authorSimo Sorce <ssorce@redhat.com>2011-09-16 14:18:38 -0400
committerRob Crittenden <rcritten@redhat.com>2011-09-21 18:10:34 -0400
commitc981627016e0d3c0002214c1d2cc0812a480339a (patch)
tree0f5ff61258f79b97ccc29866277176146b5393ee /daemons
parent45aa80195204329c1fb6f0fd1c8e8142618da604 (diff)
ipa-pwd-extop: Enforce old password checks
If a user is changing his own password, then require the old password to be sent for validation purposes. https://fedorahosted.org/freeipa/ticket/1814
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c65
1 files changed, 64 insertions, 1 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 9fdf1771..95ac68e9 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -283,7 +283,7 @@ parse_req_done:
dn = slapi_ch_strdup(bindDN);
LOG_TRACE("Missing userIdentity in request, "
"using the bind DN instead.\n");
- }
+ }
if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) {
LOG_FATAL("slapi_pblock_set failed!\n");
@@ -301,6 +301,69 @@ parse_req_done:
goto free_and_return;
}
+ if (dn) {
+ Slapi_DN *bind_sdn;
+ Slapi_DN *target_sdn;
+
+ /* if the user changing the password is self, we must request the
+ * old password and verify it matches the current one before
+ * proceeding with the password change */
+ bind_sdn = slapi_sdn_new_dn_byref(bindDN);
+ target_sdn = slapi_sdn_new_dn_byref(dn);
+ if (!bind_sdn || !target_sdn) {
+ LOG_OOM();
+ rc = LDAP_OPERATIONS_ERROR;
+ goto free_and_return;
+ }
+ /* this one will normalize and compare, so difference in case will be
+ * correctly handled */
+ ret = slapi_sdn_compare(bind_sdn, target_sdn);
+ if (ret == 0) {
+ Slapi_Value *cpw[2] = { NULL, NULL };
+ Slapi_Value *pw;
+ char *cur_pw;
+
+ if (oldPasswd == NULL || *oldPasswd == '\0') {
+ LOG_FATAL("Old password was not provided!\n");
+ rc = LDAP_INVALID_CREDENTIALS;
+ goto free_and_return;
+ }
+
+ /* if the user is changing his own password we need to check that
+ * oldPasswd matches the current password */
+ cur_pw = slapi_entry_attr_get_charptr(targetEntry,
+ "userPassword");
+ if (!cur_pw) {
+ LOG_FATAL("User has no current password?\n");
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ goto free_and_return;
+ }
+
+ cpw[0] = slapi_value_new_string(cur_pw);
+ pw = slapi_value_new_string(oldPasswd);
+ if (!cpw[0] || !pw) {
+ LOG_OOM();
+ rc = LDAP_OPERATIONS_ERROR;
+ goto free_and_return;
+ }
+
+ ret = slapi_pw_find_sv(cpw, pw);
+
+ slapi_value_free(&cpw[0]);
+ slapi_value_free(&pw);
+
+ if (ret != 0) {
+ LOG_TRACE("Invalid password!\n");
+ rc = LDAP_INVALID_CREDENTIALS;
+ goto free_and_return;
+ }
+ }
+ } else {
+ LOG_TRACE("Undefined target DN!\n");
+ rc = LDAP_OPERATIONS_ERROR;
+ goto free_and_return;
+ }
+
rc = ipapwd_entry_checks(pb, targetEntry,
&is_root, &is_krb, &is_smb,
SLAPI_USERPWD_ATTR, SLAPI_ACL_WRITE);
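Review bot: The new self-service check leaks on every call: `cur_pw` comes from slapi_entry_attr_get_charptr(), which returns an allocated copy, and `bind_sdn`/`target_sdn` come from slapi_sdn_new_dn_byref(), yet none of the three is ever released, and because they are declared inside the new `if (dn)` block the `free_and_return` cleanup (outside the hunk) cannot reach them. Add `slapi_sdn_free(&bind_sdn); slapi_sdn_free(&target_sdn);` directly after the slapi_sdn_compare() call, since the SDNs are not used afterwards, and `slapi_ch_free_string(&cur_pw);` right after `cpw[0] = slapi_value_new_string(cur_pw);` so the copy is released on the OOM path as well. The `!cpw[0] || !pw` branch likewise drops whichever Slapi_Value did succeed; calling slapi_value_free() on both before the goto should be safe since it appears to tolerate a NULL value, but confirm against the slapi headers in use. The enclosing function starts and ends outside this hunk.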