......@@ -5,6 +5,8 @@ OpenLDAP 2.5.12 Engineering
Fixed slapd to clear runqueue task correctly (ITS#9785)
Fixed slapd bconfig locking for cn=config replication (ITS#9584)
Fixed slapd syncrepl handling of new sessions (ITS#9584)
Fixed slapd to clear connections on bind (ITS#9799)
Fixed slapo-ppolicy operation handling to be consistent (ITS#9794)
Build Environment
Fix compilation with openssl exclusions (ITS#9791)
Fix warnings from make jobserver (ITS#9788)
......@@ -1857,7 +1857,8 @@ Internet-Draft Password Policy for LDAP Directories July 2014
server performs the following steps in order to update the necessary
password policy state attributes:
If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
If the value of either pwdMaxAge or pwdMinAge is non-zero and the
change does not include a pwdChangedTime update already, the server
updates the pwdChangedTime attribute on the entry to the current
time.
......@@ -1577,7 +1577,8 @@
server performs the following steps in order to update the necessary
password policy state attributes:</t>
<t>If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
<t>If the value of either pwdMaxAge or pwdMinAge is non-zero and the
change does not include a pwdChangedTime update already, the server
updates the pwdChangedTime attribute on the entry to the current
time.</t>
......@@ -455,6 +455,12 @@ This option is OpenLDAP specific.
.B LDAP_OPT_TCP_USER_TIMEOUT
Allows to configure TCP_USER_TIMEOUT in milliseconds on the connection, overriding the operating system setting.
This option is OpenLDAP specific and supported only on Linux 2.6.37 or higher.
.B invalue
must be a
.BR "const unsigned int *" ;
.BR outvalue
must be an
.BR "unsigned int *" .
.SH SASL OPTIONS
The SASL options are OpenLDAP specific.
......@@ -587,6 +593,7 @@ must be a
.BR "char **" .
Its content needs to be freed by the caller using
.BR ldap_memfree (3).
.TP
.B LDAP_OPT_X_SASL_CBINDING
Sets/gets the channel-binding type to use in SASL,
one of
......@@ -602,7 +609,6 @@ must be
.BR outvalue
must be
.BR "int *" .
.TP
.SH TCP OPTIONS
The TCP options are OpenLDAP specific.
Mainly intended for use with Linux, they may not be portable.
......@@ -873,6 +879,17 @@ must be
.BR "char **" ,
and its contents need to be freed by the caller using
.BR ldap_memfree (3).
.TP
.B LDAP_OPT_X_TLS_PEERKEY_HASH
Sets the (public) key that the application expects the peer to be using.
.B invalue
must be
.BR "const char *"
containing the base64 encoding of the expected peer's key or in the format
.B "<hashalg>:<peerkey hash base64 encoded>"
where as a TLS session is established, the library will hash the peer's key
with the provided hash algorithm and compare it with value provided and will
only allow the session to continue if they match.
.SH ERRORS
On success, the functions return
.BR LDAP_OPT_SUCCESS ,
......@@ -734,6 +734,7 @@ static void connection_abandon( Connection *c )
LDAP_STAILQ_NEXT(o, o_next) = NULL;
slap_op_free( o, NULL );
}
c->c_n_ops_pending = 0;
}
static void
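Review bot: `c->c_n_ops_pending = 0;` resets the counter in bulk rather than decrementing it next to each `slap_op_free( o, NULL );` in the loop body that closes on the line before it, so a reader has to trust that the loop drained the entire pending list before the reset is correct. A one-line comment would make that invariant explicit, e.g. `/* every pending op was freed in the loop above; keep the count in step */`. I cannot see from this hunk whether c_n_ops_pending is also adjusted elsewhere on the abandon path, so the reset should be checked against those sites to avoid a double adjustment. The loop and the start of connection_abandon lie outside the hunk.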
......@@ -2215,6 +2215,7 @@ ppolicy_add(
PassPolicy pp;
Attribute *pa;
const char *txt;
int is_pwdadmin = 0;
if ( ppolicy_restrict( op, rs ) != SLAP_CB_CONTINUE )
return rs->sr_err;
......@@ -2223,10 +2224,14 @@ ppolicy_add(
if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) )
return SLAP_CB_CONTINUE;
ppolicy_get( op, op->ora_e, &pp );
if ( access_allowed( op, op->ora_e, pp.ad, NULL, ACL_MANAGE, NULL ) ) {
is_pwdadmin = 1;
}
/* Check for password in entry */
if ((pa = attr_find( op->oq_add.rs_e->e_attrs,
slap_schema.si_ad_userPassword )))
{
if ( (pa = attr_find( op->oq_add.rs_e->e_attrs, pp.ad )) ) {
assert( pa->a_vals != NULL );
assert( !BER_BVISNULL( &pa->a_vals[ 0 ] ) );
......@@ -2235,15 +2240,13 @@ ppolicy_add(
return rs->sr_err;
}
ppolicy_get( op, op->ora_e, &pp );
/*
* new entry contains a password - if we're not the root user
* new entry contains a password - if we're not the password admin
* then we need to check that the password fits in with the
* security policy for the new entry.
*/
if (pp.pwdCheckQuality > 0 && !be_isroot( op )) {
if ( pp.pwdCheckQuality > 0 && !is_pwdadmin ) {
struct berval *bv = &(pa->a_vals[0]);
int rc, send_ctrl = 0;
LDAPPasswordPolicyError pErr = PP_noError;
......@@ -2305,7 +2308,8 @@ ppolicy_add(
}
/* If password aging is in effect, set the pwdChangedTime */
if ( pp.pwdMaxAge || pp.pwdMinAge ) {
if ( ( pp.pwdMaxAge || pp.pwdMinAge ) &&
!attr_find( op->ora_e->e_attrs, ad_pwdChangedTime ) ) {
struct berval timestamp;
char timebuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
time_t now = slap_get_time();
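Review bot: The new guard in the last hunk, `!attr_find( op->ora_e->e_attrs, ad_pwdChangedTime )`, skips stamping pwdChangedTime whenever the add already carries one, but unlike the quality check earlier in ppolicy_add it is not tied to `is_pwdadmin`; it therefore relies on something outside this section (presumably the schema's NO-USER-MODIFICATION handling and the relax-control ACL on pwdChangedTime) to keep an ordinary requester from supplying a value that moves the password's apparent age. If that reliance is intended it deserves a comment at the guard, e.g. `/* a caller-supplied pwdChangedTime is honoured; schema/relax checks decide who may supply one */`; otherwise tighten the condition to `!( is_pwdadmin && attr_find( op->ora_e->e_attrs, ad_pwdChangedTime ) )` so only a password admin can preserve a supplied value. A smaller point in the second hunk: the `access_allowed( ..., ACL_MANAGE, ... )` evaluation now runs for every add before the code knows whether the entry contains a password at all, so it could be deferred into the `if ( (pa = attr_find( ..., pp.ad )) )` branch. ppolicy_add continues beyond the last hunk.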