From 7de99c74150ca5a4c6e128595f38b3862b8a7591 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi
Date: Tue, 15 Dec 2015 13:37:27 -0800
Subject: [PATCH 1/2] Ticket #142 - [RFE] Default password syntax settings don't work with fine-grained policies
Description: When a fine-grained password syntax is not set, there is no syntax restriction for the passwords to be added or modified even though the global password syntax is configured. This patch introducing a config parameter: cn=config. nsslapd-pwpolicy-inherit-global: on | off If on, the fine-grained password syntax inherits the global password syntax if the global one is configured. If off, the inheritance does not occur. This is the current behaviour. By default, it is off.
---
 ldap/servers/plugins/cos/cos_cache.c | 2 +-
 ldap/servers/slapd/libglobs.c | 34 +++++++++++++++++++++++++++++++++-
 ldap/servers/slapd/proto-slap.h | 2 ++
 ldap/servers/slapd/pw.c | 27 ++++++++++++++++++++++++---
 ldap/servers/slapd/slap.h | 3 +++
 5 files changed, 63 insertions(+), 5 deletions(-)
diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index e0b841d..db90ffa 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -2329,7 +2329,7 @@ static int cos_cache_query_attr(cos_cache *ptheCache, vattr_context *context,
 /* now for the tests */
 /* would we be allowed to supply this attribute if we had one? */
-if(entry_has_value && pAttr->attr_override == 0 && pAttr->attr_operational == 0)
+if (entry_has_value && !pAttr->attr_override && !pAttr->attr_operational && !pAttr->attr_operational_default)
 {
 /* answer: no, move on to the next attribute */
 attr_index++;
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 4661964..d108bf3 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
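Review bot: The new `!pAttr->attr_operational_default` term in the cos_cache.c condition changes which attributes COS may still supply when the entry already has a value, yet neither the commit message nor the comment above the `if` mentions COS at all; this reads as an unrelated fix folded into the password-policy patch. At minimum the comment should state the effect, e.g. `/* attributes flagged operational-default may still be supplied even when the entry has a value */`, and ideally the change goes in its own commit with its own rationale. The enclosing cos_cache_query_attr() starts and ends outside the hunk.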
@@ -186,6 +186,7 @@ slapi_onoff_t init_csnlogging;
 slapi_onoff_t init_pw_unlock;
 slapi_onoff_t init_pw_must_change;
 slapi_onoff_t init_pwpolicy_local;
+slapi_onoff_t init_pwpolicy_inherit_global;
 slapi_onoff_t init_pw_lockout;
 slapi_onoff_t init_pw_history;
 slapi_onoff_t init_pw_is_global_policy;
@@ -406,6 +407,10 @@ static struct config_get_and_set {
 NULL, 0,
 (void**)&global_slapdFrontendConfig.pwpolicy_local,
 CONFIG_ON_OFF, NULL, &init_pwpolicy_local},
+ {CONFIG_PWPOLICY_INHERIT_GLOBAL_ATTRIBUTE, config_set_pwpolicy_inherit_global,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.pwpolicy_inherit_global,
+ CONFIG_ON_OFF, NULL, &init_pwpolicy_inherit_global},
 {CONFIG_AUDITLOG_MAXLOGDISKSPACE_ATTRIBUTE, NULL,
 log_set_maxdiskspace, SLAPD_AUDIT_LOG,
 (void**)&global_slapdFrontendConfig.auditlog_maxdiskspace,
@@ -1506,6 +1511,7 @@ FrontendConfig_init () {
 init_readonly = cfg->readonly = LDAP_OFF;
 init_pwpolicy_local = cfg->pwpolicy_local = LDAP_OFF;
+ init_pwpolicy_inherit_global = cfg->pwpolicy_inherit_global = LDAP_OFF;
 init_pw_change = cfg->pw_policy.pw_change = LDAP_ON;
 init_pw_must_change = cfg->pw_policy.pw_must_change = LDAP_OFF;
 init_allow_hashed_pw = cfg->allow_hashed_pw = LDAP_OFF;
@@ -2581,7 +2587,6 @@ config_set_pw_history( const char *attrname, char *value, char *errorbuf, int ap
 }
-
 int
 config_set_pw_must_change( const char *attrname, char *value, char *errorbuf, int apply )
 {
 int retVal = LDAP_SUCCESS;
@@ -2618,6 +2623,23 @@ config_set_pwpolicy_local( const char *attrname, char *value, char *errorbuf, in
 return retVal;
 }
+
+int
+config_set_pwpolicy_inherit_global(const char *attrname, char *value, char *errorbuf, int apply)
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ retVal = config_set_onoff (attrname,
+ value,
+ &(slapdFrontendConfig->pwpolicy_inherit_global),
+ errorbuf,
+ apply);
+
+ return retVal;
+}
+
+
 int
 config_set_allow_hashed_pw( const char *attrname, char *value, char *errorbuf, int apply )
 {
 int retVal = LDAP_SUCCESS;
@@ -5712,6 +5734,16 @@ config_get_pw_warning() {
 }
 int
+config_get_pwpolicy_inherit_global()
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ int retVal;
+
+ retVal = slapdFrontendConfig->pwpolicy_inherit_global;
+ return retVal;
+}
+
+int
 config_get_errorlog_level(){
 slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
 int retVal;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 0547bc7..7d965b0 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -301,6 +301,7 @@ int config_set_pw_change(const char *attrname, char *value, char *errorbuf, int
 int config_set_pw_must_change(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_pwpolicy_local(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_allow_hashed_pw( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_pwpolicy_inherit_global(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_pw_syntax(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_pw_minlength(const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_pw_mindigits(const char *attrname, char *value, char *errorbuf, int apply );
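Review bot: config_get_pwpolicy_inherit_global() routes the value through a `retVal` local that is assigned once and immediately returned; `return slapdFrontendConfig->pwpolicy_inherit_global;` says the same in one line. The new definition and its declaration in proto-slap.h (next hunk of that file) both use an empty parameter list, which in C is not a prototype; `int config_get_pwpolicy_inherit_global(void)` would be, though the neighbouring getters such as config_get_errorlog_level() share the older form, so this may be deliberate consistency. Neither the setter nor the getter carries a comment naming the attribute they back; a one-liner above each, e.g. `/* nsslapd-pwpolicy-inherit-global: let a fine-grained policy inherit the global password syntax (see new_passwdPolicy) */`, would save the next reader a grep.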
@@ -444,6 +445,7 @@ int config_get_pw_exp();
 int config_get_pw_unlock();
 int config_get_pw_lockout();
 int config_get_pw_gracelimit();
+int config_get_pwpolicy_inherit_global();
 int config_get_lastmod();
 int config_get_nagle();
 int config_get_accesscontrol();
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 3985c2b..69756f3 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -853,7 +853,7 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
 }
 }
- if ( pwpolicy->pw_syntax == 1 ) {
+ if ( pwpolicy->pw_syntax == LDAP_ON ) {
 for ( i = 0; vals[ i ] != NULL; ++i ) {
 int syntax_violation = 0;
 int num_digits = 0;
@@ -1057,7 +1057,7 @@ retry:
 }
 /* check for trivial words if syntax checking is enabled */
- if ( pwpolicy->pw_syntax == 1 ) {
+ if ( pwpolicy->pw_syntax == LDAP_ON ) {
 /* e is null if this is an add operation*/
 if ( check_trivial_words ( pb, e, vals, "uid", pwpolicy->pw_mintokenlength, smods ) == 1 ||
 check_trivial_words ( pb, e, vals, "cn", pwpolicy->pw_mintokenlength, smods ) == 1 ||
@@ -1999,7 +1999,28 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
 if (pw_entry) {
 slapi_entry_free(pw_entry);
 }
- if(pb){
+ if (LDAP_ON != pwdpolicy->pw_syntax) {
+ passwdPolicy *g_pwdpolicy = &(slapdFrontendConfig->pw_policy);
+ /*
+ * When the fine-grained password policy does not set the
+ * password syntax, get the syntax from the global
+ * policy if nsslapd-pwpolicy-inherit-global is on.
+ */
+ if ((LDAP_ON == g_pwdpolicy->pw_syntax) && config_get_pwpolicy_inherit_global()) {
+ pwdpolicy->pw_minlength = g_pwdpolicy->pw_minlength;
+ pwdpolicy->pw_mindigits = g_pwdpolicy->pw_mindigits;
+ pwdpolicy->pw_minalphas = g_pwdpolicy->pw_minalphas;
+ pwdpolicy->pw_minuppers = g_pwdpolicy->pw_minuppers;
+ pwdpolicy->pw_minlowers = g_pwdpolicy->pw_minlowers;
+ pwdpolicy->pw_minspecials = g_pwdpolicy->pw_minspecials;
+ pwdpolicy->pw_min8bit = g_pwdpolicy->pw_min8bit;
+ pwdpolicy->pw_maxrepeats = g_pwdpolicy->pw_maxrepeats;
+ pwdpolicy->pw_mincategories = g_pwdpolicy->pw_mincategories;
+ pwdpolicy->pw_mintokenlength = g_pwdpolicy->pw_mintokenlength;
+ pwdpolicy->pw_syntax = LDAP_ON; /* Need to enable it to apply the default values */
+ }
+ }
+ if (pb) {
 pb->pwdpolicy = pwdpolicy;
 }
 return pwdpolicy;
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 0b867ab..0474e8e 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2013,6 +2013,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_GROUPEVALNESTLEVEL_ATTRIBUTE "nsslapd-groupevalnestlevel"
 #define CONFIG_NAGLE_ATTRIBUTE "nsslapd-nagle"
 #define CONFIG_PWPOLICY_LOCAL_ATTRIBUTE "nsslapd-pwpolicy-local"
+#define CONFIG_PWPOLICY_INHERIT_GLOBAL_ATTRIBUTE "nsslapd-pwpolicy-inherit-global"
 #define CONFIG_ALLOW_HASHED_PW_ATTRIBUTE "nsslapd-allow-hashed-passwords"
 #define CONFIG_PW_CHANGE_ATTRIBUTE "passwordChange"
 #define CONFIG_PW_MUSTCHANGE_ATTRIBUTE "passwordMustChange"
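Review bot: The guard `if (LDAP_ON != pwdpolicy->pw_syntax)` in new_passwdPolicy() cannot tell a fine-grained policy that never set passwordCheckSyntax from one that explicitly set it to off, so with nsslapd-pwpolicy-inherit-global on the global syntax is also imposed on subtrees whose administrator deliberately disabled checking — stricter, but not what the commit message ("when a fine-grained password syntax is not set") describes. If passwdPolicy has no representable "unset" state (its initialization is outside this hunk), the block comment should say so explicitly, e.g. add the line `* An explicit passwordCheckSyntax: off in the local policy is overridden as well.`; otherwise the condition should test that state instead. The copy also reads the global pw_policy fields and calls config_get_pwpolicy_inherit_global() with no lock visible here; whether this function already runs under the config read lock cannot be seen from the hunk and is worth confirming. The enclosing function starts, and its closing brace lies, outside the hunk.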
@@ -2229,8 +2230,10 @@ typedef struct _slapdFrontendConfig {
 slapi_onoff_t pwpolicy_local;
 slapi_onoff_t pw_is_global_policy;
+ slapi_onoff_t pwpolicy_inherit_global;
 slapi_onoff_t allow_hashed_pw;
 passwdPolicy pw_policy;
+ slapi_onoff_t pw_policy_inherit_global;
 /* ACCESS LOG */
 slapi_onoff_t accesslog_logging_enabled;
-- 
2.4.3
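Review bot: `slapi_onoff_t pw_policy_inherit_global;` is added after `pw_policy`, but nothing else in the patch reads or writes it — the config table, config_set/get_pwpolicy_inherit_global() and new_passwdPolicy() all use `pwpolicy_inherit_global`, added three lines above in the same hunk. It looks like a leftover from a rename and should be dropped before two near-identical field names start to diverge in meaning. The struct definition begins outside the hunk.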