Blame SOURCES/0045-Ticket-48972-remove-old-pwp-code-that-adds-removes-A.patch

7c7f29
From 1c4faa3c235c42abde1d7fe93cb43429772b65a6 Mon Sep 17 00:00:00 2001
7c7f29
From: Mark Reynolds <mreynolds@redhat.com>
7c7f29
Date: Fri, 26 Aug 2016 18:51:42 -0400
7c7f29
Subject: [PATCH 45/45] Ticket 48972 - remove old pwp code that adds/removes
7c7f29
 ACIs
7c7f29
7c7f29
Bug Description:  Old legacy code is still present in the DS that used
7c7f29
                  to enforce the password policy "user may change password"
7c7f29
                  using ACIs.  This old code would re-add the ACI for
7c7f29
                  selfwrite on userpassword at server startup.
7c7f29
7c7f29
Fix Description:  The current password policy does not depend on these access
7c7f29
                  access control rules to enforce if a user can change their
7c7f29
                  password or not.
7c7f29
7c7f29
https://fedorahosted.org/389/ticket/48972
7c7f29
7c7f29
Reviewed by: nhosoi(Thanks!)
7c7f29
7c7f29
(cherry picked from commit 32881be120f14b952de67a0d533ad94ba0956093)
7c7f29
---
7c7f29
 ldap/servers/slapd/add.c        | 15 --------
7c7f29
 ldap/servers/slapd/libglobs.c   | 14 -------
7c7f29
 ldap/servers/slapd/proto-slap.h |  3 --
7c7f29
 ldap/servers/slapd/pw.c         | 81 -----------------------------------------
7c7f29
 ldap/servers/slapd/pw_mgmt.c    |  9 +----
7c7f29
 5 files changed, 1 insertion(+), 121 deletions(-)
7c7f29
7c7f29
diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
7c7f29
index 629017e..708d3e7 100644
7c7f29
--- a/ldap/servers/slapd/add.c
7c7f29
+++ b/ldap/servers/slapd/add.c
7c7f29
@@ -643,21 +643,6 @@ static void op_shared_add (Slapi_PBlock *pb)
7c7f29
     }
7c7f29
 
7c7f29
 	slapi_pblock_set(pb, SLAPI_BACKEND, be);
7c7f29
-	/* we set local password policy ACI for non-replicated operations only */
7c7f29
-	if (!repl_op &&
7c7f29
-		!operation_is_flag_set(operation, OP_FLAG_REPL_FIXUP) &&
7c7f29
-		!operation_is_flag_set(operation, OP_FLAG_LEGACY_REPLICATION_DN) &&
7c7f29
-		!slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA) &&
7c7f29
-		!slapi_be_private(be) &&
7c7f29
-		slapi_be_issuffix (be, slapi_entry_get_sdn_const(e)))
7c7f29
-	{
7c7f29
-		/* this is a suffix. update the pw aci */
7c7f29
-		slapdFrontendConfig_t *slapdFrontendConfig;
7c7f29
-		slapdFrontendConfig = getFrontendConfig();
7c7f29
-		pw_add_allowchange_aci(e, !slapdFrontendConfig->pw_policy.pw_change &&
7c7f29
-							   !slapdFrontendConfig->pw_policy.pw_must_change);
7c7f29
-	}
7c7f29
-
7c7f29
 
7c7f29
 	if (!repl_op)
7c7f29
 	{
7c7f29
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
7c7f29
index a630c6c..faf521b 100644
7c7f29
--- a/ldap/servers/slapd/libglobs.c
7c7f29
+++ b/ldap/servers/slapd/libglobs.c
7c7f29
@@ -2601,13 +2601,6 @@ config_set_pw_change( const char *attrname, char *value, char *errorbuf, int app
7c7f29
 							  errorbuf,
7c7f29
 							  apply);
7c7f29
   
7c7f29
-  if (retVal == LDAP_SUCCESS) {
7c7f29
-	  /* LP: Update ACI to reflect the value ! */
7c7f29
-	  if (apply)
7c7f29
-		  pw_mod_allowchange_aci(!slapdFrontendConfig->pw_policy.pw_change &&
7c7f29
-								 !slapdFrontendConfig->pw_policy.pw_must_change);
7c7f29
-  }
7c7f29
-  
7c7f29
   return retVal;
7c7f29
 }
7c7f29
 
