Re: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree
On 22.06.2016 19:02, Alexander Bokovoy wrote: On Wed, 22 Jun 2016, thierry bordaz wrote: I think FreeIPA also needs to raise dependency to slapi-nis >= 0.56.0 for this. Testing with slapi-nis 0.56.0-2, successful update of password from compat tree users. Great, ACK! Pushed to master: 1ce8d32fd6c09b0bfcb1593e2e5ad8e47eef3670 From 034a07211de4d11c6cb998676cc5f7439af981c6 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Fri, 10 Jun 2016 15:34:40 +0200 Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop plugin ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry. If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req) There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955) https://fedorahosted.org/freeipa/ticket/5946 --- .../ipa-pwd-extop/ipa_pwd_extop.c | 36 +- freeipa.spec.in| 2 +- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 440e221..3c2c44f 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) char *attrlist[] = {"*", "passwordHistory", NULL }; struct ipapwd_data pwdata; int is_krb, is_smb, is_ipant; -char *principal = NULL; +char *principal = NULL; Slapi_PBlock *chpwop_pb = NULL; +Slapi_DN *target_sdn = NULL; +char *target_dn = NULL; /* Get the ber value of the extended operation */ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); 
@@ -327,14 +329,32 @@ parse_req_done: } } - /* Determine the target DN for this operation */ - /* Did they give us a DN ? */ -if (dn == NULL || *dn == '\0') { - /* Get the DN from the bind identity on this connection */ -dn = slapi_ch_strdup(bindDN); -LOG_TRACE("Missing userIdentity in request, " - "using the bind DN instead.\n"); +/* Determine the target DN for this operation */ +slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); +if (target_sdn != NULL) { +/* If there is a TARGET_DN we are consuming it */ +slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); +target_dn = slapi_sdn_get_ndn(target_sdn); } +if (target_dn == NULL || *target_dn == '\0') { +/* Did they give us a DN ? */ +if (dn == NULL || *dn == '\0') { +/* Get the DN from the bind identity on this connection */ +dn = slapi_ch_strdup(bindDN); +LOG_TRACE("Missing userIdentity in request, " +"using the bind DN instead.\n"); +} +LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); +} else { +/* At this point if SLAPI_TARGET_SDN was set that means + * that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it + * So take this one rather that the raw one that is in the ber + */ +LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : "", target_dn); +slapi_ch_free_string(&dn); +dn = slapi_ch_strdup(target_dn); +} +slapi_sdn_free(&target_sdn); if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) { LOG_FATAL("slapi_pblock_set failed!\n"); diff --git a/freeipa.spec.in b/freeipa.spec.in index 0d5c745..84a1d65 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -154,7 +154,7 @@ Requires(pre): systemd-units Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} -Requires: slapi-nis >= 0.55-1 +Requires: slapi-nis >= 0.56.0 Requires: pki-ca >= 10.3.2 Requires: pki-kra >= 10.3.2 Requires(preun): python systemd-units -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
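Review bot: `char *target_dn = NULL;` in the declarations hunk (@@ -207,8 +207,10 @@) should be `const char *target_dn`. It only ever holds the pointer returned by `slapi_sdn_get_ndn(target_sdn)`, which returns `const char *` and stays owned by the SDN: the patch copies it with `slapi_ch_strdup(target_dn)` and releases it through `slapi_sdn_free(&target_sdn)`. Keeping it non-const discards the qualifier and makes a later `slapi_ch_free_string(&target_dn)` look legitimate. The `-char *principal = NULL;` / `+char *principal = NULL;` pair in the same hunk is a whitespace-only change unrelated to the fix and is better left out.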
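Review bot: the `else` branch of the target-DN hunk (@@ -327,14 +329,32 @@) replaces the DN taken from the request with whatever is in `SLAPI_TARGET_SDN`, and the comment's assumption that only a `SLAPI_PLUGIN_PRE_EXTOP_FN` plugin can have set it is not verified anywhere in the hunk. Because this value decides whose password is changed, please confirm that every authorization check after this point is made against the translated `dn`, and consider recording the translation at a level that is kept in normal operation rather than only via `LOG_TRACE`. The return values of `slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn)` and `slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL)` are also ignored, while the `SLAPI_ORIGINAL_TARGET` set in the context line right below is checked; handle them the same way.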
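Review bot: `+Requires: slapi-nis >= 0.56.0` in the freeipa.spec.in hunk does not match the commit message, which states the dependency as `slapi-nis >= 0.56-0.1`; make the two agree. The build reported as tested in this thread is 0.56.0-2, so if the pre-extop callback is only present from a particular release of 0.56.0, the `Requires` line should carry that release as well.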
Re: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree
On Wed, 22 Jun 2016, thierry bordaz wrote: I think FreeIPA also needs to raise dependency to slapi-nis >= 0.56.0 for this. Testing with slapi-nis 0.56.0-2, successful update of password from compat tree users. Great, ACK! From 034a07211de4d11c6cb998676cc5f7439af981c6 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Fri, 10 Jun 2016 15:34:40 +0200 Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop plugin ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry. If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req) There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955) https://fedorahosted.org/freeipa/ticket/5946 --- .../ipa-pwd-extop/ipa_pwd_extop.c | 36 +- freeipa.spec.in| 2 +- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 440e221..3c2c44f 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) char *attrlist[] = {"*", "passwordHistory", NULL }; struct ipapwd_data pwdata; int is_krb, is_smb, is_ipant; -char *principal = NULL; + char *principal = NULL; Slapi_PBlock *chpwop_pb = NULL; + Slapi_DN *target_sdn = NULL; + char *target_dn = NULL; /* Get the ber value of the extended operation */ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); 
@@ -327,14 +329,32 @@ parse_req_done: } } -/* Determine the target DN for this operation */ -/* Did they give us a DN ? */ - if (dn == NULL || *dn == '\0') { - /* Get the DN from the bind identity on this connection */ - dn = slapi_ch_strdup(bindDN); - LOG_TRACE("Missing userIdentity in request, " - "using the bind DN instead.\n"); + /* Determine the target DN for this operation */ + slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); + if (target_sdn != NULL) { + /* If there is a TARGET_DN we are consuming it */ + slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); + target_dn = slapi_sdn_get_ndn(target_sdn); } + if (target_dn == NULL || *target_dn == '\0') { + /* Did they give us a DN ? */ + if (dn == NULL || *dn == '\0') { + /* Get the DN from the bind identity on this connection */ + dn = slapi_ch_strdup(bindDN); + LOG_TRACE("Missing userIdentity in request, " + "using the bind DN instead.\n"); + } + LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); + } else { + /* At this point if SLAPI_TARGET_SDN was set that means +* that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it +* So take this one rather that the raw one that is in the ber +*/ + LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : "", target_dn); + slapi_ch_free_string(&dn); + dn = slapi_ch_strdup(target_dn); + } + slapi_sdn_free(&target_sdn); if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) { LOG_FATAL("slapi_pblock_set failed!\n"); diff --git a/freeipa.spec.in b/freeipa.spec.in index 0d5c745..84a1d65 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -154,7 +154,7 @@ Requires(pre): systemd-units Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} -Requires: slapi-nis >= 0.55-1 +Requires: slapi-nis >= 0.56.0 Requires: pki-ca >= 10.3.2 Requires: pki-kra >= 10.3.2 Requires(preun): python systemd-units -- 2.5.0 -- / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree
On 06/20/2016 08:27 PM, Alexander Bokovoy wrote: On Tue, 14 Jun 2016, thierry bordaz wrote: From ac6c0617f618fc609df93dc18ec25255484b533d Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Fri, 10 Jun 2016 15:34:40 +0200 Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop plugin ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry. If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req) https://fedorahosted.org/freeipa/ticket/5946 --- .../ipa-pwd-extop/ipa_pwd_extop.c | 36 +- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 440e221..3c2c44f 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) char *attrlist[] = {"*", "passwordHistory", NULL }; struct ipapwd_data pwdata; int is_krb, is_smb, is_ipant; -char *principal = NULL; +char *principal = NULL; Slapi_PBlock *chpwop_pb = NULL; +Slapi_DN *target_sdn = NULL; +char *target_dn = NULL; /* Get the ber value of the extended operation */ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); 
@@ -327,14 +329,32 @@ parse_req_done: } } - /* Determine the target DN for this operation */ - /* Did they give us a DN ? */ -if (dn == NULL || *dn == '\0') { - /* Get the DN from the bind identity on this connection */ -dn = slapi_ch_strdup(bindDN); -LOG_TRACE("Missing userIdentity in request, " - "using the bind DN instead.\n"); +/* Determine the target DN for this operation */ +slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); +if (target_sdn != NULL) { +/* If there is a TARGET_DN we are consuming it */ +slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); +target_dn = slapi_sdn_get_ndn(target_sdn); } +if (target_dn == NULL || *target_dn == '\0') { +/* Did they give us a DN ? */ +if (dn == NULL || *dn == '\0') { +/* Get the DN from the bind identity on this connection */ +dn = slapi_ch_strdup(bindDN); +LOG_TRACE("Missing userIdentity in request, " +"using the bind DN instead.\n"); +} +LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); +} else { +/* At this point if SLAPI_TARGET_SDN was set that means + * that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it + * So take this one rather that the raw one that is in the ber + */ +LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : "", target_dn); +slapi_ch_free_string(&dn); +dn = slapi_ch_strdup(target_dn); +} +slapi_sdn_free(&target_sdn); if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) { LOG_FATAL("slapi_pblock_set failed!\n"); -- 2.5.0 ACK. A build with slapi-nis 0.56.0-2.fc24 that includes pre-extop callback is available in Fedora -- https://bodhi.fedoraproject.org/updates/slapi-nis-0.56.0-2.fc24 so you can test against it. I think FreeIPA also needs to raise dependency to slapi-nis >= 0.56.0 for this. Testing with slapi-nis 0.56.0-2, successful update of password from compat tree users. From 034a07211de4d11c6cb998676cc5f7439af981c6 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz Date: Fri, 10 Jun 2016 15:34:40 +0200 Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop plugin ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry. If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req) There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955) https://fedorahosted.org/freeipa/ticket/5946 --- .../ipa-pwd-extop/ipa_pwd_extop.c | 36 +- freeipa.spec.in| 2 +- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 440e221..3c2c44f 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
Re: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree
On Tue, 14 Jun 2016, thierry bordaz wrote: From ac6c0617f618fc609df93dc18ec25255484b533d Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Fri, 10 Jun 2016 15:34:40 +0200 Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop plugin ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry. If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req) https://fedorahosted.org/freeipa/ticket/5946 --- .../ipa-pwd-extop/ipa_pwd_extop.c | 36 +- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 440e221..3c2c44f 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) char *attrlist[] = {"*", "passwordHistory", NULL }; struct ipapwd_data pwdata; int is_krb, is_smb, is_ipant; -char *principal = NULL; + char *principal = NULL; Slapi_PBlock *chpwop_pb = NULL; + Slapi_DN *target_sdn = NULL; + char *target_dn = NULL; /* Get the ber value of the extended operation */ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); 
@@ -327,14 +329,32 @@ parse_req_done: } } -/* Determine the target DN for this operation */ -/* Did they give us a DN ? */ - if (dn == NULL || *dn == '\0') { - /* Get the DN from the bind identity on this connection */ - dn = slapi_ch_strdup(bindDN); - LOG_TRACE("Missing userIdentity in request, " - "using the bind DN instead.\n"); + /* Determine the target DN for this operation */ + slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); + if (target_sdn != NULL) { + /* If there is a TARGET_DN we are consuming it */ + slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); + target_dn = slapi_sdn_get_ndn(target_sdn); } + if (target_dn == NULL || *target_dn == '\0') { + /* Did they give us a DN ? */ + if (dn == NULL || *dn == '\0') { + /* Get the DN from the bind identity on this connection */ + dn = slapi_ch_strdup(bindDN); + LOG_TRACE("Missing userIdentity in request, " + "using the bind DN instead.\n"); + } + LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); + } else { + /* At this point if SLAPI_TARGET_SDN was set that means +* that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it +* So take this one rather that the raw one that is in the ber +*/ + LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : "", target_dn); + slapi_ch_free_string(&dn); + dn = slapi_ch_strdup(target_dn); + } + slapi_sdn_free(&target_sdn); if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) { LOG_FATAL("slapi_pblock_set failed!\n"); -- 2.5.0 ACK. A build with slapi-nis 0.56.0-2.fc24 that includes pre-extop callback is available in Fedora -- https://bodhi.fedoraproject.org/updates/slapi-nis-0.56.0-2.fc24 so you can test against it. I think FreeIPA also needs to raise dependency to slapi-nis >= 0.56.0 for this. -- / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree
On Tue, 14 Jun 2016, thierry bordaz wrote: From ac6c0617f618fc609df93dc18ec25255484b533d Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Fri, 10 Jun 2016 15:34:40 +0200 Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop plugin ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry. If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req) https://fedorahosted.org/freeipa/ticket/5946 --- .../ipa-pwd-extop/ipa_pwd_extop.c | 36 +- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 440e221..3c2c44f 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) char *attrlist[] = {"*", "passwordHistory", NULL }; struct ipapwd_data pwdata; int is_krb, is_smb, is_ipant; -char *principal = NULL; + char *principal = NULL; Slapi_PBlock *chpwop_pb = NULL; + Slapi_DN *target_sdn = NULL; + char *target_dn = NULL; /* Get the ber value of the extended operation */ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); 
@@ -327,14 +329,32 @@ parse_req_done: } } -/* Determine the target DN for this operation */ -/* Did they give us a DN ? */ - if (dn == NULL || *dn == '\0') { - /* Get the DN from the bind identity on this connection */ - dn = slapi_ch_strdup(bindDN); - LOG_TRACE("Missing userIdentity in request, " - "using the bind DN instead.\n"); + /* Determine the target DN for this operation */ + slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); + if (target_sdn != NULL) { + /* If there is a TARGET_DN we are consuming it */ + slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); + target_dn = slapi_sdn_get_ndn(target_sdn); } + if (target_dn == NULL || *target_dn == '\0') { + /* Did they give us a DN ? */ + if (dn == NULL || *dn == '\0') { + /* Get the DN from the bind identity on this connection */ + dn = slapi_ch_strdup(bindDN); + LOG_TRACE("Missing userIdentity in request, " + "using the bind DN instead.\n"); + } + LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); + } else { + /* At this point if SLAPI_TARGET_SDN was set that means +* that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it +* So take this one rather that the raw one that is in the ber +*/ + LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : "", target_dn); + slapi_ch_free_string(&dn); + dn = slapi_ch_strdup(target_dn); + } + slapi_sdn_free(&target_sdn); Looks good now. ACK for the patch, the testing will come once slapi-nis patches will be available. Thanks. -- / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree
On 06/13/2016 05:06 PM, Alexander Bokovoy wrote: On Mon, 13 Jun 2016, thierry bordaz wrote: From fff11869d8cf3dfe98471e018c10926fc23b13da Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Fri, 10 Jun 2016 15:34:40 +0200 Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop plugin ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry. If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req) https://fedorahosted.org/freeipa/ticket/5946 --- .../ipa-pwd-extop/ipa_pwd_extop.c | 33 -- 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 440e221..10fff30 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) char *attrlist[] = {"*", "passwordHistory", NULL }; struct ipapwd_data pwdata; int is_krb, is_smb, is_ipant; -char *principal = NULL; +char *principal = NULL; Slapi_PBlock *chpwop_pb = NULL; +Slapi_DN *target_sdn = NULL; +char *target_dn = NULL; /* Get the ber value of the extended operation */ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); 
@@ -327,13 +329,28 @@ parse_req_done: } } - /* Determine the target DN for this operation */ - /* Did they give us a DN ? */ -if (dn == NULL || *dn == '\0') { - /* Get the DN from the bind identity on this connection */ -dn = slapi_ch_strdup(bindDN); -LOG_TRACE("Missing userIdentity in request, " - "using the bind DN instead.\n"); +/* Determine the target DN for this operation */ +slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); +target_dn = slapi_sdn_get_ndn(target_sdn); +if (target_dn) { can you please use the same style for writing comparisons as the file is using already? if (!(target_dn == NULL || *target_dn == '\0')) { ... } +/* At this point if SLAPI_TARGET_SDN was set that means + * that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it + * So take this one rather that the raw one that is in the ber + */ +LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : "", target_dn); +slapi_ch_free_string(&dn); +dn = slapi_ch_strdup(target_dn); +slapi_sdn_free(&target_sdn); +slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); +} else { +/* Did they give us a DN ? */ +if (dn == NULL || *dn == '\0') { +/* Get the DN from the bind identity on this connection */ +dn = slapi_ch_strdup(bindDN); +LOG_TRACE("Missing userIdentity in request, " +"using the bind DN instead.\n"); +} +LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); } if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) { -- 2.5.0 Changing the comparison style From ac6c0617f618fc609df93dc18ec25255484b533d Mon Sep 17 00:00:00 2001
From: Thierry Bordaz Date: Fri, 10 Jun 2016 15:34:40 +0200 Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop plugin ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry. If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req) https://fedorahosted.org/freeipa/ticket/5946 --- .../ipa-pwd-extop/ipa_pwd_extop.c | 36 +- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 440e221..3c2c44f 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) char *attrlist[] = {"*", "passwordHistory", NULL }; struct ipapwd_data pwdata; int is_krb, is_smb, is_ipant; -char *principal = NULL; + char *principal = NULL; Slapi_PBlock *chpwop_pb = NULL; + Slapi_DN *target_sdn = NULL; + char *target_dn = NULL; /* Get the ber value of the extended operation */ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); @@ -327,14 +329,32 @@ parse_req_done: } } - /* Determine the target DN for this operation */ - /* Did they give us a DN
Re: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree
On Mon, 13 Jun 2016, thierry bordaz wrote: From fff11869d8cf3dfe98471e018c10926fc23b13da Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Fri, 10 Jun 2016 15:34:40 +0200 Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop plugin ipapwd_extop allows to update the password on a specific entry, identified by its DN. It can be usefull to support virtual DN in the extop so that update of a virtual entry would land into the proper real entry. If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value of TARGET_DN, instead of using the original one (in the ber req) https://fedorahosted.org/freeipa/ticket/5946 --- .../ipa-pwd-extop/ipa_pwd_extop.c | 33 -- 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 440e221..10fff30 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) char *attrlist[] = {"*", "passwordHistory", NULL }; struct ipapwd_data pwdata; int is_krb, is_smb, is_ipant; -char *principal = NULL; + char *principal = NULL; Slapi_PBlock *chpwop_pb = NULL; + Slapi_DN *target_sdn = NULL; + char *target_dn = NULL; /* Get the ber value of the extended operation */ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); 
@@ -327,13 +329,28 @@ parse_req_done: } } -/* Determine the target DN for this operation */ -/* Did they give us a DN ? */ - if (dn == NULL || *dn == '\0') { - /* Get the DN from the bind identity on this connection */ - dn = slapi_ch_strdup(bindDN); - LOG_TRACE("Missing userIdentity in request, " - "using the bind DN instead.\n"); + /* Determine the target DN for this operation */ + slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); + target_dn = slapi_sdn_get_ndn(target_sdn); + if (target_dn) { can you please use the same style for writing comparisons as the file is using already? if (!(target_dn == NULL || *target_dn == '\0')) { ... } + /* At this point if SLAPI_TARGET_SDN was set that means +* that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it +* So take this one rather that the raw one that is in the ber +*/ + LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : "", target_dn); + slapi_ch_free_string(&dn); + dn = slapi_ch_strdup(target_dn); + slapi_sdn_free(&target_sdn); + slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); + } else { + /* Did they give us a DN ? */ + if (dn == NULL || *dn == '\0') { + /* Get the DN from the bind identity on this connection */ + dn = slapi_ch_strdup(bindDN); + LOG_TRACE("Missing userIdentity in request, " + "using the bind DN instead.\n"); + } + LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); } if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) { -- 2.5.0 -- / Alexander Bokovoy
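Review bot: `if (target_dn) {` in the target-DN hunk (@@ -327,13 +329,28 @@) of this first revision is true for an empty string, so a `SLAPI_TARGET_SDN` whose normalized DN is `""` replaces `dn` with an empty value and skips the bind-DN fallback in the `else` branch. Test `target_dn == NULL || *target_dn == '\0'`, as the existing `dn` check does. `slapi_sdn_free(&target_sdn)` and `slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL)` also run only inside that branch, so an SDN that yields no DN stays set in the pblock and is never released here; move both out of the conditional.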