Merge remote-tracking branch 'origin/master' into OPENLDAP_REL_ENG_2_5

clients/tools/common.c

@@ -162,6 +162,10 @@ static int print_dirsync( LDAP *ld, LDAPControl *ctrl );
 #ifdef LDAP_CONTROL_X_ACCOUNT_USABILITY
 static int print_account_usability( LDAP *ld, LDAPControl *ctrl );
 #endif
+#ifdef LDAP_CONTROL_X_PASSWORD_EXPIRED
+static int print_netscape_pwexpired( LDAP *ld, LDAPControl *ctrl );
+static int print_netscape_pwexpiring( LDAP *ld, LDAPControl *ctrl );
+#endif
 
 static struct tool_ctrls_t {
 	const char	*oid;
@@ -194,6 +198,10 @@ static struct tool_ctrls_t {
 #endif
 #ifdef LDAP_CONTROL_X_ACCOUNT_USABILITY
 	{ LDAP_CONTROL_X_ACCOUNT_USABILITY,		TOOL_SEARCH,	print_account_usability },
+#endif
+#ifdef LDAP_CONTROL_X_PASSWORD_EXPIRED
+	{ LDAP_CONTROL_X_PASSWORD_EXPIRED,		TOOL_ALL,	print_netscape_pwexpired },
+	{ LDAP_CONTROL_X_PASSWORD_EXPIRING,		TOOL_ALL,	print_netscape_pwexpiring },
 #endif
 	{ NULL,						0,		NULL }
 };
@@ -1645,6 +1653,23 @@ tool_bind( LDAP *ld )
 		}
 	}
 
+#ifdef LDAP_CONTROL_X_PASSWORD_EXPIRED
+	if ( ctrls ) {
+		LDAPControl *ctrl;
+		ctrl = ldap_control_find( LDAP_CONTROL_X_PASSWORD_EXPIRED,
+			ctrls, NULL );
+		if ( !ctrl )
+			ctrl = ldap_control_find( LDAP_CONTROL_X_PASSWORD_EXPIRING,
+				ctrls, NULL );
+		if ( ctrl ) {
+			LDAPControl *ctmp[2];
+			ctmp[0] = ctrl;
+			ctmp[1] = NULL;
+			tool_print_ctrls( ld, ctmp );
+		}
+	}
+#endif
+
 	if ( ctrls ) {
 		ldap_controls_free( ctrls );
 	}
@@ -2574,6 +2599,28 @@ print_ppolicy( LDAP *ld, LDAPControl *ctrl )
 }
 #endif
 
+#ifdef LDAP_CONTROL_X_PASSWORD_EXPIRED
+static int
+print_netscape_pwexpired( LDAP *ld, LDAPControl *ctrl )
+{
+	printf(_("# PasswordExpired control\n") );
+	return 0;
+}
+
+static int
+print_netscape_pwexpiring( LDAP *ld, LDAPControl *ctrl )
+{
+	long expiring = 0;
+	int rc;
+
+	rc = ldap_parse_password_expiring_control( ld, ctrl, &expiring );
+	if ( rc == LDAP_SUCCESS ) {
+		printf(_("# PasswordExpiring control seconds=%ld\n"), expiring );
+	}
+	return rc;
+}
+#endif
+
 #ifdef LDAP_CONTROL_X_ACCOUNT_USABILITY
 static int
 print_account_usability( LDAP *ld, LDAPControl *ctrl )

include/ldap.h

@@ -393,9 +393,8 @@ typedef struct ldapcontrol {
 #define LDAP_TAG_X_ACCOUNT_USABILITY_UNTIL_UNLOCK	((ber_tag_t) 0x84U)	/* primitive + 4 */
 
 /* Netscape Password policy response controls */
-/* https://docs.oracle.com/cd/E19957-01/816-5618-10/netscape/ldap/controls/LDAPPasswordExpiredControl.html */
+/* <draft-vchu-ldap-pwd-policy> */
 #define LDAP_CONTROL_X_PASSWORD_EXPIRED		"2.16.840.1.113730.3.4.4"
-/* https://docs.oracle.com/cd/E19957-01/816-5618-10/netscape/ldap/controls/LDAPPasswordExpiringControl.html */
 #define LDAP_CONTROL_X_PASSWORD_EXPIRING	"2.16.840.1.113730.3.4.5"
 
 /* LDAP Unsolicited Notifications */

servers/slapd/overlays/ppolicy.c

@@ -57,6 +57,7 @@ typedef struct pp_info {
 	int forward_updates;	/* use frontend for policy state updates */
 	int disable_write;
 	int send_netscape_controls;	/* send netscape password controls */
+	ldap_pvt_thread_mutex_t pwdFailureTime_mutex;
 } pp_info;
 
 /* Our per-connection info - note, it is not per-instance, it is 
@@ -1418,11 +1419,13 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
 		goto locked;
 	}
 
