Blame SOURCES/0023-Issue-49210-Fix-regression-when-checking-is-password.patch

From 5854fc41c6620567f0356e382baec4eda1e645b2 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 5 Apr 2017 11:05:28 -0400
Subject: [PATCH] Issue 49210 - Fix regression when checking is password min 
 age should be checked
Bug Description:  If a plugin makes an internal modification of userpassword
                  the connection structure in the pblock is null, and it was
                  being dereferenced.
Fix Description:  These internal operations do not need to have the password
                  policy checks done.  They are intended to be unrestricted.
                  So we only need to check password policy on client connections.
                  The fix first checks if the connection structure is present,
                  only then it continues.
                  Revised test script to include the tool: ldappasswd
https://pagure.io/389-ds-base/issue/49210
Reviewed by: firstyear(Thanks!)
---
 dirsrvtests/tests/tickets/ticket49039_test.py | 62 +++++++++++++++++++++++++++
 ldap/servers/slapd/modify.c                   |  2 +-
 2 files changed, 63 insertions(+), 1 deletion(-)
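diff --git a/dirsrvtests/tests/tickets/ticket49039_test.py b/dirsrvtests/tests/tickets/ticket49039_test.py
index e6d4c03..f0b224c 100644
--- a/dirsrvtests/tests/tickets/ticket49039_test.py
+++ b/dirsrvtests/tests/tickets/ticket49039_test.py
@@ -2,6 +2,7 @@ import time
 import ldap
 import logging
 import pytest
+import os
 from lib389 import Entry
 from lib389._constants import *
 from lib389.properties import *
@@ -9,6 +10,7 @@ from lib389.tasks import *
 from lib389.utils import *
 from lib389.topologies import topology_st as topo
 
+
 DEBUGGING = os.getenv("DEBUGGING", default=False)
 if DEBUGGING:
     logging.getLogger(__name__).setLevel(logging.DEBUG)
@@ -19,11 +21,39 @@ log = logging.getLogger(__name__)
 USER_DN = 'uid=user,dc=example,dc=com'
 
 
+def ssl_init(topo):
+    """ Setup TLS
+    """
+    topo.standalone.stop()
+    # Prepare SSL but don't enable it.
+    for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'):
+        try:
+            os.remove("%s/%s" % (topo.standalone.confdir, f))
+        except:
+            pass
+    assert(topo.standalone.nss_ssl.reinit() is True)
+    assert(topo.standalone.nss_ssl.create_rsa_ca() is True)
+    assert(topo.standalone.nss_ssl.create_rsa_key_and_cert() is True)
+    # Start again
+    topo.standalone.start()
+    topo.standalone.rsa.create()
+    topo.standalone.config.set('nsslapd-ssl-check-hostname', 'off')
+    topo.standalone.config.set('nsslapd-secureport', '%s' %
+                               SECUREPORT_STANDALONE1)
+    topo.standalone.config.set('nsslapd-security', 'on')
+    topo.standalone.restart()
+
+    log.info("SSL setup complete\n")
+
+
 def test_ticket49039(topo):
     """Test "password must change" verses "password min age".  Min age should not
     block password update if the password was reset.
     """
 
+    # Setup SSL (for ldappasswd test)
+    ssl_init(topo)
+
     # Configure password policy
     try:
         topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on'),
@@ -68,6 +98,38 @@ def test_ticket49039(topo):
         log.fatal('Failed to change password: error ' + e.message['desc'])
         assert False
 
+    ###################################
+    # Make sure ldappasswd also works
+    ###################################
+
+    # Reset password as RootDN
+    try:
+        topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+    except ldap.LDAPError as e:
+        log.fatal('Failed to bind as rootdn: error ' + e.message['desc'])
+        assert False
+
+    try:
+        topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)])
+    except ldap.LDAPError as e:
+        log.fatal('Failed to bind: error ' + e.message['desc'])
+        assert False
+
+    time.sleep(1)
+
+    # Run ldappasswd as the User.
+    cmd = ('LDAPTLS_REQCERT=never LDAPTLS_CACERTDIR=' + topo.standalone.get_cert_dir() +
+           ' ldappasswd' + ' -h ' + topo.standalone.host + ' -Z -p 38901 -D ' + USER_DN +
+           ' -w password -a password -s password2 ' + USER_DN)
+    os.system(cmd)
+    time.sleep(1)
+
+    try:
+        topo.standalone.simple_bind_s(USER_DN, "password2")
+    except ldap.LDAPError as e:
+        log.fatal('Failed to bind: error ' + e.message['desc'])
+        assert False
+
     log.info('Test Passed')
 
 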
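Review bot: The ldappasswd step at the end of `test_ticket49039` builds a single shell string for `os.system()` and throws away its exit status, so a failing or missing `ldappasswd` only shows up later as an unexplained bind failure with `password2`. The port is also hard-coded as `-p 38901`, whereas `ssl_init()` takes the secure port from `SECUREPORT_STANDALONE1`; reading it from the instance keeps the command tied to the fixture (the sketch below assumes `topo.standalone.port`, to be confirmed). Passing an argument list with the TLS variables in `env` removes the shell quoting of the DN and certificate directory and lets the test assert on the return code; it needs `subprocess` in scope, which the visible imports do not show. `LDAPTLS_REQCERT=never` switches off server-certificate verification, which is acceptable against the throwaway CA from `ssl_init()` but deserves a one-line comment saying so.

```python
    # Run ldappasswd as the User.
    # Certificate verification is disabled only because the CA is a
    # throwaway one created by ssl_init() for this test.
    env = dict(os.environ,
               LDAPTLS_REQCERT='never',
               LDAPTLS_CACERTDIR=topo.standalone.get_cert_dir())
    cmd = ['ldappasswd', '-h', topo.standalone.host, '-Z',
           '-p', str(topo.standalone.port), '-D', USER_DN,
           '-w', 'password', '-a', 'password', '-s', 'password2', USER_DN]
    assert subprocess.call(cmd, env=env) == 0
    time.sleep(1)
    # … unchanged: bind as USER_DN with "password2" …
```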
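diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 32defae..e23fe67 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -1326,7 +1326,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
 	       
 	/* check if password is within password minimum age;
 	   error result is sent directly from check_pw_minage */	
-	if (!pb->pb_conn->c_needpw &&
+	if (pb->pb_conn && !pb->pb_conn->c_needpw &&
 	    check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1)
 	{
 		if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS))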
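Review bot: The new `pb->pb_conn &&` guard makes any operation with a NULL connection skip `check_pw_minage()` entirely, so the minimum-age exemption for internal operations is implied by a pointer test rather than stated anywhere in the code. The comment above the condition still describes only the min-age check; I would extend it with something like `/* internal operations carry no connection (pb_conn == NULL) and are exempt from password minimum age */`. If an explicit internal-operation test is available at this point (for instance a flag checked through `operation_is_flag_set`, as the next line does for access logging), keying the exemption on that would be less likely to widen by accident; that is a suggestion to verify, not something the hunk shows. `op_shared_allow_pw_change` starts and ends outside the hunk, so other `pb->pb_conn` dereferences in it cannot be checked from here.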
-- 
2.9.3