From 93ec3fe4e4ec04994bc471a8190978076b6b2954 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Thu, 20 Jun 2013 17:59:09 +0200
Subject: [PATCH 71/99] Ticket 47395 47397 v2 correct behaviour of account
policy if only stateattr is configured or no alternate attr is
configured
Bug Description: The tickets relate to two specific configurations of
the account policy plugin
1] if createtimestamp is configured as stateattr it is treated like a
normal timestamp attribute and is updated, which should not happen.
As a side effect the account is not locked out based on the original
createtimestamp
2] if no altstateattr is configured, always createtimestamp is used, but
the intention was to base account inactivation only on lastlogintime
Fix Description: 1] prevent update of createtimestamp, even if used as stateattr
2] if no altstateattr is configured still use the default, but
accept "1.1" as null value and check only stateattr
https://fedorahosted.org/389/ticket/47395
https://fedorahosted.org/389/ticket/47397
Reviewed by: ?
(cherry picked from commit b4cc0f6b31d8221677950a703a78b02e0cbc7e30)
---
ldap/servers/plugins/acctpolicy/acct_config.c | 13 ++++++++++++-
ldap/servers/plugins/acctpolicy/acct_init.c | 2 +-
ldap/servers/plugins/acctpolicy/acct_plugin.c | 18 +++++++++++++-----
ldap/servers/plugins/acctpolicy/acct_util.c | 13 +++++++++++++
ldap/servers/plugins/acctpolicy/acctpolicy.h | 5 +++++
5 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/ldap/servers/plugins/acctpolicy/acct_config.c b/ldap/servers/plugins/acctpolicy/acct_config.c
index 3da338a..8dfde0b 100644
--- a/ldap/servers/plugins/acctpolicy/acct_config.c
+++ b/ldap/servers/plugins/acctpolicy/acct_config.c
@@ -82,12 +82,23 @@ acct_policy_entry2config( Slapi_Entry *e, acctPluginCfg *newcfg ) {
newcfg->state_attr_name = get_attr_string_val( e, CFG_LASTLOGIN_STATE_ATTR );
if( newcfg->state_attr_name == NULL ) {
newcfg->state_attr_name = slapi_ch_strdup( DEFAULT_LASTLOGIN_STATE_ATTR );
+ } else if (!update_is_allowed_attr(newcfg->state_attr_name)) {
+ /* log a warning that this attribute cannot be updated */
+ slapi_log_error( SLAPI_LOG_FATAL, PLUGIN_NAME,
+ "The configured state attribute [%s] cannot be updated, accounts will always become inactive.\n",
+ newcfg->state_attr_name );
}
newcfg->alt_state_attr_name = get_attr_string_val( e, CFG_ALT_LASTLOGIN_STATE_ATTR );
+ /* alt_state_attr_name should be optional, but for backward compatibility,
+ * if not specified use a default. If the attribute is "1.1", no fallback
+ * will be used
+ */
if( newcfg->alt_state_attr_name == NULL ) {
newcfg->alt_state_attr_name = slapi_ch_strdup( DEFAULT_ALT_LASTLOGIN_STATE_ATTR );
- }
+ } else if ( !strcmp( newcfg->alt_state_attr_name, "1.1" ) ) {
+ slapi_ch_free_string( &newcfg->alt_state_attr_name ); /*none - NULL */
+ } /* else use configured value */
newcfg->spec_attr_name = get_attr_string_val( e, CFG_SPEC_ATTR );
if( newcfg->spec_attr_name == NULL ) {
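Review bot: The `} else if ( !strcmp( newcfg->alt_state_attr_name, "1.1" ) )` branch frees the string, so NULL becomes a legal value of `alt_state_attr_name` for the first time and every reader of the field must now tolerate it; this patch guards the readers in acct_init.c and in acct_inact_limit, but any other use of `cfg->alt_state_attr_name` outside the patch (a config reload or teardown path, for instance) would need the same NULL check — please confirm there is none. The literal `"1.1"` is the only definition of the "no alternate attribute" marker; a named constant next to the other defines in acctpolicy.h, e.g. `#define CFG_ATTR_NONE "1.1"` (constructed name), would make that contract visible from the header and let the comment above the branch refer to it. The comment `/* log a warning that this attribute cannot be updated */` and the `SLAPI_LOG_FATAL` level below it do not agree in tone; if the level is intentional because it is always logged, say so in the comment. acct_policy_entry2config starts before this hunk.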
diff --git a/ldap/servers/plugins/acctpolicy/acct_init.c b/ldap/servers/plugins/acctpolicy/acct_init.c
index af29140..52e0cfa 100644
--- a/ldap/servers/plugins/acctpolicy/acct_init.c
+++ b/ldap/servers/plugins/acctpolicy/acct_init.c
@@ -132,7 +132,7 @@ acct_policy_start( Slapi_PBlock *pb ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PLUGIN_NAME, "acct_policy_start config: "
"stateAttrName=%s altStateAttrName=%s specAttrName=%s limitAttrName=%s "
"alwaysRecordLogin=%d\n",
- cfg->state_attr_name, cfg->alt_state_attr_name, cfg->spec_attr_name,
+ cfg->state_attr_name, cfg->alt_state_attr_name?cfg->alt_state_attr_name:"not configured", cfg->spec_attr_name,
cfg->limit_attr_name, cfg->always_record_login);
return( CALLBACK_OK );
}
diff --git a/ldap/servers/plugins/acctpolicy/acct_plugin.c b/ldap/servers/plugins/acctpolicy/acct_plugin.c
index 508fb23..b4db811 100644
--- a/ldap/servers/plugins/acctpolicy/acct_plugin.c
+++ b/ldap/servers/plugins/acctpolicy/acct_plugin.c
@@ -44,14 +44,16 @@ acct_inact_limit( Slapi_PBlock *pb, const char *dn, Slapi_Entry *target_entry, a
cfg->state_attr_name ) ) != NULL ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
"\"%s\" login timestamp is %s\n", dn, lasttimestr );
- } else if( ( lasttimestr = get_attr_string_val( target_entry,
- cfg->alt_state_attr_name ) ) != NULL ) {
+ } else if( cfg->alt_state_attr_name && (( lasttimestr = get_attr_string_val( target_entry,
+ cfg->alt_state_attr_name ) ) != NULL) ) {
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
"\"%s\" alternate timestamp is %s\n", dn, lasttimestr );
} else {
+ /* the primary or alternate attribute might not yet exist eg.
+ * if only lastlogintime is specified and it id the first login
+ */
slapi_log_error( SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
- "\"%s\" has no login or creation timestamp\n", dn );
- rc = -1;
+ "\"%s\" has no value for stateattr or altstateattr \n", dn );
goto done;
}
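Review bot: Dropping `rc = -1;` from the final `else` branch changes the behaviour for an entry that has neither attribute from an error return (presumably a rejected bind in the caller, which is outside this hunk) to whatever `rc` held before the branch, so such an entry is now treated as active; the initial value of `rc` is declared outside the hunk, and the comment should state that this fail-open outcome is deliberate rather than only giving the example, e.g. `/* no timestamp at all: treat the account as active (first login with only lastlogintime); rc keeps its initial value */`. The same comment has a typo, `it id the first login` should read `it is the first login`, and the new message `"\"%s\" has no value for stateattr or altstateattr \n"` carries a stray space before the newline. acct_inact_limit starts and ends outside this hunk.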
@@ -105,6 +107,13 @@ acct_record_login( const char *dn )
int skip_mod_attrs = 1; /* value doesn't matter as long as not NULL */
cfg = get_config();
+
+ /* if we are not allowed to modify the state attr we're done
+ * this could be intentional, so just return
+ */
+ if (! update_is_allowed_attr(cfg->state_attr_name) )
+ return rc;
+
plugin_id = get_identity();
timestr = epochtimeToGentime( time( (time_t*)0 ) );
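Review bot: The early `return rc;` after `update_is_allowed_attr(cfg->state_attr_name)` leaves no per-bind trace that login recording was skipped; the only evidence is the one-time warning at config load, so an operator investigating why a bind did not refresh the state attribute has nothing to correlate in the log. A plugin-level line before the return, `slapi_log_error( SLAPI_LOG_PLUGIN, PLUGIN_NAME, "\"%s\" login not recorded: state attribute [%s] is not updatable\n", dn, cfg->state_attr_name );`, would give that visibility at the same level the rest of the function uses. `rc` is declared and initialised outside the hunk, so the value returned here is not visible from the patch; the new code also dereferences `cfg` right after `get_config()` without a NULL check, which matches the pre-existing style but is worth confirming for the reload path. acct_record_login begins before this hunk.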
@@ -283,7 +292,6 @@ acct_bind_postop( Slapi_PBlock *pb )
} else {
if( target_entry && has_attr( target_entry,
cfg->spec_attr_name, NULL ) ) {
- /* This account has a policy specifier */
tracklogin = 1;
}
}
diff --git a/ldap/servers/plugins/acctpolicy/acct_util.c b/ldap/servers/plugins/acctpolicy/acct_util.c
index 8e220c3..a02382f 100644
--- a/ldap/servers/plugins/acctpolicy/acct_util.c
+++ b/ldap/servers/plugins/acctpolicy/acct_util.c
@@ -255,3 +255,16 @@ epochtimeToGentime( time_t epochtime ) {
return( gentimestr );
}
+int update_is_allowed_attr (const char *attr)
+{
+ int i;
+
+ /* check list of attributes that cannot be used for login recording */
+ for (i = 0; protected_attrs_login_recording[i]; i ++) {
+ if (strcasecmp (attr, protected_attrs_login_recording[i]) == 0) {
+ /* this attribute is not allowed */
+ return 0;
+ }
+ }
+ return 1;
+}
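Review bot: `update_is_allowed_attr` hands `attr` straight to `strcasecmp`, so a NULL argument is undefined behaviour; both callers in this patch pass a config field that is defaulted before use, but the function is exported through acctpolicy.h and should guard its own input with `if (attr == NULL) return 0;` — refusing the update is the safe answer for a function that gates writes to directory entries. `strcasecmp` is declared in `<strings.h>`; the include block of acct_util.c is outside the hunk, so please confirm it is present rather than relying on an implicit declaration. A short header comment would help too, e.g. `/* Returns 1 if the plugin may write login timestamps to attr, 0 if attr is in the protected list. Matching is case-insensitive, as LDAP attribute names are. */`. Stylistically, `i ++` and `update_is_allowed_attr (const char *attr)` with the brace on its own line differ from the neighbouring `epochtimeToGentime( time_t epochtime ) {` form.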
diff --git a/ldap/servers/plugins/acctpolicy/acctpolicy.h b/ldap/servers/plugins/acctpolicy/acctpolicy.h
index e6f1497..78412cd 100644
--- a/ldap/servers/plugins/acctpolicy/acctpolicy.h
+++ b/ldap/servers/plugins/acctpolicy/acctpolicy.h
@@ -35,6 +35,10 @@ Hewlett-Packard Development Company, L.P.
#define DEFAULT_INACT_LIMIT_ATTR "accountInactivityLimit"
#define DEFAULT_RECORD_LOGIN 1
+/* attributes that no clients are allowed to add or modify */
+static char *protected_attrs_login_recording [] = { "createTimestamp",
+ NULL };
+
#define PLUGIN_VENDOR "Hewlett-Packard Company"
#define PLUGIN_VERSION "1.0"
#define PLUGIN_CONFIG_DN "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config"
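Review bot: `static char *protected_attrs_login_recording [] = { "createTimestamp", NULL };` defines a mutable table in a header, so every translation unit that includes acctpolicy.h gets its own copy and an unused-variable warning wherever it is not referenced; the only user added by this patch is `update_is_allowed_attr` in acct_util.c, so the table belongs in that file as `static const char *const protected_attrs_login_recording[] = { "createTimestamp", NULL };`, with the header keeping only the prototype added in the second hunk. The comment `/* attributes that no clients are allowed to add or modify */` names the wrong actor — the table lists what this plugin must not write when recording a login, which `/* attributes the plugin must never update when recording a login (server-managed, see update_is_allowed_attr) */` states directly.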
@@ -74,6 +78,7 @@ void* get_identity();
void set_identity(void*);
time_t gentimeToEpochtime( char *gentimestr );
char* epochtimeToGentime( time_t epochtime );
+int update_is_allowed_attr (const char *attr);
/* acct_config.c */
int acct_policy_load_config_startup( Slapi_PBlock* pb, void* plugin_id );
--
1.8.1.4