/** BEGIN COPYRIGHT BLOCK * Copyright 2001 Sun Microsystems, Inc. * Portions copyright 1999, 2001-2003 Netscape Communications Corporation. * All rights reserved. * END COPYRIGHT BLOCK **/ /* * Copyright (c) 1995 Regents of the University of Michigan. * All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and that due credit is given * to the University of Michigan at Ann Arbor. The name of the University * may not be used to endorse or promote products derived from this * software without specific prior written permission. This software * is provided ``as is'' without express or implied warranty. */ #include #include #include #include #include #ifndef _WIN32 #include #endif #include "slap.h" #include "pratom.h" #if defined(irix) || defined(aix) || defined(_WIN32) #include #endif /* Forward declarations */ static int modify_internal_pb (Slapi_PBlock *pb); static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw); static void remove_mod (Slapi_Mods *smods, const char *type, Slapi_Mods *smod_unhashed); static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old_pw); #ifdef LDAP_DEBUG static const char* mod_op_image (int op) { switch (op & ~LDAP_MOD_BVALUES) { case LDAP_MOD_ADD: return "add"; case LDAP_MOD_DELETE: return "delete"; case LDAP_MOD_REPLACE: return "replace"; default: break; } return "???"; } #endif /* an AttrCheckFunc function should return an LDAP result code (LDAP_SUCCESS if all goes well). */ typedef int (*AttrCheckFunc)(const char *attr_name, char *value, long minval, long maxval, char *errorbuf); static struct attr_value_check { const char *attr_name; /* the name of the attribute */ AttrCheckFunc checkfunc; long minval; long maxval; } AttrValueCheckList[] = { {CONFIG_PW_SYNTAX_ATTRIBUTE, attr_check_onoff, 0, 0}, {CONFIG_PW_CHANGE_ATTRIBUTE, attr_check_onoff, 0, 0}, {CONFIG_PW_LOCKOUT_ATTRIBUTE, attr_check_onoff, 0, 0}, {CONFIG_PW_MUSTCHANGE_ATTRIBUTE, attr_check_onoff, 0, 0}, {CONFIG_PW_EXP_ATTRIBUTE, attr_check_onoff, 0, 0}, {CONFIG_PW_UNLOCK_ATTRIBUTE, attr_check_onoff, 0, 0}, {CONFIG_PW_HISTORY_ATTRIBUTE, attr_check_onoff, 0, 0}, {CONFIG_PW_MINAGE_ATTRIBUTE, check_pw_minage_value, -1, -1}, {CONFIG_PW_WARNING_ATTRIBUTE, attr_check_minmax, 0, -1}, {CONFIG_PW_MINLENGTH_ATTRIBUTE, attr_check_minmax, 2, 512}, {CONFIG_PW_MAXFAILURE_ATTRIBUTE, attr_check_minmax, 1, 32767}, {CONFIG_PW_INHISTORY_ATTRIBUTE, attr_check_minmax, 2, 24}, {CONFIG_PW_LOCKDURATION_ATTRIBUTE, check_pw_lockduration_value, -1, -1}, {CONFIG_PW_RESETFAILURECOUNT_ATTRIBUTE, check_pw_resetfailurecount_value, -1, -1}, {CONFIG_PW_GRACELIMIT_ATTRIBUTE, attr_check_minmax, 0, -1}, {CONFIG_PW_STORAGESCHEME_ATTRIBUTE, check_pw_storagescheme_value, -1, -1} }; /* This function is called to process operation that come over external connections */ void do_modify( Slapi_PBlock *pb ) { Slapi_Operation *operation; BerElement *ber; char *last, *type; unsigned long tag, len; LDAPMod *mod; LDAPMod **mods; Slapi_Mods smods; int err; int pw_change = 0; /* 0= no password change */ int ignored_some_mods = 0; char *old_pw = NULL; /* remember the old password */ char *dn; LDAPControl **ctrlp = NULL; LDAPDebug( LDAP_DEBUG_TRACE, "do_modify\n", 0, 0, 0 ); slapi_pblock_get( pb, SLAPI_OPERATION, &operation); ber = operation->o_ber; slapi_pblock_get(pb, SLAPI_REQCONTROLS, &ctrlp); /* count