andykimpe / rpms / 389-ds-base

Forked from rpms/389-ds-base 6 months ago
Clone

Blame SOURCES/0023-Issue-49210-Fix-regression-when-checking-is-password.patch

b69e47
From 5854fc41c6620567f0356e382baec4eda1e645b2 Mon Sep 17 00:00:00 2001
b69e47
From: Mark Reynolds <mreynolds@redhat.com>
b69e47
Date: Wed, 5 Apr 2017 11:05:28 -0400
b69e47
Subject: [PATCH] Issue 49210 - Fix regression when checking is password min 
b69e47
 age should be checked
b69e47
b69e47
Bug Description:  If a plugin makes an internal modification of userpassword
b69e47
                  the connection structure in the pblock is null, and it was
b69e47
                  being dereferenced.
b69e47
b69e47
Fix Description:  These internal operations do not need to have the password
b69e47
                  policy checks done.  They are intended to be unrestricted.
b69e47
                  So we only need to check password policy on client connections.
b69e47
                  The fix frist hecks if the connection structy is present,
b69e47
                  only then it continues.
b69e47
b69e47
                  Revised test script to include the tool: ldappasswd
b69e47
b69e47
https://pagure.io/389-ds-base/issue/49210
b69e47
b69e47
Reviewed by: firstyear(Thanks!)
b69e47
---
b69e47
 dirsrvtests/tests/tickets/ticket49039_test.py | 62 +++++++++++++++++++++++++++
b69e47
 ldap/servers/slapd/modify.c                   |  2 +-
b69e47
 2 files changed, 63 insertions(+), 1 deletion(-)
b69e47
b69e47
diff --git a/dirsrvtests/tests/tickets/ticket49039_test.py b/dirsrvtests/tests/tickets/ticket49039_test.py
b69e47
index e6d4c03..f0b224c 100644
b69e47
--- a/dirsrvtests/tests/tickets/ticket49039_test.py
b69e47
+++ b/dirsrvtests/tests/tickets/ticket49039_test.py
b69e47
@@ -2,6 +2,7 @@ import time
b69e47
 import ldap
b69e47
 import logging
b69e47
 import pytest
b69e47
+import os
b69e47
 from lib389 import Entry
b69e47
 from lib389._constants import *
b69e47
 from lib389.properties import *
b69e47
@@ -9,6 +10,7 @@ from lib389.tasks import *
b69e47
 from lib389.utils import *
b69e47
 from lib389.topologies import topology_st as topo
b69e47
 
b69e47
+
b69e47
 DEBUGGING = os.getenv("DEBUGGING", default=False)
b69e47
 if DEBUGGING:
b69e47
     logging.getLogger(__name__).setLevel(logging.DEBUG)
b69e47
@@ -19,11 +21,39 @@ log = logging.getLogger(__name__)
b69e47
 USER_DN = 'uid=user,dc=example,dc=com'
b69e47
 
b69e47
 
b69e47
+def ssl_init(topo):
b69e47
+    """ Setup TLS
b69e47
+    """
b69e47
+    topo.standalone.stop()
b69e47
+    # Prepare SSL but don't enable it.
b69e47
+    for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'):
b69e47
+        try:
b69e47
+            os.remove("%s/%s" % (topo.standalone.confdir, f))
b69e47
+        except:
b69e47
+            pass
b69e47
+    assert(topo.standalone.nss_ssl.reinit() is True)
b69e47
+    assert(topo.standalone.nss_ssl.create_rsa_ca() is True)
b69e47
+    assert(topo.standalone.nss_ssl.create_rsa_key_and_cert() is True)
b69e47
+    # Start again
b69e47
+    topo.standalone.start()
b69e47
+    topo.standalone.rsa.create()
b69e47
+    topo.standalone.config.set('nsslapd-ssl-check-hostname', 'off')
b69e47
+    topo.standalone.config.set('nsslapd-secureport', '%s' %
b69e47
+                               SECUREPORT_STANDALONE1)
b69e47
+    topo.standalone.config.set('nsslapd-security', 'on')
b69e47
+    topo.standalone.restart()
b69e47
+
b69e47
+    log.info("SSL setup complete\n")
b69e47
+
b69e47
+
b69e47
 def test_ticket49039(topo):
b69e47
     """Test "password must change" verses "password min age".  Min age should not
b69e47
     block password update if the password was reset.
b69e47
     """
b69e47
 
b69e47
+    # Setup SSL (for ldappasswd test)
b69e47
+    ssl_init(topo)
b69e47
+
b69e47
     # Configure password policy
b69e47
     try:
b69e47
         topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on'),
b69e47
@@ -68,6 +98,38 @@ def test_ticket49039(topo):
b69e47
         log.fatal('Failed to change password: error ' + e.message['desc'])
b69e47
         assert False
b69e47
 
b69e47
+    ###################################
b69e47
+    # Make sure ldappasswd also works
b69e47
+    ###################################
b69e47
+
b69e47
+    # Reset password as RootDN
b69e47
+    try:
b69e47
+        topo.standalone.simple_bind_s(DN_DM, PASSWORD)
b69e47
+    except ldap.LDAPError as e:
b69e47
+        log.fatal('Failed to bind as rootdn: error ' + e.message['desc'])
b69e47
+        assert False
b69e47
+
b69e47
+    try:
b69e47
+        topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)])
b69e47
+    except ldap.LDAPError as e:
b69e47
+        log.fatal('Failed to bind: error ' + e.message['desc'])
b69e47
+        assert False
b69e47
+
b69e47
+    time.sleep(1)
b69e47
+
b69e47
+    # Run ldappasswd as the User.
b69e47
+    cmd = ('LDAPTLS_REQCERT=never LDAPTLS_CACERTDIR=' + topo.standalone.get_cert_dir() +
b69e47
+           ' ldappasswd' + ' -h ' + topo.standalone.host + ' -Z -p 38901 -D ' + USER_DN +
b69e47
+           ' -w password -a password -s password2 ' + USER_DN)
b69e47
+    os.system(cmd)
b69e47
+    time.sleep(1)
b69e47
+
b69e47
+    try:
b69e47
+        topo.standalone.simple_bind_s(USER_DN, "password2")
b69e47
+    except ldap.LDAPError as e:
b69e47
+        log.fatal('Failed to bind: error ' + e.message['desc'])
b69e47
+        assert False
b69e47
+
b69e47
     log.info('Test Passed')
b69e47
 
b69e47
 
b69e47
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
b69e47
index 32defae..e23fe67 100644
b69e47
--- a/ldap/servers/slapd/modify.c
b69e47
+++ b/ldap/servers/slapd/modify.c
b69e47
@@ -1326,7 +1326,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
b69e47
 	       
b69e47
 	/* check if password is within password minimum age;
b69e47
 	   error result is sent directly from check_pw_minage */	
b69e47
-	if (!pb->pb_conn->c_needpw &&
b69e47
+	if (pb->pb_conn && !pb->pb_conn->c_needpw &&
b69e47
 	    check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1)
b69e47
 	{
b69e47
 		if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS))
b69e47
-- 
b69e47
2.9.3
b69e47