Pushed the attached two patches to master. Both patches were
contributed by Ulf Weltman (thanks!).
Counting objects: 19, done.
Delta compression using 2 threads.
Compressing objects: 100% (13/13), done.
Writing objects: 100% (13/13), 2.05 KiB, done.
Total 13 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
bb8e9b5..5729040 master -> master
-NGK
>From 5a61fc79325fa562141dcaa43cc32c1348226a80 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@xxxxxxxxxx>
Date: Wed, 2 Dec 2009 10:47:46 -0800
Subject: [PATCH 1/2] Bug 193297 - Call bind pre-op and post-op plug-ins for SASL binds
This patch makes SASL binds call the pre-op and post-op plug-ins.
The previous code was not calling the plug-ins for SASL binds.
This fix was contributed by Ulf Weltman of Hewlett Packard.
---
ldap/servers/slapd/bind.c | 22 +++++++++++++++++++++-
ldap/servers/slapd/saslbind.c | 13 ++++++++++++-
2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index c6b0092..abb027a 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -32,8 +32,14 @@
*
*
* Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
- * Copyright (C) 2005 Red Hat, Inc.
+ * Copyright (C) 2009 Red Hat, Inc.
+ * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
* All rights reserved.
+ *
+ * Contributors:
+ * Hewlett-Packard Development Company, L.P.
+ * Bugfix for bug #193297
+ *
* END COPYRIGHT BLOCK **/
#ifdef HAVE_CONFIG_H
@@ -370,7 +376,10 @@ do_bind( Slapi_PBlock *pb )
}
if (!pmech) {
/* now check the sasl library */
+ /* ids_sasl_check_bind takes care of calling bind
+ * pre-op plugins after it knows the target DN */
ids_sasl_check_bind(pb);
+ plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
goto free_and_return;
}
else {
@@ -378,6 +387,11 @@ do_bind( Slapi_PBlock *pb )
}
if (!strcasecmp (saslmech, LDAP_SASL_EXTERNAL)) {
+ /* call preop plugins */
+ if (plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN ) != 0){
+ goto free_and_return;
+ }
+
#if defined(ENABLE_AUTOBIND)
if (1 == auto_bind) {
/* Already AUTO-BOUND */
@@ -392,6 +406,8 @@ do_bind( Slapi_PBlock *pb )
send_ldap_result( pb, LDAP_INAPPROPRIATE_AUTH, NULL,
"SASL EXTERNAL bind requires an SSL connection",
0, NULL );
+ /* call postop plugins */
+ plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
goto free_and_return;
}
@@ -403,6 +419,8 @@ do_bind( Slapi_PBlock *pb )
NULL == pb->pb_conn->c_external_dn ) {
send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL,
"client certificate mapping failed", 0, NULL );
+ /* call postop plugins */
+ plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
goto free_and_return;
}
@@ -417,6 +435,8 @@ do_bind( Slapi_PBlock *pb )
slapi_add_auth_response_control( pb, pb->pb_conn->c_external_dn );
}
send_ldap_result( pb, LDAP_SUCCESS, NULL, NULL, 0, NULL );
+ /* call postop plugins */
+ plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
goto free_and_return;
}
break;
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 376bec1..0892c67 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -32,8 +32,14 @@
*
*
* Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
- * Copyright (C) 2005 Red Hat, Inc.
+ * Copyright (C) 2009 Red Hat, Inc.
+ * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
* All rights reserved.
+ *
+ * Contributors:
+ * Hewlett-Packard Development Company, L.P.
+ * Bugfix for bug #193297
+ *
* END COPYRIGHT BLOCK **/
#ifdef HAVE_CONFIG_H
@@ -890,6 +896,11 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
break;
}
+ slapi_pblock_set( pb, SLAPI_BIND_TARGET, slapi_ch_strdup( dn ) );
+ if (plugin_call_plugins( pb, SLAPI_PLUGIN_PRE_BIND_FN ) != 0){
+ break;
+ }
+
isroot = slapi_dn_isroot(dn);
if (!isroot )
--
1.6.2.5
>From 5729040f8032b537a00dfcc832282084d89460ea Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@xxxxxxxxxx>
Date: Wed, 2 Dec 2009 14:03:47 -0800
Subject: [PATCH 2/2] Bug 201275 - Make SASL EXTERNAL bind obey account lock
This patch makes SASL EXTERNAL binds obey the account lock. The
previous code was allowing the bind through even if the account
was locked.
This patch was contributed by Ulf Weltman of Hewlett Packard.
---
ldap/servers/slapd/bind.c | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index abb027a..79d8c5c 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -39,6 +39,7 @@
* Contributors:
* Hewlett-Packard Development Company, L.P.
* Bugfix for bug #193297
+ * Bugfix for bug #201275
*
* END COPYRIGHT BLOCK **/
@@ -424,6 +425,17 @@ do_bind( Slapi_PBlock *pb )
goto free_and_return;
}
+ if (!isroot ) {
+ /* check if the account is locked */
+ bind_target_entry = get_entry(pb, pb->pb_conn->c_external_dn);
+ if ( bind_target_entry != NULL && check_account_lock(pb, bind_target_entry,
+ pw_response_requested, 0 /*not account_inactivation_only*/ ) == 1) {
+ /* call postop plugins */
+ plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
+ goto free_and_return;
+ }
+ }
+
/*
* copy external credentials into connection structure
*/
--
1.6.2.5
--
389-devel mailing list
389-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
