fix ACL value checking for bind (ITS#3446)
This commit is contained in:
parent
60a1ae56e4
commit
6f2ffa30ed
5 changed files with 42 additions and 60 deletions
@ -130,25 +130,20 @@ dn2entry_retry:
|
|||
|
||||
switch ( op->oq_bind.rb_method ) {
|
||||
case LDAP_AUTH_SIMPLE:
|
||||
rs->sr_err = access_allowed( op, e,
|
||||
password, NULL, ACL_AUTH, NULL );
|
||||
if ( ! rs->sr_err ) {
|
||||
a = attr_find( e->e_attrs, password );
|
||||
if ( a == NULL ) {
|
||||
rs->sr_err = LDAP_INVALID_CREDENTIALS;
|
||||
goto done;
|
||||
}
|
||||
|
||||
if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
|
||||
rs->sr_err = LDAP_INVALID_CREDENTIALS;
|
||||
goto done;
|
||||
}
|
||||
|
||||
if ( slap_passwd_check( op->o_conn,
|
||||
a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 )
|
||||
if ( slap_passwd_check( op, e, a, &op->oq_bind.rb_cred,
|
||||
&rs->sr_text ) != 0 )
|
||||
{
|
||||
/* failure; stop front end from sending result */
|
||||
rs->sr_err = LDAP_INVALID_CREDENTIALS;
|
||||
goto done;
|
||||
}
|
||||
|
||||
|
||||
rs->sr_err = 0;
|
||||
break;
|
||||
|
||||
|
|
|
|||
|
|
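Review bot: After this hunk the new `slap_passwd_check( op, e, a, &op->oq_bind.rb_cred, &rs->sr_text )` call is the only place where ACL_AUTH on the password is still enforced in this bind path, and nothing at the call site says so; the per-value check inside slap_passwd_check is conditional on `e` being non-NULL, so a later caller passing NULL would silently bypass access control. A one-line comment above the call would make the contract visible: `/* ACL_AUTH is enforced per value inside slap_passwd_check(); e must not be NULL here */`. The same applies to the equivalent hunks in ldbm_back_bind and backsql_bind, which drop their attribute-level access_allowed() in the same way. The enclosing switch and function start and end outside the hunk.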
@ -105,31 +105,16 @@ ldbm_back_bind(
|
|||
|
||||
switch ( op->oq_bind.rb_method ) {
|
||||
case LDAP_AUTH_SIMPLE:
|
||||
if ( ! access_allowed( op, e,
|
||||
password, NULL, ACL_AUTH, NULL ) )
|
||||
{
|
||||
#if 1
|
||||
rc = LDAP_INVALID_CREDENTIALS;
|
||||
#else
|
||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||
#endif
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
if ( (a = attr_find( e->e_attrs, password )) == NULL ) {
|
||||
/* stop front end from sending result */
|
||||
#if 1
|
||||
rc = LDAP_INVALID_CREDENTIALS;
|
||||
#else
|
||||
rc = LDAP_INAPPROPRIATE_AUTH;
|
||||
#endif
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
if ( slap_passwd_check( op->o_conn,
|
||||
a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 )
|
||||
if ( slap_passwd_check( op, e, a, &op->oq_bind.rb_cred,
|
||||
&rs->sr_text ) != 0 )
|
||||
{
|
||||
/* stop front end from sending result */
|
||||
/* failure; stop front end from sending result */
|
||||
rc = LDAP_INVALID_CREDENTIALS;
|
||||
goto return_results;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -100,26 +100,15 @@ backsql_bind( Operation *op, SlapReply *rs )
|
|||
}
|
||||
e = &user_entry;
|
||||
|
||||
if ( ! access_allowed( op, e, password, NULL, ACL_AUTH, NULL ) ) {
|
||||
#if 1
|
||||
rs->sr_err = LDAP_INVALID_CREDENTIALS;
|
||||
#else
|
||||
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
|
||||
#endif
|
||||
goto error_return;
|
||||
}
|
||||
|
||||
a = attr_find( e->e_attrs, password );
|
||||
if ( a == NULL ) {
|
||||
#if 1
|
||||
rs->sr_err = LDAP_INVALID_CREDENTIALS;
|
||||
#else
|
||||
rs->sr_err = LDAP_INAPPROPRIATE_AUTH;
|
||||
#endif
|
||||
goto error_return;
|
||||
}
|
||||
|
||||
if ( slap_passwd_check( op->o_conn, a, &op->oq_bind.rb_cred, &rs->sr_text ) != 0 ) {
|
||||
if ( slap_passwd_check( op, e, a, &op->oq_bind.rb_cred,
|
||||
&rs->sr_text ) != 0 )
|
||||
{
|
||||
rs->sr_err = LDAP_INVALID_CREDENTIALS;
|
||||
goto error_return;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -384,25 +384,37 @@ struct berval * slap_passwd_return(
|
|||
return bv;
|
||||
}
|
||||
|
||||
/*
|
||||
* if "e" is provided, access to each value of the password is checked first
|
||||
*/
|
||||
int
|
||||
slap_passwd_check(
|
||||
Connection *conn,
|
||||
Attribute *a,
|
||||
struct berval *cred,
|
||||
const char **text )
|
||||
Operation *op,
|
||||
Entry *e,
|
||||
Attribute *a,
|
||||
struct berval *cred,
|
||||
const char **text )
|
||||
{
|
||||
int result = 1;
|
||||
struct berval *bv;
|
||||
int result = 1;
|
||||
struct berval *bv;
|
||||
AccessControlState acl_state = ACL_STATE_INIT;
|
||||
|
||||
#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
|
||||
ldap_pvt_thread_mutex_lock( &passwd_mutex );
|
||||
#ifdef SLAPD_SPASSWD
|
||||
lutil_passwd_sasl_conn = conn->c_sasl_authctx;
|
||||
lutil_passwd_sasl_conn = op->o_conn->c_sasl_authctx;
|
||||
#endif
|
||||
#endif
|
||||
|
||||
for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
|
||||
if( !lutil_passwd( bv, cred, NULL, text ) ) {
|
||||
/* if e is provided, check access */
|
||||
if ( e && access_allowed( op, e, a->a_desc, bv,
|
||||
ACL_AUTH, &acl_state ) == 0 )
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
if ( !lutil_passwd( bv, cred, NULL, text ) ) {
|
||||
result = 0;
|
||||
break;
|
||||
}
|
||||
|
|
|
|||
|
|
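Review bot: With the new per-value check placed inside the loop, `access_allowed()` now runs while `passwd_mutex` is held (when SLAPD_CRYPT or SLAPD_SPASSWD is defined), because the lock is taken before the loop; previously only `lutil_passwd()` was covered. ACL evaluation can be arbitrarily expensive, so every simple bind is now serialised behind it, and should any ACL evaluation ever re-enter this function it would block on the mutex; the matching unlock is outside the hunk, presumably after the loop, and would move with the lock. Consider taking the mutex per value, after the access check, and releasing it right after `lutil_passwd()`, as sketched below. The header comment added in this hunk should also state explicitly that with `e == NULL` no access control is applied at all, since the bind callers no longer check ACL_AUTH themselves.
```c
	for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
		/* if e is provided, check access (outside the mutex) */
		if ( e && access_allowed( op, e, a->a_desc, bv,
			ACL_AUTH, &acl_state ) == 0 )
		{
			continue;
		}

		/* serialise only the non-reentrant password check */
#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
		ldap_pvt_thread_mutex_lock( &passwd_mutex );
#ifdef SLAPD_SPASSWD
		lutil_passwd_sasl_conn = op->o_conn->c_sasl_authctx;
#endif
#endif
		if ( !lutil_passwd( bv, cred, NULL, text ) ) {
			result = 0;
		}
#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
		ldap_pvt_thread_mutex_unlock( &passwd_mutex );
#endif
		if ( result == 0 ) {
			break;
		}
	}
	/* … unchanged: function tail, minus the lock/unlock that previously bracketed the loop … */
```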
@ -1000,10 +1000,11 @@ LDAP_SLAPD_F (int) overlay_init( void );
|
|||
LDAP_SLAPD_F (SLAP_EXTOP_MAIN_FN) passwd_extop;
|
||||
|
||||
LDAP_SLAPD_F (int) slap_passwd_check(
|
||||
Connection *conn,
|
||||
Attribute *attr,
|
||||
Operation *op,
|
||||
Entry *e,
|
||||
Attribute *a,
|
||||
struct berval *cred,
|
||||
const char **text );
|
||||
const char **text );
|
||||
|
||||
LDAP_SLAPD_F (void) slap_passwd_generate( struct berval * );
|
||||
|
||||
|
|
@ -1015,18 +1016,18 @@ LDAP_SLAPD_F (void) slap_passwd_hash(
|
|||
LDAP_SLAPD_F (void) slap_passwd_hash_type(
|
||||
struct berval *cred,
|
||||
struct berval *hash,
|
||||
char *htype,
|
||||
char *htype,
|
||||
const char **text );
|
||||
|
||||
LDAP_SLAPD_F (struct berval *) slap_passwd_return(
|
||||
struct berval *cred );
|
||||
|
||||
LDAP_SLAPD_F (int) slap_passwd_parse(
|
||||
struct berval *reqdata,
|
||||
struct berval *id,
|
||||
struct berval *oldpass,
|
||||
struct berval *newpass,
|
||||
const char **text );
|
||||
struct berval *reqdata,
|
||||
struct berval *id,
|
||||
struct berval *oldpass,
|
||||
struct berval *newpass,
|
||||
const char **text );
|
||||
|
||||
/*
|
||||
* phonetic.c
|
||||
|
|
|
|||