the modify request */ PR_AtomicIncrement(g_get_global_snmp_vars()->ops_tbl.dsModifyEntryOps); /* * Parse the modify request. It looks like this: * * ModifyRequest := [APPLICATION 6] SEQUENCE { * name DistinguishedName, * mods SEQUENCE OF SEQUENCE { * operation ENUMERATED { * add (0), * delete (1), * replace (2) * }, * modification SEQUENCE { * type AttributeType, * values SET OF AttributeValue * } * } * } */ { if ( ber_scanf( ber, "{a", &dn ) == LBER_ERROR ) { LDAPDebug( LDAP_DEBUG_ANY, "ber_scanf failed (op=Modify; params=DN)\n", 0, 0, 0 ); op_shared_log_error_access (pb, "MOD", "???", "decoding error"); send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL, NULL, 0, NULL ); return; } } LDAPDebug( LDAP_DEBUG_ARGS, "do_modify: dn (%s)\n", dn, 0, 0 ); slapi_pblock_set( pb, SLAPI_REQUESTOR_ISROOT, &pb->pb_op->o_isroot); slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn ); /* collect modifications & save for later */ slapi_mods_init(&smods, 0); for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_ERROR && tag != LBER_END_OF_SEQORSET; tag = ber_next_element( ber, &len, last ) ) { long long_mod_op; mod = (LDAPMod *) slapi_ch_malloc( sizeof(LDAPMod) ); mod->mod_bvalues = NULL; if ( ber_scanf( ber, "{i{a[V]}}", &long_mod_op, &type, &mod->mod_bvalues ) == LBER_ERROR ) { op_shared_log_error_access (pb, "MOD", dn, "decoding error"); send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL, "decoding error", 0, NULL ); slapi_ch_free((void **)&mod); goto free_and_return; } mod->mod_op = long_mod_op; mod->mod_type = slapi_attr_syntax_normalize(type); if ( !mod->mod_type || !*mod->mod_type ) { char ebuf[BUFSIZ]; PR_snprintf (ebuf, BUFSIZ, "invalid type '%s'", type); ebuf[BUFSIZ-1] = '\0'; op_shared_log_error_access (pb, "MOD", dn, ebuf); send_ldap_result( pb, LDAP_INVALID_SYNTAX, NULL, ebuf, 0, NULL ); slapi_ch_free((void **)&type); ber_bvecfree(mod->mod_bvalues); slapi_ch_free((void **)&mod); goto free_and_return; } slapi_ch_free((void **)&type); if ( mod->mod_op != LDAP_MOD_ADD && mod->mod_op != LDAP_MOD_DELETE && mod->mod_op != LDAP_MOD_REPLACE ) { op_shared_log_error_access (pb, "MOD", dn, "unrecognized modify operation"); send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL, "unrecognized modify operation", 0, NULL ); ber_bvecfree(mod->mod_bvalues); slapi_ch_free((void **)&(mod->mod_type)); slapi_ch_free((void **)&mod); goto free_and_return; } if ( mod->mod_bvalues == NULL && mod->mod_op != LDAP_MOD_DELETE && mod->mod_op != LDAP_MOD_REPLACE ) { op_shared_log_error_access (pb, "MOD", dn, "no values given"); send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL, "no values given", 0, NULL ); ber_bvecfree(mod->mod_bvalues); slapi_ch_free((void **)&(mod->mod_type)); slapi_ch_free((void **)&mod); goto free_and_return; } /* check if user is allowed to modify the specified attribute */ if (!op_shared_is_allowed_attr (mod->mod_type, pb->pb_conn->c_isreplication_session)) { /* for now we just ignore attributes that client is not allowed to modify so not to break existing clients */ ++ignored_some_mods; ber_bvecfree(mod->mod_bvalues); slapi_ch_free((void **)&(mod->mod_type)); slapi_ch_free((void **)&mod); continue; /* send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, NULL, 0, NULL ); goto free_and_return; */ } /* check for password change */ if ( mod->mod_bvalues != NULL && strcasecmp( mod->mod_type, SLAPI_USERPWD_ATTR ) == 0 ){ if ( (err = get_ldapmessage_controls( pb, ber, NULL )) != 0 ) { op_shared_log_error_access (pb, "MOD", dn, "failed to decode LDAP controls"); send_ldap_result( pb, err, NULL, NULL, 0, NULL ); goto free_and_return; } pw_change = op_shared_allow_pw_change (pb, mod, &old_pw); if (pw_change == -1) { ber_bvecfree(mod->mod_bvalues); slapi_ch_free((void **)&(mod->mod_type)); slapi_ch_free((void **)&mod); goto free_and_return; } } mod->mod_op |= LDAP_MOD_BVALUES; slapi_mods_add_ldapmod (&smods, mod); } if ( tag == LBER_ERROR && !ctrlp ) { op_shared_log_error_access (pb, "MOD", dn, "decoding error"); send_ldap_result( pb, LDAP_PROTOCOL_ERROR, NULL, "decoding error", 0, NULL ); goto free_and_return; } if ( slapi_mods_get_num_mods (&smods) == 0 ) { int lderr; char *emsg; if ( ignored_some_mods ) { lderr = LDAP_UNWILLING_TO_PERFORM; emsg = "no modifiable attributes specified"; } else { lderr = LDAP_PROTOCOL_ERROR; emsg = "no modifications specified"; } op_shared_log_error_access (pb, "MOD", dn, emsg); send_ldap_result( pb, lderr, NULL, emsg, 0, NULL ); goto free_and_return; } if (!pb->pb_conn->c_isreplication_session && pb->pb_conn->c_needpw && pw_change == 0 ) { (void)add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0); op_shared_log_error_access (pb, "MOD", dn, "need new password"); send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, NULL, 0, NULL ); goto free_and_return; } /* * in LDAPv3 there can be optional control extensions on * the end of an LDAPMessage. we need to read them in and * pass them to the backend. */ if ( !ctrlp ) { if ( (err = get_ldapmessage_controls( pb, ber, NULL )) != 0 ) { op_shared_log_error_access (pb, "MOD", dn, "failed to decode LDAP controls"); send_ldap_result( pb, err, NULL, NULL, 0, NULL ); goto free_and_return; } } #ifdef LDAP_DEBUG LDAPDebug( LDAP_DEBUG_ARGS, "modifications:\n", 0, 0, 0 ); for (mod = slapi_mods_get_first_mod(&smods); mod != NULL; mod = slapi_mods_get_next_mod(&smods)) { LDAPDebug( LDAP_DEBUG_ARGS, "\t%s: %s\n", mod_op_image( mod->mod_op ), mod->mod_type, 0 ); } #endif mods = slapi_mods_get_ldapmods_passout (&smods); slapi_pblock_set( pb, SLAPI_MODIFY_MODS, mods); op_shared_modify ( pb, pw_change, old_pw ); slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods); ldap_mods_free (mods, 1 /* Free the Array and the Elements */); free_and_return:; slapi_ch_free ((void**)&dn); slapi_mods_done(&smods); } /* This function is used to issue internal modify operation This is an old style API. Its use is discoraged because it is not extendable and because it does not allow to check whether plugin has right to access part of the tree it is trying to modify. Use slapi_modify_internal_pb instead */ Slapi_PBlock* slapi_modify_internal(const char *idn, LDAPMod **mods, LDAPControl **controls, int dummy) { Slapi_PBlock pb; Slapi_PBlock *result_pb = NULL; int opresult; pblock_init(&pb); slapi_modify_internal_set_pb (&pb, idn, (LDAPMod**)mods, controls, NULL, (void *)plugin_get_default_component_id(), 0); modify_internal_pb (&pb); result_pb = slapi_pblock_new(); if (result_pb) { slapi_pblock_get(&pb, SLAPI_PLUGIN_INTOP_RESULT, &opresult); slapi_pblock_set(result_pb, SLAPI_PLUGIN_INTOP_RESULT, &opresult); } pblock_done(&pb); return