+	ldap_pvt_thread_mutex_lock( &pi->pwdFailureTime_mutex );
 	op->o_bd->bd_info = (BackendInfo *)on->on_info;
 	rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
 	op->o_bd->bd_info = bi;
 
 	if ( rc != LDAP_SUCCESS ) {
+		ldap_pvt_thread_mutex_unlock( &pi->pwdFailureTime_mutex );
 		return SLAP_CB_CONTINUE;
 	}
 
@@ -1770,7 +1773,7 @@ locked:
 		}
 		ctrl = create_passcontrol( op, warn, ngut, ppb->pErr );
 	} else if ( pi->send_netscape_controls ) {
-		if ( ppb->pErr != PP_noError || ngut > 0 ) {
+		if ( ppb->pErr != PP_noError || pwExpired ) {
 			ctrl = create_passexpiry( op, 1, 0 );
 		} else if ( warn > 0 ) {
 			ctrl = create_passexpiry( op, 0, warn );
@@ -1781,6 +1784,7 @@ locked:
 		op->o_callback->sc_cleanup = ppolicy_ctrls_cleanup;
 	}
 	op->o_bd->bd_info = bi;
+	ldap_pvt_thread_mutex_unlock( &pi->pwdFailureTime_mutex );
 	return SLAP_CB_CONTINUE;
 }
 
@@ -3115,6 +3119,7 @@ ppolicy_db_init(
 )
 {
 	slap_overinst *on = (slap_overinst *) be->bd_info;
+	pp_info *pi;
 
 	if ( SLAP_ISGLOBALOVERLAY( be ) ) {
 		/* do not allow slapo-ppolicy to be global by now (ITS#5858) */
@@ -3126,7 +3131,7 @@ ppolicy_db_init(
 		return 1;
 	}
 
-	on->on_bi.bi_private = ch_calloc( sizeof(pp_info), 1 );
+	pi = on->on_bi.bi_private = ch_calloc( sizeof(pp_info), 1 );
 
 	if ( !pwcons ) {
 		/* accommodate for c_conn_idx == -1 */
@@ -3136,6 +3141,8 @@ ppolicy_db_init(
 
 	ov_count++;
 
+	ldap_pvt_thread_mutex_init( &pi->pwdFailureTime_mutex );
+
 	return 0;
 }
 
@@ -3177,6 +3184,7 @@ ppolicy_db_destroy(
 	pp_info *pi = on->on_bi.bi_private;
 
 	on->on_bi.bi_private = NULL;
+	ldap_pvt_thread_mutex_destroy( &pi->pwdFailureTime_mutex );
 	free( pi->def_policy.bv_val );
 	free( pi );
 

servers/slapd/syncrepl.c

@@ -2157,6 +2157,8 @@ syncrepl_accesslog_mods(
 
 		if ( !mod || ad != mod->sml_desc || op != mod->sml_op ) {
 			mod = (Modifications *) ch_malloc( sizeof( Modifications ) );
+			if ( op == LDAP_MOD_ADD && is_at_single_value( ad->ad_type ))
+				op = LDAP_MOD_REPLACE;
 			mod->sml_flags = 0;
 			mod->sml_op = op;
 			mod->sml_next = NULL;
@@ -5077,7 +5079,10 @@ attr_cmp( Operation *op, Attribute *old, Attribute *new,
 		/* some values were added */
 		if ( nn && no < o ) {
 			mod = ch_malloc( sizeof( Modifications ) );
-			mod->sml_op = LDAP_MOD_ADD;
+			if ( is_at_single_value( old->a_desc->ad_type ))
+				mod->sml_op = LDAP_MOD_REPLACE;
+			else
+				mod->sml_op = LDAP_MOD_ADD;
 			mod->sml_flags = 0;
 			mod->sml_desc = old->a_desc;
 			mod->sml_type = mod->sml_desc->ad_cname;

tests/scripts/test022-ppolicy

@@ -152,7 +152,7 @@ fi
 echo "Filling password history..."
 $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w $PASS >> \
 	$TESTOUT 2>&1 << EOMODS
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: $PASS
@@ -160,7 +160,7 @@ userpassword: $PASS
 replace: userpassword
 userpassword: 20urgle12-1
 
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-1
@@ -168,7 +168,7 @@ userpassword: 20urgle12-1
 replace: userpassword
 userpassword: 20urgle12-2
 
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-2
@@ -176,7 +176,7 @@ userpassword: 20urgle12-2
 replace: userpassword
 userpassword: 20urgle12-3
 
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-3
@@ -184,7 +184,7 @@ userpassword: 20urgle12-3
 replace: userpassword
 userpassword: 20urgle12-4
 
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-4
@@ -192,7 +192,7 @@ userpassword: 20urgle12-4
 replace: userpassword
 userpassword: 20urgle12-5
 
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userpassword
 userpassword: 20urgle12-5
@@ -210,7 +210,7 @@ fi
 echo "Testing password history..."
 $LDAPMODIFY -v -D "$USER" -h $LOCALHOST -p $PORT1 -w 20urgle12-6 >> \
 	$TESTOUT 2>&1 << EOMODS
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: userPassword
 userPassword: 20urgle12-6
@@ -259,7 +259,7 @@ echo "Testing forced reset..."
 
