From 81954ad4a4f7275224bea45c5cb12636c5f4e8e1 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 2 Dec 2014 14:10:46 -0500
Subject: [PATCH 281/305] Ticket 47970 - Account lockout attributes incorrectly
updated after failed SASL Bind
Bug Description: When a SASL bind fails, the target DN is not set. If password policy
account lockout is configured, it attempts to update the password retry
count on the dn ("") - which is the Root DSE entry, not a user entry.
This also confuses the COS plugin, and it incorrectly triggers a COS
cache rebuild after the failed login.
Fix Description: Do not update the password retry counters if it is a failed SASL bind.
https://fedorahosted.org/389/ticket/47970
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 17e79688e05908f7fff319bdeb5167cbeaaf922c)
(cherry picked from commit 90ab84c6240dff835210dfff7d2804cac77a27b3)
---
ldap/servers/slapd/result.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
index 993dc9e..caf3014 100644
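--- a/ldap/servers/slapd/result.c
+++ b/ldap/servers/slapd/result.c
@@ -285,16 +285,18 @@ send_ldap_result_ext(
 BerElement *ber
 )
 {
- Connection *conn = pb->pb_conn;
- int i, rc, logit = 0;
- ber_tag_t tag;
- int flush_ber_element = 1;
 Slapi_Operation *operation;
- const char *dn = NULL;
+ passwdPolicy *pwpolicy = NULL;
+ Connection *conn = pb->pb_conn;
 Slapi_DN *sdn = NULL;
+ const char *dn = NULL;
+ ber_tag_t tag;
+ int flush_ber_element = 1;
+ int bind_method = 0;
 int internal_op;
- passwdPolicy *pwpolicy = NULL;
-
+ int i, rc, logit = 0;
+
+ slapi_pblock_get (pb, SLAPI_BIND_METHOD, &bind_method);
 slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
 
 if (operation->o_status == SLAPI_OP_STATUS_RESULT_SENT) {
@@ -372,7 +374,7 @@ send_ldap_result_ext(
 
 /* invalid password. Update the password retry here */
 /* put this here for now. It could be a send_result pre-op plugin. */
- if (err == LDAP_INVALID_CREDENTIALS) {
+ if (err == LDAP_INVALID_CREDENTIALS && bind_method != LDAP_AUTH_SASL ) {
 slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
 dn = slapi_sdn_get_dn(sdn);
 pwpolicy = new_passwdPolicy(pb, dn);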
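Review bot: The new condition on the `err == LDAP_INVALID_CREDENTIALS` line exempts every failed SASL bind from the retry-count update, so as far as this hunk shows, failed password-based SASL binds no longer count toward account lockout; whether lockout is enforced for them elsewhere is not visible here. The defect described is an empty target DN, so a narrower guard placed after `dn = slapi_sdn_get_dn(sdn);`, for example `if (dn == NULL || *dn == '\0')` skipping the update, would stop the Root DSE write without keying on the bind method. If the blanket exemption is intended, say so next to the condition, e.g. `/* failed SASL binds carry no target DN; retry counters are deliberately not updated for them */`, so that the gap in lockout coverage is a documented decision. The body of send_ldap_result_ext continues outside both hunks.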
--
1.9.3