author | Nathan Kinder <nkinder@redhat.com> | 2007-08-27 17:16:48 +0000 |
---|---|---|
committer | Nathan Kinder <nkinder@redhat.com> | 2007-08-27 17:16:48 +0000 |
commit | 20a4d4d200c26b2be6db9f468693628e29793ba1 (patch) | |
tree | d10a97aadb299a521b0496bc7dbb39744a994eb1 /ldap/servers/plugins/replication/windows_protocol_util.c | |
parent | d48891ad98082bce4358fa0b143b85ec6ff06ac6 (diff) | |
Resolves: 207893
Summary: Check if passwords are already hashed before sync'ing with AD.
Diffstat (limited to 'ldap/servers/plugins/replication/windows_protocol_util.c')
-rw-r--r-- | ldap/servers/plugins/replication/windows_protocol_util.c | 64 |
1 files changed, 62 insertions, 2 deletions
diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c
index e1c402da..e1b3d669 100644
--- a/ldap/servers/plugins/replication/windows_protocol_util.c
+++ b/ldap/servers/plugins/replication/windows_protocol_util.c
@@ -1375,7 +1375,37 @@ windows_create_remote_entry(Private_Repl_Protocol *prp,Slapi_Entry *original_ent
 slapi_valueset_first_value(vs,&value);
 password_value = slapi_value_get_string(value);
- *password = slapi_ch_strdup(password_value);
+ /* We need to check if the first character of password_value is an
+ * opening brace since strstr will simply return it's first argument
+ * if it is an empty string. */
+ if (password_value && (*password_value == '{')) {
+ if (strchr( password_value, '}' )) {
+ /* A storage scheme is present. Check if it's the
+ * clear storage scheme. */
+ if ((strlen(password_value) >= PASSWD_CLEAR_PREFIX_LEN + 1) &&
+ (strncasecmp(password_value, PASSWD_CLEAR_PREFIX, PASSWD_CLEAR_PREFIX_LEN) == 0)) {
+ /* This password is in clear text. Strip off the clear prefix
+ * and sync it. */
+ *password = slapi_ch_strdup(password_value + PASSWD_CLEAR_PREFIX_LEN);
+ } else {
+ /* This password is stored in a non-cleartext format.
+ * We can only sync cleartext passwords. */
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
+ "%s: windows_create_remote_entry: "
+ "Password is already hashed. Not syncing.\n",
+ agmt_get_long_name(prp->agmt));
+ }
+ } else {
+ /* This password doesn't have a storage prefix but
+ * just happens to start with the '{' character. We'll
+ * assume that it's just a cleartext password without
+ * the proper storage prefix. */
+ *password = slapi_ch_strdup(password_value);
+ }
+ } else {
+ /* This password has no storage prefix, or the password is empty */
+ *password = slapi_ch_strdup(password_value);
+ }
 }
 }
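Review bot: The scheme test treats any value that starts with `{` and has a `}` anywhere after it as already hashed, so a cleartext password such as `{x}y` (a constructed example) is silently left out of the sync, and a value that really begins with the clear prefix is sent with that prefix stripped. Skipping is the safe direction, since it keeps a hash from being set as the AD password, but the decision would be more dependable if the brace-delimited prefix were compared with the storage scheme names the server knows rather than inferred from the braces alone. The skip is reported only at `SLAPI_LOG_REPL`, which is presumably not visible unless replication logging is enabled, so a password that never reaches AD may go unnoticed; a message at a level administrators normally see would help. The opening comment refers to `strstr` while the code calls `strchr`; I would reword it to `/* Only look for a storage scheme prefix when the value starts with '{'. */`. The same block is repeated verbatim in the second hunk (windows_map_mods_for_replay), so these points apply there too and a shared static helper would keep the two copies from drifting; both enclosing functions start and end outside the hunks.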
@@ -1554,7 +1584,37 @@ windows_map_mods_for_replay(Private_Repl_Protocol *prp,LDAPMod **original_mods,
 {
 char *password_value = NULL;
 password_value = mod->mod_bvalues[0]->bv_val;
- *password = slapi_ch_strdup(password_value);
+ /* We need to check if the first character of password_value is an
+ * opening brace since strstr will simply return it's first argument
+ * if it is an empty string. */
+ if (password_value && (*password_value == '{')) {
+ if (strchr( password_value, '}' )) {
+ /* A storage scheme is present. Check if it's the
+ * clear storage scheme. */
+ if ((strlen(password_value) >= PASSWD_CLEAR_PREFIX_LEN + 1) &&
+ (strncasecmp(password_value, PASSWD_CLEAR_PREFIX, PASSWD_CLEAR_PREFIX_LEN) == 0)) {
+ /* This password is in clear text. Strip off the clear prefix
+ * and sync it. */
+ *password = slapi_ch_strdup(password_value + PASSWD_CLEAR_PREFIX_LEN);
+ } else {
+ /* This password is stored in a non-cleartext format.
+ * We can only sync cleartext passwords. */
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
+ "%s: windows_create_remote_entry: "
+ "Password is already hashed. Not syncing.\n",
+ agmt_get_long_name(prp->agmt));
+ }
+ } else {
+ /* This password doesn't have a storage prefix but
+ * just happens to start with the '{' character. We'll
+ * assume that it's just a cleartext password without
+ * the proper storage prefix. */
+ *password = slapi_ch_strdup(password_value);
+ }
+ } else {
+ /* This password has no storage prefix, or the password is empty */
+ *password = slapi_ch_strdup(password_value);
+ }
 }
 }
 } |
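Review bot: The log message in the hashed-password branch still names `windows_create_remote_entry`, although the hunk header places this code in windows_map_mods_for_replay, so anyone tracing a skipped password sync from the log is pointed at the wrong code path; the string should read `"%s: windows_map_mods_for_replay: "`. The new `strchr`, `strlen` and `strncasecmp` calls also read `mod->mod_bvalues[0]->bv_val` as a NUL-terminated string. The removed `slapi_ch_strdup` call made the same assumption, so this is not new, but a berval carries its own length, and it is worth confirming that the value is always terminated before scanning it. The enclosing function starts and ends outside the hunk.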