result_pb; } /* This is new style API to issue internal modify operation. pblock should contain the following data (can be set via call to slapi_modify_internal_set_pb): For uniqueid based operation: SLAPI_TARGET_DN set to dn that allows to select right backend, can be stale SLAPI_TARGET_UNIQUEID set to the uniqueid of the entry we are looking for SLAPI_MODIFY_MODS set to the mods SLAPI_CONTROLS_ARG set to request controls if present For dn based search: SLAPI_TARGET_DN set to the entry dn SLAPI_MODIFY_MODS set to the mods SLAPI_CONTROLS_ARG set to request controls if present */ int slapi_modify_internal_pb (Slapi_PBlock *pb) { if (pb == NULL) return -1; if (!allow_operation (pb)) { slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, "This plugin is not configured to access operation target data", 0, NULL ); return 0; } return modify_internal_pb (pb); } /* Initialize a pblock for a call to slapi_modify_internal_pb() */ void slapi_modify_internal_set_pb (Slapi_PBlock *pb, const char *dn, LDAPMod **mods, LDAPControl **controls, const char *uniqueid, Slapi_ComponentId *plugin_identity, int operation_flags) { Operation *op; PR_ASSERT (pb != NULL); if (pb == NULL || dn == NULL || mods == NULL) { slapi_log_error(SLAPI_LOG_FATAL, NULL, "slapi_modify_internal_set_pb: NULL parameter\n"); return; } op= internal_operation_new(SLAPI_OPERATION_MODIFY,operation_flags); slapi_pblock_set(pb, SLAPI_OPERATION, op); slapi_pblock_set(pb, SLAPI_ORIGINAL_TARGET, (void*)dn); slapi_pblock_set(pb, SLAPI_MODIFY_MODS, mods); slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls); if (uniqueid) { slapi_pblock_set(pb, SLAPI_TARGET_UNIQUEID, (void*)uniqueid); } slapi_pblock_set(pb, SLAPI_PLUGIN_IDENTITY, plugin_identity); } /* Helper functions */ static int modify_internal_pb (Slapi_PBlock *pb) { LDAPControl **controls; Operation *op; int opresult = 0; LDAPMod **normalized_mods = NULL; LDAPMod **mods; LDAPMod **mod; int pw_change = 0; char *old_pw = NULL; PR_ASSERT (pb != NULL); slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods); slapi_pblock_get(pb, SLAPI_CONTROLS_ARG, &controls); if(mods == NULL) { opresult = LDAP_PARAM_ERROR; slapi_pblock_set(pb, SLAPI_PLUGIN_INTOP_RESULT, &opresult); return 0; } /* first normalize the mods so they are bvalue * Note: We don't add any special * attributes such as "creatorsname". * for CIR we don't want to change them, for other * plugins the writer should change these if it wants too by explicitly * adding them to the mods */ normalized_mods = normalize_mods2bvals((const LDAPMod**)mods); if (normalized_mods == NULL) { opresult = LDAP_PARAM_ERROR; slapi_pblock_set(pb, SLAPI_PLUGIN_INTOP_RESULT, &opresult); return 0; } /* check for password change */ mod = normalized_mods; while (*mod) { if ((*mod)->mod_bvalues != NULL && strcasecmp((*mod)->mod_type, SLAPI_USERPWD_ATTR) == 0) { pw_change = op_shared_allow_pw_change (pb, *mod, &old_pw); if (pw_change == -1) { opresult = LDAP_PARAM_ERROR; slapi_pblock_set(pb, SLAPI_PLUGIN_INTOP_RESULT, &opresult); return 0; } } mod ++; } slapi_pblock_get(pb, SLAPI_OPERATION, &op); op->o_handler_data = &opresult; op->o_result_handler = internal_getresult_callback; slapi_pblock_set(pb, SLAPI_MODIFY_MODS, normalized_mods); slapi_pblock_set(pb, SLAPI_REQCONTROLS, controls); /* set