From 5854fc41c6620567f0356e382baec4eda1e645b2 Mon Sep 17 00:00:00 2001

From: Mark Reynolds <mreynolds@redhat.com>

Date: Wed, 5 Apr 2017 11:05:28 -0400

Subject: [PATCH] Issue 49210 - Fix regression when checking is password min 

 age should be checked

Bug Description:  If a plugin makes an internal modification of userpassword

                  the connection structure in the pblock is null, and it was

                  being dereferenced.

Fix Description:  These internal operations do not need to have the password

                  policy checks done.  They are intended to be unrestricted.

                  So we only need to check password policy on client connections.

                  The fix frist hecks if the connection structy is present,

                  only then it continues.

                  Revised test script to include the tool: ldappasswd

https://pagure.io/389-ds-base/issue/49210

Reviewed by: firstyear(Thanks!)

---

 dirsrvtests/tests/tickets/ticket49039_test.py | 62 +++++++++++++++++++++++++++

 ldap/servers/slapd/modify.c                   |  2 +-

 2 files changed, 63 insertions(+), 1 deletion(-)

diff --git a/dirsrvtests/tests/tickets/ticket49039_test.py b/dirsrvtests/tests/tickets/ticket49039_test.py

index e6d4c03..f0b224c 100644

--- a/dirsrvtests/tests/tickets/ticket49039_test.py

+++ b/dirsrvtests/tests/tickets/ticket49039_test.py

@@ -2,6 +2,7 @@ import time

 import ldap

 import logging

 import pytest

+import os

 from lib389 import Entry

 from lib389._constants import *

 from lib389.properties import *

@@ -9,6 +10,7 @@ from lib389.tasks import *

 from lib389.utils import *

 from lib389.topologies import topology_st as topo

+

 DEBUGGING = os.getenv("DEBUGGING", default=False)

 if DEBUGGING:

     logging.getLogger(__name__).setLevel(logging.DEBUG)

@@ -19,11 +21,39 @@ log = logging.getLogger(__name__)

 USER_DN = 'uid=user,dc=example,dc=com'

+def ssl_init(topo):

+    """ Setup TLS

+    """

+    topo.standalone.stop()

+    # Prepare SSL but don't enable it.

+    for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'):

+        try:

+            os.remove("%s/%s" % (topo.standalone.confdir, f))

+        except:

+            pass

+    assert(topo.standalone.nss_ssl.reinit() is True)

+    assert(topo.standalone.nss_ssl.create_rsa_ca() is True)

+    assert(topo.standalone.nss_ssl.create_rsa_key_and_cert() is True)

+    # Start again

+    topo.standalone.start()

+    topo.standalone.rsa.create()

+    topo.standalone.config.set('nsslapd-ssl-check-hostname', 'off')

+    topo.standalone.config.set('nsslapd-secureport', '%s' %

+                               SECUREPORT_STANDALONE1)

+    topo.standalone.config.set('nsslapd-security', 'on')

+    topo.standalone.restart()

+

+    log.info("SSL setup complete\n")

+

+

 def test_ticket49039(topo):

     """Test "password must change" verses "password min age".  Min age should not

     block password update if the password was reset.

     """

+    # Setup SSL (for ldappasswd test)

+    ssl_init(topo)

+

     # Configure password policy

     try:

         topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on'),

@@ -68,6 +98,38 @@ def test_ticket49039(topo):

         log.fatal('Failed to change password: error ' + e.message['desc'])

         assert False

+    ###################################

+    # Make sure ldappasswd also works

+    ###################################

+

+    # Reset password as RootDN

+    try:

+        topo.standalone.simple_bind_s(DN_DM, PASSWORD)

+    except ldap.LDAPError as e:

+        log.fatal('Failed to bind as rootdn: error ' + e.message['desc'])

+        assert False

+

+    try:

+        topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)])

+    except ldap.LDAPError as e:

+        log.fatal('Failed to bind: error ' + e.message['desc'])

+        assert False

+

+    time.sleep(1)

+

+    # Run ldappasswd as the User.

+    cmd = ('LDAPTLS_REQCERT=never LDAPTLS_CACERTDIR=' + topo.standalone.get_cert_dir() +

+           ' ldappasswd' + ' -h ' + topo.standalone.host + ' -Z -p 38901 -D ' + USER_DN +

+           ' -w password -a password -s password2 ' + USER_DN)

+    os.system(cmd)

+    time.sleep(1)

+

+    try:

+        topo.standalone.simple_bind_s(USER_DN, "password2")

+    except ldap.LDAPError as e:

+        log.fatal('Failed to bind: error ' + e.message['desc'])

+        assert False

+

     log.info('Test Passed')

diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c

index 32defae..e23fe67 100644

--- a/ldap/servers/slapd/modify.c

+++ b/ldap/servers/slapd/modify.c

@@ -1326,7 +1326,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old

 	/* check if password is within password minimum age;

 	   error result is sent directly from check_pw_minage */	

-	if (!pb->pb_conn->c_needpw &&

+	if (pb->pb_conn && !pb->pb_conn->c_needpw &&

 	    check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1)

 	{

 		if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS))

-- 

2.9.3