From d19a011c84949c323194fe389f1e84d0dcc61c70 Mon Sep 17 00:00:00 2001

From: Nathaniel McCallum <npmccallum@redhat.com>

Date: Mon, 10 Nov 2014 22:46:44 -0500

Subject: [PATCH] Move authentication configuration cache into libotp

This enables plugins to share authentication configuration cache code.

Additionally, update the caching mechanism to be declarative and faster.

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>

---

 .../ipa-slapi-plugins/ipa-pwd-extop/Makefile.am    |   1 -

 daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c  | 280 ---------------------

 daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h  |  82 ------

 .../ipa-pwd-extop/ipa_pwd_extop.c                  |  21 +-

 daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c  |  50 ++--

 daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c  |   4 +-

 daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h  |   4 +-

 daemons/ipa-slapi-plugins/libotp/Makefile.am       |   2 +-

 daemons/ipa-slapi-plugins/libotp/otp_config.c      | 274 ++++++++++++++++++++

 daemons/ipa-slapi-plugins/libotp/otp_config.h      |  65 +++++

 daemons/ipa-slapi-plugins/libotp/otp_token.c       |  58 ++---

 daemons/ipa-slapi-plugins/libotp/otp_token.h       |  11 +-

 12 files changed, 395 insertions(+), 457 deletions(-)

 delete mode 100644 daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c

 delete mode 100644 daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h

 create mode 100644 daemons/ipa-slapi-plugins/libotp/otp_config.c

 create mode 100644 daemons/ipa-slapi-plugins/libotp/otp_config.h

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am

index eeb352611e5b67a2f6803b59414fb31c37f39f33..1ab6c6704e401810772a5ababc7cc5eec19d2c83 100644

--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am

@@ -44,7 +44,6 @@ libipa_pwd_extop_la_LIBADD  = \

 	$(ASN1_UTIL_DIR)/libipaasn1.la  \

 	$(NULL)

 libipa_pwd_extop_la_SOURCES = 		\

-	authcfg.c			\

 	common.c			\

 	encoding.c			\

 	prepost.c			\

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c

deleted file mode 100644

index 3ab5668edd7edcb9eaf247c18b964f6584c9d439..0000000000000000000000000000000000000000

--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c

+++ /dev/null

@@ -1,280 +0,0 @@

-/** BEGIN COPYRIGHT BLOCK

- * This program is free software; you can redistribute it and/or modify

- * it under the terms of the GNU General Public License as published by

- * the Free Software Foundation, either version 3 of the License, or

- * (at your option) any later version.

- *

- * This program is distributed in the hope that it will be useful,

- * but WITHOUT ANY WARRANTY; without even the implied warranty of

- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

- * GNU General Public License for more details.

- *

- * You should have received a copy of the GNU General Public License

- * along with this program.  If not, see <http://www.gnu.org/licenses/>.

- *

- * Additional permission under GPLv3 section 7:

- *

- * In the following paragraph, "GPL" means the GNU General Public

- * License, version 3 or any later version, and "Non-GPL Code" means

- * code that is governed neither by the GPL nor a license

- * compatible with the GPL.

- *

- * You may link the code of this Program with Non-GPL Code and convey

- * linked combinations including the two, provided that such Non-GPL

- * Code only links to the code of this Program through those well

- * defined interfaces identified in the file named EXCEPTION found in

- * the source code files (the "Approved Interfaces"). The files of

- * Non-GPL Code may instantiate templates or use macros or inline

- * functions from the Approved Interfaces without causing the resulting

- * work to be covered by the GPL. Only the copyright holders of this

- * Program may make changes or additions to the list of Approved

- * Interfaces.

- *

- * Authors:

- * Nathaniel McCallum <npmccallum@redhat.com>

- *

- * Copyright (C) 2014 Red Hat, Inc.

- * All rights reserved.

