On Wed, Oct 05, 2011 at 03:06:19PM +0200, Jan Cholasta wrote:
> On 5.10.2011 11:58, Sumit Bose wrote:
> >On Tue, Oct 04, 2011 at 11:15:04AM +0200, Jan Cholasta wrote:
> >>On 27.9.2011 10:15, Sumit Bose wrote:
> >>>Hi,
> >>>
> >>>currently the change password plugin does not check if the connection is
> >>>coming from a local LDAPI socket and denies password change requests via
> >>>LDAPI. This patch changes the check to just look at the overall SSF of
> >>>the connection which covers all types of connection.
> >>>
> >>>There is a similar check in ipa_enrollment.c. But I think enrollments via
> >>>LDAPI do not make much sense so it does not need to be changed.
> >>
> >>IMHO it should be changed anyway, for the sake of consistency.
> >>
> >>>
> >>>This patch should fix https://fedorahosted.org/freeipa/ticket/1877.
> >>>
> >>>bye,
> >>>Sumit
> >>>
> >>
> >>The patch has trailing whitespace on lines 20 and 32-35 and needs to
> >>be rebased.
> >>
> >>Tested the patch with ldappasswd over ldap/ldaps/ldapi - works as expected.
> >
> >Thank you for the review. I have changed ipa_enrollment.c accordingly
> >and checked that the patch applies against master as well as against
> >ipa-2-1 and that git does not complain about trailing whitespace. New
> >version attached.
> >
> >bye,
> >Sumit
>
> "git apply" still complains about the patch:
>
> $ git status -sb
> ## ipa-2-1
>
> $ git apply freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
>
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:23: trailing whitespace.
> int ssf;
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:39: trailing whitespace.
> /* Allow password modify on all connections with a Security Strength
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:40: trailing whitespace.
> * Factor (SSF) higher than 1 */
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:41: trailing whitespace.
> if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) {
> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:42: trailing whitespace.
> LOG_TRACE("Could not get SSF from connection\n");
> error: patch failed: daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:80
> error: daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c: patch does not apply
> error: patch failed: daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:615
> error: daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c: patch does not apply
>
>
> It can be applied with "patch", but it complains too:
>
> $ patch -p1 --no-backup-if-mismatch <freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
>
> (Stripping trailing CRs from patch.)
> patching file daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
> (Stripping trailing CRs from patch.)
> patching file daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
>
>
> The comment in ipa-enrollment.c should be changed from "Allow
> password modify on ..." to "Allow enrollment on ...".

I changed the comment and sent the patch not in base64.

bye,
Sumit

>
> Honza
>
> >
> >>
> >>Honza
> >>
> >>--
> >>Jan Cholasta
> >>
> >>
> >>_______________________________________________
> >>Freeipa-devel mailing list
> >>[email protected]
> >>https://www.redhat.com/mailman/listinfo/freeipa-devel
> >
>
> --
> Jan Cholasta
>From d3dfd8c7a93ba7cd16a967fb8b6075830fed8c8a Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Tue, 27 Sep 2011 10:06:50 +0200 Subject: [PATCH] ipa-pwd-extop: allow password change on all connections with SSF>1 Instead of checking the individual SSFs for SASL, SSL/TLS and LDAPI connection the global SSF is checked for password changes and enrollments. --- .../ipa-enrollment/ipa_enrollment.c | 19 ++++++------------- .../ipa-pwd-extop/ipapwd_common.c | 19 ++++++------------- 2 files changed, 12 insertions(+), 26 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c index 51231231fd1a597e27ac283c855bbd5146db3e24..78fb359cdb91455a629836df317aa639f35a516e 100644 --- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c +++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c @@ -80,22 +80,15 @@ static const char *ipa_realm_dn; static int ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg) { - int sasl_ssf, is_ssl; + int ssf; int rc = LDAP_SUCCESS; LOG_TRACE("=> ipaenrollment_secure\n"); - /* Allow enrollment only for SSL/TLS established connections and - * connections using SASL privacy layers */ - if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) { - LOG_TRACE("Could not get SASL SSF from connection\n"); - *errMesg = "Operation requires a secure connection.\n"; - rc = LDAP_OPERATIONS_ERROR; - goto done; - } - - if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) { - LOG_TRACE("Could not get IS SSL from connection\n"); + /* Allow enrollment on all connections with a Security Strength + * Factor (SSF) higher than 1 */ + if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) { + LOG_TRACE("Could not get SSF from connection\n"); *errMesg = "Operation requires a secure connection.\n"; rc = LDAP_OPERATIONS_ERROR; goto done; 
@@ -108,7 +101,7 @@ ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg) goto done; } - if ((0 == is_ssl) && (sasl_ssf <= 1)) { + if (ssf <= 1) { *errMesg = "Operation requires a secure connection.\n"; rc = LDAP_CONFIDENTIALITY_REQUIRED; goto done; diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c index 7bc2e7d54da095cf1db232d3d173270f585a76f6..3ee7fefd47dd8c06799bc2eb3b37f17bc2b10444 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c @@ -615,7 +615,7 @@ done: int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg, struct ipapwd_krbcfg **config, int check_flags) { - int ret, sasl_ssf, is_ssl; + int ret, ssf; int rc = LDAP_SUCCESS; Slapi_Backend *be; const Slapi_DN *psdn; @@ -626,23 +626,16 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg, #ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE if (check_flags & IPAPWD_CHECK_CONN_SECURE) { - /* Allow password modify only for SSL/TLS established connections and - * connections using SASL privacy layers */ - if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) { - LOG("Could not get SASL SSF from connection\n"); + /* Allow password modify on all connections with a Security Strength + * Factor (SSF) higher than 1 */ + if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf) != 0) { + LOG("Could not get SSF from connection\n"); *errMesg = "Operation requires a secure connection.\n"; rc = LDAP_OPERATIONS_ERROR; goto done; } - if (slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl) != 0) { - LOG("Could not get IS SSL from connection\n"); - *errMesg = "Operation requires a secure connection.\n"; - rc = LDAP_OPERATIONS_ERROR; - goto done; - } - - if ((0 == is_ssl) && (sasl_ssf <= 1)) { + if (ssf <= 1) { *errMesg = "Operation requires a secure connection.\n"; rc = LDAP_CONFIDENTIALITY_REQUIRED; goto done; -- 1.7.6
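Review bot: in the ipa_enrollment.c hunk at @@ -80,22 +80,15 @@, the new comment "Allow enrollment on all connections with a Security Strength Factor (SSF) higher than 1" states the bound that `if (ssf <= 1)` enforces but not what it means; since SLAPI_OPERATION_SSF now stands in for the separate SASL, SSL/TLS and LDAPI checks that the removed lines performed, a short sentence saying that an SSF of 1 denotes integrity-only protection (the SASL convention) and that anything below confidentiality is rejected would let the next reader verify the threshold without reconstructing the old `(0 == is_ssl) && (sasl_ssf <= 1)` condition. The same hunk also keeps the function name `ipaenrollement_secure` (note the transposed letters) in the context lines; not introduced here, but worth a follow-up cleanup since the commit touches the body.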
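Review bot: in the ipapwd_common.c hunk at @@ -626,23 +626,16 @@, the branch that handles a failed `slapi_pblock_get(pb, SLAPI_OPERATION_SSF, &ssf)` still answers the client with `*errMesg = "Operation requires a secure connection.\n"` and LDAP_OPERATIONS_ERROR, so a server-side failure to read the SSF is reported to the client as a policy refusal; the adjacent `LOG("Could not get SSF from connection\n")` already distinguishes the two cases in the log, and a client-facing message along the same lines (for example "Could not determine connection security level.") would keep the distinction visible to the caller, in this hunk and in its twin in ipa_enrollment.c. Also worth a comment next to the check: the whole block sits under `#ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE`, so when that macro is not defined the SSF requirement is compiled out entirely rather than merely relaxed; the commit message does not mention that dependency.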
