andykimpe / rpms / 389-ds-base

Forked from rpms/389-ds-base 5 months ago
Clone

Blame 0326-Ticket-48183-bind-on-db-chained-to-AD-returns-err-32.patch

dc8c34
From d13b461fd160535b1a074651158c7dc95e2ae1ab Mon Sep 17 00:00:00 2001
dc8c34
From: Noriko Hosoi <nhosoi@redhat.com>
dc8c34
Date: Sat, 9 May 2015 18:55:39 -0700
dc8c34
Subject: [PATCH 326/327] Ticket #48183 - bind on db chained to AD returns
dc8c34
 err=32
dc8c34
dc8c34
Description by rmeggins@redhat.com: bind is doing a search for the entry
dc8c34
post bind, which fails because we don't enable password policy chaining
dc8c34
by default. I think in this case, we should not look up password policy,
dc8c34
because if the remote is AD or some other non-389 server, we can't use
dc8c34
the password policy information. We should instead rely on the remote
dc8c34
server to evaluate the password policy.
dc8c34
dc8c34
The commit 4fc53e1a63222d0ff67c30a59f2cff4b535f90a8 introduced the bug.
dc8c34
Ticket #47748 - Simultaneous adding a user and binding as the user could
dc8c34
                fail in the password policy check
dc8c34
dc8c34
https://fedorahosted.org/389/ticket/48183
dc8c34
dc8c34
Revewed by nhosoi@redhat.com.
dc8c34
dc8c34
(cherry picked from commit eb46e6f1975b19956bb38d5e070e6eb5159200b4)
dc8c34
(cherry picked from commit 03bee0a0d4dbe313bca88cfafc605f6cb01b9fdc)
dc8c34
(cherry picked from commit 46242d88b62716d99641eceac26476a9c842c149)
dc8c34
(cherry picked from commit 164cb2460538d63ee2b2cde3e28323e51dc9741c)
dc8c34
---
dc8c34
 ldap/servers/slapd/bind.c | 3 ++-
dc8c34
 1 file changed, 2 insertions(+), 1 deletion(-)
dc8c34
dc8c34
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
dc8c34
index edb36c4..11ec22e 100644
dc8c34
--- a/ldap/servers/slapd/bind.c
dc8c34
+++ b/ldap/servers/slapd/bind.c
dc8c34
@@ -777,7 +777,8 @@ do_bind( Slapi_PBlock *pb )
dc8c34
                          * was in be_bind.  Since be_bind returned SLAPI_BIND_SUCCESS,
dc8c34
                          * the entry is in the DS.  So, we need to retrieve it once more.
dc8c34
                          */
dc8c34
-                        if (!bind_target_entry) {
dc8c34
+                        if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA) && 
dc8c34
+                            !bind_target_entry) {
dc8c34
                             bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
dc8c34
                             if (bind_target_entry) {
dc8c34
                                 myrc = slapi_check_account_lock(pb, bind_target_entry,
dc8c34
-- 
dc8c34
1.9.3
dc8c34