summaryrefslogtreecommitdiffstats
path: root/daemons
diff options
context:
space:
mode:
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c130
1 files changed, 62 insertions, 68 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 181bd0ee7..deae64777 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -394,7 +394,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
struct ipapwd_krbcfg *krbcfg = NULL;
char *errMesg = NULL;
LDAPMod **mods;
- Slapi_Mod *smod, *tmod;
+ LDAPMod *lmod;
Slapi_Mods *smods = NULL;
char *userpw = NULL;
char *unhashedpw = NULL;
@@ -434,52 +434,43 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
/* In the first pass,
* only check there is anything we are interested in */
is_pwd_op = 0;
- tmod = slapi_mod_new();
- smod = slapi_mods_get_first_smod(smods, tmod);
- while (smod) {
+ lmod = slapi_mods_get_first_mod(smods);
+ while (lmod) {
struct berval *bv;
- const char *type;
- int mop;
- type = slapi_mod_get_type(smod);
- if (slapi_attr_types_equivalent(type, SLAPI_USERPWD_ATTR)) {
- mop = slapi_mod_get_operation(smod);
+ if (slapi_attr_types_equivalent(lmod->mod_type, SLAPI_USERPWD_ATTR)) {
/* check op filtering out LDAP_MOD_BVALUES */
- switch (mop & 0x0f) {
+ switch (lmod->mod_op & 0x0f) {
case LDAP_MOD_ADD:
case LDAP_MOD_REPLACE:
is_pwd_op = 1;
default:
break;
}
- }
-
- /* we check for unahsehd password here so that we are sure to catch them
- * early, before further checks go on, this helps checking
- * LDAP_MOD_DELETE operations in some corner cases later */
- /* we keep only the last one if multiple are provided for any absurd
- * reason */
- if (slapi_attr_types_equivalent(type, "unhashed#user#password")) {
- bv = slapi_mod_get_first_value(smod);
- if (!bv) {
- slapi_mod_free(&tmod);
+ } else if (slapi_attr_types_equivalent(lmod->mod_type,
+ "unhashed#user#password")) {
+ /* we check for unahsehd password here so that we are sure to
+ * catch them early, before further checks go on, this helps
+ * checking LDAP_MOD_DELETE operations in some corner cases later.
+ * We keep only the last one if multiple are provided for any
+ * reason */
+ if (!lmod->mod_bvalues ||
+ !lmod->mod_bvalues[0]) {
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
+ bv = lmod->mod_bvalues[0];
slapi_ch_free_string(&unhashedpw);
unhashedpw = slapi_ch_malloc(bv->bv_len+1);
if (!unhashedpw) {
- slapi_mod_free(&tmod);
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
memcpy(unhashedpw, bv->bv_val, bv->bv_len);
unhashedpw[bv->bv_len] = '\0';
}
- slapi_mod_done(tmod);
- smod = slapi_mods_get_next_smod(smods, tmod);
+ lmod = slapi_mods_get_next_mod(smods);
}
- slapi_mod_free(&tmod);
/* If userPassword is not modified we are done here */
if (! is_pwd_op) {
@@ -487,7 +478,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
goto done;
}
- /* OK swe have something interesting here, start checking for
+ /* OK we have something interesting here, start checking for
* pre-requisites */
/* Get target DN */
@@ -532,33 +523,27 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
}
/* run through the mods again and adjust flags if operations affect them */
- tmod = slapi_mod_new();
- smod = slapi_mods_get_first_smod(smods, tmod);
- while (smod) {
+ lmod = slapi_mods_get_first_mod(smods);
+ while (lmod) {
struct berval *bv;
- const char *type;
- int mop;
- type = slapi_mod_get_type(smod);
- if (slapi_attr_types_equivalent(type, SLAPI_USERPWD_ATTR)) {
- mop = slapi_mod_get_operation(smod);
+ if (slapi_attr_types_equivalent(lmod->mod_type, SLAPI_USERPWD_ATTR)) {
/* check op filtering out LDAP_MOD_BVALUES */
- switch (mop & 0x0f) {
+ switch (lmod->mod_op & 0x0f) {
case LDAP_MOD_ADD:
/* FIXME: should we try to track cases where we would end up
* with multiple userPassword entries ?? */
case LDAP_MOD_REPLACE:
is_pwd_op = 1;
- bv = slapi_mod_get_first_value(smod);
- if (!bv) {
- slapi_mod_free(&tmod);
