Commit 229bd4ec authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount

Merge remote-tracking branch 'origin/master' into OPENLDAP_REL_ENG_2_5

parents cfaf5f0b d4c7126e
......@@ -162,6 +162,10 @@ static int print_dirsync( LDAP *ld, LDAPControl *ctrl );
#ifdef LDAP_CONTROL_X_ACCOUNT_USABILITY
static int print_account_usability( LDAP *ld, LDAPControl *ctrl );
#endif
#ifdef LDAP_CONTROL_X_PASSWORD_EXPIRED
static int print_netscape_pwexpired( LDAP *ld, LDAPControl *ctrl );
static int print_netscape_pwexpiring( LDAP *ld, LDAPControl *ctrl );
#endif
static struct tool_ctrls_t {
const char *oid;
......@@ -194,6 +198,10 @@ static struct tool_ctrls_t {
#endif
#ifdef LDAP_CONTROL_X_ACCOUNT_USABILITY
{ LDAP_CONTROL_X_ACCOUNT_USABILITY, TOOL_SEARCH, print_account_usability },
#endif
#ifdef LDAP_CONTROL_X_PASSWORD_EXPIRED
{ LDAP_CONTROL_X_PASSWORD_EXPIRED, TOOL_ALL, print_netscape_pwexpired },
{ LDAP_CONTROL_X_PASSWORD_EXPIRING, TOOL_ALL, print_netscape_pwexpiring },
#endif
{ NULL, 0, NULL }
};
......@@ -1645,6 +1653,23 @@ tool_bind( LDAP *ld )
}
}
#ifdef LDAP_CONTROL_X_PASSWORD_EXPIRED
if ( ctrls ) {
LDAPControl *ctrl;
ctrl = ldap_control_find( LDAP_CONTROL_X_PASSWORD_EXPIRED,
ctrls, NULL );
if ( !ctrl )
ctrl = ldap_control_find( LDAP_CONTROL_X_PASSWORD_EXPIRING,
ctrls, NULL );
if ( ctrl ) {
LDAPControl *ctmp[2];
ctmp[0] = ctrl;
ctmp[1] = NULL;
tool_print_ctrls( ld, ctmp );
}
}
#endif
if ( ctrls ) {
ldap_controls_free( ctrls );
}
......@@ -2574,6 +2599,28 @@ print_ppolicy( LDAP *ld, LDAPControl *ctrl )
}
#endif
#ifdef LDAP_CONTROL_X_PASSWORD_EXPIRED
static int
print_netscape_pwexpired( LDAP *ld, LDAPControl *ctrl )
{
printf(_("# PasswordExpired control\n") );
return 0;
}
static int
print_netscape_pwexpiring( LDAP *ld, LDAPControl *ctrl )
{
long expiring = 0;
int rc;
rc = ldap_parse_password_expiring_control( ld, ctrl, &expiring );
if ( rc == LDAP_SUCCESS ) {
printf(_("# PasswordExpiring control seconds=%ld\n"), expiring );
}
return rc;
}
#endif
#ifdef LDAP_CONTROL_X_ACCOUNT_USABILITY
static int
print_account_usability( LDAP *ld, LDAPControl *ctrl )
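Review bot: The new print_netscape_pwexpired and print_netscape_pwexpiring handlers carry no header comment, so nothing in the file says which controls they decode or that the first one deliberately ignores `ctrl`; add `/* Netscape PasswordExpired response control (draft-vchu-ldap-pwd-policy): no value is parsed, only a marker line is printed */` above the first and `/* Netscape PasswordExpiring response control: value presumably is seconds until expiry, as printed below — confirm against the draft */` above the second. In the tool_bind hunk, ldap_control_find for LDAP_CONTROL_X_PASSWORD_EXPIRED falls back to LDAP_CONTROL_X_PASSWORD_EXPIRING, so if a server ever returned both only the first is printed; a comment such as `/* a server is expected to send at most one of the two */` would make that assumption explicit. tool_bind and print_account_usability both extend outside the hunks shown.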
......
......@@ -393,9 +393,8 @@ typedef struct ldapcontrol {
#define LDAP_TAG_X_ACCOUNT_USABILITY_UNTIL_UNLOCK ((ber_tag_t) 0x84U) /* primitive + 4 */
/* Netscape Password policy response controls */
/* https://docs.oracle.com/cd/E19957-01/816-5618-10/netscape/ldap/controls/LDAPPasswordExpiredControl.html */
/* <draft-vchu-ldap-pwd-policy> */
#define LDAP_CONTROL_X_PASSWORD_EXPIRED "2.16.840.1.113730.3.4.4"
/* https://docs.oracle.com/cd/E19957-01/816-5618-10/netscape/ldap/controls/LDAPPasswordExpiringControl.html */
#define LDAP_CONTROL_X_PASSWORD_EXPIRING "2.16.840.1.113730.3.4.5"
/* LDAP Unsolicited Notifications */
......
......@@ -57,6 +57,7 @@ typedef struct pp_info {
int forward_updates; /* use frontend for policy state updates */
int disable_write;
int send_netscape_controls; /* send netscape password controls */
ldap_pvt_thread_mutex_t pwdFailureTime_mutex;
} pp_info;
/* Our per-connection info - note, it is not per-instance, it is
......@@ -1418,11 +1419,13 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
goto locked;
}
ldap_pvt_thread_mutex_lock( &pi->pwdFailureTime_mutex );
op->o_bd->bd_info = (BackendInfo *)on->on_info;
rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
op->o_bd->bd_info = bi;
if ( rc != LDAP_SUCCESS ) {
ldap_pvt_thread_mutex_unlock( &pi->pwdFailureTime_mutex );
return SLAP_CB_CONTINUE;
}
......@@ -1770,7 +1773,7 @@ locked:
}
ctrl = create_passcontrol( op, warn, ngut, ppb->pErr );
} else if ( pi->send_netscape_controls ) {
if ( ppb->pErr != PP_noError || ngut > 0 ) {
if ( ppb->pErr != PP_noError || pwExpired ) {
ctrl = create_passexpiry( op, 1, 0 );
} else if ( warn > 0 ) {
ctrl = create_passexpiry( op, 0, warn );
......@@ -1781,6 +1784,7 @@ locked:
op->o_callback->sc_cleanup = ppolicy_ctrls_cleanup;
}
op->o_bd->bd_info = bi;
ldap_pvt_thread_mutex_unlock( &pi->pwdFailureTime_mutex );
return SLAP_CB_CONTINUE;
}
......@@ -3115,6 +3119,7 @@ ppolicy_db_init(
)
{
slap_overinst *on = (slap_overinst *) be->bd_info;
pp_info *pi;
if ( SLAP_ISGLOBALOVERLAY( be ) ) {
/* do not allow slapo-ppolicy to be global by now (ITS#5858) */
......@@ -3126,7 +3131,7 @@ ppolicy_db_init(
return 1;
}
on->on_bi.bi_private = ch_calloc( sizeof(pp_info), 1 );
pi = on->on_bi.bi_private = ch_calloc( sizeof(pp_info), 1 );
if ( !pwcons ) {
/* accommodate for c_conn_idx == -1 */
......@@ -3136,6 +3141,8 @@ ppolicy_db_init(
ov_count++;
ldap_pvt_thread_mutex_init( &pi->pwdFailureTime_mutex );
return 0;
}
......@@ -3177,6 +3184,7 @@ ppolicy_db_destroy(
pp_info *pi = on->on_bi.bi_private;
on->on_bi.bi_private = NULL;
ldap_pvt_thread_mutex_destroy( &pi->pwdFailureTime_mutex );
free( pi->def_policy.bv_val );
free( pi );
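Review bot: The `goto locked;` visible at the top of the ppolicy_bind_response hunk jumps past the newly added `ldap_pvt_thread_mutex_lock( &pi->pwdFailureTime_mutex )`, while the tail after `locked:` unconditionally calls `ldap_pvt_thread_mutex_unlock` before `return SLAP_CB_CONTINUE`; unless that path acquires the mutex somewhere outside the hunk, this unlocks a mutex the thread does not own, which is undefined behaviour for a default mutex and leaves the pwdFailureTime update on that path unserialised. Every other early return between the lock and the `locked:` label (most of the function lies outside these hunks) needs the same unlock that the be_entry_get_rw failure path now has. The new pp_info field would also benefit from stating its purpose, e.g. `ldap_pvt_thread_mutex_t pwdFailureTime_mutex; /* presumably serialises the read-modify-write of pwdFailureTime across concurrent binds — confirm */`. ppolicy_bind_response starts and ends outside the hunks shown.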
......
......@@ -2157,6 +2157,8 @@ syncrepl_accesslog_mods(
if ( !mod || ad != mod->sml_desc || op != mod->sml_op ) {
mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
if ( op == LDAP_MOD_ADD && is_at_single_value( ad->ad_type ))
op = LDAP_MOD_REPLACE;
mod->sml_flags = 0;
mod->sml_op = op;
mod->sml_next = NULL;
......@@ -5077,7 +5079,10 @@ attr_cmp( Operation *op, Attribute *old, Attribute *new,
/* some values were added */
if ( nn && no < o ) {
mod = ch_malloc( sizeof( Modifications ) );
mod->sml_op = LDAP_MOD_ADD;
if ( is_at_single_value( old->a_desc->ad_type ))
mod->sml_op = LDAP_MOD_REPLACE;
else
mod->sml_op = LDAP_MOD_ADD;
mod->sml_flags = 0;
mod->sml_desc = old->a_desc;
mod->sml_type = mod->sml_desc->ad_cname;
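Review bot: Both hunks switch single-valued attributes from LDAP_MOD_ADD to LDAP_MOD_REPLACE without a word on why, and the reason is not obvious from the surrounding context; a one-line comment at each site, e.g. `/* single-valued: REPLACE, presumably so the new value does not collide with one still present on the consumer — confirm */`, would spare the next reader a bisect. In attr_cmp the branch sits under the comment "some values were added", which is now slightly misleading for the REPLACE case, since a REPLACE carries the whole value set rather than just the added values; for a single-valued attribute that is at most one value, which is likely why the change is safe, but the comment should say so. The two sites express the same rule in different shapes (an if/else in attr_cmp, an in-place reassignment of `op` in syncrepl_accesslog_mods); a small static helper would keep them from drifting. Both functions begin and end outside the hunks shown.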
......
......@@ -152,7 +152,7 @@ fi
echo "Filling password history..."
$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS >> \
$TESTOUT 2>&1 << EOMODS
dn: uid=nd, ou=People, dc=example, dc=com
dn: $USER
changetype: modify
delete: userpassword
userpassword: $PASS
......@@ -160,7 +160,7 @@ userpassword: $PASS
replace: userpassword
userpassword: 20urgle12-1
dn: uid=nd, ou=People, dc=example, dc=com
dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-1
......@@ -168,7 +168,7 @@ userpassword: 20urgle12-1
replace: userpassword
userpassword: 20urgle12-2
dn: uid=nd, ou=People, dc=example, dc=com
dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-2
......@@ -176,7 +176,7 @@ userpassword: 20urgle12-2
replace: userpassword
userpassword: 20urgle12-3
dn: uid=nd, ou=People, dc=example, dc=com
dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-3
......@@ -184,7 +184,7 @@ userpassword: 20urgle12-3
replace: userpassword
userpassword: 20urgle12-4
dn: uid=nd, ou=People, dc=example, dc=com
dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-4
......@@ -192,7 +192,7 @@ userpassword: 20urgle12-4
replace: userpassword
userpassword: 20urgle12-5
dn: uid=nd, ou=People, dc=example, dc=com
dn: $USER
changetype: modify
delete: userpassword
userpassword: 20urgle12-5
......@@ -210,7 +210,7 @@ fi
echo "Testing password history..."
$LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 >> \
$TESTOUT 2>&1 << EOMODS
dn: uid=nd, ou=People, dc=example, dc=com
dn: $USER
changetype: modify
delete: userPassword
userPassword: 20urgle12-6
......@@ -259,7 +259,7 @@ echo "Testing forced reset..."
$LDAPMODIFY -v -D "$PWADMIN" -h $LOCALHOST -p $PORT1 -w $ADMINPASSWD >> \
$TESTOUT 2>&1 << EOMODS
dn: uid=nd, ou=People, dc=example, dc=com
dn: $USER
changetype: modify
replace: userPassword
userPassword: $PASS
......@@ -292,7 +292,7 @@ echo "Clearing forced reset..."
$LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
$TESTOUT 2>&1 << EOMODS
dn: uid=nd, ou=People, dc=example, dc=com
dn: $USER
changetype: modify
delete: pwdReset
......@@ -661,6 +661,100 @@ fi
fi
echo ""
echo "Testing obsolete Netscape ppolicy controls..."
echo "Enabling Netscape controls..."
$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF >> \
$TESTOUT 2>&1 << EOMODS
dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
changetype: modify
replace: olcPPolicySendNetscapeControls
olcPPolicySendNetscapeControls: TRUE
-
EOMODS
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Reconfiguring policy to remove grace logins..."
$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
$TESTOUT 2>&1 << EOMODS
dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
changetype: modify
delete: pwdGraceAuthnLimit
-
replace: pwdMaxAge
pwdMaxAge: 15
-
EOMODS
RC=$?
if test $RC != 0 ; then
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
OLDPASS=$PASS
PASS=newpass
$LDAPPASSWD -H $URI1 \
-w secret -s $PASS \
-D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "Setting new password failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Clearing forced reset..."
$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
$TESTOUT 2>&1 << EOMODS
dn: $USER
changetype: modify
delete: pwdReset
EOMODS
DELAY=`$LDAPSEARCH -D "$MANAGERDN" -H $URI1 -w $PASSWD \
-b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*expire=\(\d*\)/\1/p'`
DELAY=`expr $DELAY - 10`
echo "Testing password expiration"
echo "Waiting $DELAY seconds for password to expire..."
sleep $DELAY
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
-b "$BASEDN" -s base > $SEARCHOUT 2>&1
sleep 3
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
sleep 3
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
sleep 3
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
sleep 3
$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
RC=$?
if test $RC = 0 ; then
echo "Password expiration failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit 1
fi
COUNT=`grep "PasswordExpiring" $SEARCHOUT | wc -l`
if test $COUNT = 0 ; then
echo "Password expiring warning test failed!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit 1
fi
test $KILLSERVERS != no && kill -HUP $KILLPIDS
echo ">>>>> Test succeeded"
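>>>> Test succeeded"">
Review bot: The `\d` in the sed expression that extracts the expiry delay is not a POSIX BRE digit class (GNU sed treats `\d` as a decimal character escape), so the substitution most likely never matches, DELAY ends up empty, `expr $DELAY - 10` errors and `sleep $DELAY` fails; use `sed -n -e 's/.*expire=\([0-9]*\).*/\1/p'` and guard against an empty or negative DELAY before sleeping. The new `$LDAPPASSWD` call hard-codes `-w secret` where every other call that binds as `$MANAGERDN` in this script uses `-w $PASSWD`; it should use the variable too. The "Clearing forced reset..." ldapmodify here has no `RC=$?` check, unlike its twin earlier in the script, and OLDPASS is assigned but never read.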
......
......@@ -143,7 +143,7 @@ if test -n "$TLS_PEERKEY"; then
-ZZ -b "" -s base -H $URIP1 '@extensibleObject' > $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch (ldaps) failed ($RC)!"
echo "ldapsearch (StartTLS) failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
else
......@@ -160,7 +160,7 @@ if test -n "$TLS_PEERKEY_HASHED_FAIL"; then
-ZZ -b "" -s base -H $URIP1 '@extensibleObject' > $SEARCHOUT 2>&1
RC=$?
if test $RC = 0 ; then
echo "ldapsearch (ldaps) succeeded when it should have failed($RC)!"
echo "ldapsearch (StartTLS) succeeded when it should have failed($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit 1
else
......@@ -177,7 +177,7 @@ if test -n "$TLS_PEERKEY_HASHED"; then
-ZZ -b "" -s base -H $URIP1 '@extensibleObject' > $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch (ldaps) failed ($RC)!"
echo "ldapsearch (StartTLS) failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
else
......