7c7f29
@@ -2638,13 +2631,6 @@ config_set_pw_must_change( const char *attrname, char *value, char *errorbuf, in
7c7f29
 							  errorbuf,
7c7f29
 							  apply);
7c7f29
   
7c7f29
-  if (retVal == LDAP_SUCCESS) {
7c7f29
-	  /* LP: Update ACI to reflect the value ! */
7c7f29
-	  if (apply)
7c7f29
-		  pw_mod_allowchange_aci(!slapdFrontendConfig->pw_policy.pw_change &&
7c7f29
-								 !slapdFrontendConfig->pw_policy.pw_must_change);
7c7f29
-  }
7c7f29
-  
7c7f29
   return retVal;
7c7f29
 }
7c7f29
 
7c7f29
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
7c7f29
index 1f37010..712642f 100644
7c7f29
--- a/ldap/servers/slapd/proto-slap.h
7c7f29
+++ b/ldap/servers/slapd/proto-slap.h
7c7f29
@@ -951,9 +951,6 @@ void get_old_pw( Slapi_PBlock *pb, const Slapi_DN *sdn, char **old_pw);
7c7f29
 int check_account_lock( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req, int account_inactivation_only /*no wire/no pw policy*/);
7c7f29
 int check_pw_minage( Slapi_PBlock *pb, const Slapi_DN *sdn, struct berval **vals) ;
7c7f29
 void add_password_attrs( Slapi_PBlock *pb, Operation *op, Slapi_Entry *e );
7c7f29
-void mod_allowchange_aci(char *val);
7c7f29
-void pw_mod_allowchange_aci(int pw_prohibit_change);
7c7f29
-void pw_add_allowchange_aci(Slapi_Entry *e, int pw_prohibit_change);
7c7f29
 
7c7f29
 int add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e);
7c7f29
 
7c7f29
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
7c7f29
index 7469b9e..3f2cdb0 100644
7c7f29
--- a/ldap/servers/slapd/pw.c
7c7f29
+++ b/ldap/servers/slapd/pw.c
7c7f29
@@ -1337,69 +1337,6 @@ slapi_add_pwd_control ( Slapi_PBlock *pb, char *arg, long time) {
7c7f29
 }
7c7f29
 
7c7f29
 void
7c7f29
-pw_mod_allowchange_aci(int pw_prohibit_change)
7c7f29
-{
7c7f29
-	const Slapi_DN *base;
7c7f29
-	char		*values_mod[2];
7c7f29
-	LDAPMod		mod;
7c7f29
-	LDAPMod		*mods[2];
7c7f29
-	Slapi_Backend *be;
7c7f29
-	char *cookie = NULL;
7c7f29
-
7c7f29
-	mods[0] = &mod;
7c7f29
-	mods[1] = NULL;
7c7f29
-	mod.mod_type = "aci";
7c7f29
-	mod.mod_values = values_mod;
7c7f29
-
7c7f29
-	if (pw_prohibit_change) {
7c7f29
-		mod.mod_op = LDAP_MOD_ADD;
7c7f29
-	}
7c7f29
-	else
7c7f29
-	{
7c7f29
-		/* Allow change password by default  */
7c7f29
-		/* remove the aci if it is there.  it is ok to fail */
7c7f29
-		mod.mod_op = LDAP_MOD_DELETE;
7c7f29
-	}
7c7f29
-
7c7f29
-	be = slapi_get_first_backend (&cookie);
7c7f29
-	/* Foreach backend... */
7c7f29
-    while (be)
7c7f29
-    {
7c7f29
-		/* Don't add aci on a chaining backend holding remote entries */
7c7f29
-        if((!be->be_private) && (!slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA)))
7c7f29
-        {
7c7f29
-			/* There's only One suffix per DB now. No need to loop */
7c7f29
-			base = slapi_be_getsuffix(be, 0);
7c7f29
-			if (base != NULL)
7c7f29
-			{
7c7f29
-				Slapi_PBlock pb;
7c7f29
-				int rc;
7c7f29
-				
7c7f29
-				pblock_init (&pb;;
7c7f29
-				values_mod[0] = DENY_PW_CHANGE_ACI;
7c7f29
-				values_mod[1] = NULL;
7c7f29
-				slapi_modify_internal_set_pb_ext(&pb, base, mods, NULL, NULL,
7c7f29
-				                                 pw_get_componentID(), 0);
7c7f29
-				slapi_modify_internal_pb(&pb;;
7c7f29
-				slapi_pblock_get(&pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
7c7f29
-				if (rc == LDAP_SUCCESS){
7c7f29
-					/* 
7c7f29
-					** Since we modified the acl 
7c7f29
-					** successfully, let's update the 
7c7f29
-					** in-memory acl list
7c7f29
-					*/
7c7f29
-					slapi_pblock_set(&pb, SLAPI_TARGET_SDN, (void *)base);
7c7f29
-					plugin_call_acl_mods_update (&pb, LDAP_REQ_MODIFY );
7c7f29
-				}
7c7f29
-				pblock_done(&pb;;
7c7f29
-			}
7c7f29
-        }
7c7f29
-		be = slapi_get_next_backend (cookie);
7c7f29
-    }
7c7f29
-	slapi_ch_free((void **) &cookie);
7c7f29
-}
7c7f29
-
7c7f29
-void
7c7f29
 add_password_attrs( Slapi_PBlock *pb, Operation *op, Slapi_Entry *e )
7c7f29
 {
7c7f29
 	struct berval   bv;
7c7f29
@@ -1583,24 +1520,6 @@ check_trivial_words (Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char
7c7f29
 	return ( 0 );
7c7f29
 }
7c7f29
 
