URL: https://github.com/SSSD/sssd/pull/621
Author: fidencio
Title: #621: sdap: respect passwordGracelimit
Action: opened

PR body:
"""
Since recent changes in 389-ds two response controls are sent when
passwordGracelimit is set and about to expire:
- [1.3.6.1.4.1.42.2.27.8.5.1] for the GraceLimit itself
- [2.16.840.1.113730.3.4.4] for the PasswordExpired

Whenever the former is returned and the GraceLimit is still valid, we
shouldn't report the latter to the users.

Resolves:
https://pagure.io/SSSD/sssd/issue/3597

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/621/head:pr621
git checkout pr621
From 002b9e93bb51a918cc2e13a7e04517286becb7b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Fri, 20 Jul 2018 12:15:18 +0200
Subject: [PATCH] sdap: respect passwordGracelimit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Since recent changes in 389-ds two response controls are sent when
passwordGracelimit is set and about to expire:
- [1.3.6.1.4.1.42.2.27.8.5.1] for the GraceLimit itself
- [2.16.840.1.113730.3.4.4] for the PasswordExpired

Whenever the former is returned and the GraceLimit is still valid, we
shouldn't report the latter to the users.

Resolves:
https://pagure.io/SSSD/sssd/issue/3597

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>
---
 src/providers/ldap/sdap_async_connection.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index a8d4262b5..d76a3b6c0 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -734,6 +734,7 @@ static void simple_bind_done(struct sdap_op *op,
     ber_int_t pp_expire;
     LDAPPasswordPolicyError pp_error;
     int result = LDAP_OTHER;
+    bool on_grace_login_limit;
 
     if (error) {
         tevent_req_error(req, error);
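Review bot: `bool on_grace_login_limit;` is declared without an initializer at the top of simple_bind_done() and is only assigned later, inside the else branch that walks response_controls; any use outside that branch would read an indeterminate value. Initialize it at the declaration (`bool on_grace_login_limit = false;`), which also makes the separate `on_grace_login_limit = false;` before the loop unnecessary.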
@@ -768,10 +769,23 @@ static void simple_bind_done(struct sdap_op *op,
         DEBUG(SSSDBG_TRACE_LIBS, "Server returned no controls.\n");
         state->ppolicy = NULL;
     } else {
+        /* We have to set the on_grace_login_limit to false before going
+         * through the response controls as recent changes on 389-ds are
+         * now returning two errors for the GraceLimit:
+         * - [1.3.6.1.4.1.42.2.27.8.5.1] for the GraceLimit itself
+         * - [2.16.840.1.113730.3.4.4] for the PasswordExpired
+         *
+         * So, in order to avoid going through both cases and end up bulldozing
+         * the GraceLimit one, we'll have to mark when we're still on a valid
+         * GraceLimit and just take the PasswordExpired path when its the
+         * GraceLimit is not valid anymore ...
+         */
+        on_grace_login_limit = false;
         for (c = 0; response_controls[c] != NULL; c++) {
             DEBUG(SSSDBG_TRACE_INTERNAL,
                   "Server returned control [%s].\n",
                    response_controls[c]->ldctl_oid);
+
             if (strcmp(response_controls[c]->ldctl_oid,
                        LDAP_CONTROL_PASSWORDPOLICYRESPONSE) == 0) {
                 lret = ldap_parse_passwordpolicy_control(state->sh->ldap,
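Review bot: the last sentence of the new comment has a typo, "when its the GraceLimit is not valid anymore" should read "when the GraceLimit is not valid anymore", and "returning two errors for the GraceLimit" is imprecise: as the PR description says, these are two response controls returned on a successful bind, not errors. Suggest rewording the comment to say that and to name the loop variable it protects, since the reader has to jump two hunks down to see where the flag is consumed.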
@@ -799,7 +813,10 @@ static void simple_bind_done(struct sdap_op *op,
                 state->ppolicy->grace = pp_grace;
                 state->ppolicy->expire = pp_expire;
                 if (result == LDAP_SUCCESS) {
-
+                    /* ... and that's the reason why we have to set
+                     * on_grace_login_limit to true here! ...
+                     */
+                    on_grace_login_limit = pp_grace >= 0;
                     if (pp_error == PP_changeAfterReset) {
                         DEBUG(SSSDBG_TRACE_LIBS,
                               "Password was reset. "
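Review bot: `on_grace_login_limit = pp_grace >= 0;` marks the bind as still within the grace limit when pp_grace is 0, so a PasswordExpired control that follows would be suppressed even if no grace logins remain. Please confirm what 389-ds reports in graceAuthNsRemaining on the last permitted login; if 0 means the allowance is exhausted, `pp_grace > 0` is the right test. The comment just above ("we have to set on_grace_login_limit to true here") also does not match the expression, which can evaluate to either value; reword it to say the flag mirrors whether a grace count was returned.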
@@ -822,7 +839,11 @@ static void simple_bind_done(struct sdap_op *op,
                     ret = ERR_PASSWORD_EXPIRED;
                 }
             } else if (strcmp(response_controls[c]->ldctl_oid,
-                              LDAP_CONTROL_PWEXPIRED) == 0) {
+                              LDAP_CONTROL_PWEXPIRED) == 0 &&
+                       !on_grace_login_limit) {
+                /* ... and do not take this branch when GraceLimit is still
+                 * valid.
+                 */
                 DEBUG(SSSDBG_TRACE_LIBS,
                       "Password expired user must set a new password.\n");
                 ret = ERR_PASSWORD_EXPIRED;
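Review bot: the `!on_grace_login_limit` guard only has an effect if the password-policy response control precedes LDAP_CONTROL_PWEXPIRED in response_controls[]: the flag is set while processing the former in the same loop, so if the server emits PWEXPIRED first the flag is still false here and `ret = ERR_PASSWORD_EXPIRED;` is taken regardless. Nothing in the protocol fixes the order of response controls. Either note in the loop that each control was seen and decide on `ret` after the loop, or document that 389-ds always orders them this way and that the fix depends on it.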
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/HJMS72CTRWL4R57TLCW75ZSCE6656NDU/
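The control handling the PR describes, reduced to a small C model so the effect of the on_grace_login_limit flag can be seen on concrete control sequences. This is an added example, not SSSD code: the `struct ctrl` stand-in for an LDAPControl, the `bind_outcome` values and the `classify_bind()` helper are assumptions made for illustration, and the two OIDs are the ones quoted in the PR description. The `respect_grace` argument switches between the patched loop (flag honoured) and the pre-patch loop (flag ignored).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Response-control OIDs quoted in the PR description. */
#define OID_PPOLICY_RESPONSE "1.3.6.1.4.1.42.2.27.8.5.1"
#define OID_PWEXPIRED        "2.16.840.1.113730.3.4.4"

/* Outcome of the simple bind. The names echo the SSSD errors seen in the
 * diff; the numeric values are arbitrary (assumption). */
enum bind_outcome {
    BIND_OK = 0,
    BIND_PASSWORD_EXPIRED = 1,          /* hard failure: must set a new password */
    BIND_PASSWORD_EXPIRED_WARNING = 2,  /* bind allowed, grace logins remain   */
};

/* Constructed stand-in for an LDAP response control: the OID plus the
 * grace count the ppolicy parser would extract (-1 when absent). */
struct ctrl {
    const char *oid;
    int grace;
};

/* Walk the controls the way simple_bind_done() does: with the PR's
 * on_grace_login_limit flag when respect_grace is true, and without it
 * (pre-patch behaviour) when false. */
enum bind_outcome classify_bind(const struct ctrl *ctrls, size_t n,
                                bool respect_grace)
{
    enum bind_outcome ret = BIND_OK;
    bool on_grace_login_limit = false;

    for (size_t c = 0; c < n; c++) {
        if (strcmp(ctrls[c].oid, OID_PPOLICY_RESPONSE) == 0) {
            /* Mirrors "on_grace_login_limit = pp_grace >= 0" in the diff. */
            on_grace_login_limit = respect_grace && ctrls[c].grace >= 0;
            if (ctrls[c].grace >= 0) {
                /* Assumption for this model: remaining grace logins are a
                 * warning, not a failure, so the user can still bind. */
                ret = BIND_PASSWORD_EXPIRED_WARNING;
            }
        } else if (strcmp(ctrls[c].oid, OID_PWEXPIRED) == 0 &&
                   !on_grace_login_limit) {
            /* The branch the PR guards: PasswordExpired is a hard failure. */
            ret = BIND_PASSWORD_EXPIRED;
        }
    }
    return ret;
}

/* Scenario 1: ppolicy control first, then PasswordExpired, the order in
 * which the PR says the grace limit gets bulldozed. */
enum bind_outcome scenario_ppolicy_first(bool respect_grace)
{
    const struct ctrl ctrls[] = {
        { OID_PPOLICY_RESPONSE, 2 },   /* two grace logins remaining */
        { OID_PWEXPIRED,       -1 },
    };
    return classify_bind(ctrls, 2, respect_grace);
}

/* Scenario 2: the same two controls in the opposite order. */
enum bind_outcome scenario_pwexpired_first(bool respect_grace)
{
    const struct ctrl ctrls[] = {
        { OID_PWEXPIRED,       -1 },
        { OID_PPOLICY_RESPONSE, 2 },
    };
    return classify_bind(ctrls, 2, respect_grace);
}

/* Scenario 3: only PasswordExpired, no grace logins at all. */
enum bind_outcome scenario_expired_only(bool respect_grace)
{
    const struct ctrl ctrls[] = { { OID_PWEXPIRED, -1 } };
    return classify_bind(ctrls, 1, respect_grace);
}
```

Scenario 1 is the case the PR fixes: without the flag the later PasswordExpired control overwrites the grace-login warning with a hard failure, with the flag the warning survives. Scenario 2 shows that the pre-patch loop already produced the warning when the controls arrive the other way round, because the ppolicy handling runs last and overwrites `ret`; the effective result therefore depends on the order in which the server emits the two controls, which is the reason for deciding on `ret` after the loop rather than inside it. Scenario 3 confirms the flag does not mask a genuine expiry when no grace count was returned.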