- * END COPYRIGHT BLOCK **/

-

-#include "authcfg.h"

-#include "ipapwd.h"

-

-#include "pratom.h"

-

-static struct config {

-    struct config *next;

-    Slapi_DN *suffix;

-    uint32_t config;

-} *config;

-

-static uint32_t string_to_config(const char *str)

-{

-    static const struct {

-        const char *string;

-        uint32_t config;

-    } map[] = {

-        { "disabled", AUTHCFG_AUTH_TYPE_DISABLED },

-        { "password", AUTHCFG_AUTH_TYPE_PASSWORD },

-        { "otp",      AUTHCFG_AUTH_TYPE_OTP },

-        { "pkinit",   AUTHCFG_AUTH_TYPE_PKINIT },

-        { "radius",   AUTHCFG_AUTH_TYPE_RADIUS },

-        {}

-    };

-

-    for (uint32_t i = 0; map[i].string != NULL; i++) {

-        if (strcasecmp(map[i].string, str) == 0)

-            return map[i].config;

-    }

-

-    return AUTHCFG_AUTH_TYPE_NONE;

-}

-

-static uint32_t entry_to_config(Slapi_Entry *e)

-{

-    char **auth_types = NULL;

-

-    if (e == NULL)

-        return AUTHCFG_AUTH_TYPE_NONE;

-

-    /* Fetch the auth type values from the config entry. */

-    auth_types = slapi_entry_attr_get_charray(e, "ipaUserAuthType");

-    if (auth_types == NULL)

-        return AUTHCFG_AUTH_TYPE_NONE;

-

-    uint32_t types = AUTHCFG_AUTH_TYPE_NONE;

-    for (uint32_t i = 0; auth_types[i] != NULL; i++)

-        types |= string_to_config(auth_types[i]);

-

-    slapi_ch_array_free(auth_types);

-

-    return types;

-}

-

-static Slapi_DN *suffix_to_config_dn(Slapi_DN *suffix)

-{

-    Slapi_DN *sdn = NULL;

-    char *dn = NULL;

-

-    if (suffix == NULL)

-        return NULL;

-

-    dn = PR_smprintf("cn=ipaConfig,cn=etc,%s", slapi_sdn_get_dn(suffix));

-    if (dn == NULL)

-        return NULL;

-

-    sdn = slapi_sdn_new_dn_byval(dn);

-    PR_smprintf_free(dn);

-    return sdn;

-}

-

-static uint32_t suffix_to_config(Slapi_DN *suffix)

-{

-    static char *attrs[] = { "ipaUserAuthType", NULL };

-    Slapi_Entry *entry = NULL;

-    Slapi_DN *sdn = NULL;

-    uint32_t types;

-    int ret;

-

-    sdn = suffix_to_config_dn(suffix);

-    if (sdn == NULL)

-        return AUTHCFG_AUTH_TYPE_NONE;

-

-    ret = slapi_search_internal_get_entry(sdn, attrs, &entry,

-                                          ipapwd_get_plugin_id());

-    slapi_sdn_free(&sdn;;

-    if (ret != LDAP_SUCCESS)

-        return AUTHCFG_AUTH_TYPE_NONE;

-

-    types = entry_to_config(entry);

-    slapi_entry_free(entry);

-

-    return types;

-}

-

-static Slapi_DN *sdn_to_suffix(Slapi_DN *sdn)

-{

-    Slapi_DN *suffix = NULL;

-    void *node = NULL;

-

-    if (sdn == NULL)

-        return NULL;

-

-    for (suffix = slapi_get_first_suffix(&node, 0); suffix != NULL;

-         suffix = slapi_get_next_suffix(&node, 0)) {

-        if (slapi_sdn_issuffix(sdn, suffix))

-            return suffix;

-    }

-

-    return NULL;

-}

-

-static bool sdn_is_config(Slapi_DN *sdn)

-{

-    Slapi_DN *sfx = NULL;

-    Slapi_DN *cfg = NULL;

-    int cmp;

-

-    if (sdn == NULL)

-        return false;

-

-    sfx = sdn_to_suffix(sdn);

-    if (sfx == NULL)

-        return false;

-

-    cfg = suffix_to_config_dn(sfx);

-    if (cfg == NULL)

