From 1c4faa3c235c42abde1d7fe93cb43429772b65a6 Mon Sep 17 00:00:00 2001

From: Mark Reynolds <mreynolds@redhat.com>

Date: Fri, 26 Aug 2016 18:51:42 -0400

Subject: [PATCH 45/45] Ticket 48972 - remove old pwp code that adds/removes

 ACIs

Bug Description:  Old legacy code is still present in the DS that used

                  to enforce the password policy "user may change password"

                  using ACIs.  This old code would re-add the ACI for

                  selfwrite on userpassword at server startup.

Fix Description:  The current password policy does not depend on these access

                  access control rules to enforce if a user can change their

                  password or not.

https://fedorahosted.org/389/ticket/48972

Reviewed by: nhosoi(Thanks!)

(cherry picked from commit 32881be120f14b952de67a0d533ad94ba0956093)

---

 ldap/servers/slapd/add.c        | 15 --------

 ldap/servers/slapd/libglobs.c   | 14 -------

 ldap/servers/slapd/proto-slap.h |  3 --

 ldap/servers/slapd/pw.c         | 81 -----------------------------------------

 ldap/servers/slapd/pw_mgmt.c    |  9 +----

 5 files changed, 1 insertion(+), 121 deletions(-)

diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c

index 629017e..708d3e7 100644

--- a/ldap/servers/slapd/add.c

+++ b/ldap/servers/slapd/add.c

@@ -643,21 +643,6 @@ static void op_shared_add (Slapi_PBlock *pb)

     }

 	slapi_pblock_set(pb, SLAPI_BACKEND, be);

-	/* we set local password policy ACI for non-replicated operations only */

-	if (!repl_op &&

-		!operation_is_flag_set(operation, OP_FLAG_REPL_FIXUP) &&

-		!operation_is_flag_set(operation, OP_FLAG_LEGACY_REPLICATION_DN) &&

-		!slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA) &&

-		!slapi_be_private(be) &&

-		slapi_be_issuffix (be, slapi_entry_get_sdn_const(e)))

-	{

-		/* this is a suffix. update the pw aci */

-		slapdFrontendConfig_t *slapdFrontendConfig;

-		slapdFrontendConfig = getFrontendConfig();

-		pw_add_allowchange_aci(e, !slapdFrontendConfig->pw_policy.pw_change &&

-							   !slapdFrontendConfig->pw_policy.pw_must_change);

-	}

-

 	if (!repl_op)

 	{

diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c

index a630c6c..faf521b 100644

--- a/ldap/servers/slapd/libglobs.c

+++ b/ldap/servers/slapd/libglobs.c

@@ -2601,13 +2601,6 @@ config_set_pw_change( const char *attrname, char *value, char *errorbuf, int app

 							  errorbuf,

 							  apply);

-  if (retVal == LDAP_SUCCESS) {

-	  /* LP: Update ACI to reflect the value ! */

-	  if (apply)

-		  pw_mod_allowchange_aci(!slapdFrontendConfig->pw_policy.pw_change &&

-								 !slapdFrontendConfig->pw_policy.pw_must_change);

-  }

-  

   return retVal;

 }

@@ -2638,13 +2631,6 @@ config_set_pw_must_change( const char *attrname, char *value, char *errorbuf, in

 							  errorbuf,

 							  apply);

-  if (retVal == LDAP_SUCCESS) {

-	  /* LP: Update ACI to reflect the value ! */

-	  if (apply)

-		  pw_mod_allowchange_aci(!slapdFrontendConfig->pw_policy.pw_change &&

-								 !slapdFrontendConfig->pw_policy.pw_must_change);

-  }

-  

   return retVal;

 }

diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h

index 1f37010..712642f 100644

--- a/ldap/servers/slapd/proto-slap.h

+++ b/ldap/servers/slapd/proto-slap.h

@@ -951,9 +951,6 @@ void get_old_pw( Slapi_PBlock *pb, const Slapi_DN *sdn, char **old_pw);

 int check_account_lock( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req, int account_inactivation_only /*no wire/no pw policy*/);

 int check_pw_minage( Slapi_PBlock *pb, const Slapi_DN *sdn, struct berval **vals) ;

 void add_password_attrs( Slapi_PBlock *pb, Operation *op, Slapi_Entry *e );

-void mod_allowchange_aci(char *val);

-void pw_mod_allowchange_aci(int pw_prohibit_change);