 $LDAPMODIFY -v -D "$PWADMIN" -h $LOCALHOST -p $PORT1 -w $ADMINPASSWD >> \
 	$TESTOUT 2>&1 << EOMODS
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 replace: userPassword
 userPassword: $PASS
@@ -292,7 +292,7 @@ echo "Clearing forced reset..."
 
 $LDAPMODIFY -v -D "$MANAGERDN" -h $LOCALHOST -p $PORT1 -w $PASSWD >> \
 	$TESTOUT 2>&1 << EOMODS
-dn: uid=nd, ou=People, dc=example, dc=com
+dn: $USER
 changetype: modify
 delete: pwdReset
 
@@ -661,6 +661,100 @@ fi
 
 fi
 
+echo ""
+echo "Testing obsolete Netscape ppolicy controls..."
+echo "Enabling Netscape controls..."
+$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF >> \
+	$TESTOUT 2>&1 << EOMODS
+dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
+changetype: modify
+replace: olcPPolicySendNetscapeControls
+olcPPolicySendNetscapeControls: TRUE
+-
+
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Reconfiguring policy to remove grace logins..."
+$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
+	$TESTOUT 2>&1 << EOMODS
+dn: cn=Standard Policy, ou=Policies, dc=example, dc=com
+changetype: modify
+delete: pwdGraceAuthnLimit
+-
+replace: pwdMaxAge
+pwdMaxAge: 15
+-
+
+EOMODS
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+OLDPASS=$PASS
+PASS=newpass
+$LDAPPASSWD -H $URI1 \
+	-w secret -s $PASS \
+	-D "$MANAGERDN" "$USER" >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+	echo "Setting new password failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Clearing forced reset..."
+$LDAPMODIFY -v -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
+	$TESTOUT 2>&1 << EOMODS
+dn: $USER
+changetype: modify
+delete: pwdReset
+
+EOMODS
+
+DELAY=`$LDAPSEARCH -D "$MANAGERDN" -H $URI1 -w $PASSWD \
+    -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*expire=\(\d*\)/\1/p'`
+DELAY=`expr $DELAY - 10`
+
+echo "Testing password expiration"
+echo "Waiting $DELAY seconds for password to expire..."
+sleep $DELAY
+
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+	-b "$BASEDN" -s base > $SEARCHOUT 2>&1
+sleep 3
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+sleep 3
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+sleep 3
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+sleep 3
+$LDAPSEARCH -H $URI1 -D "$USER" -w $PASS \
+	-b "$BASEDN" -s base >> $SEARCHOUT 2>&1
+RC=$?
+if test $RC = 0 ; then
+	echo "Password expiration failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+COUNT=`grep "PasswordExpiring" $SEARCHOUT | wc -l`
+if test $COUNT = 0 ; then
+	echo "Password expiring warning test failed!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
 
 echo ">>>>> Test succeeded"

tests/scripts/test067-tls

@@ -143,7 +143,7 @@ if test -n "$TLS_PEERKEY"; then
 		-ZZ -b "" -s base -H $URIP1 '@extensibleObject' > $SEARCHOUT 2>&1
 	RC=$?
 	if test $RC != 0 ; then
-		echo "ldapsearch (ldaps) failed ($RC)!"
+		echo "ldapsearch (StartTLS) failed ($RC)!"
 		test $KILLSERVERS != no && kill -HUP $KILLPIDS
 		exit $RC
 	else
@@ -160,7 +160,7 @@ if test -n "$TLS_PEERKEY_HASHED_FAIL"; then
 		-ZZ -b "" -s base -H $URIP1 '@extensibleObject' > $SEARCHOUT 2>&1
 	RC=$?
 	if test $RC = 0 ; then
-		echo "ldapsearch (ldaps) succeeded when it should have failed($RC)!"
+		echo "ldapsearch (StartTLS) succeeded when it should have failed($RC)!"
 		test $KILLSERVERS != no && kill -HUP $KILLPIDS
 		exit 1
 	else
@@ -177,7 +177,7 @@ if test -n "$TLS_PEERKEY_HASHED"; then
 		-ZZ -b "" -s base -H $URIP1 '@extensibleObject' > $SEARCHOUT 2>&1
 	RC=$?
 	if test $RC != 0 ; then
-		echo "ldapsearch (ldaps) failed ($RC)!"
+		echo "ldapsearch (StartTLS) failed ($RC)!"
 		test $KILLSERVERS != no && kill -HUP $KILLPIDS
 		exit $RC
 	else