Re: [Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry
On Wed, 15 Jun 2016, thierry bordaz wrote: Thanks Alexander for the review. You are right I forgot to remove those lines during the cleanup. ACK -- I've committed this patch to slapi-nis and released 0.56.0 version. https://bodhi.fedoraproject.org/updates/slapi-nis-0.56.0-2.fc24 -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry
Thanks Alexander for the review. You are right I forgot to remove those lines during the cleanup. thanks thierry On 06/15/2016 05:54 PM, Alexander Bokovoy wrote: On Wed, 15 Jun 2016, thierry bordaz wrote:
From 6cd06b9004f8ab72e13c26742d11ee31d30bbc79 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz
Date: Mon, 13 Jun 2016 18:13:04 +0200
Subject: [PATCH] slapi-nis should allow password update on a virtual entry
During password modification ext. op (1.3.6.1.4.1.4203.1.11.1), if the target entry is in the compat tree, slapi-nis should remap the entry to the real entry. This needs to be done in a pre-op extop that calls the callback function handling a given OID. The password mod. callback does a reverse mapping of extop USERID and set it in SLAPI_TARGET_SDN.
---
configure.ac | 1 +
src/back-sch.c | 217 +
src/back-sch.h | 16 +
src/plug-sch.c | 24 +++
4 files changed, 258 insertions(+)
diff --git a/configure.ac b/configure.ac
index 5b10376..9ce6bcf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -113,6 +113,7 @@ dirsrv)
SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN,
SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN,
SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN,
+SLAPI_PLUGIN_PRE_EXTOP_FN,
NULL]
,,,
[AC_INCLUDES_DEFAULT
diff --git a/src/back-sch.c b/src/back-sch.c
index 32b1d9e..f9ab812 100644
--- a/src/back-sch.c
+++ b/src/back-sch.c
@@ -54,6 +54,8 @@
#include "map.h"
#include "back-sch.h"
+backend_extop_handlers_t extop_handlers[] = {{EXTOP_PASSWD_OID, (IFP) backend_passwdmod_extop},
+{NULL, NULL}};
static void backend_entries_to_return_push(struct backend_search_cbdata *cbdata, Slapi_Entry *e);
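Review bot: `extop_handlers[]` in the `@@ -54,6 +54,8 @@` hunk of src/back-sch.c is a file-scope, writable, non-`static` table of function pointers; unless plug-sch.c needs the symbol exported (that part of the patch is not visible here), declare it `static const backend_extop_handlers_t extop_handlers[] = {{EXTOP_PASSWD_OID, (IFP) backend_passwdmod_extop},` so the dispatch table lands in read-only memory and is not a reachable write target for a memory-corruption bug elsewhere in the plugin, and keep at least `const` if it must stay external. The `(IFP)` cast on `backend_passwdmod_extop` also discards the prototype check; if `backend_extop_handlers_t` (added to back-sch.h by this patch) can declare its callback as `int (*fn)(Slapi_PBlock *pb)`, the cast goes away and any later signature drift is caught at compile time. Since `backend_passwdmod_extop` is defined `static` roughly 2000 lines later, this initializer also depends on a forward declaration earlier in the file or in back-sch.h — worth confirming it is a `static` prototype rather than one that conflicts with the definition.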
@@ -2223,6 +2225,203 @@ done_with_lock: return ret; } +/* This callback handles EXTOP_PASSWD_OID "1.3.6.1.4.1.4203.1.11.1" + * If the extop defines a USERID, it sets SLAPI_TARGET_SDN to + * the reverse mapping of the USERID. + * + * If it is not possible to retrieve USERID in the ber + * then value of SLAPI_TARGET_SDN is unchanged. + * + * Else the value of SLAPI_TARGET_SDN is freed and replaced + * either by the USERID or the reverse mapping of USERID (if it exists) + */ +static int +backend_passwdmod_extop(Slapi_PBlock *pb) +{ +struct backend_entry_data *data; +struct plugin_state *state; +Slapi_DN *sdn = NULL; +char *extopdn; +char *ndn; +char *username = NULL; +char *group = NULL; +const char *entry_group = NULL; +char *set = NULL; +const char *entry_set = NULL; +struct berval*extop_value = NULL; +BerElement*ber = NULL; +ber_tag_ttag = 0; +ber_len_tlen = (ber_len_t) -1; + +if (wrap_get_call_level() > 0) { +return 0; +} + +slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, ); +if (state->ready_to_serve == 0) { +/* No data to serve yet */ +goto free_and_return; +} +/* Retrieve the original DN from the ber request */ +/* Get the ber value of the extended operation */ +slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, _value); +if (!BV_HAS_DATA(extop_value)) { +goto free_and_return; +} + +if ((ber = ber_init(extop_value)) == NULL) { +goto free_and_return; +} ++/* Format of request to parse + * + * PasswdModifyRequestValue ::= SEQUENCE { + * userIdentity[0] OCTET STRING OPTIONAL + * oldPasswd [1] OCTET STRING OPTIONAL + * newPasswd [2] OCTET STRING OPTIONAL } + * + * The request value field is optional. If it is + * provided, at least one field must be filled in. + */ + +/* ber parse code */ +if ( ber_scanf( ber, "{") == LBER_ERROR ) { +/* The request field wasn't provided. We'll + * now try to determine the userid and verify + * knowledge of the old password via other + * means. 
+ */ +goto free_and_return; +} else { +tag = ber_peek_tag( ber, ); +} + +/* identify userID field by tags */ +if (tag == LDAP_EXTOP_PASSMOD_TAG_USERID ) { + +if ( ber_scanf( ber, "a", ) == LBER_ERROR ) { +slapi_ch_free_string(); +goto free_and_return; +} + +slapi_log_error(SLAPI_LOG_PLUGIN, "backend_passwdmod_extop", +"extopdn = %s\n", extopdn ? extopdn : "" ); + +/* Free the current target_DN */ +slapi_pblock_get(pb, SLAPI_TARGET_SDN, ); +if (sdn) { +const char *olddn; +olddn = slapi_sdn_get_ndn(sdn); +slapi_log_error(SLAPI_LOG_PLUGIN, "backend_passwdmod_extop", + "olddn = %s (unknown expected)\n", olddn ? olddn : "" ); +slapi_sdn_free(); +} + +/* replace it with the one in the extop req*/ +sdn = slapi_sdn_new_dn_byref(extopdn); +slapi_pblock_set(pb,
Re: [Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry
On Wed, 15 Jun 2016, thierry bordaz wrote: From 6cd06b9004f8ab72e13c26742d11ee31d30bbc79 Mon Sep 17 00:00:00 2001 From: Thierry BordazDate: Mon, 13 Jun 2016 18:13:04 +0200 Subject: [PATCH] slapi-nis should allow password update on a virtual entry During password modification ext. op (1.3.6.1.4.1.4203.1.11.1), if the target entry is in the compat tree, slapi-nis should remap the entry to the real entry. This needs to be done in a pre-op extop that calls the callback function handling a given OID. The password mod. callback does a reverse mapping of extop USERID and set it in SLAPI_TARGET_SDN. --- configure.ac | 1 + src/back-sch.c | 217 + src/back-sch.h | 16 + src/plug-sch.c | 24 +++ 4 files changed, 258 insertions(+) diff --git a/configure.ac b/configure.ac index 5b10376..9ce6bcf 100644 --- a/configure.ac +++ b/configure.ac @@ -113,6 +113,7 @@ dirsrv) SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN, SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN, SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN, + SLAPI_PLUGIN_PRE_EXTOP_FN, NULL] ,,, [AC_INCLUDES_DEFAULT diff --git a/src/back-sch.c b/src/back-sch.c index 32b1d9e..f9ab812 100644 --- a/src/back-sch.c +++ b/src/back-sch.c @@ -54,6 +54,8 @@ #include "map.h" #include "back-sch.h" +backend_extop_handlers_t extop_handlers[] = {{EXTOP_PASSWD_OID, (IFP) backend_passwdmod_extop}, + {NULL, NULL}}; static void backend_entries_to_return_push(struct backend_search_cbdata *cbdata, Slapi_Entry *e); 
@@ -2223,6 +2225,203 @@ done_with_lock: return ret; } +/* This callback handles EXTOP_PASSWD_OID "1.3.6.1.4.1.4203.1.11.1" + * If the extop defines a USERID, it sets SLAPI_TARGET_SDN to + * the reverse mapping of the USERID. + * + * If it is not possible to retrieve USERID in the ber + * then value of SLAPI_TARGET_SDN is unchanged. + * + * Else the value of SLAPI_TARGET_SDN is freed and replaced + * either by the USERID or the reverse mapping of USERID (if it exists) + */ +static int +backend_passwdmod_extop(Slapi_PBlock *pb) +{ + struct backend_entry_data *data; + struct plugin_state *state; + Slapi_DN *sdn = NULL; + char *extopdn; + char *ndn; + char *username = NULL; + char *group = NULL; + const char *entry_group = NULL; + char *set = NULL; + const char *entry_set = NULL; + struct berval *extop_value = NULL; + BerElement *ber = NULL; + ber_tag_t tag = 0; +ber_len_t len = (ber_len_t) -1; + + if (wrap_get_call_level() > 0) { + return 0; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, ); + if (state->ready_to_serve == 0) { + /* No data to serve yet */ + goto free_and_return; + } + /* Retrieve the original DN from the ber request */ + /* Get the ber value of the extended operation */ + slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, _value); + if (!BV_HAS_DATA(extop_value)) { + goto free_and_return; + } + +if ((ber = ber_init(extop_value)) == NULL) { + goto free_and_return; + } + + /* Format of request to parse +* +* PasswdModifyRequestValue ::= SEQUENCE { +* userIdentity[0] OCTET STRING OPTIONAL +* oldPasswd [1] OCTET STRING OPTIONAL +* newPasswd [2] OCTET STRING OPTIONAL } +* +* The request value field is optional. If it is +* provided, at least one field must be filled in. +*/ + + /* ber parse code */ + if ( ber_scanf( ber, "{") == LBER_ERROR ) { + /* The request field wasn't provided. We'll +* now try to determine the userid and verify +* knowledge of the old password via other +* means. 
+*/ + goto free_and_return; + } else { + tag = ber_peek_tag( ber, ); + } + + /* identify userID field by tags */ + if (tag == LDAP_EXTOP_PASSMOD_TAG_USERID ) { + + if ( ber_scanf( ber, "a", ) == LBER_ERROR ) { + slapi_ch_free_string(); + goto free_and_return; + } + +slapi_log_error(SLAPI_LOG_PLUGIN, "backend_passwdmod_extop", + "extopdn = %s\n", extopdn ? extopdn : "" ); + + /* Free the current target_DN */ + slapi_pblock_get(pb, SLAPI_TARGET_SDN, ); + if (sdn) { + const char *olddn; + olddn = slapi_sdn_get_ndn(sdn); + slapi_log_error(SLAPI_LOG_PLUGIN, "backend_passwdmod_extop", +
Re: [Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry
On 15.06.2016 17:19, thierry bordaz wrote:
> Hello, This patch is for https://fedorahosted.org/freeipa/ticket/5955
[Martin] Please put this link into the commit message.
> This is the last patch related to "IdM user password change support for legacy client compat tree"
> * It requires DS > 1.3.5.5 (https://fedorahosted.org/389/ticket/48880)
[Martin] Please bump the version in freeipa.spec.in and put the DS SRPMs into @freeipa/freeipa-master if the new DS is not at least in updates-testing.
> * PATCH 0020 https://fedorahosted.org/freeipa/ticket/5946 ipapwd (reviewed by Alexander)
> * this PATCH 0021
> This patch is not the final one because I had to locally define SLAPI_PLUGIN_PRE_EXTOP_FN in order to build on copr. The define SLAPI_PLUGIN_PRE_EXTOP_FN comes with DS > 1.3.5.5
> A test case is: create a user 'tb1'
> # step 1 verify that there is no passwd/krbkeys
> ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey
> # step 2 verify that tb1 has a password/krbkeys
> ldappasswd -D "cn=directory manager" -w xxx "uid=tb1,cn=users,cn=accounts,SUFFIX" -s yyy
> ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey
> # step 3 verify that tb1 has different passwd/krbkeys than in step 2
> ldappasswd -D "cn=directory manager" -w xxx "uid=tb1,cn=users,cn=accounts,SUFFIX" -s yyy
> ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey
> # step 4 (password change through the compat tree) verify that tb1 has different passwd/krbkeys than in step 3
> ldappasswd -D "cn=directory manager" -w xxx "uid=tb1,cn=users,cn=compat,SUFFIX" -s yyy
> ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey
> # step 5 (password change through the compat tree) verify that tb1 has different passwd/krbkeys than in step 4
> ldappasswd -D "cn=directory manager" -w xxx "uid=tb1,cn=users,cn=compat,SUFFIX" -s yyy
> ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX"
> userPassword krbPrincipalKey
[Martin] Please put these steps to reproduce into the ticket; we will need them for QA.
> thanks thierry
Thank you, Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry
Hello, This patch is for https://fedorahosted.org/freeipa/ticket/5955. This is the last patch related to "IdM user password change support for legacy client compat tree":
* It requires DS > 1.3.5.5 (https://fedorahosted.org/389/ticket/48880)
* PATCH 0020 https://fedorahosted.org/freeipa/ticket/5946 ipapwd (reviewed by Alexander)
* this PATCH 0021
This patch is not the final one because I had to locally define SLAPI_PLUGIN_PRE_EXTOP_FN in order to build on copr; the define SLAPI_PLUGIN_PRE_EXTOP_FN comes with DS > 1.3.5.5.
A test case is (xxx and yyy are placeholders; on a shared host prefer `-W` or `-y <file>` to `-w xxx` so the Directory Manager password does not end up in shell history or `ps` output): create a user 'tb1'
# step 1 verify that there is no passwd/krbkeys
ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey
# step 2 verify that tb1 has a password/krbkeys
ldappasswd -D "cn=directory manager" -w xxx "uid=tb1,cn=users,cn=accounts,SUFFIX" -s yyy
ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey
# step 3 verify that tb1 has different passwd/krbkeys than in step 2
ldappasswd -D "cn=directory manager" -w xxx "uid=tb1,cn=users,cn=accounts,SUFFIX" -s yyy
ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey
# step 4 (password change through the compat tree) verify that tb1 has different passwd/krbkeys than in step 3
ldappasswd -D "cn=directory manager" -w xxx "uid=tb1,cn=users,cn=compat,SUFFIX" -s yyy
ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey
# step 5 (password change through the compat tree) verify that tb1 has different passwd/krbkeys than in step 4
ldappasswd -D "cn=directory manager" -w xxx "uid=tb1,cn=users,cn=compat,SUFFIX" -s yyy
ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey
thanks thierry
>From 6cd06b9004f8ab72e13c26742d11ee31d30bbc79 Mon Sep 17 00:00:00 2001
From: Thierry BordazDate: Mon, 13 Jun 2016 18:13:04 +0200 Subject: [PATCH] slapi-nis should allow password update on a virtual entry During password modification ext. op (1.3.6.1.4.1.4203.1.11.1), if the target entry is in the compat tree, slapi-nis should remap the entry to the real entry. This needs to be done in a pre-op extop that calls the callback function handling a given OID. The password mod. callback does a reverse mapping of extop USERID and set it in SLAPI_TARGET_SDN. --- configure.ac | 1 + src/back-sch.c | 217 + src/back-sch.h | 16 + src/plug-sch.c | 24 +++ 4 files changed, 258 insertions(+) diff --git a/configure.ac b/configure.ac index 5b10376..9ce6bcf 100644 --- a/configure.ac +++ b/configure.ac @@ -113,6 +113,7 @@ dirsrv) SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN, SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN, SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN, + SLAPI_PLUGIN_PRE_EXTOP_FN, NULL] ,,, [AC_INCLUDES_DEFAULT diff --git a/src/back-sch.c b/src/back-sch.c index 32b1d9e..f9ab812 100644 --- a/src/back-sch.c +++ b/src/back-sch.c @@ -54,6 +54,8 @@ #include "map.h" #include "back-sch.h" +backend_extop_handlers_t extop_handlers[] = {{EXTOP_PASSWD_OID, (IFP) backend_passwdmod_extop}, + {NULL, NULL}}; static void backend_entries_to_return_push(struct backend_search_cbdata *cbdata, Slapi_Entry *e); 
@@ -2223,6 +2225,203 @@ done_with_lock: return ret; } +/* This callback handles EXTOP_PASSWD_OID "1.3.6.1.4.1.4203.1.11.1" + * If the extop defines a USERID, it sets SLAPI_TARGET_SDN to + * the reverse mapping of the USERID. + * + * If it is not possible to retrieve USERID in the ber + * then value of SLAPI_TARGET_SDN is unchanged. + * + * Else the value of SLAPI_TARGET_SDN is freed and replaced + * either by the USERID or the reverse mapping of USERID (if it exists) + */ +static int +backend_passwdmod_extop(Slapi_PBlock *pb) +{ + struct backend_entry_data *data; + struct plugin_state *state; + Slapi_DN *sdn = NULL; + char *extopdn; + char *ndn; + char *username = NULL; + char *group = NULL; + const char *entry_group = NULL; + char *set = NULL; + const char *entry_set = NULL; + struct berval *extop_value = NULL; + BerElement *ber = NULL; + ber_tag_t tag = 0; +ber_len_t len = (ber_len_t) -1; + + if (wrap_get_call_level() > 0) { + return 0; + } + + slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, ); + if (state->ready_to_serve == 0) { + /* No data to serve yet */ + goto free_and_return; + } + /* Retrieve the original DN from the ber request */ + /* Get the ber value of the extended operation */ + slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, _value); + if (!BV_HAS_DATA(extop_value)) { + goto free_and_return; + } + +if ((ber = ber_init(extop_value)) == NULL) { + goto free_and_return; + } + + /* Format of request to parse + * + * PasswdModifyRequestValue ::= SEQUENCE { + * userIdentity