parameters common for all internal operations */ set_common_params (pb); /* set actions taken to process the operation */ set_config_params (pb); /* perform modify operation */ op_shared_modify (pb, pw_change, old_pw); /* free the normalized_mods don't forget to add this*/ slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &normalized_mods); if (normalized_mods != NULL) { ldap_mods_free(normalized_mods, 1); } /* return original mods here */ slapi_pblock_set(pb, SLAPI_MODIFY_MODS, mods); /* set result */ slapi_pblock_set(pb, SLAPI_PLUGIN_INTOP_RESULT, &opresult); return 0; } static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw) { Slapi_Backend *be = NULL; Slapi_Entry *pse; Slapi_Entry *referral; Slapi_Entry *ecopy = NULL; Slapi_Entry *e = NULL; char ebuf[BUFSIZ]; char *dn; Slapi_DN sdn; LDAPMod **mods, *pw_mod, **tmpmods = NULL; Slapi_Mods smods; Slapi_Mods unhashed_pw_smod; int repl_op, internal_op, lastmod; char *unhashed_pw_attr = NULL; Slapi_Operation *operation; char errorbuf[BUFSIZ]; int err; LDAPMod *lc_mod = NULL; struct slapdplugin *p = NULL; int numattr, i; slapi_pblock_get (pb, SLAPI_ORIGINAL_TARGET, &dn); slapi_pblock_get (pb, SLAPI_MODIFY_MODS, &mods); slapi_pblock_get (pb, SLAPI_MODIFY_MODS, &tmpmods); slapi_pblock_get (pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op); slapi_pblock_get (pb, SLAPI_OPERATION, &operation); internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL); if (dn == NULL) { slapi_sdn_init_dn_byref (&sdn, ""); } else { slapi_sdn_init_dn_byref (&sdn, dn); } slapi_pblock_set(pb, SLAPI_MODIFY_TARGET, (void*)slapi_sdn_get_ndn (&sdn)); slapi_mods_init_passin (&smods, mods); slapi_mods_init(&unhashed_pw_smod, 0); /* target spec is used to decide which plugins are applicable for the operation */ operation_set_target_spec (pb->pb_op, &sdn); if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { if ( !internal_op ) { slapi_log_access(LDAP_DEBUG_STATS, "conn=%d op=%d MOD dn=\"%s\"\n", pb->pb_conn->c_connid, pb->pb_op->o_opid, escape_string(slapi_sdn_get_dn(&sdn), ebuf)); } else { slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d MOD dn=\"%s\"\n", LOG_INTERNAL_OP_CON_ID, LOG_INTERNAL_OP_OP_ID, escape_string(slapi_sdn_get_dn(&sdn), ebuf)); } } /* * We could be serving multiple database backends. Select the * appropriate one. */ if ((err = slapi_mapping_tree_select(pb, &be, &referral, errorbuf)) != LDAP_SUCCESS) { send_ldap_result(pb, err, NULL, errorbuf, 0, NULL); be = NULL; goto free_and_return; } if (referral) { int managedsait; slapi_pblock_get(pb, SLAPI_MANAGEDSAIT, &managedsait); if (managedsait) { send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "cannot update referral", 0, NULL); slapi_entry_free(referral); goto free_and_return; } send_referrals_from_entry(pb,referral); slapi_entry_free(referral); goto free_and_return; } slapi_pblock_set(pb, SLAPI_BACKEND, be); /* The following section checks the valid values of fine-grained * password policy attributes. * 1. First, it checks if the entry has "passwordpolicy" objectclass. * 2. If yes, then if the mods contain any passwdpolicy specific attributes. * 3. If yes, then it invokes corrosponding checking function. */ if ( !repl_op && !internal_op && dn && (e = get_entry(pb, slapi_dn_normalize(dn))) ) { Slapi_Value