From 1c4faa3c235c42abde1d7fe93cb43429772b65a6 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 26 Aug 2016 18:51:42 -0400
Subject: [PATCH 45/45] Ticket 48972 - remove old pwp code that adds/removes
ACIs
Bug Description: Old legacy code is still present in the DS that used
to enforce the password policy "user may change password"
using ACIs. This old code would re-add the ACI for
selfwrite on userpassword at server startup.
Fix Description: The current password policy does not depend on these access
control rules to enforce if a user can change their
password or not.
https://fedorahosted.org/389/ticket/48972
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 32881be120f14b952de67a0d533ad94ba0956093)
---
ldap/servers/slapd/add.c | 15 --------
ldap/servers/slapd/libglobs.c | 14 -------
ldap/servers/slapd/proto-slap.h | 3 --
ldap/servers/slapd/pw.c | 81 -----------------------------------------
ldap/servers/slapd/pw_mgmt.c | 9 +----
5 files changed, 1 insertion(+), 121 deletions(-)
diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
index 629017e..708d3e7 100644
--- a/ldap/servers/slapd/add.c
+++ b/ldap/servers/slapd/add.c
@@ -643,21 +643,6 @@ static void op_shared_add (Slapi_PBlock *pb)
}
slapi_pblock_set(pb, SLAPI_BACKEND, be);
- /* we set local password policy ACI for non-replicated operations only */
- if (!repl_op &&
- !operation_is_flag_set(operation, OP_FLAG_REPL_FIXUP) &&
- !operation_is_flag_set(operation, OP_FLAG_LEGACY_REPLICATION_DN) &&
- !slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA) &&
- !slapi_be_private(be) &&
- slapi_be_issuffix (be, slapi_entry_get_sdn_const(e)))
- {
- /* this is a suffix. update the pw aci */
- slapdFrontendConfig_t *slapdFrontendConfig;
- slapdFrontendConfig = getFrontendConfig();
- pw_add_allowchange_aci(e, !slapdFrontendConfig->pw_policy.pw_change &&
- !slapdFrontendConfig->pw_policy.pw_must_change);
- }
-
if (!repl_op)
{
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index a630c6c..faf521b 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -2601,13 +2601,6 @@ config_set_pw_change( const char *attrname, char *value, char *errorbuf, int app
errorbuf,
apply);
- if (retVal == LDAP_SUCCESS) {
- /* LP: Update ACI to reflect the value ! */
- if (apply)
- pw_mod_allowchange_aci(!slapdFrontendConfig->pw_policy.pw_change &&
- !slapdFrontendConfig->pw_policy.pw_must_change);
- }
-
return retVal;
}
@@ -2638,13 +2631,6 @@ config_set_pw_must_change( const char *attrname, char *value, char *errorbuf, in
errorbuf,
apply);
- if (retVal == LDAP_SUCCESS) {
- /* LP: Update ACI to reflect the value ! */
- if (apply)
- pw_mod_allowchange_aci(!slapdFrontendConfig->pw_policy.pw_change &&
- !slapdFrontendConfig->pw_policy.pw_must_change);
- }
-
return retVal;
}
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 1f37010..712642f 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -951,9 +951,6 @@ void get_old_pw( Slapi_PBlock *pb, const Slapi_DN *sdn, char **old_pw);
int check_account_lock( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req, int account_inactivation_only /*no wire/no pw policy*/);
int check_pw_minage( Slapi_PBlock *pb, const Slapi_DN *sdn, struct berval **vals) ;
void add_password_attrs( Slapi_PBlock *pb, Operation *op, Slapi_Entry *e );
-void mod_allowchange_aci(char *val);
-void pw_mod_allowchange_aci(int pw_prohibit_change);
-void pw_add_allowchange_aci(Slapi_Entry *e, int pw_prohibit_change);
int add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e);
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 7469b9e..3f2cdb0 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -1337,69 +1337,6 @@ slapi_add_pwd_control ( Slapi_PBlock *pb, char *arg, long time) {
}
void
-pw_mod_allowchange_aci(int pw_prohibit_change)
-{
- const Slapi_DN *base;
- char *values_mod[2];
- LDAPMod mod;
- LDAPMod *mods[2];
- Slapi_Backend *be;
- char *cookie = NULL;
-
- mods[0] = &mod;
- mods[1] = NULL;
- mod.mod_type = "aci";
- mod.mod_values = values_mod;
-
- if (pw_prohibit_change) {
- mod.mod_op = LDAP_MOD_ADD;
- }
- else
- {
- /* Allow change password by default */
- /* remove the aci if it is there. it is ok to fail */
- mod.mod_op = LDAP_MOD_DELETE;
- }
-
- be = slapi_get_first_backend (&cookie);
- /* Foreach backend... */
- while (be)
- {
- /* Don't add aci on a chaining backend holding remote entries */
- if((!be->be_private) && (!slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA)))
- {
- /* There's only One suffix per DB now. No need to loop */
- base = slapi_be_getsuffix(be, 0);
- if (base != NULL)
- {
- Slapi_PBlock pb;
- int rc;
-
- pblock_init (&pb);
- values_mod[0] = DENY_PW_CHANGE_ACI;
- values_mod[1] = NULL;
- slapi_modify_internal_set_pb_ext(&pb, base, mods, NULL, NULL,
- pw_get_componentID(), 0);
- slapi_modify_internal_pb(&pb);
- slapi_pblock_get(&pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
- if (rc == LDAP_SUCCESS){
- /*
- ** Since we modified the acl
- ** successfully, let's update the
- ** in-memory acl list
- */
- slapi_pblock_set(&pb, SLAPI_TARGET_SDN, (void *)base);
- plugin_call_acl_mods_update (&pb, LDAP_REQ_MODIFY );
- }
- pblock_done(&pb);
- }
- }
- be = slapi_get_next_backend (cookie);
- }
- slapi_ch_free((void **) &cookie);
-}
-
-void
add_password_attrs( Slapi_PBlock *pb, Operation *op, Slapi_Entry *e )
{
struct berval bv;
@@ -1583,24 +1520,6 @@ check_trivial_words (Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char
return ( 0 );
}
-
-void
-pw_add_allowchange_aci(Slapi_Entry *e, int pw_prohibit_change) {
- char *aci_pw = NULL;
- const char *aciattr = "aci";
-
- aci_pw = slapi_ch_strdup(DENY_PW_CHANGE_ACI);
-
- if (pw_prohibit_change) {
- /* Add ACI */
- slapi_entry_add_string(e, aciattr, aci_pw);
- } else {
- /* Remove ACI */
- slapi_entry_delete_string(e, aciattr, aci_pw);
- }
- slapi_ch_free((void **) &aci_pw);
-}
-
int
pw_is_pwp_admin(Slapi_PBlock *pb, passwdPolicy *pwp){
Slapi_DN *bind_sdn = NULL;
diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
index 5470556..7252c08 100644
--- a/ldap/servers/slapd/pw_mgmt.c
+++ b/ldap/servers/slapd/pw_mgmt.c
@@ -256,13 +256,8 @@ skip:
void
pw_init ( void )
{
- slapdFrontendConfig_t *slapdFrontendConfig;
-
pw_set_componentID(generate_componentid(NULL, COMPONENT_PWPOLICY));
-
- slapdFrontendConfig = getFrontendConfig();
- pw_mod_allowchange_aci (!slapdFrontendConfig->pw_policy.pw_change &&
- !slapdFrontendConfig->pw_policy.pw_must_change);
+
#if defined(USE_OLD_UNHASHED)
slapi_add_internal_attr_syntax( PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
PSEUDO_ATTR_UNHASHEDUSERPASSWORD_OID,
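Review bot: A DENY_PW_CHANGE_ACI value already stored in a backend suffix entry is no longer removed at startup once the pw_mod_allowchange_aci call leaves pw_init, since that call's LDAP_MOD_DELETE branch (deleted from pw.c in this same patch) was the path that cleaned it up whenever pw_change is allowed. An upgraded instance that still carries such an ACI would presumably keep a deny rule on userpassword that the policy code now neither sets nor clears, and the ACL engine would still evaluate it; a one-time cleanup step, or at least a comment at this spot, seems warranted, e.g. `/* allowchange ACI is no longer managed by the server; remove any stale DENY_PW_CHANGE_ACI from suffix entries by hand */`. pw_init's body continues past the end of the hunk.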
@@ -273,5 +268,3 @@ pw_init ( void )
SLAPI_ATTR_FLAG_NOEXPOSE);
#endif
}
-
-
--
2.4.11