Commit 1b22c04c authored by Kurt Zeilenga's avatar Kurt Zeilenga

ppolicy fix

parent 368fd041
......@@ -27,6 +27,7 @@ OpenLDAP 2.3.12 Release
Fixed slapd-meta per-target retry (ITS#4150)
Fixed slapd-meta size/time limit handling (ITS#4145)
Fixed slapo-ppolicy pwdFailureTIme after bind success issue (ITS#4134)
Fixed slapo-ppolicy add passord_hash quality config dependency
Fixed slapo-syncprov LDAP response types (ITS#4183)
Fixed slapd spurious defer message (ITS#3850)
Fixed slapd attribute SYNTAX OIDM issue (ITS#4116)
......@@ -1102,38 +1102,39 @@ ppolicy_add(
send_ldap_error( op, rs, rc, "Password fails quality checking policy" );
return rs->sr_err;
}
/*
* A controversial bit. We hash cleartext
* passwords provided via add and modify operations
* You're not really supposed to do this, since
* the X.500 model says "store attributes" as they
* get provided. By default, this is what we do
*
* But if the hash_passwords flag is set, we hash
* any cleartext password attribute values via the
* default password hashing scheme.
*/
if ((pi->hash_passwords) &&
(password_scheme( &(pa->a_vals[0]), NULL ) != LDAP_SUCCESS)) {
struct berval hpw;
slap_passwd_hash( &(pa->a_vals[0]), &hpw, &txt );
if (hpw.bv_val == NULL) {
/*
* hashing didn't work. Emit an error.
*/
rs->sr_err = LDAP_OTHER;
rs->sr_text = txt;
send_ldap_error( op, rs, LDAP_OTHER, "Password hashing failed" );
return rs->sr_err;
}
}
/*
* A controversial bit. We hash cleartext
* passwords provided via add and modify operations
* You're not really supposed to do this, since
* the X.500 model says "store attributes" as they
* get provided. By default, this is what we do
*
* But if the hash_passwords flag is set, we hash
* any cleartext password attribute values via the
* default password hashing scheme.
*/
if ((pi->hash_passwords) &&
(password_scheme( &(pa->a_vals[0]), NULL ) != LDAP_SUCCESS)) {
struct berval hpw;
memset( pa->a_vals[0].bv_val, 0, pa->a_vals[0].bv_len);
ber_memfree( pa->a_vals[0].bv_val );
pa->a_vals[0].bv_val = hpw.bv_val;
pa->a_vals[0].bv_len = hpw.bv_len;
slap_passwd_hash( &(pa->a_vals[0]), &hpw, &txt );
if (hpw.bv_val == NULL) {
/*
* hashing didn't work. Emit an error.
*/
rs->sr_err = LDAP_OTHER;
rs->sr_text = txt;
send_ldap_error( op, rs, LDAP_OTHER, "Password hashing failed" );
return rs->sr_err;
}
memset( pa->a_vals[0].bv_val, 0, pa->a_vals[0].bv_len);
ber_memfree( pa->a_vals[0].bv_val );
pa->a_vals[0].bv_val = hpw.bv_val;
pa->a_vals[0].bv_len = hpw.bv_len;
}
/* If password aging is in effect, set the pwdChangedTime */
if ( pp.pwdMaxAge || pp.pwdMinAge ) {
struct berval timestamp;
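Review bot: As rendered, the new side of the hash_passwords branch shows the memset/ber_memfree/assignment block twice, once right after `struct berval hpw;` and again after the error check; if the first copy is really present on the new side it scrubs and frees the cleartext before `slap_passwd_hash` reads it and copies an uninitialized `hpw` into `pa->a_vals[0]`, so that copy should be dropped and the declaration should be followed directly by `slap_passwd_hash( &(pa->a_vals[0]), &hpw, &txt );` (this may be a page-rendering artifact; confirm against the raw diff). Independently, only `pa->a_vals[0]` is hashed, so a multi-valued userPassword still stores its remaining values in cleartext despite the flag. The `memset` before `ber_memfree` is a best-effort wipe that a compiler may elide as a dead store; a comment such as `/* best-effort scrub of the cleartext; plain memset may be optimized away */` would make that limit explicit. ppolicy_add begins before this hunk and continues after it.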