+ if (!lmod->mod_bvalues ||
+ !lmod->mod_bvalues[0]) {
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
+ bv = lmod->mod_bvalues[0];
slapi_ch_free_string(&userpw);
userpw = slapi_ch_malloc(bv->bv_len+1);
if (!userpw) {
- slapi_mod_free(&tmod);
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
@@ -569,23 +554,27 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
/* reset only if we are deleting all values, or the exact
* same value previously set, otherwise we are just trying to
* add a new value and delete an existing one */
- bv = slapi_mod_get_first_value(smod);
- if (!bv) {
+ if (!lmod->mod_bvalues ||
+ !lmod->mod_bvalues[0]) {
is_pwd_op = 0;
} else {
- if ((userpw && 0 == strncmp(userpw, bv->bv_val, bv->bv_len)) ||
- (unhashedpw && 0 == strncmp(unhashedpw, bv->bv_val, bv->bv_len)))
+ bv = lmod->mod_bvalues[0];
+ if ((userpw &&
+ strncmp(userpw, bv->bv_val, bv->bv_len) == 0) ||
+ (unhashedpw &&
+ strncmp(unhashedpw, bv->bv_val, bv->bv_len) == 0)) {
is_pwd_op = 0;
+ }
}
default:
break;
}
- }
- if (slapi_attr_types_equivalent(type, SLAPI_ATTR_OBJECTCLASS)) {
- mop = slapi_mod_get_operation(smod);
+ } else if (slapi_attr_types_equivalent(lmod->mod_type,
+ SLAPI_ATTR_OBJECTCLASS)) {
+ int i;
/* check op filtering out LDAP_MOD_BVALUES */
- switch (mop & 0x0f) {
+ switch (lmod->mod_op & 0x0f) {
case LDAP_MOD_REPLACE:
/* if objectclasses are replaced we need to start clean with
* flags, so we sero them out and see if they get set again */
@@ -594,20 +583,23 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
is_ipant = 0;
case LDAP_MOD_ADD:
- bv = slapi_mod_get_first_value(smod);
- if (!bv) {
- slapi_mod_free(&tmod);
+ if (!lmod->mod_bvalues ||
+ !lmod->mod_bvalues[0]) {
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
- do {
- if (0 == strncasecmp("krbPrincipalAux", bv->bv_val, bv->bv_len))
+ for (i = 0; (bv = lmod->mod_bvalues[i]) != NULL; i++) {
+ if (strncasecmp("krbPrincipalAux",
+ bv->bv_val, bv->bv_len) == 0) {
is_krb = 1;
- if (0 == strncasecmp("sambaSamAccount", bv->bv_val, bv->bv_len))
+ } else if (strncasecmp("sambaSamAccount",
+ bv->bv_val, bv->bv_len) == 0) {
is_smb = 1;
- if (0 == strncasecmp("ipaNTUserAttrs", bv->bv_val, bv->bv_len))
+ } else if (strncasecmp("ipaNTUserAttrs",
+ bv->bv_val, bv->bv_len) == 0) {
is_ipant = 1;
- } while ((bv = slapi_mod_get_next_value(smod)) != NULL);
+ }
+ }
break;
@@ -620,32 +612,34 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
default:
break;
}
- }
- /* if we are getting a krbPrincipalKey, also avoid regenerating the keys,
- * it means kadmin has alredy done the job and is simply keeping
- * userPassword and sambaXXPAssword in sync */
- if (slapi_attr_types_equivalent(type, "krbPrincipalKey")) {
+ } else if (slapi_attr_types_equivalent(lmod->mod_type,
+ "krbPrincipalKey")) {
+
+ /* if we are getting a krbPrincipalKey, also avoid regenerating
+ * the keys, it means kadmin has alredy done the job and is simply
+ * keeping userPassword and sambaXXPAssword in sync */
+
/* we also check we have enough authority */
if (is_root) {
has_krb_keys = 1;
}
- }
- /* if we are getting a passwordHistory, also avoid regenerating the hashes,
- * it means kadmin has alredy done the job and is simply keeping
- * userPassword and sambaXXPAssword in sync */
- if (slapi_attr_types_equivalent(type, "passwordHistory")) {
+ } else if (slapi_attr_types_equivalent(lmod->mod_type,
+ "passwordHistory")) {
+
+ /* if we are getting a passwordHistory, also avoid regenerating
+ * the hashes, it means kadmin has alredy done the job and is
+ * simply keeping userPassword and sambaXXPAssword in sync */
+
/* we also check we have enough authority */
if (is_root) {
has_history = 1;
}
}
- slapi_mod_done(tmod);
- smod = slapi_mods_get_next_smod(smods, tmod);
+ lmod = slapi_mods_get_next_mod(smods);
}
- slapi_mod_free(&tmod);
if (is_krb) {
if (has_krb_keys) {