7c7f29
-
7c7f29
-void
7c7f29
-pw_add_allowchange_aci(Slapi_Entry *e, int pw_prohibit_change) {
7c7f29
-	char		*aci_pw = NULL;
7c7f29
-	const char *aciattr = "aci";
7c7f29
-
7c7f29
-	aci_pw = slapi_ch_strdup(DENY_PW_CHANGE_ACI);
7c7f29
-
7c7f29
-	if (pw_prohibit_change) {
7c7f29
-		/* Add ACI */
7c7f29
-		slapi_entry_add_string(e, aciattr, aci_pw);
7c7f29
-	} else {
7c7f29
-		/* Remove ACI */
7c7f29
-		slapi_entry_delete_string(e, aciattr, aci_pw);
7c7f29
-	}
7c7f29
-	slapi_ch_free((void **) &aci_pw);
7c7f29
-}
7c7f29
-
7c7f29
 int
7c7f29
 pw_is_pwp_admin(Slapi_PBlock *pb, passwdPolicy *pwp){
7c7f29
 	Slapi_DN *bind_sdn = NULL;
7c7f29
diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
7c7f29
index 5470556..7252c08 100644
7c7f29
--- a/ldap/servers/slapd/pw_mgmt.c
7c7f29
+++ b/ldap/servers/slapd/pw_mgmt.c
7c7f29
@@ -256,13 +256,8 @@ skip:
7c7f29
 void
7c7f29
 pw_init ( void )
7c7f29
 {
7c7f29
-	slapdFrontendConfig_t *slapdFrontendConfig;
7c7f29
-
7c7f29
 	pw_set_componentID(generate_componentid(NULL, COMPONENT_PWPOLICY));
7c7f29
-	
7c7f29
-	slapdFrontendConfig = getFrontendConfig();
7c7f29
-	pw_mod_allowchange_aci (!slapdFrontendConfig->pw_policy.pw_change && 
7c7f29
-                            !slapdFrontendConfig->pw_policy.pw_must_change);
7c7f29
+
7c7f29
 #if defined(USE_OLD_UNHASHED)
7c7f29
 	slapi_add_internal_attr_syntax( PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
7c7f29
 	                                PSEUDO_ATTR_UNHASHEDUSERPASSWORD_OID,
7c7f29
@@ -273,5 +268,3 @@ pw_init ( void )
7c7f29
 	                                SLAPI_ATTR_FLAG_NOEXPOSE);
7c7f29
 #endif
7c7f29
 }
7c7f29
-
7c7f29
-
7c7f29
-- 
7c7f29
2.4.11
7c7f29