target; slapi_value_init(&target); slapi_value_set_string(&target,"passwordpolicy"); if ((slapi_entry_attr_has_syntax_value(e, "objectclass", &target)) == 1) { numattr = sizeof(AttrValueCheckList)/sizeof(AttrValueCheckList[0]); while ( tmpmods && *tmpmods ) { if ((*tmpmods)->mod_bvalues != NULL && (((*tmpmods)->mod_op & ~LDAP_MOD_BVALUES) != LDAP_MOD_DELETE)) { for (i=0; i < numattr; i++) { if (slapi_attr_type_cmp((*tmpmods)->mod_type, AttrValueCheckList[i].attr_name, SLAPI_TYPE_CMP_SUBTYPE) == 0) { /* The below function call is good for * single-valued attrs only */ if ( (err = AttrValueCheckList[i].checkfunc (AttrValueCheckList[i].attr_name, (*tmpmods)->mod_bvalues[0]->bv_val, AttrValueCheckList[i].minval, AttrValueCheckList[i].maxval, errorbuf)) != LDAP_SUCCESS) { /* return error */ send_ldap_result(pb, err, NULL, errorbuf, 0, NULL); goto free_and_return; } } } } tmpmods++; } /* end of (while */ } /* end of if (found */ value_done (&target); } /* end of if (!repl_op */ /* can get lastmod only after backend is selected */ slapi_pblock_get(pb, SLAPI_BE_LASTMOD, &lastmod); /* if this is replication session - leave mod attributes alone */ if (!repl_op && lastmod) { modify_update_last_modified_attr(pb, &smods); } /* * Add the unhashed password pseudo-attribute before * calling the preop plugins */ if (pw_change) { Slapi_Value **va= NULL; unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD); for ( pw_mod = slapi_mods_get_first_mod(&smods); pw_mod; pw_mod = slapi_mods_get_next_mod(&smods) ) { if (strcasecmp (pw_mod->mod_type, SLAPI_USERPWD_ATTR) != 0) continue; /* add pseudo password attribute */ valuearray_init_bervalarray(pw_mod->mod_bvalues, &va); slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va); valuearray_free(&va); /* Init new value array for hashed value */ valuearray_init_bervalarray(pw_mod->mod_bvalues, &va); /* encode password */ pw_encodevals(va); /* remove current clear value of userpassword */ ber_bvecfree(pw_mod->mod_bvalues); /* add the cipher in the structure */ valuearray_get_bervalarray(va, &pw_mod->mod_bvalues); valuearray_free(&va); } } for ( p = get_plugin_list(PLUGIN_LIST_REVER_PWD_STORAGE_SCHEME); p != NULL; p = p->plg_next ) { char *L_attr = NULL; int i = 0; /* Get the appropriate encoding function */ for ( L_attr = p->plg_argv[i]; iplg_argc; L_attr = p->plg_argv[++i]) { char *L_normalized = slapi_attr_syntax_normalize(L_attr); for ( lc_mod = slapi_mods_get_first_mod(&smods); lc_mod; lc_mod = slapi_mods_get_next_mod(&smods) ) { Slapi_Value **va= NULL; if (strcasecmp (lc_mod->mod_type, L_normalized) != 0) continue; switch (lc_mod->mod_op & ~LDAP_MOD_BVALUES) { case LDAP_MOD_ADD: case LDAP_MOD_REPLACE: /* Init new value array for hashed value */ valuearray_init_bervalarray(lc_mod->mod_bvalues, &va); if ( va ) { /* encode local credentials */ pw_rever_encode(va, L_normalized); /* remove current clear value of userpassword */ ber_bvecfree(lc_mod->mod_bvalues); /* add the cipher in the structure */ valuearray_get_bervalarray(va, &lc_mod->mod_bvalues); valuearray_free(&va); } break; default: /* for LDAP_MOD_DELETE, don't do anything */ /* for LDAP_MOD_BVALUES, don't do anything */ ; } } if (L_normalized) slapi_ch_free ((void**)&L_normalized); } } /* * call the pre-mod plugins. if they