Blame SOURCES/0023-Issue-49210-Fix-regression-when-checking-is-password.patch

From 5854fc41c6620567f0356e382baec4eda1e645b2 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 5 Apr 2017 11:05:28 -0400
Subject: [PATCH] Issue 49210 - Fix regression when checking is password min 
 age should be checked
Bug Description:  If a plugin makes an internal modification of userpassword
                  the connection structure in the pblock is null, and it was
                  being dereferenced.
Fix Description:  These internal operations do not need to have the password
                  policy checks done.  They are intended to be unrestricted.
                  So we only need to check password policy on client connections.
                  The fix first checks if the connection structure is present,
                  only then it continues.
                  Revised test script to include the tool: ldappasswd
https://pagure.io/389-ds-base/issue/49210
Reviewed by: firstyear(Thanks!)
---
 dirsrvtests/tests/tickets/ticket49039_test.py | 62 +++++++++++++++++++++++++++
 ldap/servers/slapd/modify.c                   |  2 +-
 2 files changed, 63 insertions(+), 1 deletion(-)
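diff --git a/dirsrvtests/tests/tickets/ticket49039_test.py b/dirsrvtests/tests/tickets/ticket49039_test.py
index e6d4c03..f0b224c 100644
--- a/dirsrvtests/tests/tickets/ticket49039_test.py
+++ b/dirsrvtests/tests/tickets/ticket49039_test.py
@@ -2,6 +2,7 @@ import time
 import ldap
 import logging
 import pytest
+import os
 from lib389 import Entry
 from lib389._constants import *
 from lib389.properties import *
@@ -9,6 +10,7 @@ from lib389.tasks import *
 from lib389.utils import *
 from lib389.topologies import topology_st as topo
 
+
 DEBUGGING = os.getenv("DEBUGGING", default=False)
 if DEBUGGING:
     logging.getLogger(__name__).setLevel(logging.DEBUG)
@@ -19,11 +21,39 @@ log = logging.getLogger(__name__)
 USER_DN = 'uid=user,dc=example,dc=com'
 
 
+def ssl_init(topo):
+    """ Setup TLS
+    """
+    topo.standalone.stop()
+    # Prepare SSL but don't enable it.
+    for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'):
+        try:
+            os.remove("%s/%s" % (topo.standalone.confdir, f))
+        except:
+            pass
+    assert(topo.standalone.nss_ssl.reinit() is True)
+    assert(topo.standalone.nss_ssl.create_rsa_ca() is True)
+    assert(topo.standalone.nss_ssl.create_rsa_key_and_cert() is True)
+    # Start again
+    topo.standalone.start()
+    topo.standalone.rsa.create()
+    topo.standalone.config.set('nsslapd-ssl-check-hostname', 'off')
+    topo.standalone.config.set('nsslapd-secureport', '%s' %
+                               SECUREPORT_STANDALONE1)
+    topo.standalone.config.set('nsslapd-security', 'on')
+    topo.standalone.restart()
+
+    log.info("SSL setup complete\n")
+
+
 def test_ticket49039(topo):
     """Test "password must change" verses "password min age".  Min age should not
     block password update if the password was reset.
     """
 
+    # Setup SSL (for ldappasswd test)
+    ssl_init(topo)
+
     # Configure password policy
     try:
         topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on'),
@@ -68,6 +98,38 @@ def test_ticket49039(topo):
         log.fatal('Failed to change password: error ' + e.message['desc'])
         assert False
 
+    ###################################
+    # Make sure ldappasswd also works
+    ###################################
+
+    # Reset password as RootDN
+    try:
+        topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+    except ldap.LDAPError as e:
+        log.fatal('Failed to bind as rootdn: error ' + e.message['desc'])
+        assert False
+
+    try:
+        topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)])
+    except ldap.LDAPError as e:
+        log.fatal('Failed to bind: error ' + e.message['desc'])
+        assert False
+
+    time.sleep(1)
+
+    # Run ldappasswd as the User.
+    cmd = ('LDAPTLS_REQCERT=never LDAPTLS_CACERTDIR=' + topo.standalone.get_cert_dir() +
+           ' ldappasswd' + ' -h ' + topo.standalone.host + ' -Z -p 38901 -D ' + USER_DN +
+           ' -w password -a password -s password2 ' + USER_DN)
+    os.system(cmd)
+    time.sleep(1)
+
+    try:
+        topo.standalone.simple_bind_s(USER_DN, "password2")
+    except ldap.LDAPError as e:
+        log.fatal('Failed to bind: error ' + e.message['desc'])
+        assert False
+
     log.info('Test Passed')
 
 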
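Review bot: The ldappasswd step in the last hunk runs through `os.system(cmd)` with the exit status discarded and the port written as the literal `38901`, so a failed or misdirected ldappasswd only shows up indirectly in the later bind. `-Z` also lets the client carry on when StartTLS cannot be negotiated, so the password change can fall back to cleartext and the test never proves that the TLS setup from `ssl_init` was used; `-ZZ` makes StartTLS mandatory. I would pass an argument list with the TLS variables in `env`, check the exit status, and take the port from the topology object (presumably `topo.standalone.port`, to be confirmed against lib389). This needs `import subprocess` unless one of the star imports already provides it, and the body of test_ticket49039 between the hunks is not visible here.

```python
    # Run ldappasswd as the User.
    env = dict(os.environ,
               LDAPTLS_REQCERT='never',
               LDAPTLS_CACERTDIR=topo.standalone.get_cert_dir())
    subprocess.check_call(['ldappasswd', '-h', topo.standalone.host, '-ZZ',
                           '-p', str(topo.standalone.port), '-D', USER_DN,
                           '-w', 'password', '-a', 'password',
                           '-s', 'password2', USER_DN], env=env)
    time.sleep(1)
    # … unchanged: bind as USER_DN with "password2" …
```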
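diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 32defae..e23fe67 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -1326,7 +1326,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
 	       
 	/* check if password is within password minimum age;
 	   error result is sent directly from check_pw_minage */	
-	if (!pb->pb_conn->c_needpw &&
+	if (pb->pb_conn && !pb->pb_conn->c_needpw &&
 	    check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1)
 	{
 		if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS))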
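Review bot: The new `pb->pb_conn &&` guard makes every operation without a connection skip the minimum-age check, and nothing in the code says this is intentional; the comment above the condition still reads as if the check always runs. Only the commit message explains that internal (plugin) modifications are meant to be unrestricted, so I would record it at the condition: `/* internal operations have no connection (pb_conn == NULL) and are deliberately exempt from the min-age check */`. Because this is a password-policy exemption keyed on a NULL pointer rather than on an explicit internal-operation flag, it is worth confirming that no client-originated request can reach op_shared_allow_pw_change with pb_conn unset. The function starts and ends outside the hunk, so any other pb_conn dereferences in it cannot be checked from here.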
-- 
2.9.3