From 5854fc41c6620567f0356e382baec4eda1e645b2 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 5 Apr 2017 11:05:28 -0400
Subject: [PATCH] Issue 49210 - Fix regression when checking is password min
age should be checked
Bug Description: If a plugin makes an internal modification of userpassword
the connection structure in the pblock is null, and it was
being dereferenced.
Fix Description: These internal operations do not need to have the password
policy checks done. They are intended to be unrestricted.
So we only need to check password policy on client connections.
The fix first checks if the connection struct is present,
only then it continues.
Revised test script to include the tool: ldappasswd
https://pagure.io/389-ds-base/issue/49210
Reviewed by: firstyear(Thanks!)
---
dirsrvtests/tests/tickets/ticket49039_test.py | 62 +++++++++++++++++++++++++++
ldap/servers/slapd/modify.c | 2 +-
2 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/dirsrvtests/tests/tickets/ticket49039_test.py b/dirsrvtests/tests/tickets/ticket49039_test.py
index e6d4c03..f0b224c 100644
--- a/dirsrvtests/tests/tickets/ticket49039_test.py
+++ b/dirsrvtests/tests/tickets/ticket49039_test.py
@@ -2,6 +2,7 @@ import time
import ldap
import logging
import pytest
+import os
from lib389 import Entry
from lib389._constants import *
from lib389.properties import *
@@ -9,6 +10,7 @@ from lib389.tasks import *
from lib389.utils import *
from lib389.topologies import topology_st as topo
+
DEBUGGING = os.getenv("DEBUGGING", default=False)
if DEBUGGING:
logging.getLogger(__name__).setLevel(logging.DEBUG)
@@ -19,11 +21,39 @@ log = logging.getLogger(__name__)
USER_DN = 'uid=user,dc=example,dc=com'
+def ssl_init(topo):
+ """ Setup TLS
+ """
+ topo.standalone.stop()
+ # Prepare SSL but don't enable it.
+ for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'):
+ try:
+ os.remove("%s/%s" % (topo.standalone.confdir, f))
+ except:
+ pass
+ assert(topo.standalone.nss_ssl.reinit() is True)
+ assert(topo.standalone.nss_ssl.create_rsa_ca() is True)
+ assert(topo.standalone.nss_ssl.create_rsa_key_and_cert() is True)
+ # Start again
+ topo.standalone.start()
+ topo.standalone.rsa.create()
+ topo.standalone.config.set('nsslapd-ssl-check-hostname', 'off')
+ topo.standalone.config.set('nsslapd-secureport', '%s' %
+ SECUREPORT_STANDALONE1)
+ topo.standalone.config.set('nsslapd-security', 'on')
+ topo.standalone.restart()
+
+ log.info("SSL setup complete\n")
+
+
def test_ticket49039(topo):
"""Test "password must change" verses "password min age". Min age should not
block password update if the password was reset.
"""
+ # Setup SSL (for ldappasswd test)
+ ssl_init(topo)
+
# Configure password policy
try:
topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on'),
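Review bot: The cleanup loop in ssl_init wraps `os.remove` in a bare `except: pass`, which hides not only a missing database file but also a permission problem on confdir or a typo in the attribute chain, so a later `reinit()` failure becomes hard to diagnose; narrowing it to `except OSError: pass` keeps the best-effort intent while letting everything else surface. The `assert(...)` calls wrap their expression in redundant parentheses; `assert topo.standalone.nss_ssl.reinit() is True` is the usual form. test_ticket49039 continues past the end of this hunk.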
@@ -68,6 +98,38 @@ def test_ticket49039(topo):
log.fatal('Failed to change password: error ' + e.message['desc'])
assert False
+ ###################################
+ # Make sure ldappasswd also works
+ ###################################
+
+ # Reset password as RootDN
+ try:
+ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind as rootdn: error ' + e.message['desc'])
+ assert False
+
+ try:
+ topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)])
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind: error ' + e.message['desc'])
+ assert False
+
+ time.sleep(1)
+
+ # Run ldappasswd as the User.
+ cmd = ('LDAPTLS_REQCERT=never LDAPTLS_CACERTDIR=' + topo.standalone.get_cert_dir() +
+ ' ldappasswd' + ' -h ' + topo.standalone.host + ' -Z -p 38901 -D ' + USER_DN +
+ ' -w password -a password -s password2 ' + USER_DN)
+ os.system(cmd)
+ time.sleep(1)
+
+ try:
+ topo.standalone.simple_bind_s(USER_DN, "password2")
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind: error ' + e.message['desc'])
+ assert False
+
log.info('Test Passed')
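Review bot: The status returned by `os.system(cmd)` is discarded, so a failing ldappasswd run (tool not installed, StartTLS refused) is only noticed when the following bind as the user fails, and the log then points at the bind rather than the tool; capture and check it, `rc = os.system(cmd)` then `assert rc == 0, 'ldappasswd failed with status %d' % rc`. The port is hard-coded as `-p 38901` while ssl_init takes its secure port from the SECUREPORT_STANDALONE1 constant; `topo.standalone.port` would keep the two in step with the topology. The rootdn password-reset step logs `'Failed to bind: error '` although the failing call is modify_s; `'Failed to reset password: error '` matches the other messages in the file. Since the command string interpolates the host and cert dir, a `subprocess.run` argument list would avoid shell parsing of those values, though both come from the test topology here.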
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 32defae..e23fe67 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -1326,7 +1326,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
/* check if password is within password minimum age;
error result is sent directly from check_pw_minage */
- if (!pb->pb_conn->c_needpw &&
+ if (pb->pb_conn && !pb->pb_conn->c_needpw &&
check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1)
{
if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS))
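Review bot: The comment above the new guard still describes only the min-age check, so a reader has to go to the commit message to learn why a NULL `pb_conn` skips it; extend it to `/* check if password is within password minimum age; error result is sent directly from check_pw_minage. Internal operations (no connection in the pblock, e.g. a plugin modifying userpassword) are exempt from this policy check. */`. If `pb->pb_conn` is dereferenced elsewhere in op_shared_allow_pw_change on the same internal-operation path, those sites presumably need the same guard; the function starts and ends outside this hunk, so that cannot be confirmed here. The exemption applies to every connection-less modify of userpassword, so any plugin performing such a change bypasses min-age entirely, which the commit message states is the intended behaviour.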
--
2.9.3