authorNathan Kinder <nkinder@redhat.com>2006-08-17 15:33:03 +0000
committerNathan Kinder <nkinder@redhat.com>2006-08-17 15:33:03 +0000
commit52ba2c0aceed9611e14ab9677e6e61f16b3acc11 (patch)
treeedf2a84d476310bc05982408aa4312e9c3c016fb
parenta0b50187e70cb3a60a1ae70578dcaa53780d38ac (diff)
downloadds-52ba2c0aceed9611e14ab9677e6e61f16b3acc11.tar.gz
ds-52ba2c0aceed9611e14ab9677e6e61f16b3acc11.tar.xz
ds-52ba2c0aceed9611e14ab9677e6e61f16b3acc11.zip
202872 - Allow password modify extended operation when using SASL privacy layer
-rw-r--r--ldap/servers/slapd/passwd_extop.c18
-rw-r--r--ldap/servers/slapd/pblock.c10
-rw-r--r--ldap/servers/slapd/sasl_io.c1
-rw-r--r--ldap/servers/slapd/saslbind.c3
-rw-r--r--ldap/servers/slapd/slap.h1
-rw-r--r--ldap/servers/slapd/slapi-plugin.h1
6 files changed, 30 insertions, 4 deletions
diff --git a/ldap/servers/slapd/passwd_extop.c b/ldap/servers/slapd/passwd_extop.c
index 2ee477a0..40eb1626 100644
--- a/ldap/servers/slapd/passwd_extop.c
+++ b/ldap/servers/slapd/passwd_extop.c
@@ -197,12 +197,12 @@ passwd_modify_extop( Slapi_PBlock *pb )
{
char *oid = NULL;
char *bindDN = NULL;
- char *authmethod = NULL;
+ char *authmethod = NULL;
char *dn = NULL;
char *oldPasswd = NULL;
char *newPasswd = NULL;
char *errMesg = NULL;
- int ret=0, rc=0;
+ int ret=0, rc=0, sasl_ssf=0;
unsigned long tag=0, len=-1;
struct berval *extop_value = NULL;
BerElement *ber = NULL;
@@ -248,9 +248,19 @@ passwd_modify_extop( Slapi_PBlock *pb )
/* Now , at least we know that the request was indeed a Password Modify one. */
#ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE
- /* Allow password modify only for SSL/TLS established connections */
+ /* Allow password modify only for SSL/TLS established connections and
+ * connections using SASL privacy layers */
conn = pb->pb_conn;
- if ( (conn->c_flags & CONN_FLAG_SSL) != CONN_FLAG_SSL) {
+ if ( slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
+ errMesg = "Could not get SASL SSF from connection\n";
+ rc = LDAP_OPERATIONS_ERROR;
+ slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_extop",
+ errMesg );
+ goto free_and_return;
+ }
+
+ if ( ((conn->c_flags & CONN_FLAG_SSL) != CONN_FLAG_SSL) &&
+ (sasl_ssf <= 1) ) {
errMesg = "Operation requires a secure connection.\n";
rc = LDAP_CONFIDENTIALITY_REQUIRED;
goto free_and_return;
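Review bot: The new error path hands `errMesg` to `slapi_log_error` as the format argument; the string is a literal assigned two lines above, so it is harmless as written, but routing it through `"%s"` (`slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_extop", "%s", errMesg );`) keeps a future message containing `%` from being interpreted as a conversion. The `sasl_ssf <= 1` test admits only a privacy layer — by SASL convention an SSF of 1 denotes integrity protection without encryption — which matches the commit's intent but is easy to weaken to `< 1` later; a comment above the test such as `/* SSF 1 is integrity-only; a privacy (encrypting) layer has SSF > 1 */` would record why the threshold is 1 and not 0. passwd_modify_extop's body continues outside the hunk on both sides.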
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index d08a04f1..4a6bbca6 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -323,6 +323,16 @@ slapi_pblock_get( Slapi_PBlock *pblock, int arg, void *value )
(*(int *)value) = pblock->pb_conn->c_flags & CONN_FLAG_SSL;
PR_Unlock( pblock->pb_conn->c_mutex );
break;
+ case SLAPI_CONN_SASL_SSF:
+ if (pblock->pb_conn == NULL) {
+ LDAPDebug( LDAP_DEBUG_ANY,
+ "Connection is NULL and hence cannot access SLAPI_CONN_SASL_SSF \n", 0, 0, 0 );
+ return (-1);
+ }
+ PR_Lock( pblock->pb_conn->c_mutex );
+ (*(int *)value) = pblock->pb_conn->c_sasl_ssf;
+ PR_Unlock( pblock->pb_conn->c_mutex );
+ break;
case SLAPI_CONN_CERT:
if (pblock->pb_conn == NULL) {
LDAPDebug( LDAP_DEBUG_ANY,
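Review bot: The new `SLAPI_CONN_SASL_SSF` case reads `c_sasl_ssf` under `c_mutex`, but the two writers this commit adds — `ids_sasl_check_bind` in saslbind.c (`pb->pb_conn->c_sasl_ssf = (unsigned)*ssfp;`) and `sasl_io_cleanup` in sasl_io.c (`c->c_sasl_ssf = 0;`) — show no lock around their stores; if those callers do not already hold `c_mutex` (not visible in their hunks), the lock taken here gives no ordering guarantee and a reader may observe a stale SSF. Either document next to the field that it is written only while `c_mutex` is held, or take the lock at the writers. The case otherwise mirrors the one immediately above it, including the same NULL-connection handling. slapi_pblock_get continues outside the hunk.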
diff --git a/ldap/servers/slapd/sasl_io.c b/ldap/servers/slapd/sasl_io.c
index 70d1b98e..e346b88e 100644
--- a/ldap/servers/slapd/sasl_io.c
+++ b/ldap/servers/slapd/sasl_io.c
@@ -149,6 +149,7 @@ sasl_io_cleanup(Connection *c)
c->c_sasl_io_private = NULL;
c->c_enable_sasl_io = 0;
c->c_sasl_io = 0;
+ c->c_sasl_ssf = 0;
}
return ret;
}
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 6d2f3ba1..e521c49e 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -705,6 +705,7 @@ void ids_sasl_server_new(Connection *conn)
}
conn->c_sasl_conn = sasl_conn;
+ conn->c_sasl_ssf = 0;
LDAPDebug( LDAP_DEBUG_TRACE, "<= ids_sasl_server_new\n", 0, 0, 0 );
@@ -986,6 +987,8 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
"failed to enable sasl i/o",
0, NULL);
}
+ /* Set the SSF in the connection */
+ pb->pb_conn->c_sasl_ssf = (unsigned)*ssfp;
}
}
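Review bot: The new store `pb->pb_conn->c_sasl_ssf = (unsigned)*ssfp;` sits after the closing brace of the branch that reports `"failed to enable sasl i/o"`, so unless that branch leaves the function (the hunk does not show it), the negotiated SSF is recorded even when the SASL I/O layer was not installed, and passwd_modify_extop would then treat the connection as private while its traffic is still plaintext. Setting the field only on the success path, or resetting it to 0 inside the failure branch, closes that gap. The `(unsigned)` cast is also discarded by the assignment to the `int` field `c_sasl_ssf`; either drop it or declare the field unsigned to match the SASL SSF type. The enclosing blocks of ids_sasl_check_bind start outside the hunk.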
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 2fc89acb..55c53ba3 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1252,6 +1252,7 @@ typedef struct conn {
sasl_io_private *c_sasl_io_private; /* Private data for SASL I/O Layer */
int c_enable_sasl_io; /* Flag to tell us to enable SASL I/O on the next read */
int c_sasl_io; /* Flag to tell us to enable SASL I/O on the next read */
+ int c_sasl_ssf; /* flag to tell us the SASL SSF */
} Connection;
#define CONN_FLAG_SSL 1 /* Is this connection an SSL connection or not ?
* Used to direct I/O code when SSL is handled differently
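Review bot: The comment on the new field `c_sasl_ssf` calls it a flag, but it holds the numeric security strength factor (passwd_extop.c compares it against 1 and saslbind.c stores the negotiated value into it); suggest `int c_sasl_ssf; /* SASL security strength factor negotiated for this connection; 0 when no SASL layer is active */`. Since the value is only ever compared against small non-negative thresholds, an unsigned type would match the SASL `sasl_ssf_t` convention better than `int`. The identical comments on the neighbouring `c_enable_sasl_io` and `c_sasl_io` fields are pre-existing.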
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index 15ef187a..c8a7456a 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -1294,6 +1294,7 @@ int slapi_reslimit_get_integer_limit( Slapi_Connection *conn, int handle,
#define SLAPI_CONN_IS_SSL_SESSION 747
#define SLAPI_CONN_CERT 743
#define SLAPI_CONN_AUTHMETHOD 746
+#define SLAPI_CONN_SASL_SSF 748
/*
* Types of authentication for SLAPI_CONN_AUTHMETHOD