From e40a6ef764f13b6efcf573a6181b6747bb029b90 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 24 Mar 2016 09:46:11 -0400
Subject: [PATCH] Ticket 47888 - DES to AES password conversion fails if a
backend is empty
Bug Description: The process of converting DES passwords to AES can incorrectly
disable the DES plugin if an error is encountered. In this case
it was because a backend was defined but was missing the top entry
which led to an error 32 when searching for DES passwords. This
causes the existing DES passwords to fail to decode.
Fix Description: There are two issues here. One, we should ignore errors when
searching all the backends for passwords. Two, we should only
disable the DES plugin if all the DES passwords were successfully
converted.
https://fedorahosted.org/389/ticket/48777
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 6b7f980e80af3803bc395e50bd4228ded9bceb00)
(cherry picked from commit c6eaf691c6ff3330dc1a3dcbf4dcc31af52c2919)
---
ldap/servers/slapd/daemon.c | 53 ++++++++++++++++++++++-----------------------
1 file changed, 26 insertions(+), 27 deletions(-)
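diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index d25c44d..d702129 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -694,7 +694,8 @@ convert_pbe_des_to_aes()
 char **attrs = NULL;
 char **backends = NULL;
 char *val = NULL;
- int converted_des = 0;
+ int converted_des_passwd = 0;
+ int disable_des = 1;
 int result = -1;
 int have_aes = 0;
 int have_des = 0;
@@ -739,7 +740,7 @@ convert_pbe_des_to_aes()
 char *cookie = NULL;
 
 LDAPDebug(LDAP_DEBUG_ANY, "convert_pbe_des_to_aes: "
- "Converting DES passwords to AES...\n",0,0,0);
+ "Checking for DES passwords to convert to AES...\n",0,0,0);
 
 be = slapi_get_first_backend(&cookie);
 while (be){
@@ -777,10 +778,13 @@ convert_pbe_des_to_aes()
 slapi_search_internal_pb(pb);
 slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
 if (LDAP_SUCCESS != result) {
- LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
- "failed to search for password on (%s) error (%d)\n",
- backends[be_idx], result, 0);
- goto done;
+ slapi_log_error(SLAPI_LOG_TRACE, "convert_pbe_des_to_aes: ",
+ "Failed to search for password attribute (%s) error (%d), skipping suffix (%s)\n",
+ attrs[i], result, backends[be_idx]);
+ slapi_free_search_results_internal(pb);
+ slapi_pblock_destroy(pb);
+ pb = NULL;
+ continue;
 }
 slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
 for (ii = 0; entries && entries[ii]; ii++){
@@ -799,9 +803,9 @@ convert_pbe_des_to_aes()
 /* decode the DES password */
 if(pw_rever_decode(val, &passwd, attrs[i]) == -1){
 LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
- "failed to decode existing DES password for (%s)\n",
+ "Failed to decode existing DES password for (%s)\n",
 slapi_entry_get_dn(entries[ii]), 0, 0);
- converted_des = 0;
+ disable_des = 0;
 goto done;
 }
 
@@ -813,7 +817,7 @@ convert_pbe_des_to_aes()
 slapi_entry_get_dn(entries[ii]), 0, 0);
 slapi_ch_free_string(&passwd);
 slapi_value_free(&sval);
- converted_des = 0;
+ disable_des = 0;
 goto done;
 }
 
@@ -834,22 +838,18 @@ convert_pbe_des_to_aes()
 slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
 if (LDAP_SUCCESS != result) {
 LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
- "failed to convert password for (%s) error (%d)\n",
+ "Failed to convert password for (%s) error (%d)\n",
 slapi_entry_get_dn(entries[ii]), result, 0);
- converted_des = -1;
+ disable_des = 0;
 } else {
 LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
- "successfully converted password for (%s)\n",
+ "Successfully converted password for (%s)\n",
 slapi_entry_get_dn(entries[ii]), result, 0);
- converted_des = 1;
-
+ converted_des_passwd = 1;
 }
 slapi_ch_free_string(&passwd);
 slapi_value_free(&sval);
 slapi_pblock_destroy(mod_pb);
- if(result){
- goto done;
- }
 }
 slapi_ch_free_string(&val;;
 }
@@ -860,6 +860,10 @@ convert_pbe_des_to_aes()
 }
 slapi_ch_free_string(&filter);
 }
+ if (!converted_des_passwd){
+ slapi_log_error(SLAPI_LOG_FATAL, "convert_pbe_des_to_aes",
+ "No DES passwords found to convert.\n");
+ }
 }
 
 done:
@@ -870,9 +874,9 @@ done:
 
 if (have_aes && have_des){
 /*
- * If a conversion attempt did not fail, disable DES plugin
+ * If a conversion attempt did not fail then we can disable the DES plugin
 */
- if(converted_des != -1){
+ if(converted_des_passwd && disable_des){
 /*
 * Disable the DES plugin - this also prevents potentially expensive
 * searches at every server startup.
@@ -905,14 +909,9 @@ done:
 des_dn, 0, 0);
 }
 slapi_pblock_destroy(pb);
- }
- if(converted_des == 1){
- LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
- "Finished - all DES passwords have been converted to AES.\n",
- 0, 0, 0);
- } else if (converted_des == 0){
- LDAPDebug(LDAP_DEBUG_ANY, "convert_pbe_des_to_aes: "
- "Finished - no DES passwords to convert.\n",0,0,0);
+ LDAPDebug(LDAP_DEBUG_ANY,"convert_pbe_des_to_aes: "
+ "All DES passwords have been converted to AES.\n",
+ 0, 0, 0);
 }
 }
 }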
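Review bot: The new skip path in the `if (LDAP_SUCCESS != result)` branch of the third hunk treats every search error as "this suffix has nothing to convert" but leaves `disable_des` at 1, so a backend whose search fails for a reason other than a missing top entry (an unavailable or busy backend, for instance) can still hold DES passwords when the `converted_des_passwd && disable_des` test after `done:` disables the DES plugin, which can reproduce the undecodable-password outcome the commit is fixing. Only LDAP_NO_SUCH_OBJECT (error 32, the case in the bug description) proves the suffix is empty; other results should keep DES enabled, e.g. `if (result != LDAP_NO_SUCH_OBJECT) { disable_des = 0; }` placed before the `continue`. Logging the skip at SLAPI_LOG_TRACE also hides it from the default error log while the less consequential "No DES passwords found to convert." message in the seventh hunk goes out at SLAPI_LOG_FATAL; logging the skipped suffix at SLAPI_LOG_FATAL would let an administrator see which suffix was left unconverted. The loop that the `continue` belongs to starts outside the hunk, so I cannot confirm from here that it is a `for` whose increment still runs after the `continue`.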
--
2.4.3