diff options
Diffstat (limited to 'ldap/servers/slapd/passwd_extop.c')
-rw-r--r-- | ldap/servers/slapd/passwd_extop.c | 35 |
1 files changed, 32 insertions, 3 deletions
diff --git a/ldap/servers/slapd/passwd_extop.c b/ldap/servers/slapd/passwd_extop.c index 14341f94..ff2e19f3 100644 --- a/ldap/servers/slapd/passwd_extop.c +++ b/ldap/servers/slapd/passwd_extop.c @@ -455,7 +455,9 @@ passwd_modify_extop( Slapi_PBlock *pb ) char *oid = NULL; char *bindDN = NULL; char *authmethod = NULL; + char *rawdn = NULL; char *dn = NULL; + size_t dnlen = 0; char *otdn = NULL; char *oldPasswd = NULL; char *newPasswd = NULL; @@ -561,16 +563,43 @@ passwd_modify_extop( Slapi_PBlock *pb ) /* identify userID field by tags */ if (tag == LDAP_EXTOP_PASSMOD_TAG_USERID ) { - if ( ber_scanf( ber, "a", &dn) == LBER_ERROR ) + int rc = 0; + if ( ber_scanf( ber, "a", &rawdn) == LBER_ERROR ) { - slapi_ch_free_string(&dn); + slapi_ch_free_string(&rawdn); LDAPDebug( LDAP_DEBUG_ANY, "ber_scanf failed :{\n", 0, 0, 0 ); errMesg = "ber_scanf failed at userID parse.\n"; rc = LDAP_PROTOCOL_ERROR; goto free_and_return; } - + + /* Check if we should be performing strict validation. */ + if (config_get_dn_validate_strict()) { + /* check that the dn is formatted correctly */ + rc = slapi_dn_syntax_check(pb, rawdn, 1); + if (rc) { /* syntax check failed */ + op_shared_log_error_access(pb, "EXT", rawdn?rawdn:"", + "strict: invalid target dn"); + errMesg = "invalid target dn.\n"; + slapi_ch_free_string(&rawdn); + rc = LDAP_INVALID_SYNTAX; + goto free_and_return; + } + } + rc = slapi_dn_normalize_ext(rawdn, 0, &dn, &dnlen); + if (rc < 0) { + op_shared_log_error_access(pb, "EXT", rawdn?rawdn:"", + "invalid target dn"); + slapi_ch_free_string(&rawdn); + errMesg = "invalid target dn.\n"; + rc = LDAP_INVALID_SYNTAX; + goto free_and_return; + } else if (rc == 0) { /* rawdn is passed in, not terminated */ + *(dn + dnlen) = '\0'; + } else { + slapi_ch_free_string(&rawdn); + } tag = ber_peek_tag( ber, &len); } |