Commit
61e9b6d3
authored
Feb 24, 2021
by
Ondřej Kuzník
Committed by
Quanah Gibson-Mount
Mar 25, 2021
ITS#9347 Log which policy attribute is invalid
parent
be266333
servers/slapd/overlays/ppolicy.c
...
...
@@ -867,6 +867,7 @@ ppolicy_get( Operation *op, Entry *e, PassPolicy *pp )
slap_overinst
*
on
=
(
slap_overinst
*
)
op
->
o_bd
->
bd_info
;
pp_info
*
pi
=
on
->
on_bi
.
bi_private
;
BackendDB
*
bd
,
*
bd_orig
=
op
->
o_bd
;
AttributeDescription
*
ad
=
NULL
;
Attribute
*
a
;
BerVarray
vals
;
int
rc
=
LDAP_SUCCESS
;
...
...
@@ -877,7 +878,8 @@ ppolicy_get( Operation *op, Entry *e, PassPolicy *pp )
ppolicy_get_default
(
pp
);
if
((
a
=
attr_find
(
e
->
e_attrs
,
ad_pwdPolicySubentry
))
==
NULL
)
{
ad
=
ad_pwdPolicySubentry
;
if
(
(
a
=
attr_find
(
e
->
e_attrs
,
ad
))
==
NULL
)
{
/*
* entry has no password policy assigned - use default
*/
...
...
@@ -909,113 +911,156 @@ ppolicy_get( Operation *op, Entry *e, PassPolicy *pp )
slap_bv2ad( &a->a_vals[0], &pp->ad, &text );
#endif
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdMinAge
)
)
ad
=
ad_pwdMinAge
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdMinAge
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdMaxAge
)
)
ad
=
ad_pwdMaxAge
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdMaxAge
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdMaxIdle
)
)
ad
=
ad_pwdMaxIdle
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdMaxIdle
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdInHistory
)
)
ad
=
ad_pwdInHistory
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdInHistory
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdCheckQuality
)
)
ad
=
ad_pwdCheckQuality
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdCheckQuality
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdMinLength
)
)
ad
=
ad_pwdMinLength
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdMinLength
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdMaxLength
)
)
ad
=
ad_pwdMaxLength
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdMaxLength
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdMaxFailure
)
)
ad
=
ad_pwdMaxFailure
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdMaxFailure
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdMaxRecordedFailure
)
)
ad
=
ad_pwdMaxRecordedFailure
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdMaxRecordedFailure
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdGraceExpiry
)
)
ad
=
ad_pwdGraceExpiry
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdGraceExpiry
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdGraceAuthNLimit
)
)
ad
=
ad_pwdGraceAuthNLimit
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdGraceAuthNLimit
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdExpireWarning
)
)
ad
=
ad_pwdExpireWarning
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdExpireWarning
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdFailureCountInterval
)
)
ad
=
ad_pwdFailureCountInterval
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdFailureCountInterval
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdLockoutDuration
)
)
ad
=
ad_pwdLockoutDuration
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdLockoutDuration
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdMinDelay
)
)
ad
=
ad_pwdMinDelay
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdMinDelay
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdMaxDelay
)
)
ad
=
ad_pwdMaxDelay
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
&&
lutil_atoi
(
&
pp
->
pwdMaxDelay
,
a
->
a_vals
[
0
].
bv_val
)
!=
0
)
{
rc
=
LDAP_CONSTRAINT_VIOLATION
;
goto
defaultpol
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdCheckModule
)
)
)
{
ad
=
ad_pwdCheckModule
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
)
{
strncpy
(
pp
->
pwdCheckModule
,
a
->
a_vals
[
0
].
bv_val
,
sizeof
(
pp
->
pwdCheckModule
)
);
pp
->
pwdCheckModule
[
sizeof
(
pp
->
pwdCheckModule
)
-
1
]
=
'\0'
;
}
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdCheckModuleArg
)
)
)
{
ad
=
ad_pwdCheckModuleArg
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
)
{
ber_dupbv_x
(
&
pp
->
pwdCheckModuleArg
,
&
a
->
a_vals
[
0
],
op
->
o_tmpmemctx
);
}
if
((
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdLockout
)))
ad
=
ad_pwdLockout
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
)
pp
->
pwdLockout
=
bvmatch
(
&
a
->
a_nvals
[
0
],
&
slap_true_bv
);
if
((
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdMustChange
)))
ad
=
ad_pwdMustChange
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
)
pp
->
pwdMustChange
=
bvmatch
(
&
a
->
a_nvals
[
0
],
&
slap_true_bv
);
if
((
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdAllowUserChange
)))
ad
=
ad_pwdAllowUserChange
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
)
pp
->
pwdAllowUserChange
=
bvmatch
(
&
a
->
a_nvals
[
0
],
&
slap_true_bv
);
if
((
a
=
attr_find
(
pe
->
e_attrs
,
ad_pwdSafeModify
)))
ad
=
ad_pwdSafeModify
;
if
(
(
a
=
attr_find
(
pe
->
e_attrs
,
ad
))
)
pp
->
pwdSafeModify
=
bvmatch
(
&
a
->
a_nvals
[
0
],
&
slap_true_bv
);
if
(
pp
->
pwdMaxRecordedFailure
<
pp
->
pwdMaxFailure
)
pp
->
pwdMaxRecordedFailure
=
pp
->
pwdMaxFailure
;
if
(
!
pp
->
pwdMaxRecordedFailure
&&
pp
->
pwdMinDelay
)
pp
->
pwdMaxRecordedFailure
=
PPOLICY_DEFAULT_MAXRECORDED_FAILURE
;
if
(
pp
->
pwdMinDelay
&&
!
pp
->
pwdMaxDelay
)
{
Debug
(
LDAP_DEBUG_ANY
,
"ppolicy_get: pwdMinDelay was set but pwdMaxDelay wasn't, "
"assuming they are equal
\n
"
);
Debug
(
LDAP_DEBUG_ANY
,
"ppolicy_get: "
"pwdMinDelay was set but pwdMaxDelay wasn't, assuming they "
"are equal
\n
"
);
pp
->
pwdMaxDelay
=
pp
->
pwdMinDelay
;
}
...
...
@@ -1033,9 +1078,10 @@ defaultpol:
}
if
(
rc
&&
!
BER_BVISNULL
(
vals
)
)
{
Debug
(
LDAP_DEBUG_ANY
,
"ppolicy_get: policy subentry %s missing or invalid
\n
"
,
vals
->
bv_val
);
Debug
(
LDAP_DEBUG_ANY
,
"ppolicy_get: "
"policy subentry %s missing or invalid at '%s', "
"no policy will be applied!
\n
"
,
vals
->
bv_val
,
ad
?
ad
->
ad_cname
.
bv_val
:
""
);
}
else
{
Debug
(
LDAP_DEBUG_TRACE
,
"ppolicy_get: using default policy
\n
"
);
...
...
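Review bot: The attribute name the new `defaultpol` log reports is only correct because every failing `lutil_atoi` check in the third hunk jumps to `defaultpol` right after `ad` is assigned; after the last assignment (`ad = ad_pwdSafeModify`) the variable keeps that value for the rest of ppolicy_get, so any later path that sets `rc` and jumps to `defaultpol` (none is visible in these hunks, but the function continues past them) would be reported as "at 'pwdSafeModify'" regardless of the real cause. Consider clearing it once attribute parsing is finished, `ad = NULL;` after the pwdSafeModify lookup, so such a failure prints the empty string rather than a misleading attribute name, and record the convention at the declaration: `AttributeDescription *ad = NULL; /* attribute currently being parsed; named in the defaultpol log */`. The `ad = ad_X; if ((a = attr_find(pe->e_attrs, ad)) && lutil_atoi(&pp->X, a->a_vals[0].bv_val) != 0)` stanza is now repeated sixteen times; a small table of (description, destination) pairs walked in one loop would keep the lookup and the logged name from drifting apart when the next attribute is added. The enclosing function starts before the first hunk and ends after the last.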