From 5854fc41c6620567f0356e382baec4eda1e645b2 Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Wed, 5 Apr 2017 11:05:28 -0400 Subject: [PATCH] Issue 49210 - Fix regression when checking is password min age should be checked Bug Description: If a plugin makes an internal modification of userpassword the connection structure in the pblock is null, and it was being dereferenced. Fix Description: These internal operations do not need to have the password policy checks done. They are intended to be unrestricted. So we only need to check password policy on client connections. The fix frist hecks if the connection structy is present, only then it continues. Revised test script to include the tool: ldappasswd https://pagure.io/389-ds-base/issue/49210 Reviewed by: firstyear(Thanks!) --- dirsrvtests/tests/tickets/ticket49039_test.py | 62 +++++++++++++++++++++++++++ ldap/servers/slapd/modify.c | 2 +- 2 files changed, 63 insertions(+), 1 deletion(-) diff --git a/dirsrvtests/tests/tickets/ticket49039_test.py b/dirsrvtests/tests/tickets/ticket49039_test.py index e6d4c03..f0b224c 100644 --- a/dirsrvtests/tests/tickets/ticket49039_test.py +++ b/dirsrvtests/tests/tickets/ticket49039_test.py @@ -2,6 +2,7 @@ import time import ldap import logging import pytest +import os from lib389 import Entry from lib389._constants import * from lib389.properties import * @@ -9,6 +10,7 @@ from lib389.tasks import * from lib389.utils import * from lib389.topologies import topology_st as topo + DEBUGGING = os.getenv("DEBUGGING", default=False) if DEBUGGING: logging.getLogger(__name__).setLevel(logging.DEBUG) @@ -19,11 +21,39 @@ log = logging.getLogger(__name__) USER_DN = 'uid=user,dc=example,dc=com' +def ssl_init(topo): + """ Setup TLS + """ + topo.standalone.stop() + # Prepare SSL but don't enable it. + for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'): + try: + os.remove("%s/%s" % (topo.standalone.confdir, f)) + except: + pass + assert(topo.standalone.nss_ssl.reinit() is True) + assert(topo.standalone.nss_ssl.create_rsa_ca() is True) + assert(topo.standalone.nss_ssl.create_rsa_key_and_cert() is True) + # Start again + topo.standalone.start() + topo.standalone.rsa.create() + topo.standalone.config.set('nsslapd-ssl-check-hostname', 'off') + topo.standalone.config.set('nsslapd-secureport', '%s' % + SECUREPORT_STANDALONE1) + topo.standalone.config.set('nsslapd-security', 'on') + topo.standalone.restart() + + log.info("SSL setup complete\n") + + def test_ticket49039(topo): """Test "password must change" verses "password min age". Min age should not block password update if the password was reset. """ + # Setup SSL (for ldappasswd test) + ssl_init(topo) + # Configure password policy try: topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on'), @@ -68,6 +98,38 @@ def test_ticket49039(topo): log.fatal('Failed to change password: error ' + e.message['desc']) assert False + ################################### + # Make sure ldappasswd also works + ################################### + + # Reset password as RootDN + try: + topo.standalone.simple_bind_s(DN_DM, PASSWORD) + except ldap.LDAPError as e: + log.fatal('Failed to bind as rootdn: error ' + e.message['desc']) + assert False + + try: + topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)]) + except ldap.LDAPError as e: + log.fatal('Failed to bind: error ' + e.message['desc']) + assert False + + time.sleep(1) + + # Run ldappasswd as the User. + cmd = ('LDAPTLS_REQCERT=never LDAPTLS_CACERTDIR=' + topo.standalone.get_cert_dir() + + ' ldappasswd' + ' -h ' + topo.standalone.host + ' -Z -p 38901 -D ' + USER_DN + + ' -w password -a password -s password2 ' + USER_DN) + os.system(cmd) + time.sleep(1) + + try: + topo.standalone.simple_bind_s(USER_DN, "password2") + except ldap.LDAPError as e: + log.fatal('Failed to bind: error ' + e.message['desc']) + assert False + log.info('Test Passed') diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c index 32defae..e23fe67 100644 --- a/ldap/servers/slapd/modify.c +++ b/ldap/servers/slapd/modify.c @@ -1326,7 +1326,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old /* check if password is within password minimum age; error result is sent directly from check_pw_minage */ - if (!pb->pb_conn->c_needpw && + if (pb->pb_conn && !pb->pb_conn->c_needpw && check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1) { if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) -- 2.9.3