special exception, Red Hat, Inc. gives You the additional
 * right to link the code of this Program with code not covered under the GNU
 * General Public License ("Non-GPL Code") and to distribute linked combinations
@@ -22,15 +22,15 @@ * the Approved Interfaces without causing the resulting work to be covered by * the GNU General Public License. Only Red Hat, Inc. may make changes or * additions to the list of Approved Interfaces. You must obey the GNU General - * Public License in all respects for all of the Program code and other code used - * in conjunction with the Program except the Non-GPL Code covered by this + * Public License in all respects for all of the Program code and other code + * used in conjunction with the Program except the Non-GPL Code covered by this * exception. If you modify this file, you may extend this exception to your - * version of the file, but you are not obligated to do so. If you do not wish to - * provide this exception without modification, you must delete this exception - * statement from your version and license this file solely under the GPL without - * exception. + * version of the file, but you are not obligated to do so. If you do not wish + * to provide this exception without modification, you must delete this + * exception statement from your version and license this file solely under the + * GPL without exception. * - * Authors: + * Authors: * Simo Sorce <ssorce@redhat.com> * * Copyright (C) 2005 Red Hat, Inc. @@ -46,7 +46,7 @@ * RFC 3062 * * - * This plugin implements the "Password Modify - LDAP3" + * This plugin implements the "Password Modify - LDAP3" * extended operation for LDAP. The plugin function is called by * the server if an LDAP client request contains the OID: * "1.3.6.1.4.1.4203.1.11.1". @@ -73,7 +73,8 @@ /* Type of connection for this operation;*/ #define LDAP_EXTOP_PASSMOD_CONN_SECURE -/* Uncomment the following line FOR TESTING: allows non-SSL connections to use the password change extended op */ +/* Uncomment the following #undef FOR TESTING: + * allows non-SSL connections to use the password change extended op */ /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */ /* ber tags for the PasswdModifyRequestValue sequence */ 
@@ -133,7 +134,7 @@ static const char *ipapwd_def_encsalts[] = { struct ipapwd_encsalt { krb5_int32 enc_type; - krb5_int32 salt_type; + krb5_int32 salt_type; }; struct ipapwd_config { @@ -228,7 +229,10 @@ static int filter_keys(struct ipapwd_keyset *kset) for (i = 0; i < kset->num_keys; i++) { for (j = 0; j < config->num_supp_encsalts; j++) { - if (kset->keys[i].ekey->type == config->supp_encsalts[j].enc_type) break; + if (kset->keys[i].ekey->type == + config->supp_encsalts[j].enc_type) { + break; + } } if (j == config->num_supp_encsalts) { /* not valid */ @@ -257,7 +261,7 @@ static int filter_keys(struct ipapwd_keyset *kset) } /* new key has been moved to this position, make sure - * we do not skip it, by neutralizing next i increment */ + * we do not skip it, by neutralizing next increment */ i--; } } @@ -340,7 +344,7 @@ static struct berval *encode_keys(struct ipapwd_keyset *kset) (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1), kset->keys[i].salt->value.bv_val, kset->keys[i].salt->value.bv_len); - } + } if (ret != -1) { ret = ber_printf(be, "}]"); } @@ -547,7 +551,7 @@ static Slapi_Value **encrypt_encode_key(krb5_context krbctx, struct ipapwd_data slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "Invalid principal name, no realm found!\n"); goto enc_error; - } + } p++; salt.data = strdup(p); if (!salt.data) { @@ -607,7 +611,7 @@ static Slapi_Value **encrypt_encode_key(krb5_context krbctx, struct ipapwd_data slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "Invalid principal name, no realm found!\n"); goto enc_error; - } + } p++; salt.data = strdup(p); if (!salt.data) { @@ -682,7 +686,7 @@ static Slapi_Value **encrypt_encode_key(krb5_context krbctx, struct ipapwd_data free(ptr); goto enc_error; } - + kset->keys[i].salt->type = config->pref_encsalts[i].salt_type; if (salt.length) { 
@@ -708,7 +712,7 @@ static Slapi_Value **encrypt_encode_key(krb5_context krbctx, struct ipapwd_data goto enc_error; } memcpy(kset->keys[i].ekey->value.bv_val, ptr, len+2); - + /* make sure we free the memory used now that we are done with it */ krb5int_c_free_keyblock_contents(krbctx, &key); free(ptr); @@ -837,7 +841,7 @@ static int encode_ntlm_keys(char *newPasswd, unsigned int flags, struct ntlm_key if (strlen(asciiPasswd) > 14) { asciiPasswd[14] = '\0'; } - + /* first half */ lm_shuffle(deskey, (uint8_t *)asciiPasswd); @@ -900,7 +904,7 @@ static int encode_ntlm_keys(char *newPasswd, unsigned int flags, struct ntlm_key if (sl > 28) { sl = 28; } - + ret = MD4_Init(&md4ctx); if (ret == 0) { ret = -1; @@ -975,7 +979,7 @@ static int ipapwd_getPolicy(const char *dn, Slapi_Entry *target, Slapi_Entry **e NULL, /* Controls */ NULL, /* UniqueID */ ipapwd_plugin_id, - 0); /* Flags */ + 0); /* Flags */ /* do search the tree */ ret = slapi_search_internal_pb(pb); @@ -1161,7 +1165,7 @@ static Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods, struct ipapwd_ /* add new history value */ pH[pc] = slapi_value_new_string(histr); - + free(histr); return pH; @@ -1211,7 +1215,7 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data) memset(&tm, 0, sizeof(struct tm)); ret = sscanf(krbPrincipalExpiration, "%04u%02u%02u%02u%02u%02u", - &tm.tm_year, &tm.tm_mon, &tm.tm_mday, + &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec); if (ret == 6) { @@ -1247,7 +1251,7 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data) memset(&tm, 0, sizeof(struct tm)); ret = sscanf(krbLastPwdChange, "%04u%02u%02u%02u%02u%02u", - &tm.tm_year, &tm.tm_mon, &tm.tm_mday, + &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec); if (ret == 6) { 
@@ -1257,7 +1261,8 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data) } /* FIXME: *else* report an error ? */ } else { - slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "Warning: Last Password Change Time is not available"); + slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", + "Warning: Last Password Change Time is not available"); } /* find the entry with the password policy */ @@ -1274,8 +1279,8 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data) /* check for reset cases */ if (strcmp(krbPasswordExpiration, krbLastPwdChange) == 0) { - /* Expiration and last change time are the same - * this happens only when a password is reset by an admin + /* Expiration and last change time are the same this + * happens only when a password is reset by an admin * or no expiration policy is set, PASS */ slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "ipapwd_checkPolicy: Ignore krbMinPwdLife Expiration and Last change dates match\n"); @@ -1283,7 +1288,7 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data) } else if (data->timeNow < data->lastPwChange + krbMinPwdLife) { slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "ipapwd_checkPolicy: Too soon to change password\n"); - slapi_entry_free(policy); + slapi_entry_free(policy); return IPAPWD_POLICY_ERROR | LDAP_PWPOLICY_PWDTOOYOUNG; } } @@ -1385,7 +1390,7 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data) if (num_categories < krbPwdMinDiffChars) { slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "ipapwd_checkPassword: Password not complex enough\n"); - slapi_entry_free(policy); + slapi_entry_free(policy); return IPAPWD_POLICY_ERROR | LDAP_PWPOLICY_INVALIDPWDSYNTAX; } } @@ -1407,7 +1412,7 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data) if (!pH) { slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", "ipapwd_checkPassword: Out of Memory\n"); - slapi_entry_free(policy); + slapi_entry_free(policy); return LDAP_OPERATIONS_ERROR; } 
@@ -1439,7 +1444,7 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data) if (ret == 0) { slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "ipapwd_checkPassword: Password in history\n"); - slapi_entry_free(policy); + slapi_entry_free(policy); return IPAPWD_POLICY_ERROR | LDAP_PWPOLICY_PWDINHISTORY; } } @@ -1454,7 +1459,7 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data) /* Retrieve History Len */ data->pwHistoryLen = slapi_entry_attr_get_int(policy, "krbPwdHistoryLength"); - slapi_entry_free(policy); + slapi_entry_free(policy); no_policy: @@ -1475,7 +1480,7 @@ no_policy: } -/* Searches the dn in directory, +/* Searches the dn in directory, * If found : fills in slapi_entry structure and returns 0 * If NOT found : returns the search result as LDAP_NO_SUCH_OBJECT */ @@ -1501,10 +1506,10 @@ static int ipapwd_getEntry(const char *dn, Slapi_Entry **e2, char **attrlist) } -/* Construct Mods pblock and perform the modify operation - * Sets result of operation in SLAPI_PLUGIN_INTOP_RESULT +/* Construct Mods pblock and perform the modify operation + * Sets result of operation in SLAPI_PLUGIN_INTOP_RESULT */ -static int ipapwd_apply_mods(const char *dn, Slapi_Mods *mods) +static int ipapwd_apply_mods(const char *dn, Slapi_Mods *mods) { Slapi_PBlock *pb; int ret; @@ -1513,15 +1518,15 @@ static int ipapwd_apply_mods(const char *dn, Slapi_Mods *mods) if (!mods || (slapi_mods_get_num_mods(mods) == 0)) { return -1; - } + } pb = slapi_pblock_new(); - slapi_modify_internal_set_pb (pb, dn, + slapi_modify_internal_set_pb (pb, dn, slapi_mods_get_ldapmods_byref(mods), NULL, /* Controls */ NULL, /* UniqueID */ ipapwd_plugin_id, /* PluginID */ - 0); /* Flags */ + 0); /* Flags */ ret = slapi_modify_internal_pb (pb); if (ret) { 
@@ -1577,7 +1582,7 @@ static int ipapwd_SetPassword(struct ipapwd_data *data) int ntlm_flags = 0; Slapi_Value *sambaSamAccount; char *userpwd; - + krberr = krb5_init_context(&krbctx); if (krberr) { slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "krb5_init_context failed\n"); @@ -1669,21 +1674,21 @@ static int ipapwd_SetPassword(struct ipapwd_data *data) /* commit changes */ ret = ipapwd_apply_mods(data->dn, smods); - + slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "<= ipapwd_SetPassword: %d\n", ret); free_and_return: slapi_mods_free(&smods); if (svals) { - for (i = 0; svals[i]; i++) { + for (i = 0; svals[i]; i++) { slapi_value_free(&svals[i]); } free(svals); } if (pwvals) { - for (i = 0; pwvals[i]; i++) { + for (i = 0; pwvals[i]; i++) { slapi_value_free(&pwvals[i]); } free(pwvals); @@ -1715,7 +1720,7 @@ static int ipapwd_chpwop(Slapi_PBlock *pb) /* Get the ber value of the extended operation */ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); - + if ((ber = ber_init(extop_value)) == NULL) { errMesg = "PasswdModify Request decode failed.\n"; 
@@ -1752,48 +1757,53 @@ static int ipapwd_chpwop(Slapi_PBlock *pb) { if (ber_scanf(ber, "a", &dn) == LBER_ERROR) { slapi_ch_free_string(&dn); - slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed :{\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", + "ber_scanf failed\n"); errMesg = "ber_scanf failed at userID parse.\n"; rc = LDAP_PROTOCOL_ERROR; goto free_and_return; } - + tag = ber_peek_tag(ber, &len); - } - + } + /* identify oldPasswd field by tags */ if (tag == LDAP_EXTOP_PASSMOD_TAG_OLDPWD ) { if (ber_scanf(ber, "a", &oldPasswd) == LBER_ERROR) { - slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed :{\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", + "ber_scanf failed\n"); errMesg = "ber_scanf failed at oldPasswd parse.\n"; rc = LDAP_PROTOCOL_ERROR; goto free_and_return; } tag = ber_peek_tag(ber, &len); } - + /* identify newPasswd field by tags */ if (tag == LDAP_EXTOP_PASSMOD_TAG_NEWPWD ) { if (ber_scanf(ber, "a", &newPasswd) == LBER_ERROR) { - slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed :{\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", + "ber_scanf failed\n"); errMesg = "ber_scanf failed at newPasswd parse.\n"; rc = LDAP_PROTOCOL_ERROR; goto free_and_return; } } -parse_req_done: - /* Uncomment for debugging, otherwise we don't want to leak the password values into the log... */ - /* LDAPDebug( LDAP_DEBUG_ARGS, "passwd: dn (%s), oldPasswd (%s) ,newPasswd (%s)\n", - dn, oldPasswd, newPasswd); */ +parse_req_done: + /* Uncomment for debugging, otherwise we don't want to leak the + * password values into the log... */ + /* LDAPDebug( LDAP_DEBUG_ARGS, "passwd: dn (%s), oldPasswd (%s), + * newPasswd (%s)\n", dn, oldPasswd, newPasswd); */ + - /* Get Bind DN */ slapi_pblock_get(pb, SLAPI_CONN_DN, &bindDN); - /* If the connection is bound anonymously, we must refuse to process this operation. */ + /* If the connection is bound anonymously, we must refuse + * to process this operation. 
*/ if (bindDN == NULL || *bindDN == '\0') { /* Refuse the operation because they're bound anonymously */ errMesg = "Anonymous Binds are not allowed.\n"; @@ -1809,7 +1819,7 @@ parse_req_done: rc = LDAP_UNWILLING_TO_PERFORM; goto free_and_return; } - + if (oldPasswd == NULL || *oldPasswd == '\0') { /* If user is authenticated, they already gave their password during the bind operation (or used sasl or client cert auth or OS creds) */ @@ -1820,7 +1830,7 @@ parse_req_done: goto free_and_return; } } - + /* Determine the target DN for this operation */ /* Did they give us a DN ? */ if (dn == NULL || *dn == '\0') { @@ -1829,8 +1839,8 @@ parse_req_done: slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "Missing userIdentity in request, using the bind DN instead.\n"); } - - slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn ); + + slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn ); /* Now we have the DN, look for the entry */ ret = ipapwd_getEntry(dn, &targetEntry, attrlist); 
@@ -1841,19 +1851,19 @@ parse_req_done: rc = LDAP_NO_SUCH_OBJECT; goto free_and_return; } - + /* First thing to do is to ask access control if the bound identity has - rights to modify the userpassword attribute on this entry. If not, then - we fail immediately with insufficient access. This means that we don't - leak any useful information to the client such as current password - wrong, etc. + * rights to modify the userpassword attribute on this entry. If not, + * then we fail immediately with insufficient access. This means that + * we don't leak any useful information to the client such as current + * password wrong, etc. */ is_root = slapi_dn_isroot(bindDN); slapi_pblock_set(pb, SLAPI_REQUESTOR_ISROOT, &is_root); - /* In order to perform the access control check , we need to select a backend (even though - * we don't actually need it otherwise). + /* In order to perform the access control check, we need to select a + * backend (even though we don't actually need it otherwise). */ { Slapi_Backend *be = NULL; 
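Review bot: The rewrapped comment still says the access-control check is about the userpassword attribute, while the `slapi_access_allowed( pb, targetEntry, "krbPrincipalKey", NULL, SLAPI_ACL_WRITE )` call that follows (visible in the next hunk) checks write access to `krbPrincipalKey`, so the comment misdescribes the control that gates the operation. Suggest opening it with `/* First ask access control whether the bound identity may write krbPrincipalKey on this entry.` and keeping the rest of the rationale about failing early without leaking information. The same comment text is duplicated in the ipapwd_setkeytab hunk at -2149. ipapwd_chpwop begins and ends outside this hunk.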
@@ -1867,21 +1877,23 @@ parse_req_done: slapi_pblock_set(pb, SLAPI_BACKEND, be); } - ret = slapi_access_allowed ( pb, targetEntry, "krbPrincipalKey", NULL, SLAPI_ACL_WRITE ); + ret = slapi_access_allowed( pb, targetEntry, "krbPrincipalKey", NULL, SLAPI_ACL_WRITE ); if ( ret != LDAP_SUCCESS ) { errMesg = "Insufficient access rights\n"; rc = LDAP_INSUFFICIENT_ACCESS; - goto free_and_return; + goto free_and_return; } - + /* Now we have the entry which we want to modify * They gave us a password (old), check it against the target entry * Is the old password valid ? */ if (oldPasswd && *oldPasswd) { - /* If user is authenticated, they already gave their password during - the bind operation (or used sasl or client cert auth or OS creds) */ - slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "oldPasswd provided, but we will ignore it"); + /* If user is authenticated, they already gave their password + * during the bind operation (or used sasl or client cert auth + * or OS creds) */ + slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", + "oldPasswd provided, but we will ignore it"); } memset(&pwdata, 0, sizeof(pwdata)); @@ -1896,7 +1908,7 @@ parse_req_done: char **bindexp; pwdata.changetype = IPA_CHANGETYPE_ADMIN; - + bindexp = ldap_explode_dn(bindDN, 0); if (bindexp) { /* special case kpasswd and Directory Manager */ @@ -1929,7 +1941,8 @@ parse_req_done: /* Now we're ready to set the kerberos key material */ ret = ipapwd_SetPassword(&pwdata); if (ret != LDAP_SUCCESS) { - /* Failed to modify the password, e.g. because insufficient access allowed */ + /* Failed to modify the password, + * e.g. because insufficient access allowed */ errMesg = "Failed to update password"; if (ret > 0) { rc = ret; @@ -1940,7 +1953,7 @@ parse_req_done: } slapi_log_error(SLAPI_LOG_TRACE, "ipa_pwd_extop", "<= ipapwd_extop: %d\n", rc); - + /* Free anything that we allocated above */ free_and_return: slapi_ch_free_string(&oldPasswd); 
@@ -1955,7 +1968,7 @@ free_and_return: if (targetEntry) slapi_entry_free(targetEntry); if (ber) ber_free(ber, 1); - + slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", errMesg ? errMesg : "success"); slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL); @@ -2004,14 +2017,16 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) svals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *)); if (!svals) { - slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "memory allocation failed\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", + "memory allocation failed\n"); rc = LDAP_OPERATIONS_ERROR; goto free_and_return; } krberr = krb5_init_context(&krbctx); if (krberr) { - slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "krb5_init_context failed\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", + "krb5_init_context failed\n"); rc = LDAP_OPERATIONS_ERROR; goto free_and_return; } @@ -2019,7 +2034,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) /* Get Bind DN */ slapi_pblock_get(pb, SLAPI_CONN_DN, &bindDN); - /* If the connection is bound anonymously, we must refuse to process this operation. */ + /* If the connection is bound anonymously, we must refuse to process + * this operation. */ if (bindDN == NULL || *bindDN == '\0') { /* Refuse the operation because they're bound anonymously */ errMesg = "Anonymous Binds are not allowed.\n"; @@ -2029,7 +2045,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) /* Get the ber value of the extended operation */ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); - + if ((ber = ber_init(extop_value)) == NULL) { errMesg = "KeytabGet Request decode failed.\n"; 
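Review bot: In `slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", errMesg ? errMesg : "success");` the message occupies the format-string position of a printf-style logger. Every errMesg assignment visible in these hunks is a string literal, so nothing is wrong today, but the pattern becomes a format-string defect as soon as a message carries request-derived text; `slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", "%s", errMesg ? errMesg : "success");` removes the hazard at no cost. The ipapwd_extop hunk at -2760 has the same shape in `slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", errMesg);`. The enclosing function continues outside this hunk.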
@@ -2066,7 +2082,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) /* ber parse code */ rtag = ber_scanf(ber, "{a{", &serviceName); if (rtag == LBER_ERROR) { - slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "ber_scanf failed\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", + "ber_scanf failed\n"); errMesg = "Invalid payload, failed to decode.\n"; rc = LDAP_PROTOCOL_ERROR; goto free_and_return; @@ -2076,16 +2093,19 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) krberr = krb5_parse_name(krbctx, serviceName, &krbname); if (krberr) { slapi_ch_free_string(&serviceName); - slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "krb5_parse_name failed\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", + "krb5_parse_name failed\n"); rc = LDAP_OPERATIONS_ERROR; goto free_and_return; } else { - /* invert so that we get the canonical form (add REALM if not present for example) */ + /* invert so that we get the canonical form + * (add REALM if not present for example) */ char *canonname; krberr = krb5_unparse_name(krbctx, krbname, &canonname); if (krberr) { slapi_ch_free_string(&serviceName); - slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "krb5_unparse_name failed\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", + "krb5_unparse_name failed\n"); rc = LDAP_OPERATIONS_ERROR; goto free_and_return; } @@ -2112,7 +2132,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) NULL, /* Controls */ NULL, /* UniqueID */ ipapwd_plugin_id, - 0); /* Flags */ + 0); /* Flags */ /* do search the tree */ ret = slapi_search_internal_pb(pbte); 
@@ -2149,16 +2169,17 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) targetEntry = es[0]; /* First thing to do is to ask access control if the bound identity has - rights to modify the userpassword attribute on this entry. If not, then - we fail immediately with insufficient access. This means that we don't - leak any useful information to the client such as current password - wrong, etc. + * rights to modify the userpassword attribute on this entry. If not, + * then we fail immediately with insufficient access. This means that + * we don't leak any useful information to the client such as current + * password wrong, etc. */ is_root = slapi_dn_isroot(bindDN); slapi_pblock_set(pb, SLAPI_REQUESTOR_ISROOT, &is_root); - /* In order to perform the access control check , we need to select a backend (even though + /* In order to perform the access control check, + * we need to select a backend (even though * we don't actually need it otherwise). */ slapi_pblock_set(pb, SLAPI_BACKEND, be); @@ -2171,7 +2192,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) if (ret != LDAP_SUCCESS) { errMesg = "Insufficient access rights\n"; rc = LDAP_INSUFFICIENT_ACCESS; - goto free_and_return; + goto free_and_return; } /* increment kvno (will be 1 if this is a new entry) */ @@ -2185,7 +2206,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) kset = malloc(sizeof(struct ipapwd_keyset)); if (!kset) { slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "malloc failed!\n"); - goto free_and_return; + goto free_and_return; } /* this encoding assumes all keys have the same kvno */ @@ -2300,7 +2321,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "malloc failed!\n"); goto free_and_return; } - + kset->keys[i].salt->type = tint; rtag = ber_peek_tag(ber, &tlen); @@ -2315,7 +2336,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) } kset->keys[i].salt->value = tval; - + rtag = ber_peek_tag(ber, &tlen); } } 
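Review bot: In the hunk at -2185, the `if (!kset) { ... goto free_and_return; }` path logs "malloc failed!" and jumps to cleanup without assigning `rc`, unlike the calloc failure earlier in ipapwd_setkeytab (hunk -2004), which sets `rc = LDAP_OPERATIONS_ERROR;` before the goto. Whether rc already holds an error code at that point is not visible here; if it is still LDAP_SUCCESS the client would be told the keytab operation succeeded after an allocation failure. Add `rc = LDAP_OPERATIONS_ERROR;` before the goto; the second "malloc failed!" path at -2300 and the gmtime_r failure at -2360 (next line) have the same shape. ipapwd_setkeytab's body lies mostly outside these hunks.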
@@ -2360,7 +2381,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) /* change Last Password Change field with the current date */ if (!gmtime_r(&(time_now), &utctime)) { - slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "failed to retrieve current date (buggy gmtime_r ?)\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", + "failed to retrieve current date (buggy gmtime_r ?)\n"); slapi_mods_free(&smods); goto free_and_return; } @@ -2370,7 +2392,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) /* FIXME: set Password Expiration date ? */ #if 0 if (!gmtime_r(&(data->expireTime), &utctime)) { - slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", "failed to convert expiration date\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipa_pwd_extop", + "failed to convert expiration date\n"); slapi_ch_free_string(&randPasswd); slapi_mods_free(&smods); rc = LDAP_OPERATIONS_ERROR; @@ -2456,7 +2479,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb) new_ctrl.ldctl_oid = KEYTAB_RET_OID; new_ctrl.ldctl_value = *bvp; - new_ctrl.ldctl_iscritical = 0; + new_ctrl.ldctl_iscritical = 0; rc= slapi_pblock_set(pb, SLAPI_ADD_RESCONTROL, &new_ctrl); ber_bvfree(bvp); } @@ -2474,7 +2497,7 @@ free_and_return: slapi_pblock_destroy(pbte); } if (svals) { - for (i = 0; svals[i]; i++) { + for (i = 0; svals[i]; i++) { slapi_value_free(&svals[i]); } free(svals); @@ -2512,12 +2535,14 @@ static int new_ipapwd_encsalt(krb5_context krbctx, const char * const *encsalts, enc = strdup(encsalts[i]); if (!enc) { - slapi_log_error( SLAPI_LOG_PLUGIN, "ipapwd_start", "Allocation error\n"); + slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_start", + "Allocation error\n"); return LDAP_OPERATIONS_ERROR; } salt = strchr(enc, ':'); if (!salt) { - slapi_log_error( SLAPI_LOG_PLUGIN, "ipapwd_start", "Invalid krb5 enc string\n"); + slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_start", + "Invalid krb5 enc string\n"); free(enc); continue; } 
@@ -2526,7 +2551,8 @@ static int new_ipapwd_encsalt(krb5_context krbctx, const char * const *encsalts, krberr = krb5_string_to_enctype(enc, &tmpenc); if (krberr) { - slapi_log_error( SLAPI_LOG_PLUGIN, "ipapwd_start", "Invalid krb5 enctype\n"); + slapi_log_error(SLAPI_LOG_PLUGIN, "ipapwd_start", + "Invalid krb5 enctype\n"); free(enc); continue; } @@ -2572,19 +2598,22 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn) config = malloc(sizeof(struct ipapwd_config)); if (!config) { - slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory!\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", + "Out of memory!\n"); goto free_and_error; } kmkey = malloc(sizeof(krb5_keyblock)); if (!kmkey) { - slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory!\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", + "Out of memory!\n"); goto free_and_error; } config->kmkey = kmkey; ret = krb5_get_default_realm(krbctx, &config->realm); if (ret) { - slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Failed to get default realm?!\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", + "Failed to get default realm?!\n"); goto free_and_error; } @@ -2592,7 +2621,8 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn) /* get the Realm Container entry */ ret = ipapwd_getEntry(realm_dn, &realm_entry, NULL); if (ret != LDAP_SUCCESS) { - slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "No realm Entry?\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", + "No realm Entry?\n"); goto free_and_error; } 
@@ -2600,26 +2630,30 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn) ret = slapi_entry_attr_find(realm_entry, "krbMKey", &a); if (ret == -1) { - slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "No master key??\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", + "No master key??\n"); goto free_and_error; } /* there should be only one value here */ ret = slapi_attr_first_value(a, &v); if (ret == -1) { - slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "No master key values??\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", + "No master key values??\n"); goto free_and_error; } bval = slapi_value_get_berval(v); if (!bval) { - slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Error retrieving master key berval\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", + "Error retrieving master key berval\n"); goto free_and_error; } be = ber_init(bval); if (!bval) { - slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "ber_init() failed!\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", + "ber_init() failed!\n"); goto free_and_error; } @@ -2635,15 +2669,16 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn) kmkey->length = mkey->bv_len; kmkey->contents = malloc(mkey->bv_len); if (!kmkey->contents) { - slapi_log_error( SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory!\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", + "Out of memory!\n"); goto free_and_error; - } + } memcpy(kmkey->contents, mkey->bv_val, mkey->bv_len); ber_bvfree(mkey); ber_free(be, 1); /*** get the Supported Enc/Salt types ***/ - + encsalts = slapi_entry_attr_get_charray(realm_entry, "krbSupportedEncSaltTypes"); if (encsalts) { ret = new_ipapwd_encsalt(krbctx, (const char * const *)encsalts, 
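Review bot: The check following `be = ber_init(bval);` tests `bval`, which the preceding `if (!bval)` has already proven non-NULL, so a failed `ber_init()` is never detected and the master-key decoding that follows runs on a NULL BerElement; it should read `if (!be) {`. With that fix the "ber_init() failed!" log line becomes reachable for the first time, which is the behaviour the message was written for. The `ber_free(be, 1)` on the success path in the -2635 hunk suggests the `free_and_error` path should also release `be` when it is non-NULL, but that label is outside the hunk so this is unverified. ipapwd_getConfig starts and ends outside these hunks.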
@@ -2651,7 +2686,8 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn) &config->num_supp_encsalts); slapi_ch_array_free(encsalts); } else { - slapi_log_error(SLAPI_LOG_TRACE, "ipapwd_start", "No configured salt types use defaults\n"); + slapi_log_error(SLAPI_LOG_TRACE, "ipapwd_start", + "No configured salt types use defaults\n"); ret = new_ipapwd_encsalt(krbctx, ipapwd_def_encsalts, &config->supp_encsalts, &config->num_supp_encsalts); @@ -2663,7 +2699,7 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn) } /*** get the Preferred Enc/Salt types ***/ - + encsalts = slapi_entry_attr_get_charray(realm_entry, "krbDefaultEncSaltTypes"); if (encsalts) { ret = new_ipapwd_encsalt(krbctx, (const char * const *)encsalts, @@ -2671,7 +2707,8 @@ static int ipapwd_getConfig(krb5_context krbctx, const char *realm_dn) &config->num_pref_encsalts); slapi_ch_array_free(encsalts); } else { - slapi_log_error(SLAPI_LOG_TRACE, "ipapwd_start", "No configured salt types use defaults\n"); + slapi_log_error(SLAPI_LOG_TRACE, "ipapwd_start", + "No configured salt types use defaults\n"); ret = new_ipapwd_encsalt(krbctx, ipapwd_def_encsalts, &config->pref_encsalts, &config->num_pref_encsalts); @@ -2730,7 +2767,7 @@ static int ipapwd_extop(Slapi_PBlock *pb) errMesg ); goto free_and_return; } - + if ((is_ssl == 0) && (sasl_ssf <= 1)) { errMesg = "Operation requires a secure connection.\n"; rc = LDAP_CONFIDENTIALITY_REQUIRED; 
@@ -2745,14 +2782,16 @@ static int ipapwd_extop(Slapi_PBlock *pb) krberr = krb5_init_context(&krbctx); if (krberr) { - slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", "krb5_init_context failed\n"); + slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", + "krb5_init_context failed\n"); errMesg = "Fatal Internal Error"; rc = LDAP_OPERATIONS_ERROR; goto free_and_return; } ret = ipapwd_getConfig(krbctx, ipa_realm_dn); if (ret != LDAP_SUCCESS) { - slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", "Error Retrieving Master Key"); + slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", + "Error Retrieving Master Key"); errMesg = "Fatal Internal Error"; rc = LDAP_OPERATIONS_ERROR; goto free_and_return; @@ -2760,19 +2799,20 @@ static int ipapwd_extop(Slapi_PBlock *pb) krb5_free_context(krbctx); } - /* Before going any further, we'll make sure that the right extended operation plugin - * has been called: i.e., the OID shipped whithin the extended operation request must - * match this very plugin's OIDs: EXOP_PASSWD_OID or KEYTAB_SET_OID. */ + /* Before going any further, we'll make sure that the right extended + * operation plugin has been called: i.e., the OID shipped whithin the + * extended operation request must match this very plugin's OIDs: + * EXOP_PASSWD_OID or KEYTAB_SET_OID. */ if (slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_OID, &oid) != 0) { errMesg = "Could not get OID value from request.\n"; rc = LDAP_OPERATIONS_ERROR; slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", errMesg); goto free_and_return; } else { - slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", + slapi_log_error(SLAPI_LOG_PLUGIN, "ipa_pwd_extop", "Received extended operation request with OID %s\n", oid); } - + if (strcasecmp(oid, EXOP_PASSWD_OID) == 0) { return ipapwd_chpwop(pb); } 
@@ -2804,7 +2844,7 @@ static int ipapwd_start( Slapi_PBlock *pb ) int ret; ipa_globals = slapi_new_mutex(); - + krberr = krb5_init_context(&krbctx); if (krberr) { slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", "krb5_init_context failed\n"); @@ -2882,7 +2922,7 @@ int ipapwd_init( Slapi_PBlock *pb ) /* Get the arguments appended to the plugin extendedop directive. The first argument * (after the standard arguments for the directive) should contain the OID of the * extended operation. - */ + */ if ((slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &ipapwd_plugin_id) != 0) || (ipapwd_plugin_id == NULL)) { slapi_log_error( SLAPI_LOG_PLUGIN, "ipapwd_init", "Could not get identity or identity was NULL\n"); @@ -2891,8 +2931,8 @@ int ipapwd_init( Slapi_PBlock *pb ) /* Register the plug-in function as an extended operation * plug-in function that handles the operation identified by - * OID 1.3.6.1.4.1.4203.1.11.1 . Also specify the version of the server - * plug-in */ + * OID 1.3.6.1.4.1.4203.1.11.1 . Also specify the version of the server + * plug-in */ if ( slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01 ) != 0 || slapi_pblock_set( pb, SLAPI_PLUGIN_START_FN, (void *) ipapwd_start ) != 0 || slapi_pblock_set( pb, SLAPI_PLUGIN_EXT_OP_FN, (void *) ipapwd_extop ) != 0 || @@ -2903,6 +2943,6 @@ int ipapwd_init( Slapi_PBlock *pb ) "Failed to set plug-in version, function, and OID.\n" ); return( -1 ); } - + return( 0 ); } |