-        return false;

-

-    cmp = slapi_sdn_compare(cfg, sdn);

-    slapi_sdn_free(&cfg;;

-    return cmp == 0;

-}

-

-void cache_free(struct config **cfg)

-{

-    if (cfg == NULL || *cfg == NULL)

-        return;

-

-    cache_free(&(*cfg)->next);

-    free(*cfg);

-    *cfg = NULL;

-}

-

-bool authcfg_init(void)

-{

-    struct config *cfg = NULL;

-    Slapi_DN *sfx = NULL;

-    void *node = NULL;

-

-    /* If we are already initialized, return true. */

-    if (config != NULL)

-        return true;

-

-    /* Look up the config for each suffix. */

-    for (sfx = slapi_get_first_suffix(&node, 0); sfx != NULL;

-         sfx = slapi_get_next_suffix(&node, 0)) {

-        cfg = calloc(1, sizeof(*cfg));

-        if (cfg == NULL) {

-            authcfg_fini();

-            return false;

-        }

-

-        cfg->suffix = sfx;

-        cfg->config = suffix_to_config(sfx);

-        cfg->next = config;

-        config = cfg;

-    }

-

-    return true;

-}

-

-void authcfg_fini(void)

-{

-    cache_free(&config);

-}

-

-uint32_t authcfg_get_auth_types(Slapi_Entry *user_entry)

-{

-    uint32_t glbl = AUTHCFG_AUTH_TYPE_NONE;

-    uint32_t user = AUTHCFG_AUTH_TYPE_NONE;

-    Slapi_DN *sfx = NULL;

-    Slapi_DN *sdn = NULL;

-

-    /* Find the root suffix. */

-    sdn = slapi_entry_get_sdn(user_entry);

-    sfx = sdn_to_suffix(sdn);

-

-    /* Find the global config. */

-    if (sfx != NULL) {

-        for (struct config *cfg = config; cfg && sfx; cfg = cfg->next) {

-            if (slapi_sdn_compare(sfx, cfg->suffix) == 0) {

-                glbl = PR_ATOMIC_ADD(&cfg->config, 0);

-                break;

-            }

-        }

-    }

-

-    /* Global disabled overrides user settings. */

-    if (glbl & AUTHCFG_AUTH_TYPE_DISABLED)

-        return AUTHCFG_AUTH_TYPE_DISABLED;

-

-    /* Get the user's config. */

-    user = entry_to_config(user_entry);

-

-    if (user == AUTHCFG_AUTH_TYPE_NONE) {

-        if (glbl == AUTHCFG_AUTH_TYPE_NONE)

-            return AUTHCFG_AUTH_TYPE_PASSWORD;

-        return glbl;

-    }

-

-    return user & ~AUTHCFG_AUTH_TYPE_DISABLED;

-}

-

-void authcfg_reload_global_config(Slapi_DN *sdn, Slapi_Entry *config_entry)

-{

-    uint32_t glbl = AUTHCFG_AUTH_TYPE_NONE;

-    Slapi_DN *sfx = NULL;

-    Slapi_DN *dest;

-

-    /* Get the destination DN. */

-    dest = config_entry == NULL ? NULL : slapi_entry_get_sdn(config_entry);

-

-    /* Added, modified, moved into place. */

-    if (sdn_is_config(dest)) {

-        sfx = sdn_to_suffix(dest);

-        glbl = entry_to_config(config_entry);

-

-    /* Deleted, moved out of place. */

-    } else if (sdn_is_config(sdn)) {

-        sfx = sdn_to_suffix(sdn);

-    }

-

-    /* Reload config. */

-    for (struct config *cfg = config; cfg && sfx; cfg = cfg->next) {

-        if (slapi_sdn_compare(sfx, cfg->suffix) == 0) {

-            PR_ATOMIC_SET(&cfg->config, glbl);

-            break;

-        }

-    }

-}

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h

deleted file mode 100644

index c2fc24605c0f915261a57967c43c35ab6e773263..0000000000000000000000000000000000000000

--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h

+++ /dev/null

@@ -1,82 +0,0 @@

-/** BEGIN COPYRIGHT BLOCK

- * This program is free software; you can redistribute it and/or modify

- * it under the terms of the GNU General Public License as published by

- * the Free Software Foundation, either version 3 of the License, or

- * (at your option) any later version.