-void pw_add_allowchange_aci(Slapi_Entry *e, int pw_prohibit_change);

 int add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e);

diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c

index 7469b9e..3f2cdb0 100644

--- a/ldap/servers/slapd/pw.c

+++ b/ldap/servers/slapd/pw.c

@@ -1337,69 +1337,6 @@ slapi_add_pwd_control ( Slapi_PBlock *pb, char *arg, long time) {

 }

 void

-pw_mod_allowchange_aci(int pw_prohibit_change)

-{

-	const Slapi_DN *base;

-	char		*values_mod[2];

-	LDAPMod		mod;

-	LDAPMod		*mods[2];

-	Slapi_Backend *be;

-	char *cookie = NULL;

-

-	mods[0] = &mod;

-	mods[1] = NULL;

-	mod.mod_type = "aci";

-	mod.mod_values = values_mod;

-

-	if (pw_prohibit_change) {

-		mod.mod_op = LDAP_MOD_ADD;

-	}

-	else

-	{

-		/* Allow change password by default  */

-		/* remove the aci if it is there.  it is ok to fail */

-		mod.mod_op = LDAP_MOD_DELETE;

-	}

-

-	be = slapi_get_first_backend (&cookie);

-	/* Foreach backend... */

-    while (be)

-    {

-		/* Don't add aci on a chaining backend holding remote entries */

-        if((!be->be_private) && (!slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA)))

-        {

-			/* There's only One suffix per DB now. No need to loop */

-			base = slapi_be_getsuffix(be, 0);

-			if (base != NULL)

-			{

-				Slapi_PBlock pb;

-				int rc;

-				

-				pblock_init (&pb;;

-				values_mod[0] = DENY_PW_CHANGE_ACI;

-				values_mod[1] = NULL;

-				slapi_modify_internal_set_pb_ext(&pb, base, mods, NULL, NULL,

-				                                 pw_get_componentID(), 0);

-				slapi_modify_internal_pb(&pb;;

-				slapi_pblock_get(&pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);

-				if (rc == LDAP_SUCCESS){

-					/* 

-					** Since we modified the acl 

-					** successfully, let's update the 

-					** in-memory acl list

-					*/

-					slapi_pblock_set(&pb, SLAPI_TARGET_SDN, (void *)base);

-					plugin_call_acl_mods_update (&pb, LDAP_REQ_MODIFY );

-				}

-				pblock_done(&pb;;

-			}

-        }

-		be = slapi_get_next_backend (cookie);

-    }

-	slapi_ch_free((void **) &cookie);

-}

-

-void

 add_password_attrs( Slapi_PBlock *pb, Operation *op, Slapi_Entry *e )

 {

 	struct berval   bv;

@@ -1583,24 +1520,6 @@ check_trivial_words (Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char

 	return ( 0 );

 }

-

-void

-pw_add_allowchange_aci(Slapi_Entry *e, int pw_prohibit_change) {

-	char		*aci_pw = NULL;

-	const char *aciattr = "aci";

-

-	aci_pw = slapi_ch_strdup(DENY_PW_CHANGE_ACI);

-

-	if (pw_prohibit_change) {

-		/* Add ACI */

-		slapi_entry_add_string(e, aciattr, aci_pw);

-	} else {

-		/* Remove ACI */

-		slapi_entry_delete_string(e, aciattr, aci_pw);

-	}

-	slapi_ch_free((void **) &aci_pw);

-}

-

 int

 pw_is_pwp_admin(Slapi_PBlock *pb, passwdPolicy *pwp){

 	Slapi_DN *bind_sdn = NULL;

diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c

index 5470556..7252c08 100644

--- a/ldap/servers/slapd/pw_mgmt.c

+++ b/ldap/servers/slapd/pw_mgmt.c

@@ -256,13 +256,8 @@ skip:

 void

 pw_init ( void )

 {

-	slapdFrontendConfig_t *slapdFrontendConfig;

-

 	pw_set_componentID(generate_componentid(NULL, COMPONENT_PWPOLICY));

-	

-	slapdFrontendConfig = getFrontendConfig();

-	pw_mod_allowchange_aci (!slapdFrontendConfig->pw_policy.pw_change && 

-                            !slapdFrontendConfig->pw_policy.pw_must_change);

+

 #if defined(USE_OLD_UNHASHED)

 	slapi_add_internal_attr_syntax( PSEUDO_ATTR_UNHASHEDUSERPASSWORD,

 	                                PSEUDO_ATTR_UNHASHEDUSERPASSWORD_OID,

@@ -273,5 +268,3 @@ pw_init ( void )

 	                                SLAPI_ATTR_FLAG_NOEXPOSE);

 #endif

 }

-

-

-- 

2.4.11