summaryrefslogtreecommitdiffstats
path: root/daemons/ipa-slapi-plugins
diff options
context:
space:
mode:
authorroot <root@testbox.winry>2009-10-19 14:53:40 +0200
committerRob Crittenden <rcritten@redhat.com>2010-01-20 16:53:41 -0500
commitfd5742cc7910bfe4bf896d0e5742a54380366e5e (patch)
tree71e68dd6e45ff3eadcdd391b2e512eb71f4657ad /daemons/ipa-slapi-plugins
parentcfe47a35531d841a0a765943aac1296a2a3ac99b (diff)
downloadfreeipa-fd5742cc7910bfe4bf896d0e5742a54380366e5e.tar.gz
freeipa-fd5742cc7910bfe4bf896d0e5742a54380366e5e.tar.xz
freeipa-fd5742cc7910bfe4bf896d0e5742a54380366e5e.zip
Allow adding entries with pre-hashed passwords, but don't generate keys for them.
Fix bug #528922.
Diffstat (limited to 'daemons/ipa-slapi-plugins')
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c23
1 files changed, 15 insertions, 8 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 863687581..3067fa90b 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -3296,17 +3296,24 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
slapi_ch_free_string(&userpw);
userpw = tmp;
} else if (slapi_is_encoded(userpw)) {
+ /* check if we have access to the unhashed user password */
+ char *userpw_clear =
+ slapi_entry_attr_get_charptr(e, "unhashed#user#password");
+
+ /* unhashed#user#password doesn't always contain the clear text
+ * password, therefore we need to check if its value isn't the same
+ * as userPassword, to make sure */
+ if (!userpw || (0 == strcmp(userpw, userpw_clear))) {
+ rc = LDAP_CONSTRAINT_VIOLATION;
+ }
slapi_ch_free_string(&userpw);
+ slapi_ch_free_string(&userpw_clear);
- /* check if we have access to the unhashed user password */
- userpw = slapi_entry_attr_get_charptr(e, "unhashed#user#password");
- if (!userpw) {
- slapi_log_error(SLAPI_LOG_PLUGIN, IPAPWD_PLUGIN_NAME,
- "Pre-Encoded passwords are not valid\n");
- errMesg = "Pre-Encoded passwords are not valid\n";
- rc = LDAP_CONSTRAINT_VIOLATION;
- goto done;
+ if (rc) {
+ /* we don't have access to the clear text password,
+ * let the operation continue, but don't generate keys */
+ return 0;
}
}
}