- *

- * This program is distributed in the hope that it will be useful,

- * but WITHOUT ANY WARRANTY; without even the implied warranty of

- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

- * GNU General Public License for more details.

- *

- * You should have received a copy of the GNU General Public License

- * along with this program.  If not, see <http://www.gnu.org/licenses/>.

- *

- * Additional permission under GPLv3 section 7:

- *

- * In the following paragraph, "GPL" means the GNU General Public

- * License, version 3 or any later version, and "Non-GPL Code" means

- * code that is governed neither by the GPL nor a license

- * compatible with the GPL.

- *

- * You may link the code of this Program with Non-GPL Code and convey

- * linked combinations including the two, provided that such Non-GPL

- * Code only links to the code of this Program through those well

- * defined interfaces identified in the file named EXCEPTION found in

- * the source code files (the "Approved Interfaces"). The files of

- * Non-GPL Code may instantiate templates or use macros or inline

- * functions from the Approved Interfaces without causing the resulting

- * work to be covered by the GPL. Only the copyright holders of this

- * Program may make changes or additions to the list of Approved

- * Interfaces.

- *

- * Authors:

- * Nathaniel McCallum <npmccallum@redhat.com>

- *

- * Copyright (C) 2014 Red Hat, Inc.

- * All rights reserved.

- * END COPYRIGHT BLOCK **/

-

-

-#ifndef AUTHCFG_H_

-#define AUTHCFG_H_

-

-#include <dirsrv/slapi-plugin.h>

-#include <stdbool.h>

-

-#define AUTHCFG_AUTH_TYPE_NONE     0

-#define AUTHCFG_AUTH_TYPE_DISABLED 1

-#define AUTHCFG_AUTH_TYPE_PASSWORD 2

-#define AUTHCFG_AUTH_TYPE_OTP      4

-#define AUTHCFG_AUTH_TYPE_PKINIT   8

-#define AUTHCFG_AUTH_TYPE_RADIUS   16

-

-/* Initialize authentication configuration.

- *

- * Thread Safety: NO

- */

-bool authcfg_init(void);

-

-/* Free global authentication configuration resources.

- *

- * Thread Safety: NO

- */

-void authcfg_fini(void);

-

-/* Gets the permitted authentication types for the given user entry.

- *

- * The entry should be queried for the "ipaUserAuthType" attribute.

- *

- * Thread Safety: YES

- */

-uint32_t authcfg_get_auth_types(Slapi_Entry *user_entry);

-

-/* Reloads configuration from the specified global config entry.

- *

- * If the provided entry isn't a global config entry, this is a no-op.

- *

- * Thread Safety: YES

- */

-void authcfg_reload_global_config(Slapi_DN *sdn, Slapi_Entry *config_entry);

-

-#endif /* AUTHCFG_H_ */

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c

index ceea49cab50b0836c882240f210339e60d26729b..09c877f7010d3cc252c9f38e827cd33b63dea3b6 100644

--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c

+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c

@@ -39,7 +39,7 @@

 #include "ipapwd.h"

 #include "util.h"

-#include "authcfg.h"

+#include "../libotp/otp_config.h"

 #include "ipa_asn1.h"

 /*

@@ -89,6 +89,8 @@ Slapi_PluginDesc ipapwd_plugin_desc = {

 void *ipapwd_plugin_id;

 static int usetxn = 0;

+extern struct otp_config *otp_config;

+

 void *ipapwd_get_plugin_id(void)

 {

     return ipapwd_plugin_id;

@@ -1792,16 +1794,6 @@ static int ipapwd_start( Slapi_PBlock *pb )

     Slapi_Entry *config_entry = NULL;

     int ret;

-    /* NOTE: We never call authcfg_fini() from a destructor. This is because

-     *       it may race with threaded requests at shutdown. This leak should

-     *       only occur when the DS is exiting, so it isn't a big deal.

