From 81954ad4a4f7275224bea45c5cb12636c5f4e8e1 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Tue, 2 Dec 2014 14:10:46 -0500
Subject: [PATCH 281/305] Ticket 47970 - Account lockout attributes incorrectly updated after failed SASL Bind

Bug Description: When a SASL bind fails, the target DN is not set. If password policy account lockout is configured, it attempts to update the password retry count on the dn ("") - which is the Root DSE entry, not a user entry. This also confuses the COS plugin, and it incorrectly triggers a COS cache rebuild after the failed login.

Fix Description: Do not update the password retry counters if it is a failed SASL bind.

https://fedorahosted.org/389/ticket/47970

Reviewed by: nhosoi(Thanks!)

(cherry picked from commit 17e79688e05908f7fff319bdeb5167cbeaaf922c)
(cherry picked from commit 90ab84c6240dff835210dfff7d2804cac77a27b3)
---
 ldap/servers/slapd/result.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
index 993dc9e..caf3014 100644
--- a/ldap/servers/slapd/result.c
+++ b/ldap/servers/slapd/result.c
@@ -285,16 +285,18 @@ send_ldap_result_ext(
 BerElement *ber
 )
 {
- Connection *conn = pb->pb_conn;
- int i, rc, logit = 0;
- ber_tag_t tag;
- int flush_ber_element = 1;
 Slapi_Operation *operation;
- const char *dn = NULL;
+ passwdPolicy *pwpolicy = NULL;
+ Connection *conn = pb->pb_conn;
 Slapi_DN *sdn = NULL;
+ const char *dn = NULL;
+ ber_tag_t tag;
+ int flush_ber_element = 1;
+ int bind_method = 0;
 int internal_op;
- passwdPolicy *pwpolicy = NULL;
-
+ int i, rc, logit = 0;
+
+ slapi_pblock_get (pb, SLAPI_BIND_METHOD, &bind_method);
 slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
 if (operation->o_status == SLAPI_OP_STATUS_RESULT_SENT) {
@@ -372,7 +374,7 @@ send_ldap_result_ext(
 /* invalid password. Update the password retry here */
 /* put this here for now. It could be a send_result pre-op plugin. */
- if (err == LDAP_INVALID_CREDENTIALS) {
+ if (err == LDAP_INVALID_CREDENTIALS && bind_method != LDAP_AUTH_SASL ) {
 slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
 dn = slapi_sdn_get_dn(sdn);
 pwpolicy = new_passwdPolicy(pb, dn);
-- 
1.9.3
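Review bot: The added condition on the `if` line keys the retry-counter skip on the bind method rather than on the condition the description names (the target DN being unset), so every failed SASL bind now bypasses password-policy lockout accounting; if any SASL mechanism does resolve to a real entry DN on this path, repeated bad credentials against that entry would no longer raise its retry count, which weakens the lockout control rather than just keeping it off the Root DSE. Guarding on the DN itself addresses the reported bug without that side effect: hoist `slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );` above the test and write `if (err == LDAP_INVALID_CREDENTIALS && !slapi_sdn_isempty(sdn)) {` (assuming slapi_sdn_isempty tolerates a NULL sdn; otherwise add an explicit NULL check first). If excluding SASL regardless of DN is the intended policy, say so on the line, e.g. `/* failed SASL binds have no target DN here; skip so the Root DSE is never updated */`, since a later reader will otherwise take it for an oversight. Minor: the stray space in `LDAP_AUTH_SASL )` breaks the file's call-spacing style. The if-block and send_ldap_result_ext continue beyond the hunk, and the same point applies to the `bind_method` plumbing added in the first hunk.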