Hi,

in IPAv3 we introduce a new attribute 'ipaNTHash' to store the NT hash.
Currently the plugin handling the change password extended operation
only sets and updates 'sambaNTPassword'. This patch adds support for the
new attribute without removing the support for the old one.

bye,
Sumit
From 68d66eba4e31a314242322471dbfe698f4493737 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Thu, 24 Nov 2011 18:38:38 +0100
Subject: [PATCH] Make pwd-extop aware of new ipaNTHash attribute

---
 .../ipa-pwd-extop/ipa_pwd_extop.c                  |    4 +-
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h   |    7 ++-
 .../ipa-pwd-extop/ipapwd_common.c                  |   38 +++++++++++++---
 .../ipa-pwd-extop/ipapwd_encoding.c                |   22 ++++++++-
 .../ipa-pwd-extop/ipapwd_prepost.c                 |   47 +++++++++++++------
 5 files changed, 89 insertions(+), 29 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c 
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 
65c5834595f89aee8502347311f247be058c3416..82acc49dd0a48bea9b560b882966e996ae5c4775
 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -156,7 +156,7 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct 
ipapwd_krbcfg *krbcfg)
        Slapi_Value *objectclass=NULL;
        char *attrlist[] = {"*", "passwordHistory", NULL };
        struct ipapwd_data pwdata;
-       int is_krb, is_smb;
+       int is_krb, is_smb, is_ipant;
     char *principal = NULL;
 
        /* Get the ber value of the extended operation */
@@ -365,7 +365,7 @@ parse_req_done:
     }
 
         rc = ipapwd_entry_checks(pb, targetEntry,
-                               &is_root, &is_krb, &is_smb,
+                               &is_root, &is_krb, &is_smb, &is_ipant,
                                SLAPI_USERPWD_ATTR, SLAPI_ACL_WRITE);
         if (rc) {
                goto free_and_return;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h 
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 
787ed500a080674d4a8e1002468006b020eb1578..0edd2dcad580b25d108a762bd78271b3d8244bc5
 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -113,7 +113,7 @@ struct ipapwd_krbcfg {
 };
 
 int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,
-                        int *is_root, int *is_krb, int *is_smb,
+                        int *is_root, int *is_krb, int *is_smb, int *is_ipant,
                         char *attr, int access);
 int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
                       struct ipapwd_krbcfg **config, int check_flags);
@@ -144,8 +144,9 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset);
 
 int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
                       struct ipapwd_data *data, char *userpw,
-                      int is_krb, int is_smb, Slapi_Value ***svals,
-                      char **nthash, char **lmhash, char **errMesg);
+                      int is_krb, int is_smb, int is_ipant,
+                      Slapi_Value ***svals, char **nthash, char **lmhash,
+                      Slapi_Value ***ntvals, char **errMesg);
 
 /* from ipapwd_prepost.c */
 int ipapwd_ext_init(void);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c 
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index 
9e203be2763b13328e2d392c76e8545ba7ab549a..c36189987f785de8e8e97737554b854539b83ea2
 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -498,7 +498,7 @@ done:
 /*==Common-public-functions=============================================*/
 
 int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,
-                        int *is_root, int *is_krb, int *is_smb,
+                        int *is_root, int *is_krb, int *is_smb, int *is_ipant,
                         char *attr, int acc)
 {
     Slapi_Value *sval;
@@ -535,6 +535,15 @@ int ipapwd_entry_checks(Slapi_PBlock *pb, struct 
slapi_entry *e,
     *is_smb = slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS, 
sval);
     slapi_value_free(&sval);
 
+    sval = slapi_value_new_string("ipaNTUserAttrs");
+    if (!sval) {
+        rc = LDAP_OPERATIONS_ERROR;
+        goto done;
+    }
+    *is_ipant = slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS,
+                                                  sval);
+    slapi_value_free(&sval);
+
     rc = LDAP_SUCCESS;
 
 done:
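Review bot: The object-class probe for `"ipaNTUserAttrs"` added here is repeated in ipapwd_SetPassword and the literal appears a third time in the ipapwd_pre_mod objectClass loop, so the three copies can drift apart. A single definition in ipapwd.h, for example `#define IPA_NT_USER_ATTRS_OC "ipaNTUserAttrs"`, would keep them in step. This copy checks `slapi_value_new_string()` for NULL, but the ipapwd_SetPassword copy passes the result straight to `slapi_entry_attr_has_syntax_value()`; the same `if (!sval)` guard there would make the two paths consistent. The function body starts and ends outside this hunk.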
@@ -765,14 +774,17 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
     int ret = 0;
     Slapi_Mods *smods = NULL;
     Slapi_Value **svals = NULL;
+    Slapi_Value **ntvals = NULL;
     Slapi_Value **pwvals = NULL;
     struct tm utctime;
     char timestr[GENERALIZED_TIME_LENGTH+1];
     char *lm = NULL;
     char *nt = NULL;
     int is_smb = 0;
+    int is_ipant = 0;
     int is_host = 0;
     Slapi_Value *sambaSamAccount;
+    Slapi_Value *ipaNTUserAttrs;
     Slapi_Value *ipaHost;
     char *errMesg = NULL;
     char *modtime = NULL;
@@ -782,10 +794,17 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
     sambaSamAccount = slapi_value_new_string("sambaSamAccount");
     if (slapi_entry_attr_has_syntax_value(data->target,
                                           "objectClass", sambaSamAccount)) {
-        is_smb = 1;;
+        is_smb = 1;
     }
     slapi_value_free(&sambaSamAccount);
 
+    ipaNTUserAttrs = slapi_value_new_string("ipaNTUserAttrs");
+    if (slapi_entry_attr_has_syntax_value(data->target,
+                                          "objectClass", ipaNTUserAttrs)) {
+        is_ipant = 1;
+    }
+    slapi_value_free(&ipaNTUserAttrs);
+
     ipaHost = slapi_value_new_string("ipaHost");
     if (slapi_entry_attr_has_syntax_value(data->target,
                                           "objectClass", ipaHost)) {
@@ -795,8 +814,8 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
 
     ret = ipapwd_gen_hashes(krbcfg, data,
                             data->password,
-                            is_krb, is_smb,
-                            &svals, &nt, &lm, &errMesg);
+                            is_krb, is_smb, is_ipant,
+                            &svals, &nt, &lm, &ntvals, &errMesg);
     if (ret) {
         goto free_and_return;
     }
@@ -835,15 +854,21 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
                }
        }
 
-    if (lm) {
+    if (lm && is_smb) {
         slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                               "sambaLMPassword", lm);
     }
 
-    if (nt) {
+    if (nt && is_smb) {
         slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                               "sambaNTPassword", nt);
     }
+
+    if (ntvals && is_ipant) {
+        slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE,
+                                  "ipaNTHash", ntvals);
+    }
+
     if (is_smb) {
         /* with samba integration we need to also set sambaPwdLastSet or
          * samba will decide the user has to change the password again */
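Review bot: The new `ipaNTHash` value written by the `if (ntvals && is_ipant)` block is the raw NT hash, which is password-equivalent credential material, and the diffstat shows this patch touching only the five plugin C files, so no access-control change ships with it. Before this lands it is worth confirming that the ACIs which hide `sambaNTPassword` from ordinary readers also cover `ipaNTHash`, and that the attribute is excluded from any anonymous or self-read rules. A short comment above the block such as `/* ipaNTHash is password-equivalent: must stay unreadable, same as sambaNTPassword */` would record that requirement next to the write. The function continues outside the hunk.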
@@ -899,6 +924,7 @@ free_and_return:
     if (modtime) slapi_ch_free((void **)&modtime);
     slapi_mods_free(&smods);
     ipapwd_free_slapi_value_array(&svals);
+    ipapwd_free_slapi_value_array(&ntvals);
     ipapwd_free_slapi_value_array(&pwvals);
 
     return ret;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c 
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index 
8e59e19c636299c68415f0e5f346dd47cdf5aaae..5720d3e6e0a7e6b1520e51a5ee319bcc47354fc9
 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -395,8 +395,9 @@ done:
 
 int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
                       struct ipapwd_data *data, char *userpw,
-                      int is_krb, int is_smb, Slapi_Value ***svals,
-                      char **nthash, char **lmhash, char **errMesg)
+                      int is_krb, int is_smb, int is_ipant, Slapi_Value 
***svals,
+                      char **nthash, char **lmhash, Slapi_Value ***ntvals,
+                      char **errMesg)
 {
     int rc;
 
@@ -417,7 +418,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
         }
     }
 
-    if (is_smb) {
+    if (is_smb || is_ipant) {
         char lm[33], nt[33];
         struct ntlm_keys ntlm;
         int ret;
@@ -442,6 +443,20 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
             nt[32] = '\0';
             *nthash = slapi_ch_strdup(nt);
         }
+
+        if (is_ipant) {
+            *ntvals = (Slapi_Value **)calloc(2, sizeof(Slapi_Value *));
+            if (!svals) {
+                LOG_OOM();
+                rc = LDAP_OPERATIONS_ERROR;
+                goto done;
+            }
+            (*ntvals)[0] = slapi_value_new();
+            if (slapi_value_set((*ntvals)[0], ntlm.nt, 16) == NULL) {
+                rc = LDAP_OPERATIONS_ERROR;
+                goto done;
+            }
+        }
     }
 
     rc = LDAP_SUCCESS;
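Review bot: The out-of-memory check after the `calloc` for `*ntvals` tests `svals`, the caller-supplied output pointer, instead of the new allocation, so a failed `calloc` falls through to a NULL dereference at `(*ntvals)[0]`; it should read `if (!*ntvals) {`. The result of `slapi_value_new()` is also used unchecked, which could be folded into the next test as `if ((*ntvals)[0] == NULL || slapi_value_set((*ntvals)[0], ntlm.nt, 16) == NULL) {`. The array comes from plain `calloc` while cleanup goes through `ipapwd_free_slapi_value_array`, whose body is not in this patch; if that helper releases with `slapi_ch_free`, `slapi_ch_calloc` would be the matching allocator. The enclosing function starts and ends outside the hunk.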
@@ -451,6 +466,7 @@ done:
     /* when error, free possibly allocated output parameters */
     if (rc) {
         ipapwd_free_slapi_value_array(svals);
+        ipapwd_free_slapi_value_array(ntvals);
     }
 
     return rc;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c 
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 
961678acb4f7a3265b5b221acedb96a63cea5855..a4663c0cce3722da4920fedca5d994966bc6d47d
 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -163,7 +163,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
     char *dn = NULL;
     struct ipapwd_operation *pwdop = NULL;
     void *op;
-    int is_repl_op, is_root, is_krb, is_smb;
+    int is_repl_op, is_root, is_krb, is_smb, is_ipant;
     int ret;
     int rc = LDAP_SUCCESS;
 
@@ -240,7 +240,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
     }
 
     rc = ipapwd_entry_checks(pb, e,
-                             &is_root, &is_krb, &is_smb,
+                             &is_root, &is_krb, &is_smb, &is_ipant,
                              NULL, SLAPI_ACL_ADD);
     if (rc != LDAP_SUCCESS) {
         goto done;
@@ -307,17 +307,18 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
         goto done;
     }
 
-    if (is_krb || is_smb) {
+    if (is_krb || is_smb || is_ipant) {
 
         Slapi_Value **svals = NULL;
+        Slapi_Value **ntvals = NULL;
         char *nt = NULL;
         char *lm = NULL;
 
         pwdop->is_krb = is_krb;
 
         rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata,
-                               userpw, is_krb, is_smb,
-                               &svals, &nt, &lm, &errMesg);
+                               userpw, is_krb, is_smb, is_ipant,
+                               &svals, &nt, &lm, &ntvals, &errMesg);
         if (rc != LDAP_SUCCESS) {
             goto done;
         }
@@ -335,17 +336,22 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
             ipapwd_free_slapi_value_array(&svals);
         }
 
-        if (lm) {
+        if (lm && is_smb) {
             /* set value */
             slapi_entry_attr_set_charptr(e, "sambaLMPassword", lm);
             slapi_ch_free_string(&lm);
         }
-        if (nt) {
+        if (nt && is_smb) {
             /* set value */
             slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt);
             slapi_ch_free_string(&nt);
         }
 
+        if (ntvals && is_ipant) {
+            slapi_entry_attr_replace_sv(e, "ipaNTHash", ntvals);
+            ipapwd_free_slapi_value_array(&ntvals);
+        }
+
         if (is_smb) {
             /* with samba integration we need to also set sambaPwdLastSet or
              * samba will decide the user has to change the password again */
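Review bot: With the conditions changed to `if (lm && is_smb)` and `if (nt && is_smb)`, the `slapi_ch_free_string()` calls inside them are skipped for an entry that has ipaNTUserAttrs but not sambaSamAccount, although `ipapwd_gen_hashes` now enters its hash block for `is_smb || is_ipant` and appears to fill `nt` and `lm` there. Both are locals of this block, so unless they are released further down (outside this hunk) the hex-encoded hashes are leaked and left in the heap on every such add. Keep the attribute write conditional and free unconditionally, e.g. `if (nt) { if (is_smb) slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt); slapi_ch_free_string(&nt); }`, and likewise for `lm`. The same pattern is in the ipapwd_pre_mod hunk that adds `ipaNTHash` through `slapi_mods_add_mod_values`.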
@@ -397,7 +403,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
     struct slapi_entry *e = NULL;
     struct ipapwd_operation *pwdop = NULL;
     void *op;
-    int is_repl_op, is_pwd_op, is_root, is_krb, is_smb;
+    int is_repl_op, is_pwd_op, is_root, is_krb, is_smb, is_ipant;
     int has_krb_keys = 0;
     int has_history = 0;
     int gen_krb_keys = 0;
@@ -514,7 +520,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
     }
 
     rc = ipapwd_entry_checks(pb, e,
-                             &is_root, &is_krb, &is_smb,
+                             &is_root, &is_krb, &is_smb, &is_ipant,
                              SLAPI_USERPWD_ATTR, SLAPI_ACL_WRITE);
     if (rc) {
         goto done;
@@ -585,6 +591,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
                  * flags, so we sero them out and see if they get set again */
                 is_krb = 0;
                 is_smb = 0;
+                is_ipant = 0;
 
             case LDAP_MOD_ADD:
                 bv = slapi_mod_get_first_value(smod);
@@ -598,6 +605,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
                         is_krb = 1;
                     if (0 == strncasecmp("sambaSamAccount", bv->bv_val, 
bv->bv_len))
                         is_smb = 1;
+                    if (0 == strncasecmp("ipaNTUserAttrs", bv->bv_val, 
bv->bv_len))
+                        is_ipant = 1;
                 } while ((bv = slapi_mod_get_next_value(smod)) != NULL);
 
                 break;
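Review bot: The added `strncasecmp("ipaNTUserAttrs", bv->bv_val, bv->bv_len)` compares only `bv_len` bytes, so any objectClass value that is a case-insensitive prefix of the name, including a zero-length value, sets `is_ipant`. That would make the later code generate and attach `ipaNTHash` for an entry that never gains the object class. Compare the length as well: `if (bv->bv_len == strlen("ipaNTUserAttrs") && 0 == strncasecmp("ipaNTUserAttrs", bv->bv_val, bv->bv_len))`. The neighbouring sambaSamAccount test has the same shape and could be tightened in the same change; the loop and the switch start outside this hunk.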
@@ -606,6 +615,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
                 /* can this happen for objectclasses ? */
                 is_krb = 0;
                 is_smb = 0;
+                is_ipant = 0;
 
             default:
                 break;
@@ -654,7 +664,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
 
     /* Check this is a clear text password, or refuse operation (only if we 
need
      * to comput other hashes */
-    if (! unhashedpw && (gen_krb_keys || is_smb)) {
+    if (! unhashedpw && (gen_krb_keys || is_smb || is_ipant)) {
         if ('{' == userpw[0]) {
             if (0 == strncasecmp(userpw, "{CLEAR}", strlen("{CLEAR}"))) {
                 unhashedpw = slapi_ch_strdup(&userpw[strlen("{CLEAR}")]);
@@ -746,15 +756,16 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
         }
     }
 
-    if (gen_krb_keys || is_smb) {
+    if (gen_krb_keys || is_smb || is_ipant) {
 
         Slapi_Value **svals = NULL;
+        Slapi_Value **ntvals = NULL;
         char *nt = NULL;
         char *lm = NULL;
 
         rc = ipapwd_gen_hashes(krbcfg, &pwdop->pwdata, unhashedpw,
-                               gen_krb_keys, is_smb,
-                               &svals, &nt, &lm, &errMesg);
+                               gen_krb_keys, is_smb, is_ipant,
+                               &svals, &nt, &lm, &ntvals, &errMesg);
         if (rc) {
             goto done;
         }
@@ -766,19 +777,25 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
             ipapwd_free_slapi_value_array(&svals);
         }
 
-        if (lm) {
+        if (lm && is_smb) {
             /* replace value */
             slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                                   "sambaLMPassword", lm);
             slapi_ch_free_string(&lm);
         }
-        if (nt) {
+        if (nt && is_smb) {
             /* replace value */
             slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                                   "sambaNTPassword", nt);
             slapi_ch_free_string(&nt);
         }
 
+        if (ntvals && is_ipant) {
+            slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE,
+                                      "ipaNTHash", ntvals);
+            ipapwd_free_slapi_value_array(&ntvals);
+        }
+
         if (is_smb) {
             /* with samba integration we need to also set sambaPwdLastSet or
              * samba will decide the user has to change the password again */
-- 
1.7.6
