From 8ee0ea62d669f59246c8727d89a860bb6d6082f8 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 14 Jan 2014 10:09:37 -0500
Subject: [PATCH 28/34] Harmonize policy discovery to kdb driver
The KDB driver does not walk the tree back like the original password plugin.
Also, we no longer store the default policy in the base DN as we used to.
So doing a full subtree search and walking back the tree is just a waste of
time.
Instead hardcode the default policy like we do in the kdb driver.
Fixes: https://fedorahosted.org/freeipa/ticket/4085
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 106 ++++-------------------
 1 file changed, 17 insertions(+), 89 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
9991ea
index 2538a4094bd9a166e61b0911e5ea93426092d88a..ef20c4c61bd764bffc426208ff8b99f5d0b782ec 100644
9991ea
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
9991ea
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
9991ea
@@ -436,75 +436,44 @@ static void pwd_values_free(Slapi_ValueSet** results,
9991ea
     slapi_vattr_values_free(results, actual_type_name, buffer_flags);
9991ea
 }
9991ea
 
9991ea
-static int ipapwd_rdn_count(const char *dn)
9991ea
-{
9991ea
-    int rdnc = 0;
9991ea
-    LDAPDN ldn;
9991ea
-    int ret;
9991ea
-
9991ea
-    ret = ldap_str2dn(dn, &ldn, LDAP_DN_FORMAT_LDAPV3);
9991ea
-    if (ret != LDAP_SUCCESS) {
9991ea
-        LOG_TRACE("ldap_str2dn(dn) failed ?!");
9991ea
-        return -1;
9991ea
-    }
9991ea
-
9991ea
-    for (rdnc = 0; ldn != NULL && ldn[rdnc]; rdnc++) /* count */ ;
9991ea
-    ldap_dnfree(ldn);
9991ea
-
9991ea
-    return rdnc;
9991ea
-}
9991ea
-
9991ea
 int ipapwd_getPolicy(const char *dn,
9991ea
                      Slapi_Entry *target,
9991ea
                      struct ipapwd_policy *policy)
9991ea
 {
9991ea
     const char *krbPwdPolicyReference;
9991ea
-    const char *pdn;
9991ea
-    const Slapi_DN *psdn;
9991ea
-    Slapi_Backend *be;
9991ea
+    char *pdn = NULL;
9991ea
     Slapi_PBlock *pb = NULL;
9991ea
     char *attrs[] = { "krbMaxPwdLife", "krbMinPwdLife",
9991ea
                       "krbPwdMinDiffChars", "krbPwdMinLength",
9991ea
                       "krbPwdHistoryLength", NULL};
9991ea
     Slapi_Entry **es = NULL;
9991ea
     Slapi_Entry *pe = NULL;
9991ea
-    int ret, res, dist, rdnc, scope, i;
9991ea
-    Slapi_DN *sdn = NULL;
9991ea
+    int ret, res, scope, i;
9991ea
     int buffer_flags=0;
9991ea
     Slapi_ValueSet* results = NULL;
9991ea
-    char* actual_type_name = NULL;
9991ea
+    char *actual_type_name = NULL;
9991ea
     int tmpint;
9991ea
 
9991ea
     LOG_TRACE("Searching policy for [%s]\n", dn);
9991ea
 
9991ea
-    sdn = slapi_sdn_new_dn_byref(dn);
9991ea
-    if (sdn == NULL) {
9991ea
-        LOG_OOM();
9991ea
-        ret = -1;
9991ea
-        goto done;
9991ea
-    }
9991ea
-
9991ea
     pwd_get_values(target, "krbPwdPolicyReference",
9991ea
                    &results, &actual_type_name, &buffer_flags);
9991ea
     if (results) {
9991ea
         Slapi_Value *sv;
9991ea
         slapi_valueset_first_value(results, &sv;;
9991ea
         krbPwdPolicyReference = slapi_value_get_string(sv);
9991ea
-        pdn = krbPwdPolicyReference;
9991ea
-        scope = LDAP_SCOPE_BASE;
9991ea
-        LOG_TRACE("using policy reference: %s\n", pdn);
9991ea
+        pdn = slapi_ch_strdup(krbPwdPolicyReference);
9991ea
     } else {
9991ea
-        /* Find ancestor base DN */
9991ea
-        be = slapi_be_select(sdn);
9991ea
-        psdn = slapi_be_getsuffix(be, 0);
9991ea
-        if (psdn == NULL) {
9991ea
-            LOG_FATAL("Invalid DN [%s]\n", dn);
9991ea
-            ret = -1;
9991ea
-            goto done;
9991ea
-        }
9991ea
-        pdn = slapi_sdn_get_dn(psdn);
9991ea
-        scope = LDAP_SCOPE_SUBTREE;
9991ea
+        /* Fallback to hardcoded value */
9991ea
+        pdn = slapi_ch_smprintf("cn=global_policy,%s", ipa_realm_dn);
9991ea
     }
9991ea
+    if (pdn == NULL) {
9991ea
+        LOG_OOM();
9991ea
+        ret = -1;
9991ea
+        goto done;
9991ea
+    }
9991ea
+    LOG_TRACE("Using policy at [%s]\n", pdn);
9991ea
+    scope = LDAP_SCOPE_BASE;
9991ea
 
9991ea
     pb = slapi_pblock_new();
9991ea
     slapi_search_internal_set_pb(pb,
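Review bot: The fallback `pdn = slapi_ch_smprintf("cn=global_policy,%s", ipa_realm_dn);` formats the global `ipa_realm_dn` with `%s` without checking it; nothing in this hunk shows where that global is set, and if it can still be NULL when a password operation arrives (for instance before the plugin has read its configuration) the result is undefined behaviour inside the formatter rather than the clean `ret = -1` this function otherwise produces. A guard just before the smprintf, `if (ipa_realm_dn == NULL) { LOG_FATAL("realm DN not configured\n"); ret = -1; goto done; }`, keeps that failure on the function's existing error path. Separately, when `results` is non-empty but `slapi_value_get_string(sv)` yields NULL, `slapi_ch_strdup()` (which, as far as I recall, returns NULL for a NULL input) makes the new `pdn == NULL` check log an out-of-memory condition for what is really a malformed krbPwdPolicyReference; a dedicated NULL check right after `krbPwdPolicyReference = slapi_value_get_string(sv);` would log the actual cause. ipapwd_getPolicy continues past the end of this hunk.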
9991ea
@@ -539,54 +508,13 @@ int ipapwd_getPolicy(const char *dn,
9991ea
     /* if there is only one, return that */
9991ea
     if (i == 1) {
9991ea
         pe = es[0];
9991ea
-        goto fill;
9991ea
-    }
9991ea
-
9991ea
-    /* count number of RDNs in DN */
9991ea
-    rdnc = ipapwd_rdn_count(dn);
9991ea
-    if (rdnc == -1) {
9991ea
-        LOG_TRACE("ipapwd_rdn_count(dn) failed");
9991ea
-        ret = -1;
9991ea
-        goto done;
9991ea
-    }
9991ea
-
9991ea
-    pe = NULL;
9991ea
-    dist = -1;
9991ea
-
9991ea
-    /* find closest entry */
9991ea
-    for (i = 0; es[i]; i++) {
9991ea
-        const Slapi_DN *esdn;
9991ea
-
9991ea
-        esdn = slapi_entry_get_sdn_const(es[i]);
9991ea
-        if (esdn == NULL) continue;
9991ea
-        if (0 == slapi_sdn_compare(esdn, sdn)) {
9991ea
-            pe = es[i];
9991ea
-            dist = 0;
9991ea
-            break;
9991ea
-        }
9991ea
-        if (slapi_sdn_issuffix(sdn, esdn)) {
9991ea
-            const char *dn1;
9991ea
-            int c1;
9991ea
-
9991ea
-            dn1 = slapi_sdn_get_dn(esdn);
9991ea
-            if (!dn1) continue;
9991ea
-            c1 = ipapwd_rdn_count(dn1);
9991ea
-            if (c1 == -1) continue;
9991ea
-            if ((dist == -1) ||
9991ea
-                ((rdnc - c1) < dist)) {
9991ea
-                dist = rdnc - c1;
9991ea
-                pe = es[i];
9991ea
-            }
9991ea
-        }
9991ea
-        if (dist == 0) break; /* found closest */
9991ea
-    }
9991ea
-
9991ea
-    if (pe == NULL) {
9991ea
+    } else {
9991ea
+        LOG_TRACE("Multiple entries from a base search ?!");
9991ea
         ret = -1;
9991ea
         goto done;
9991ea
     }
9991ea
 
9991ea
-fill:
9991ea
+    /* read data out of policy object */
9991ea
     policy->min_pwd_life = slapi_entry_attr_get_int(pe, "krbMinPwdLife");
9991ea
 
9991ea
     tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");
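Review bot: The entry in `pe` is consumed as a policy object from `/* read data out of policy object */` onward without any check that it is one; when `pdn` came from the target entry's krbPwdPolicyReference, a reference that points at an arbitrary entry makes every `slapi_entry_attr_get_int` read come back as 0 (if I remember the SLAPI semantics for a missing attribute correctly), so the caller receives a policy with minimum length 0, no history and no lifetime limits instead of an error. Unless the code between the hunks already validates this, a check such as `if (!slapi_entry_attr_hasvalue(pe, "objectClass", "krbPwdPolicy")) { LOG_FATAL("[%s] is not a password policy\n", pdn); ret = -1; goto done; }` placed before the reads makes the lookup fail closed. The new `else` branch is also reached for any `i != 1`, so the "Multiple entries from a base search ?!" message is misleading if a zero-result search can get this far; logging the count, `LOG_FATAL("Expected one policy entry at [%s], got %d\n", pdn, i);`, is accurate either way and is visible at the default log level, which a trace message is not. ipapwd_getPolicy starts and ends outside this hunk.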
9991ea
@@ -615,7 +543,7 @@ done:
9991ea
         slapi_free_search_results_internal(pb);
9991ea
         slapi_pblock_destroy(pb);
9991ea
     }
9991ea
-    if (sdn) slapi_sdn_free(&sdn;;
9991ea
+    slapi_ch_free_string(&pdn);
9991ea
     return ret;
9991ea
 }
9991ea
 
9991ea
-- 
9991ea
1.8.4.2
9991ea