ITS#9343 More policy selection criteria

2026-02-03 20:40:05 -05:00 · 2023-02-21 16:44:34 +00:00 · 2023-02-21 16:44:34 +00:00 · 7aaee92f0a
commit 7aaee92f0a
parent 34470dd86b
5 changed files with 1313 additions and 142 deletions
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@ -6595,7 +6595,7 @@ config_back_modrdn( Operation *op, SlapReply *rs )
 	} else {
 		CfEntryInfo *ce2, **cprev, **cbprev, *ceold;
 		req_modrdn_s modr = op->oq_modrdn;
-		int i;
+		int i, rc = LDAP_SUCCESS;

 		/* Advance to first of this type */
 		cprev = &ce->ce_parent->ce_kids;
@ -6652,21 +6652,19 @@ config_back_modrdn( Operation *op, SlapReply *rs )
 				rs->sr_text = "objectclass not found";
 				goto out2;
 			}
-			for ( i=0; !BER_BVISNULL(&oc_at->a_nvals[i]); i++ ) {
+			for ( i=0; !BER_BVISNULL( &oc_at->a_nvals[i] ); i++ ) {
 				co.co_name = &oc_at->a_nvals[i];
 				coptr = ldap_avl_find( CfOcTree, &co, CfOc_cmp );
 				if ( coptr == NULL || coptr->co_type != Cft_Misc ) {
 					continue;
 				}
-				if ( !coptr->co_ldmove ||
-						coptr->co_ldmove( ce, op, rs, ixold, ixnew ) ) {
+				if ( !coptr->co_ldmove ) {
 					rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
-					if ( ! coptr->co_ldmove ) {
-						rs->sr_text = "No rename handler found";
-					} else {
+					rs->sr_text = "No rename handler found";
+					goto out2;
+				} else if ( coptr->co_ldmove( ce, op, rs, ixold, ixnew ) ) {
+					if ( rs->sr_err == LDAP_SUCCESS ) {
 						rs->sr_err = LDAP_OTHER;
-						/* FIXME: We should return a helpful error message
-						 * here, hope the co_ldmove handler took care of it */
 					}
 					goto out2;
 				}
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
--- a/tests/data/ppolicy.ldif
+++ b/tests/data/ppolicy.ldif
@ -10,6 +10,21 @@ objectClass: top
 objectClass: organizationalUnit
 ou: People

+dn: ou=Groups, dc=example, dc=com
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=Policy Group, ou=Groups, dc=example, dc=com
+objectClass: groupOfNames
+cn: Policy Group
+member: uid=nd, ou=People, dc=example, dc=com
+owner: uid=ndadmin, ou=People, dc=example, dc=com
+
+dn: cn=Test Group, ou=Groups, dc=example, dc=com
+objectClass: groupOfNames
+cn: Policy Group
+member: uid=another, ou=People, dc=example, dc=com
+
 dn: ou=Policies, dc=example, dc=com
 objectClass: top
 objectClass: organizationalUnit
@ -77,6 +92,13 @@ pwdFailureCountInterval: 120
 pwdSafeModify: TRUE
 pwdLockout: TRUE

+dn: cn=Another Policy, ou=Policies, dc=example, dc=com
+objectClass: top
+objectClass: device
+objectClass: pwdPolicy
+cn: Test Policy
+pwdAttribute: 2.5.4.35
+
 dn: uid=nd, ou=People, dc=example, dc=com
 objectClass: top
 objectClass: person
@ -108,3 +130,13 @@ givenName:  Test
 userPassword: kfhgkjhfdgkfd
 pwdPolicySubEntry: cn=No Policy, ou=Policies, dc=example, dc=com

+dn: uid=another, ou=People, dc=example, dc=com
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+cn: Another Test
+uid: another
+sn: Test
+givenName:  Another
+userPassword: testing
+
--- a/tests/data/slapd-ppolicy.conf
+++ b/tests/data/slapd-ppolicy.conf
@ -38,8 +38,12 @@ rootpw		secret
 lastbind on

 overlay		ppolicy
-ppolicy_rules ldap:///uid=ndadmin,ou=People,dc=example,dc=com??base "cn=No Policy,ou=Policies,dc=example,dc=com"
-ppolicy_rules "ldap:///???(description=idle)" "cn=Idle Expiration Policy, ou=Policies, dc=example, dc=com"
+ppolicy_rules dn.regex="uid=([^,]*),ou=people,(dc=example,dc=com)"
+    group/groupOfNames/member.expand="cn=Test Group,ou=Groups,$2"
+    policy_dn.expand="cn=$1 policy,ou=Policies,dc=example,dc=com"
+ppolicy_rules dn.baseObject="uid=ndadmin,ou=People,dc=example,dc=com" no_policy
+ppolicy_rules filter="(description=idle)"
+    policy_dn="cn=Idle Expiration Policy, ou=Policies, dc=example, dc=com"
 ppolicy_default	"cn=Standard Policy,ou=Policies,dc=example,dc=com"
 ppolicy_use_lockout

--- a/tests/scripts/test022-ppolicy
+++ b/tests/scripts/test022-ppolicy
@ -87,6 +87,18 @@ if test $RC != 0 ; then
 	exit $RC
 fi

+echo "Testing group based matching..."
+$LDAPCOMPARE -D "$MANAGERDN" -H $URI1 -w $PASSWD \
+	"uid=another, ou=People, dc=example, dc=com" \
+	"pwdPolicySubentry:cn=Another Policy, ou=Policies, dc=example, dc=com" \
+	>> $TESTOUT 2>&1
+RC=$?
+if test $RC != 6 ; then
+	echo "ldapcompare failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
 echo "Testing account lockout..."
 $LDAPSEARCH -H $URI1 -D "$USER" -w wrongpw >$SEARCHOUT 2>&1
 sleep 2
@ -734,11 +746,13 @@ fi
 echo "Reconfiguring policy to remove grace logins..."
 $LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF >> \
 	$TESTOUT 2>&1 << EOMODS
-dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
-changetype: modify
-add: olcPPolicyRules
-olcPPolicyRules: {0}"ldap:///dc=example,dc=com???(!(description=grace))"
-  "cn=Stricter Policy, ou=Policies, dc=example, dc=com"
+dn: cn={0}Stricter Policy,olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
+changetype: add
+objectClass: olcPPolicyScopedRule
+olcPPolicyRuleObject: dc=example,dc=com
+olcPPolicyRuleScope: sub
+olcPPolicyRuleGroup: cn=Policy Group, ou=Groups, dc=example, dc=com
+olcPPolicyRulePolicy: cn=Stricter Policy, ou=Policies, dc=example, dc=com

 EOMODS
 RC=$?
@ -762,11 +776,13 @@ fi
 if test -n "$CONSUMERPID"; then
 $LDAPMODIFY -v -D cn=config -H $URI2 -y $CONFIGPWF >> \
 	$TESTOUT 2>&1 << EOMODS
-dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
-changetype: modify
-add: olcPPolicyRules
-olcPPolicyRules: {0}"ldap:///dc=example,dc=com???(!(description=grace))"
-  "cn=Stricter Policy, ou=Policies, dc=example, dc=com"
+dn: cn={0}Stricter Policy,olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
+changetype: add
+objectClass: olcPPolicyScopedRule
+olcPPolicyRuleObject: dc=example,dc=com
+olcPPolicyRuleScope: sub
+olcPPolicyRuleGroup: cn=Policy Group, ou=Groups, dc=example, dc=com
+olcPPolicyRulePolicy: cn=Stricter Policy, ou=Policies, dc=example, dc=com

 EOMODS
 RC=$?