From 1ce8d32fd6c09b0bfcb1593e2e5ad8e47eef3670 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Fri, 10 Jun 2016 15:34:40 +0200 Subject: ipapwd_extop should use TARGET_DN defined by a pre-extop plugin ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry. If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req) There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955) https://fedorahosted.org/freeipa/ticket/5946 Reviewed-By: Alexander Bokovoy --- .../ipa-pwd-extop/ipa_pwd_extop.c | 36 +++++++++++++++++----- 1 file changed, 28 insertions(+), 8 deletions(-) (limited to 'daemons/ipa-slapi-plugins') diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 440e22117..3c2c44f61 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) char *attrlist[] = {"*", "passwordHistory", NULL }; struct ipapwd_data pwdata; int is_krb, is_smb, is_ipant; - char *principal = NULL; + char *principal = NULL; Slapi_PBlock *chpwop_pb = NULL; + Slapi_DN *target_sdn = NULL; + char *target_dn = NULL; /* Get the ber value of the extended operation */ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); 
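Review bot: `target_dn` is added as a plain `char *`, but the second hunk assigns it the result of `slapi_sdn_get_ndn()`, which returns a `const char *` that points into storage owned by the Slapi_DN. Declaring it as `const char *target_dn = NULL;` avoids discarding the qualifier. It also documents that the string is borrowed from `target_sdn` and is only valid until `slapi_sdn_free(&target_sdn)` runs. The body of ipapwd_chpwop starts before and continues past this hunk.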
@@ -327,14 +329,32 @@ parse_req_done: } } - /* Determine the target DN for this operation */ - /* Did they give us a DN ? */ - if (dn == NULL || *dn == '\0') { - /* Get the DN from the bind identity on this connection */ - dn = slapi_ch_strdup(bindDN); - LOG_TRACE("Missing userIdentity in request, " - "using the bind DN instead.\n"); + /* Determine the target DN for this operation */ + slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); + if (target_sdn != NULL) { + /* If there is a TARGET_DN we are consuming it */ + slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); + target_dn = slapi_sdn_get_ndn(target_sdn); } + if (target_dn == NULL || *target_dn == '\0') { + /* Did they give us a DN ? */ + if (dn == NULL || *dn == '\0') { + /* Get the DN from the bind identity on this connection */ + dn = slapi_ch_strdup(bindDN); + LOG_TRACE("Missing userIdentity in request, " + "using the bind DN instead.\n"); + } + LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); + } else { + /* At this point if SLAPI_TARGET_SDN was set that means + * that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it + * So take this one rather that the raw one that is in the ber + */ + LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : "", target_dn); + slapi_ch_free_string(&dn); + dn = slapi_ch_strdup(target_dn); + } + slapi_sdn_free(&target_sdn); if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) { LOG_FATAL("slapi_pblock_set failed!\n"); -- cgit
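Review bot: The entry whose password is changed is now taken from `SLAPI_TARGET_SDN` whenever that value is non-empty, replacing the userIdentity from the request, and nothing in this hunk verifies who put it in the pblock. The comment in the `else` branch states that a pre-extop plugin set it, but that is an assumption rather than something the code checks. Because this redirects a credential change, I would make the trust boundary explicit above the `slapi_pblock_get` call, e.g. `/* Trust boundary: target_dn comes from the pblock, not from the client; it replaces the requested DN for every check and update that follows. */`. The authorization logic after `SLAPI_ORIGINAL_TARGET` is set lies outside this hunk, so it should be confirmed that it evaluates the bind identity against the translated `dn`. The substitution is recorded only through `LOG_TRACE`, so it will presumably be missing from normal logs when someone later has to reconstruct which entry a request actually modified.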