From fd5742cc7910bfe4bf896d0e5742a54380366e5e Mon Sep 17 00:00:00 2001 From: root Date: Mon, 19 Oct 2009 14:53:40 +0200 Subject: Allow adding entries with pre-hashed passwords, but don't generate keys for them. Fix bug #528922. --- .../ipa-pwd-extop/ipa_pwd_extop.c | 23 ++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 863687581..3067fa90b 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -3296,17 +3296,24 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) slapi_ch_free_string(&userpw); userpw = tmp; } else if (slapi_is_encoded(userpw)) { + /* check if we have access to the unhashed user password */ + char *userpw_clear = + slapi_entry_attr_get_charptr(e, "unhashed#user#password"); + + /* unhashed#user#password doesn't always contain the clear text + * password, therefore we need to check if its value isn't the same + * as userPassword, to make sure */ + if (!userpw || (0 == strcmp(userpw, userpw_clear))) { + rc = LDAP_CONSTRAINT_VIOLATION; + } slapi_ch_free_string(&userpw); + slapi_ch_free_string(&userpw_clear); - /* check if we have access to the unhashed user password */ - userpw = slapi_entry_attr_get_charptr(e, "unhashed#user#password"); - if (!userpw) { - slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME, - "Pre-Encoded passwords are not valid\n"); - errMesg = "Pre-Encoded passwords are not valid\n"; - rc = LDAP_CONSTRAINT_VIOLATION; - goto done; + if (rc) { + /* we don't have access to the clear text password, + * let the operation continue, but don't generate keys */ + return 0; } } } -- cgit