succeed, call * the backend mod function. then call the post-mod * plugins. */ slapi_pblock_set (pb, SLAPI_MODIFY_MODS, (void*)slapi_mods_get_ldapmods_passout (&smods)); if (plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_PRE_MODIFY_FN : SLAPI_PLUGIN_PRE_MODIFY_FN) == 0) { int rc; slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database); set_db_default_result_handlers(pb); /* Remove the unhashed password pseudo-attribute prior */ /* to db access */ if (pw_change) { slapi_pblock_get (pb, SLAPI_MODIFY_MODS, &mods); slapi_mods_init_passin (&smods, mods); remove_mod (&smods, unhashed_pw_attr, &unhashed_pw_smod); slapi_pblock_set (pb, SLAPI_MODIFY_MODS, (void*)slapi_mods_get_ldapmods_passout (&smods)); } if (be->be_modify != NULL) { if ((rc = (*be->be_modify)(pb)) == 0) { /* acl is not used for internal operations */ /* don't update aci store for remote acis */ if ((!internal_op) && (!slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA))) { plugin_call_acl_mods_update (pb, SLAPI_OPERATION_MODIFY); } if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_AUDIT)) write_audit_log_entry(pb); /* Record the operation in the audit log */ if (pw_change && (!slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA))) { /* update the password info */ update_pw_info (pb, old_pw); } slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &pse); do_ps_service(pse, NULL, LDAP_CHANGETYPE_MODIFY, 0); } else { if (rc == SLAPI_FAIL_DISKFULL) { operation_out_of_disk_space(); goto free_and_return; } } } else { send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Function not implemented", 0, NULL); } /* Add the pseudo-attribute prior to calling the postop plugins */ if (pw_change) { LDAPMod *lc_mod = NULL; slapi_pblock_get (pb, SLAPI_MODIFY_MODS, &mods); slapi_mods_init_passin (&smods, mods); for ( lc_mod = slapi_mods_get_first_mod(&unhashed_pw_smod); lc_mod; lc_mod = slapi_mods_get_next_mod(&unhashed_pw_smod) ) { Slapi_Mod lc_smod; slapi_mod_init_byval(&lc_smod, lc_mod); /* copies lc_mod */ /* this extracts the copy of lc_mod and finalizes lc_smod too */ slapi_mods_add_ldapmod(&smods, slapi_mod_get_ldapmod_passout(&lc_smod)); } slapi_pblock_set (pb, SLAPI_MODIFY_MODS, (void*)slapi_mods_get_ldapmods_passout (&smods)); slapi_mods_done(&unhashed_pw_smod); /* can finalize now */ } slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, &rc); plugin_call_plugins(pb, internal_op ? SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN : SLAPI_PLUGIN_POST_MODIFY_FN); } free_and_return: slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &ecopy); slapi_entry_free(ecopy); slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &ecopy); slapi_entry_free(ecopy); slapi_entry_free(e); if (be) slapi_be_Unlock(be); slapi_sdn_done(&sdn); if (unhashed_pw_attr) slapi_ch_free ((void**)&unhashed_pw_attr); } static void remove_mod (Slapi_Mods *smods, const char *type, Slapi_Mods *smod_unhashed) { LDAPMod *mod; Slapi_Mod smod; for (mod = slapi_mods_get_first_mod(smods); mod; mod = slapi_mods_get_next_mod(smods)) { if (strcasecmp (mod->mod_type, type) == 0) { slapi_mod_init_byval (&smod, mod); slapi_mods_add_smod(smod_unhashed, &smod); slapi_mods_remove (smods); } } } static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old_pw) { int