-     */

-    if (!authcfg_init()) {

-        LOG_FATAL("AuthConf initialization failed!\n");

-        ret = LDAP_OPERATIONS_ERROR;

-        goto done;

-    }

-

     krberr = krb5_init_context(&krbctx);

     if (krberr) {

         LOG_FATAL("krb5_init_context failed\n");

@@ -1871,11 +1863,16 @@ static int ipapwd_start( Slapi_PBlock *pb )

     ret = LDAP_SUCCESS;

+    /* NOTE: We never call otp_config_fini() from a destructor. This is because

+     *       it may race with threaded requests at shutdown. This leak should

+     *       only occur when the DS is exiting, so it isn't a big deal.

+     */

+    otp_config = otp_config_init(ipapwd_plugin_id);

+

 done:

     free(realm);

     krb5_free_context(krbctx);

     if (config_entry) slapi_entry_free(config_entry);

-    if (ret != LDAP_SUCCESS) authcfg_fini();

     return ret;

 }

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c

index 1dff6db1a8cfcc295ba43d1c29d8887e3cf37fec..96c55f39ba2a9dc1e9fc80d5f7d46787803ece47 100644

--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c

+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c

@@ -63,7 +63,6 @@

 #include "ipapwd.h"

 #include "util.h"

 #include "syncreq.h"

-#include "authcfg.h"

 #define IPAPWD_OP_NULL 0

 #define IPAPWD_OP_ADD 1

@@ -75,6 +74,8 @@ extern Slapi_PluginDesc ipapwd_plugin_desc;

 extern void *ipapwd_plugin_id;

 extern const char *ipa_realm_tree;

+struct otp_config *otp_config = NULL;

+

 /* structure with information for each extension */

 struct ipapwd_op_ext {

     char *object_name;   /* name of the object extended   */

@@ -967,23 +968,9 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,

     return ret;

 }

-static int ipapwd_post_authcfg(Slapi_PBlock *pb)

+static int ipapwd_post_updatecfg(Slapi_PBlock *pb)

 {

-    Slapi_Entry *config_entry = NULL;

-    Slapi_DN *sdn = NULL;

-    int oprc = 0;

-

-    /* Just bail if the operation failed. */

-    if (slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &oprc) != 0 || oprc != 0)

-        return 0;

-

-    if (slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn) != 0)

-        return 0;

-

-    /* Ignore the error here (delete operations). */

-    slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &config_entry);

-

-    authcfg_reload_global_config(sdn, config_entry);

+    otp_config_update(otp_config, pb);

     return 0;

 }

@@ -1003,8 +990,7 @@ static int ipapwd_post_modadd(Slapi_PBlock *pb)

     LOG_TRACE("=>\n");

-    /* Ignore error when parsing configuration. */

-    ipapwd_post_authcfg(pb);

+    otp_config_update(otp_config, pb);

     /* time to get the operation handler */

     ret = slapi_pblock_get(pb, SLAPI_OPERATION, &op);

@@ -1144,7 +1130,7 @@ static bool ipapwd_do_otp_auth(const char *dn, Slapi_Entry *bind_entry,

     bool success = false;

     /* Find all of the user's active tokens. */

-    tokens = otp_token_find(ipapwd_plugin_id, dn, NULL, true, NULL);

+    tokens = otp_token_find(otp_config, dn, NULL, true, NULL);

     if (tokens == NULL) {

         slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,

                         "%s: can't find tokens for '%s'.\n", __func__, dn);

@@ -1190,11 +1176,7 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,

     uint32_t auth_types;

     /* Get the configured authentication types. */

-    auth_types = authcfg_get_auth_types(entry);

-

-    /* If global disabled flag is set, just punt. */

-    if (auth_types & AUTHCFG_AUTH_TYPE_DISABLED)

-        return true;

+    auth_types = otp_config_auth_types(otp_config, entry);

     /*

      * IMPORTANT SECTION!

