author | Nathan Kinder <nkinder@redhat.com> | 2008-12-11 23:05:23 +0000 |
---|---|---|
committer | Nathan Kinder <nkinder@redhat.com> | 2008-12-11 23:05:23 +0000 |
commit | ea1286557f9aab2e3891f14fbbd103f1734662fb (patch) | |
tree | 04a5029eb87d8a0d7ab6607f4b0f5fdcd92e7dbe /ldap/servers | |
parent | 8eefcd5606a149ed3f4f19dbfab0f85e5aa0bf58 (diff) | |
Resolves: 201332
Summary: Allow password modify extop when password reset is needed.
Diffstat (limited to 'ldap/servers')
-rw-r--r-- | ldap/servers/slapd/connection.c | 2 | ||||
-rw-r--r-- | ldap/servers/slapd/extendop.c | 16 | ||||
-rw-r--r-- | ldap/servers/slapd/passwd_extop.c | 13 | ||||
-rw-r--r-- | ldap/servers/slapd/slap.h | 1 |
4 files changed, 23 insertions, 9 deletions
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
index 00571c1b..045e527c 100644
--- a/ldap/servers/slapd/connection.c
+++ b/ldap/servers/slapd/connection.c
@@ -449,7 +449,7 @@ connection_need_new_password(const Connection *conn, const Operation *op, Slapi_
 if ( conn->c_needpw && op->o_tag != LDAP_REQ_MODIFY && op->o_tag != LDAP_REQ_BIND && op->o_tag != LDAP_REQ_UNBIND &&
- op->o_tag != LDAP_REQ_ABANDON )
+ op->o_tag != LDAP_REQ_ABANDON && op->o_tag != LDAP_REQ_EXTENDED)
 {
 slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
 slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d %s\n",
diff --git a/ldap/servers/slapd/extendop.c b/ldap/servers/slapd/extendop.c
index 366a7328..53947c6e 100644
--- a/ldap/servers/slapd/extendop.c
+++ b/ldap/servers/slapd/extendop.c
@@ -295,6 +295,22 @@ do_extended( Slapi_PBlock *pb )
 goto free_and_return;
 }
+ /* If a password change is required, only allow the password
+ * modify extended operation */
+ if (!pb->pb_conn->c_isreplication_session &&
+ pb->pb_conn->c_needpw && (strcmp(extoid, EXTOP_PASSWD_OID) != 0))
+ {
+ char *dn = NULL;
+ slapi_pblock_get(pb, SLAPI_CONN_DN, &dn);
+
+ (void)slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+ op_shared_log_error_access (pb, "EXT", dn ? dn : "", "need new password");
+ send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, NULL, 0, NULL );
+
+ slapi_ch_free_string(&dn);
+ goto free_and_return;
+ }
+
 slapi_pblock_set( pb, SLAPI_EXT_OP_REQ_OID, extoid );
 slapi_pblock_set( pb, SLAPI_EXT_OP_REQ_VALUE, &extval );
 rc = plugin_call_exop_plugins( pb, extoid );
diff --git a/ldap/servers/slapd/passwd_extop.c b/ldap/servers/slapd/passwd_extop.c
index 93fdd3b1..8b1185a5 100644
--- a/ldap/servers/slapd/passwd_extop.c
+++ b/ldap/servers/slapd/passwd_extop.c
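Review bot: Adding `LDAP_REQ_EXTENDED` to the exemption list in `connection_need_new_password` lets every extended operation past this check, so the must-change-password restriction for extended requests now rests entirely on the OID test this commit adds in `do_extended` (extendop.c). Nothing at this site records that dependency; I would add a comment above the condition such as `/* extended ops are exempted here; do_extended() rejects every OID except EXTOP_PASSWD_OID while c_needpw is set */`. The new extendop.c gate sits near line 295 of that file, so it is worth confirming that no extended request is acted on earlier in `do_extended`, which this diff does not show. The body of `connection_need_new_password` continues outside the hunk.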
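Review bot: The `!pb->pb_conn->c_isreplication_session` term in the added condition exempts replication sessions from the must-change-password gate, whereas the check in `connection_need_new_password` that covered extended operations before this commit makes no such distinction in the lines shown. If the exemption is intended, the block comment should state the reason; if it is not, `if (pb->pb_conn->c_needpw && (strcmp(extoid, EXTOP_PASSWD_OID) != 0))` keeps the restriction as strict as it was. The return value of `slapi_pblock_get(pb, SLAPI_CONN_DN, &dn)` is also ignored, which is harmless here only because `dn` is initialised to NULL and the log call falls back to `""`. `do_extended` begins and ends outside the hunk.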
@@ -82,9 +82,6 @@
 /* number of random bytes needed to generate password */
 #define LDAP_EXTOP_PASSMOD_RANDOM_BYTES 6
-/* OID of the extended operation handled by this plug-in */
-#define EXOP_PASSWD_OID "1.3.6.1.4.1.4203.1.11.1"
-
 Slapi_PluginDesc passwdopdesc = { "passwd_modify_plugin", "Fedora", "0.1", "Password Modify extended operation plugin" };
@@ -450,7 +447,7 @@ passwd_modify_extop( Slapi_PBlock *pb )
 /* Before going any further, we'll make sure that the right extended operation plugin
 * has been called: i.e., the OID shipped whithin the extended operation request must
- * match this very plugin's OID: EXOP_PASSWD_OID. */
+ * match this very plugin's OID: EXTOP_PASSWD_OID. */
 if ( slapi_pblock_get( pb, SLAPI_EXT_OP_REQ_OID, &oid ) != 0 ) {
 errMesg = "Could not get OID value from request.\n";
 rc = LDAP_OPERATIONS_ERROR;
@@ -462,7 +459,7 @@ passwd_modify_extop( Slapi_PBlock *pb )
 "Received extended operation request with OID %s\n", oid );
 }
- if ( strcasecmp( oid, EXOP_PASSWD_OID ) != 0) {
+ if ( strcasecmp( oid, EXTOP_PASSWD_OID ) != 0) {
 errMesg = "Request OID does not match Passwd OID.\n";
 rc = LDAP_OPERATIONS_ERROR;
 goto free_and_return;
@@ -783,7 +780,7 @@ parse_req_done:
 static char *passwd_oid_list[] = {
- EXOP_PASSWD_OID,
+ EXTOP_PASSWD_OID,
 NULL };
@@ -812,9 +809,9 @@ int passwd_modify_init( Slapi_PBlock *pb )
 /* Compare the OID specified in the configuration file against the Passwd OID. */
- if ( argv == NULL || strcmp( argv[0], EXOP_PASSWD_OID ) != 0 ) {
+ if ( argv == NULL || strcmp( argv[0], EXTOP_PASSWD_OID ) != 0 ) {
 slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_init",
- "OID is missing or is not %s\n", EXOP_PASSWD_OID );
+ "OID is missing or is not %s\n", EXTOP_PASSWD_OID );
 return( -1 );
 } else {
 oid = slapi_ch_strdup( argv[0] );
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 62a13f96..ceeb11e9 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -540,6 +540,7 @@ typedef int (*SyntaxEnumFunc)(char **names, Slapi_PluginDesc *plugindesc,
 /* extended operations supported by the server */
 #define EXTOP_BULK_IMPORT_START_OID "2.16.840.1.113730.3.5.7"
 #define EXTOP_BULK_IMPORT_DONE_OID "2.16.840.1.113730.3.5.8"
+#define EXTOP_PASSWD_OID "1.3.6.1.4.1.4203.1.11.1"
 /*
 * Represents a Distinguished Name of an entry |