isroot, internal_op, repl_op, pwresponse_req = 0; char *dn; Slapi_DN sdn; passwdPolicy *pwpolicy; int rc = 0; char ebuf[BUFSIZ]; Slapi_Value **values= NULL; Slapi_Operation *operation; slapi_pblock_get (pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op); if (repl_op) { /* Treat like there's no password */ return (0); } *old_pw = NULL; slapi_pblock_get (pb, SLAPI_ORIGINAL_TARGET, &dn); slapi_pblock_get (pb, SLAPI_REQUESTOR_ISROOT, &isroot); slapi_pblock_get (pb, SLAPI_OPERATION, &operation); slapi_pblock_get (pb, SLAPI_PWPOLICY, &pwresponse_req); internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL); slapi_sdn_init_dn_byref (&sdn, dn); pwpolicy = new_passwdPolicy(pb, (char *)slapi_sdn_get_ndn(&sdn)); /* internal operation has root permisions for subtrees it is allowed to access */ if (!internal_op) { /* Check first if password policy allows users to change their passwords.*/ if (!pb->pb_op->o_isroot && slapi_sdn_compare(&sdn, &pb->pb_op->o_sdn)==0 && !pb->pb_conn->c_needpw && !pwpolicy->pw_change) { if ( pwresponse_req == 1 ) { pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDMODNOTALLOWED ); } send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "user is not allowed to change password", 0, NULL); if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { slapi_log_access(LDAP_DEBUG_STATS, "conn=%d op=%d MOD dn=\"%s\", %s\n", pb->pb_conn->c_connid, pb->pb_op->o_opid, escape_string(slapi_sdn_get_dn(&sdn), ebuf), "user is not allowed to change password"); } rc = -1; goto done; } } /* check if password is within password minimum age; error result is sent directly from check_pw_minage */ if ((internal_op || !pb->pb_conn->c_needpw) && check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1) { if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { if ( !internal_op ) { slapi_log_access(LDAP_DEBUG_STATS, "conn=%d op=%d MOD dn=\"%s\", %s\n", pb->pb_conn->c_connid, pb->pb_op->o_opid, escape_string(slapi_sdn_get_dn(&sdn), ebuf), "within password minimum age"); } else { slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d MOD dn=\"%s\", %s\n", LOG_INTERNAL_OP_CON_ID, LOG_INTERNAL_OP_OP_ID, escape_string(slapi_sdn_get_dn(&sdn), ebuf), "within password minimum age"); } } rc = -1; goto done; } /* check password syntax; remember the old password; error sent directly from check_pw_syntax function */ valuearray_init_bervalarray(mod->mod_bvalues, &values); switch (check_pw_syntax (pb, &sdn, values, old_pw, NULL, 1)) { case 0: /* success */ rc = 1; break; case 1: /* failed checking */ if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) { if ( !internal_op ) { slapi_log_access(LDAP_DEBUG_STATS, "conn=%d op=%d MOD dn=\"%s\", %s\n", pb->pb_conn->c_connid, pb->pb_op->o_opid, escape_string(slapi_sdn_get_dn(&sdn), ebuf), "invalid password syntax"); } else { slapi_log_access(LDAP_DEBUG_ARGS, "conn=%s op=%d MOD dn=\"%s\", %s\n", LOG_INTERNAL_OP_CON_ID, LOG_INTERNAL_OP_OP_ID, escape_string(slapi_sdn_get_dn(&sdn), ebuf), "invalid password syntax"); } } rc = -1; break; case -1: /* The entry is not found. No password checking is done. Countinue execution and it should get caught later and send "no such object back. */ rc = 0; break; default: break; } valuearray_free(&values); done: slapi_sdn_done (&sdn); delete_passwdPolicy(&pwpolicy); return rc; }