On Wed, 22 Jun 2016, thierry bordaz wrote:
I think FreeIPA also needs to raise dependency to slapi-nis >= 0.56.0
for this.


Testing with slapi-nis 0.56.0-2, successful update of password from compat tree users.

Great, ACK!




From 034a07211de4d11c6cb998676cc5f7439af981c6 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbor...@redhat.com>
Date: Fri, 10 Jun 2016 15:34:40 +0200
Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop
plugin

ipapwd_extop allows to update the password on a specific entry, identified by 
its DN.
It can be usefull to support virtual DN in the extop so that update of a 
virtual entry
would land into the proper real entry.

If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value
of TARGET_DN, instead of using the original one (in the ber req)
There is a dependency on slapi-nis >= 0.56-0.1 
(https://fedorahosted.org/freeipa/ticket/5955)

https://fedorahosted.org/freeipa/ticket/5946
---
.../ipa-pwd-extop/ipa_pwd_extop.c                  | 36 +++++++++++++++++-----
freeipa.spec.in                                    |  2 +-
2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c 
b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 440e221..3c2c44f 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct 
ipapwd_krbcfg *krbcfg)
        char *attrlist[] = {"*", "passwordHistory", NULL };
        struct ipapwd_data pwdata;
        int is_krb, is_smb, is_ipant;
-    char *principal = NULL;
+       char *principal = NULL;
        Slapi_PBlock *chpwop_pb = NULL;
+       Slapi_DN     *target_sdn = NULL;
+       char         *target_dn = NULL;

        /* Get the ber value of the extended operation */
        slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
@@ -327,14 +329,32 @@ parse_req_done:
                }
        }

-        /* Determine the target DN for this operation */
-        /* Did they give us a DN ? */
-       if (dn == NULL || *dn == '\0') {
-               /* Get the DN from the bind identity on this connection */
-               dn = slapi_ch_strdup(bindDN);
-               LOG_TRACE("Missing userIdentity in request, "
-                          "using the bind DN instead.\n");
+       /* Determine the target DN for this operation */
+       slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
+       if (target_sdn != NULL) {
+               /* If there is a TARGET_DN we are consuming it */
+               slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL);
+               target_dn = slapi_sdn_get_ndn(target_sdn);
        }
+       if (target_dn == NULL || *target_dn == '\0') {
+               /* Did they give us a DN ? */
+               if (dn == NULL || *dn == '\0') {
+                       /* Get the DN from the bind identity on this connection 
*/
+                       dn = slapi_ch_strdup(bindDN);
+                       LOG_TRACE("Missing userIdentity in request, "
+                               "using the bind DN instead.\n");
+               }
+               LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : "<empty>");
+       } else {
+               /* At this point if SLAPI_TARGET_SDN was set that means
+                * that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it
+                * So take this one rather that the raw one that is in the ber
+                */
+               LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : 
"<empty>", target_dn);
+               slapi_ch_free_string(&dn);
+               dn = slapi_ch_strdup(target_dn);
+       }
+       slapi_sdn_free(&target_sdn);

         if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) {
                LOG_FATAL("slapi_pblock_set failed!\n");
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 0d5c745..84a1d65 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -154,7 +154,7 @@ Requires(pre): systemd-units
Requires(post): systemd-units
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base >= %{selinux_policy_version}
-Requires: slapi-nis >= 0.55-1
+Requires: slapi-nis >= 0.56.0
Requires: pki-ca >= 10.3.2
Requires: pki-kra >= 10.3.2
Requires(preun): python systemd-units
--
2.5.0



--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to