@@ -1206,14 +1188,14 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,

      * 2. If PWD is enabled or OTP succeeded, fall through to PWD validation.

      */

-    if (auth_types & AUTHCFG_AUTH_TYPE_OTP) {

+    if (auth_types & OTP_CONFIG_AUTH_TYPE_OTP) {

         LOG_PLUGIN_NAME(IPAPWD_PLUGIN_NAME,

                         "Attempting OTP authentication for '%s'.\n", bind_dn);

         if (ipapwd_do_otp_auth(bind_dn, entry, creds))

             return true;

     }

-    return auth_types & AUTHCFG_AUTH_TYPE_PASSWORD;

+    return auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD;

 }

 static int ipapwd_authenticate(const char *dn, Slapi_Entry *entry,

@@ -1461,7 +1443,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)

     }

     /* Attempt to handle a token synchronization request. */

-    if (syncreq && !sync_request_handle(ipapwd_get_plugin_id(), pb, dn))

+    if (syncreq && !sync_request_handle(otp_config, pb, dn))

         goto invalid_creds;

     /* Attempt to write out kerberos keys for the user. */

@@ -1513,9 +1495,9 @@ int ipapwd_post_init(Slapi_PBlock *pb)

     ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01);

     if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&ipapwd_plugin_desc);

     if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_ADD_FN, (void *)ipapwd_post_modadd);

-    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_DELETE_FN, (void *)ipapwd_post_authcfg);

+    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_DELETE_FN, (void *)ipapwd_post_updatecfg);

     if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *)ipapwd_post_modadd);

-    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODRDN_FN, (void *)ipapwd_post_authcfg);

+    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODRDN_FN, (void *)ipapwd_post_updatecfg);

     return ret;

 }

@@ -1526,10 +1508,10 @@ int ipapwd_intpost_init(Slapi_PBlock *pb)

     ret = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_03);

     if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&ipapwd_plugin_desc);

-    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_ADD_FN, (void *)ipapwd_post_authcfg);

-    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_DELETE_FN, (void *)ipapwd_post_authcfg);

-    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN, (void *)ipapwd_post_authcfg);

-    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODRDN_FN, (void *)ipapwd_post_authcfg);

+    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_ADD_FN, (void *)ipapwd_post_updatecfg);

+    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_DELETE_FN, (void *)ipapwd_post_updatecfg);

+    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN, (void *)ipapwd_post_updatecfg);

+    if (!ret) ret = slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODRDN_FN, (void *)ipapwd_post_updatecfg);

     return ret;

 }

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c

index 10c49b724ee276d2b1fb89891a6eb4ee8eaa8fab..0aef438023e7f23d7219273e9f5efd5572e73c3f 100644

--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c

+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c

@@ -52,7 +52,7 @@ bool sync_request_present(Slapi_PBlock *pb)

     return ldap_control_find(OTP_SYNC_REQUEST_OID, controls, NULL) != NULL;

 }

-bool sync_request_handle(Slapi_ComponentId *plugin_id, Slapi_PBlock *pb,

+bool sync_request_handle(const struct otp_config *cfg, Slapi_PBlock *pb,

                          const char *user_dn)

 {

     struct otp_token **tokens = NULL;

@@ -90,7 +90,7 @@ bool sync_request_handle(Slapi_ComponentId *plugin_id, Slapi_PBlock *pb,

         /* Process the synchronization. */

         success = false;

         if (ber_scanf(ber, "}") != LBER_ERROR) {

-            tokens = otp_token_find(plugin_id, user_dn, token_dn, true, NULL);

+            tokens = otp_token_find(cfg, user_dn, token_dn, true, NULL);

             if (tokens != NULL) {

                 success = otp_token_sync_berval(tokens, OTP_SYNC_MAX_STEPS, first, second);

                 otp_token_free_array(tokens);

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h

index 34235901b7b2e49cc6e79423a92e0e4930c0b8cb..98a97c4c9f6d2e6bf74f97fc93053b3aebbc7821 100644

