Re: [Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry

2016-06-20 Thread Alexander Bokovoy

On Wed, 15 Jun 2016, thierry bordaz wrote:

Thanks Alexander for the review.
You are right, I forgot to remove those lines during the cleanup.

ACK -- I've committed this patch to slapi-nis and released version
0.56.0.

https://bodhi.fedoraproject.org/updates/slapi-nis-0.56.0-2.fc24


--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry

2016-06-15 Thread thierry bordaz

Thanks Alexander for the review.
You are right, I forgot to remove those lines during the cleanup.

thanks
thierry

On 06/15/2016 05:54 PM, Alexander Bokovoy wrote:

On Wed, 15 Jun 2016, thierry bordaz wrote:

From 6cd06b9004f8ab72e13c26742d11ee31d30bbc79 Mon Sep 17 00:00:00 2001

From: Thierry Bordaz 
Date: Mon, 13 Jun 2016 18:13:04 +0200
Subject: [PATCH] slapi-nis should allow password update on a virtual 
entry


During password modification ext. op (1.3.6.1.4.1.4203.1.11.1),
if the target entry is in the compat tree, slapi-nis should
remap the entry to the real entry.

This needs to be done in a pre-op extop that calls the callback
function handling a given OID.
The password mod. callback does a reverse mapping of the
extop USERID and sets it in SLAPI_TARGET_SDN.
---
configure.ac   |   1 +
src/back-sch.c | 217 
+

src/back-sch.h |  16 +
src/plug-sch.c |  24 +++
4 files changed, 258 insertions(+)

diff --git a/configure.ac b/configure.ac
index 5b10376..9ce6bcf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -113,6 +113,7 @@ dirsrv)
SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN,
SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN,
SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN,
+SLAPI_PLUGIN_PRE_EXTOP_FN,
NULL]
   ,,,
   [AC_INCLUDES_DEFAULT
diff --git a/src/back-sch.c b/src/back-sch.c
index 32b1d9e..f9ab812 100644
--- a/src/back-sch.c
+++ b/src/back-sch.c
@@ -54,6 +54,8 @@
#include "map.h"
#include "back-sch.h"

+backend_extop_handlers_t extop_handlers[] = {{EXTOP_PASSWD_OID, 
(IFP) backend_passwdmod_extop}, 
+{NULL, NULL}};

static void
backend_entries_to_return_push(struct backend_search_cbdata *cbdata, 
Slapi_Entry *e);

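Review bot: The initializer for `extop_handlers[]` at the top of this hunk names `backend_passwdmod_extop`, which the later hunk in the same file defines as `static` around line 2225, so unless a forward declaration precedes the table this will not compile (and if the declaration lives in back-sch.h, a `static` function declared in a shared header is unusual); a `static int backend_passwdmod_extop(Slapi_PBlock *pb);` line ahead of the table would make the dependency explicit. The `(IFP)` cast also disables prototype checking on the handler, so a mismatch between the table's element type and the function's real signature would go unnoticed; if `backend_extop_handlers_t` can carry an `int (*)(Slapi_PBlock *)` member, the cast can be dropped. The table is non-static and presumably consumed from plug-sch.c, whose hunk is not in this excerpt, and its `{NULL, NULL}` entry is the only bound a consumer can rely on, which deserves a one-line comment such as `/* NULL-terminated; dispatched on OID by the pre-extop handler */`. The same hunk appears again in the later quoted copies of the patch in this thread.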

@@ -2223,6 +2225,203 @@ done_with_lock:
return ret;
}

+/* This callback handles EXTOP_PASSWD_OID "1.3.6.1.4.1.4203.1.11.1"
+ * If the extop defines a USERID, it sets SLAPI_TARGET_SDN to
+ * the reverse mapping of the USERID.
+ *
+ * If it is not possible to retrieve USERID in the ber
+ * then value of SLAPI_TARGET_SDN is unchanged.
+ *
+ * Else the value of SLAPI_TARGET_SDN is freed and replaced
+ * either by the USERID or the reverse mapping of USERID (if it exists)
+ */
+static int
+backend_passwdmod_extop(Slapi_PBlock *pb)
+{
+struct backend_entry_data *data;
+struct plugin_state *state;
+Slapi_DN *sdn = NULL;
+char *extopdn;
+char *ndn;
+char *username = NULL;
+char *group = NULL;
+const char *entry_group = NULL;
+char *set = NULL;
+const char *entry_set = NULL;
+struct berval*extop_value = NULL;
+BerElement*ber = NULL;
+ber_tag_ttag = 0;
+ber_len_tlen = (ber_len_t) -1;
+
+if (wrap_get_call_level() > 0) {
+return 0;
+}
+
+slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, );
+if (state->ready_to_serve == 0) {
+/* No data to serve yet */
+goto free_and_return;
+}
+/* Retrieve the original DN from the ber request */
+/* Get the ber value of the extended operation */
+slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, _value);
+if (!BV_HAS_DATA(extop_value)) {
+goto free_and_return;
+}
+
+if ((ber = ber_init(extop_value)) == NULL) {
+goto free_and_return;
+}
++/* Format of request to parse
+ *
+ * PasswdModifyRequestValue ::= SEQUENCE {
+ * userIdentity[0]  OCTET STRING OPTIONAL
+ * oldPasswd   [1]  OCTET STRING OPTIONAL
+ * newPasswd   [2]  OCTET STRING OPTIONAL }
+ *
+ * The request value field is optional. If it is
+ * provided, at least one field must be filled in.
+ */
+
+/* ber parse code */
+if ( ber_scanf( ber, "{") == LBER_ERROR ) {
+/* The request field wasn't provided.  We'll
+ * now try to determine the userid and verify
+ * knowledge of the old password via other
+ * means.
+ */
+goto free_and_return;
+} else {
+tag = ber_peek_tag( ber, );
+}
+
+/* identify userID field by tags */
+if (tag == LDAP_EXTOP_PASSMOD_TAG_USERID ) {
+
+if ( ber_scanf( ber, "a", ) == LBER_ERROR ) {
+slapi_ch_free_string();
+goto free_and_return;
+}
+
+slapi_log_error(SLAPI_LOG_PLUGIN, 
"backend_passwdmod_extop",

+"extopdn = %s\n", extopdn ? extopdn : "" );
+
+/* Free the current target_DN */
+slapi_pblock_get(pb, SLAPI_TARGET_SDN, );
+if (sdn) {
+const char *olddn;
+olddn = slapi_sdn_get_ndn(sdn);
+slapi_log_error(SLAPI_LOG_PLUGIN, 
"backend_passwdmod_extop",
+  "olddn = %s (unknown expected)\n", 
olddn ? olddn : "" );

+slapi_sdn_free();
+}
+
+/* replace it with the one in the extop req*/
+sdn = slapi_sdn_new_dn_byref(extopdn);
+slapi_pblock_set(pb, 

Re: [Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry

2016-06-15 Thread Alexander Bokovoy

On Wed, 15 Jun 2016, thierry bordaz wrote:

From 6cd06b9004f8ab72e13c26742d11ee31d30bbc79 Mon Sep 17 00:00:00 2001

From: Thierry Bordaz 
Date: Mon, 13 Jun 2016 18:13:04 +0200
Subject: [PATCH] slapi-nis should allow password update on a virtual entry

During password modification ext. op (1.3.6.1.4.1.4203.1.11.1),
if the target entry is in the compat tree, slapi-nis should
remap the entry to the real entry.

This needs to be done in a pre-op extop that calls the callback
function handling a given OID.
The password mod. callback does a reverse mapping of the
extop USERID and sets it in SLAPI_TARGET_SDN.
---
configure.ac   |   1 +
src/back-sch.c | 217 +
src/back-sch.h |  16 +
src/plug-sch.c |  24 +++
4 files changed, 258 insertions(+)

diff --git a/configure.ac b/configure.ac
index 5b10376..9ce6bcf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -113,6 +113,7 @@ dirsrv)
SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN,
SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN,
SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN,
+   SLAPI_PLUGIN_PRE_EXTOP_FN,
NULL]
   ,,,
   [AC_INCLUDES_DEFAULT
diff --git a/src/back-sch.c b/src/back-sch.c
index 32b1d9e..f9ab812 100644
--- a/src/back-sch.c
+++ b/src/back-sch.c
@@ -54,6 +54,8 @@
#include "map.h"
#include "back-sch.h"

+backend_extop_handlers_t extop_handlers[] = {{EXTOP_PASSWD_OID, (IFP) backend_passwdmod_extop}, 
+	{NULL, NULL}};

static void
backend_entries_to_return_push(struct backend_search_cbdata *cbdata, 
Slapi_Entry *e);

@@ -2223,6 +2225,203 @@ done_with_lock:
return ret;
}

+/* This callback handles EXTOP_PASSWD_OID "1.3.6.1.4.1.4203.1.11.1"
+ * If the extop defines a USERID, it sets SLAPI_TARGET_SDN to
+ * the reverse mapping of the USERID.
+ *
+ * If it is not possible to retrieve USERID in the ber
+ * then value of SLAPI_TARGET_SDN is unchanged.
+ *
+ * Else the value of SLAPI_TARGET_SDN is freed and replaced
+ * either by the USERID or the reverse mapping of USERID (if it exists)
+ */
+static int
+backend_passwdmod_extop(Slapi_PBlock *pb)
+{
+   struct backend_entry_data *data;
+   struct plugin_state *state;
+   Slapi_DN *sdn = NULL;
+   char *extopdn;
+   char *ndn;
+   char *username = NULL;
+   char *group = NULL;
+   const char *entry_group = NULL;
+   char *set = NULL;
+   const char *entry_set = NULL;
+   struct berval   *extop_value = NULL;
+   BerElement  *ber = NULL;
+   ber_tag_t   tag = 0;
+ber_len_t  len = (ber_len_t) -1;
+   
+   if (wrap_get_call_level() > 0) {
+   return 0;
+   }
+
+   slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, );
+   if (state->ready_to_serve == 0) {
+   /* No data to serve yet */
+   goto free_and_return;
+   }
+   /* Retrieve the original DN from the ber request */
+   /* Get the ber value of the extended operation */
+   slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, _value);
+   if (!BV_HAS_DATA(extop_value)) {
+   goto free_and_return;
+   }
+
+if ((ber = ber_init(extop_value)) == NULL) {
+   goto free_and_return;
+   }
+
+	/* Format of request to parse

+*
+* PasswdModifyRequestValue ::= SEQUENCE {
+* userIdentity[0]  OCTET STRING OPTIONAL
+* oldPasswd   [1]  OCTET STRING OPTIONAL
+* newPasswd   [2]  OCTET STRING OPTIONAL }
+*
+* The request value field is optional. If it is
+* provided, at least one field must be filled in.
+*/
+
+   /* ber parse code */
+   if ( ber_scanf( ber, "{") == LBER_ERROR ) {
+   /* The request field wasn't provided.  We'll
+* now try to determine the userid and verify
+* knowledge of the old password via other
+* means.
+*/
+   goto free_and_return;
+   } else {
+   tag = ber_peek_tag( ber, );
+   }
+
+   /* identify userID field by tags */
+   if (tag == LDAP_EXTOP_PASSMOD_TAG_USERID ) {
+
+   if ( ber_scanf( ber, "a", ) == LBER_ERROR ) {
+   slapi_ch_free_string();
+   goto free_and_return;
+   }
+
+slapi_log_error(SLAPI_LOG_PLUGIN, "backend_passwdmod_extop",
+   "extopdn = %s\n", extopdn ? extopdn : "" );
+   
+   /* Free the current target_DN */
+   slapi_pblock_get(pb, SLAPI_TARGET_SDN, );
+   if (sdn) {
+   const char *olddn;
+   olddn = slapi_sdn_get_ndn(sdn);
+   slapi_log_error(SLAPI_LOG_PLUGIN, 
"backend_passwdmod_extop",
+  

Re: [Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry

2016-06-15 Thread Martin Basti



On 15.06.2016 17:19, thierry bordaz wrote:

Hello,

This patch is for https://fedorahosted.org/freeipa/ticket/5955

Please put this link into the commit message.


This is the last patch related to "IdM user password change support for 
legacy client compat tree".


  * It requires DS > 1.3.5.5 (https://fedorahosted.org/389/ticket/48880)

Please bump the version in freeipa.spec.in and put the DS SRPMs into 
@freeipa/freeipa-master if the new DS is not at least in updates-testing.




 *



  * PATCH 0020 https://fedorahosted.org/freeipa/ticket/5946 ipapwd
(review by Alexander)
  * this PATCH 0021

This patch is not the final one because I had to locally define 
SLAPI_PLUGIN_PRE_EXTOP_FN in order to build on copr.

The define SLAPI_PLUGIN_PRE_EXTOP_FN comes with DS > 1.3.5.5

A test case is:

create a user 'tb1'

# step 1 verify that there is no passwd/krbkeys
ldapsearch -LLL -D "cn=directory manager" -w xxx -b
"uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey


# step 2 verify that tb1 has a password/krbkeys
ldappasswd -D "cn=directory manager" -w xxx
"uid=tb1,cn=users,cn=*accounts*,SUFFIX" -s yyy
ldapsearch -LLL -D "cn=directory manager" -w xxx -b
"uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey

# step 3 verify that tb1 has different passwd/krbkeys than in step 2
ldappasswd -D "cn=directory manager" -w xxx
"uid=tb1,cn=users,cn=*accounts*,SUFFIX" -s yyy
ldapsearch -LLL -D "cn=directory manager" -w xxx -b
"uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey


# step 4 verify that tb1 has different passwd/krbkeys than in step 3
ldappasswd -D "cn=directory manager" -w xxx
"uid=tb1,cn=users,cn=*compat*,SUFFIX" -s yyy
ldapsearch -LLL -D "cn=directory manager" -w xxx -b
"uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey

# step 5 verify that tb1 has different passwd/krbkeys than in step 4
ldappasswd -D "cn=directory manager" -w xxx
"uid=tb1,cn=users,cn=*compat*,SUFFIX" -s yyy
ldapsearch -LLL -D "cn=directory manager" -w xxx -b
"uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey


Please put these steps to reproduce into ticket, we will need this for QA.


thanks
thierry




Thank you,
Martin^2

[Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry

2016-06-15 Thread thierry bordaz

Hello,

This patch is for https://fedorahosted.org/freeipa/ticket/5955

This is the last patch related to "IdM user password change support for 
legacy client compat tree".


 * It requires DS > 1.3.5.5 (https://fedorahosted.org/389/ticket/48880)
 * PATCH 0020 https://fedorahosted.org/freeipa/ticket/5946 ipapwd
   (review by Alexander)
 * this PATCH 0021

This patch is not the final one because I had to locally define 
SLAPI_PLUGIN_PRE_EXTOP_FN in order to build on copr.

The define SLAPI_PLUGIN_PRE_EXTOP_FN comes with DS > 1.3.5.5

A test case is:

   create a user 'tb1'

   # step 1 verify that there is no passwd/krbkeys
   ldapsearch -LLL -D "cn=directory manager" -w xxx -b
   "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey


   # step 2 verify that tb1 has a password/krbkeys
   ldappasswd -D "cn=directory manager" -w xxx
   "uid=tb1,cn=users,cn=*accounts*,SUFFIX" -s yyy
   ldapsearch -LLL -D "cn=directory manager" -w xxx -b
   "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey

   # step 3 verify that tb1 has different passwd/krbkeys than in step 2
   ldappasswd -D "cn=directory manager" -w xxx
   "uid=tb1,cn=users,cn=*accounts*,SUFFIX" -s yyy
   ldapsearch -LLL -D "cn=directory manager" -w xxx -b
   "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey


   # step 4 verify that tb1 has different passwd/krbkeys than in step 3
   ldappasswd -D "cn=directory manager" -w xxx
   "uid=tb1,cn=users,cn=*compat*,SUFFIX" -s yyy
   ldapsearch -LLL -D "cn=directory manager" -w xxx -b
   "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey

   # step 5 verify that tb1 has different passwd/krbkeys than in step 4
   ldappasswd -D "cn=directory manager" -w xxx
   "uid=tb1,cn=users,cn=*compat*,SUFFIX" -s yyy
   ldapsearch -LLL -D "cn=directory manager" -w xxx -b
   "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey

thanks
thierry

>From 6cd06b9004f8ab72e13c26742d11ee31d30bbc79 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz 
Date: Mon, 13 Jun 2016 18:13:04 +0200
Subject: [PATCH] slapi-nis should allow password update on a virtual entry

During password modification ext. op (1.3.6.1.4.1.4203.1.11.1),
if the target entry is in the compat tree, slapi-nis should
remap the entry to the real entry.

This needs to be done in a pre-op extop that calls the callback
function handling a given OID.
The password mod. callback does a reverse mapping of the
extop USERID and sets it in SLAPI_TARGET_SDN.
---
 configure.ac   |   1 +
 src/back-sch.c | 217 +
 src/back-sch.h |  16 +
 src/plug-sch.c |  24 +++
 4 files changed, 258 insertions(+)

diff --git a/configure.ac b/configure.ac
index 5b10376..9ce6bcf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -113,6 +113,7 @@ dirsrv)
 			SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN,
 			SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN,
 			SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN,
+			SLAPI_PLUGIN_PRE_EXTOP_FN,
 			NULL]
 		   ,,,
 		   [AC_INCLUDES_DEFAULT
diff --git a/src/back-sch.c b/src/back-sch.c
index 32b1d9e..f9ab812 100644
--- a/src/back-sch.c
+++ b/src/back-sch.c
@@ -54,6 +54,8 @@
 #include "map.h"
 #include "back-sch.h"
 
+backend_extop_handlers_t extop_handlers[] = {{EXTOP_PASSWD_OID, (IFP) backend_passwdmod_extop}, 
+	{NULL, NULL}};
 static void
 backend_entries_to_return_push(struct backend_search_cbdata *cbdata, Slapi_Entry *e);
 
@@ -2223,6 +2225,203 @@ done_with_lock:
 	return ret;
 }
 
+/* This callback handles EXTOP_PASSWD_OID "1.3.6.1.4.1.4203.1.11.1"
+ * If the extop defines a USERID, it sets SLAPI_TARGET_SDN to
+ * the reverse mapping of the USERID.
+ *
+ * If it is not possible to retrieve USERID in the ber
+ * then value of SLAPI_TARGET_SDN is unchanged.
+ *
+ * Else the value of SLAPI_TARGET_SDN is freed and replaced
+ * either by the USERID or the reverse mapping of USERID (if it exists)
+ */
+static int
+backend_passwdmod_extop(Slapi_PBlock *pb)
+{
+	struct backend_entry_data *data;
+	struct plugin_state *state;
+	Slapi_DN *sdn = NULL;
+	char *extopdn;
+	char *ndn;
+	char *username = NULL;
+	char *group = NULL;
+	const char *entry_group = NULL;
+	char *set = NULL;
+	const char *entry_set = NULL;
+	struct berval	*extop_value = NULL;
+	BerElement	*ber = NULL;
+	ber_tag_t	tag = 0;
+ber_len_t	len = (ber_len_t) -1;
+	
+	if (wrap_get_call_level() > 0) {
+		return 0;
+	}
+
+	slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, );
+	if (state->ready_to_serve == 0) {
+		/* No data to serve yet */
+		goto free_and_return;
+	}
+	/* Retrieve the original DN from the ber request */
+	/* Get the ber value of the extended operation */
+	slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, _value);
+	if (!BV_HAS_DATA(extop_value)) {
+		goto free_and_return;
+	}
+
+if ((ber = ber_init(extop_value)) == NULL) {
+		goto free_and_return;
+	}
+
+	/* Format of request to parse
+	 *
+	 * PasswdModifyRequestValue ::= SEQUENCE {
+	 * userIdentity