andykimpe / rpms / 389-ds-base

Forked from rpms/389-ds-base 5 months ago
Clone

Blame SOURCES/0042-Ticket-47970-Account-lockout-attributes-incorrectly-.patch

f92ce9
From 42d118ae0f727026745d7846ffab878585bb529a Mon Sep 17 00:00:00 2001
f92ce9
From: Mark Reynolds <mreynolds@redhat.com>
f92ce9
Date: Tue, 2 Dec 2014 14:10:46 -0500
f92ce9
Subject: [PATCH 42/53] Ticket 47970 - Account lockout attributes incorrectly
f92ce9
 updated after failed SASL Bind
f92ce9
f92ce9
Bug Description:   When a SASL bind fails, the target DN is not set. If password policy
f92ce9
                   account lockout is configured, it attempts to update the password retry
f92ce9
                   count on the dn ("") - which is the Root DSE entry, not a user entry.
f92ce9
f92ce9
                   This also confuses the COS plugin, and it incorrectly triggers a COS
f92ce9
                   cache rebuild after the failed login.
f92ce9
f92ce9
Fix Description:  Do not update the password retry counters if it is a failed SASL bind.
f92ce9
f92ce9
https://fedorahosted.org/389/ticket/47970
f92ce9
f92ce9
Reviewed by: nhosoi(Thanks!)
f92ce9
f92ce9
(cherry picked from commit 17e79688e05908f7fff319bdeb5167cbeaaf922c)
f92ce9
(cherry picked from commit 36f0d05b15a8e984c64631fb7ed070358dd8c68f)
f92ce9
---
f92ce9
 ldap/servers/slapd/result.c | 18 ++++++++++--------
f92ce9
 1 file changed, 10 insertions(+), 8 deletions(-)
f92ce9
f92ce9
diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
f92ce9
index ca2fa43..2198337 100644
f92ce9
--- a/ldap/servers/slapd/result.c
f92ce9
+++ b/ldap/servers/slapd/result.c
f92ce9
@@ -364,16 +364,18 @@ send_ldap_result_ext(
f92ce9
     BerElement          *ber
f92ce9
 )
f92ce9
 {
f92ce9
-	Connection	*conn = pb->pb_conn;
f92ce9
-	int		i, rc, logit = 0;
f92ce9
-	ber_tag_t	tag;
f92ce9
-	int             flush_ber_element = 1;
f92ce9
 	Slapi_Operation *operation;
f92ce9
-	const char *dn = NULL;
f92ce9
+	passwdPolicy *pwpolicy = NULL;
f92ce9
+	Connection *conn = pb->pb_conn;
f92ce9
 	Slapi_DN *sdn = NULL;
f92ce9
+	const char *dn = NULL;
f92ce9
+	ber_tag_t	tag;
f92ce9
+	int flush_ber_element = 1;
f92ce9
+	int bind_method = 0;
f92ce9
 	int internal_op;
f92ce9
-	passwdPolicy *pwpolicy = NULL;
f92ce9
-	
f92ce9
+	int i, rc, logit = 0;
f92ce9
+
f92ce9
+	slapi_pblock_get (pb, SLAPI_BIND_METHOD, &bind_method);
f92ce9
 	slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
f92ce9
 
f92ce9
 	if (operation->o_status == SLAPI_OP_STATUS_RESULT_SENT) {
f92ce9
@@ -451,7 +453,7 @@ send_ldap_result_ext(
f92ce9
 
f92ce9
 	/* invalid password.  Update the password retry here */
f92ce9
 	/* put this here for now.  It could be a send_result pre-op plugin. */
f92ce9
-	if (err == LDAP_INVALID_CREDENTIALS) {
f92ce9
+	if (err == LDAP_INVALID_CREDENTIALS && bind_method != LDAP_AUTH_SASL ) {
f92ce9
 		slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
f92ce9
 		dn = slapi_sdn_get_dn(sdn);
f92ce9
 		pwpolicy = new_passwdPolicy(pb, dn);
f92ce9
-- 
f92ce9
1.9.3
f92ce9