The way how unhashed password is stored in the entry was changed in
389-ds-base-1.3.0, it is now stored in an entry extension rather than
in a magic attribute unhashed#user#password. New API using an entry
extension was introduced. ipa-pwd-extop should take advantage of the
new API as the old one will be removed in 389-ds-base-1.3.1.
https://fedorahosted.org/freeipa/ticket/3439
---
This patch is based on Noriko's candidate patch in 389-ds-base ticket. I tested
various password scenarios including migration of users with cleartext/hashed
passwords, everything worked OK.
Martin
From 57bdfba0fd46d2d21ac8dc13d7723a23de3712b3 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Fri, 8 Mar 2013 13:01:45 +0100
Subject: [PATCH] Use new 389-ds-base cleartext password API
The way how unhashed password is stored in the entry was changed in
389-ds-base-1.3.0, it is now stored in an entry extension rather than
in a magic attribute unhashed#user#password. New API using an entry
extension was introduced. ipa-pwd-extop should take advantage of the
new API as the old one will be removed in 389-ds-base-1.3.1.
https://fedorahosted.org/freeipa/ticket/3439
---
.../ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c | 20
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 3b512a4744d3edddc52e224c11aaa93388d06b75..0318cecdcc37690838ffc778817cd60c9a8376a0 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -211,13 +211,19 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
slapi_ch_free_string(userpw);
userpw = tmp;
} else if (slapi_is_encoded(userpw)) {
-/* check if we have access to the unhashed user password */
-char *userpw_clear =
-slapi_entry_attr_get_charptr(e, unhashed#user#password);
+const char *userpw_clear = NULL;
+Slapi_Value **pwvals = NULL;
-/* unhashed#user#password doesn't always contain the clear text
- * password, therefore we need to check if its value isn't the same
- * as userPassword to make sure */
+/* Try to get clear password from an entry extension.
+ * This function does not return a copy of the values,
+ * no need to free them. */
+rc = slapi_pw_get_entry_ext(e, pwvals);
+if (LDAP_SUCCESS == rc) {
+userpw_clear = slapi_value_get_string(pwvals[0]);
+}
+
+/* Fail if we did not get a real clear text password from
+ * the extension. This will happen if the password is hashed. */
if (!userpw_clear || (0 == strcmp(userpw, userpw_clear))) {
rc = LDAP_CONSTRAINT_VIOLATION;
slapi_ch_free_string(userpw);
@@ -225,8 +231,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
userpw = slapi_ch_strdup(userpw_clear);
}
-slapi_ch_free_string(userpw_clear);
-
if (rc != LDAP_SUCCESS) {
/* we don't have access to the clear text password;
* let it slide if migration is enabled, but don't
--
1.8.1.4
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