--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h

+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.h

@@ -41,7 +41,7 @@

 #ifndef SYNCREQ_H_

 #define SYNCREQ_H_

-#include <dirsrv/slapi-plugin.h>

+#include "../libotp/otp_config.h"

 #include <stdbool.h>

 /*

@@ -57,7 +57,7 @@

 bool sync_request_present(Slapi_PBlock *pb);

-bool sync_request_handle(Slapi_ComponentId *plugin_id, Slapi_PBlock *pb,

+bool sync_request_handle(const struct otp_config *cfg, Slapi_PBlock *pb,

                          const char *user_dn);

 #endif /* SYNCREQ_H_ */

diff --git a/daemons/ipa-slapi-plugins/libotp/Makefile.am b/daemons/ipa-slapi-plugins/libotp/Makefile.am

index 012c8339199af5f63e6434b94109af2d93a38b45..4428f6bdc38a4e4ec224d1fa70744d8381f7e0b1 100644

--- a/daemons/ipa-slapi-plugins/libotp/Makefile.am

+++ b/daemons/ipa-slapi-plugins/libotp/Makefile.am

@@ -3,7 +3,7 @@ AM_CPPFLAGS = -I/usr/include/dirsrv

 noinst_LTLIBRARIES = libhotp.la libotp.la

 libhotp_la_SOURCES = hotp.c hotp.h

-libotp_la_SOURCES = otp_token.c otp_token.h

+libotp_la_SOURCES = otp_config.c otp_config.h otp_token.c otp_token.h

 libotp_la_LIBADD = libhotp.la

 check_PROGRAMS = t_hotp

diff --git a/daemons/ipa-slapi-plugins/libotp/otp_config.c b/daemons/ipa-slapi-plugins/libotp/otp_config.c

new file mode 100644

index 0000000000000000000000000000000000000000..1b7c1e658f126e3d1e8eabd129bb69dc5c4ce970

--- /dev/null

+++ b/daemons/ipa-slapi-plugins/libotp/otp_config.c

@@ -0,0 +1,274 @@

+/** BEGIN COPYRIGHT BLOCK

+ * This program is free software; you can redistribute it and/or modify

+ * it under the terms of the GNU General Public License as published by

+ * the Free Software Foundation, either version 3 of the License, or

+ * (at your option) any later version.

+ *

+ * This program is distributed in the hope that it will be useful,

+ * but WITHOUT ANY WARRANTY; without even the implied warranty of

+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ * GNU General Public License for more details.

+ *

+ * You should have received a copy of the GNU General Public License

+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.

+ *

+ * Additional permission under GPLv3 section 7:

+ *

+ * In the following paragraph, "GPL" means the GNU General Public

+ * License, version 3 or any later version, and "Non-GPL Code" means

+ * code that is governed neither by the GPL nor a license

+ * compatible with the GPL.

+ *

+ * You may link the code of this Program with Non-GPL Code and convey

+ * linked combinations including the two, provided that such Non-GPL

+ * Code only links to the code of this Program through those well

+ * defined interfaces identified in the file named EXCEPTION found in

+ * the source code files (the "Approved Interfaces"). The files of

+ * Non-GPL Code may instantiate templates or use macros or inline

+ * functions from the Approved Interfaces without causing the resulting

+ * work to be covered by the GPL. Only the copyright holders of this

+ * Program may make changes or additions to the list of Approved

+ * Interfaces.

+ *

+ * Authors:

+ * Nathaniel McCallum <npmccallum@redhat.com>

+ *

+ * Copyright (C) 2014 Red Hat, Inc.

+ * All rights reserved.

+ * END COPYRIGHT BLOCK **/

+

+#include "otp_config.h"

+

+#include <pratom.h>

+#include <plstr.h>

+

+#define OTP_CONFIG_AUTH_TYPE_DISABLED (1 << 31)

+

+struct spec {

+    uint32_t (*func)(Slapi_Entry *, const char *attr);

+    const char *prefix;

+    const char *attr;

+    uint32_t dflt;

+};