| author | Noriko Hosoi <nhosoi@redhat.com> | 2009-02-05 17:34:56 +0000 |
|---|---|---|
| committer | Noriko Hosoi <nhosoi@redhat.com> | 2009-02-05 17:34:56 +0000 |
| commit | 467146b9350421a4151ff09c949b5dced2c9872a (patch) | |
| tree | 03a730e1dc94c3d949f489197cc5114c4c0a880c /ldap/servers/slapd/libglobs.c | |
| parent | d35523fe9eb44d373bf8fc8f792101f1dc7c597b (diff) | |
Resolves: #484149
Summary: Clear directory manager password with password storage scheme other
than clear crashes the server
Description:
1) introducing a flag (_nss_initialized) and an API (slapd_nss_is_initialized)
to represent NSS_Initialize is called or not.
2) in config_set_rootpw, if the directory manager's password is given unhashed,
check if NSS is already initialized and the directory manager's password
storage scheme is clear or not. If NSS is not initialized and if the storage
scheme is not CLEAR, report it and return an error LDAP_PARAM_ERROR.
Diffstat (limited to 'ldap/servers/slapd/libglobs.c')
| -rw-r--r-- | ldap/servers/slapd/libglobs.c | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c index bd2529c0..ae476630 100644 --- a/ldap/servers/slapd/libglobs.c +++ b/ldap/servers/slapd/libglobs.c @@ -2501,12 +2501,20 @@ config_set_rootpw( const char *attrname, char *value, char *errorbuf, int apply is_hashed = pw_val2scheme ( value, NULL, 0 ); if ( is_hashed ) { - slapdFrontendConfig->rootpw = slapi_ch_strdup ( value ); - free_pw_scheme(is_hashed); - } - else { - /* pwd enc func returns slapi_ch_malloc memory */ - slapdFrontendConfig->rootpw = (slapdFrontendConfig->rootpwstoragescheme->pws_enc)(value); + slapdFrontendConfig->rootpw = slapi_ch_strdup ( value ); + free_pw_scheme(is_hashed); + } else if (slapd_nss_is_initialized() || + (strcasecmp(slapdFrontendConfig->rootpwstoragescheme->pws_name, + "clear") == 0)) { + /* to hash, security library should have been initialized, by now */ + /* pwd enc func returns slapi_ch_malloc memory */ + slapdFrontendConfig->rootpw = (slapdFrontendConfig->rootpwstoragescheme->pws_enc)(value); + } else { + PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, + "%s: password scheme mismatch (passwd scheme is %s; " + "password is clear text)", attrname, + slapdFrontendConfig->rootpwstoragescheme->pws_name); + retVal = LDAP_PARAM_ERROR; } CFG_UNLOCK_WRITE(slapdFrontendConfig); |
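
Review bot: The error text in the new final else branch of config_set_rootpw says "password scheme mismatch", but that branch is reached only when slapd_nss_is_initialized() is false and the scheme name is not "clear", so the real cause is that the security library is not yet available to hash the value. Consider wording the message to say that, so an administrator reading errorbuf knows to supply a pre-hashed value or fix the initialization order rather than look for a scheme conflict. Two smaller points in the same hunk: slapdFrontendConfig->rootpwstoragescheme is dereferenced for pws_name and pws_enc with no NULL check among the visible lines, and the result of (pws_enc)(value) is stored into rootpw without checking for a NULL return, so a failed encode would leave the root password unset while retVal still reports success. The re-indentation of the unchanged is_hashed branch also adds four lines of noise to the diff; keeping whitespace changes out of a crash fix would make it easier to audit.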
