int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,
int *is_root, int *is_krb, int *is_smb, int *is_ipant,
char *attr, int acc)
{
Slapi_Value *sval;
int rc;
/* Check ACIs */
slapi_pblock_get(pb, SLAPI_REQUESTOR_ISROOT, is_root);
if (!*is_root) {
/* verify this user is allowed to write a user password */
rc = slapi_access_allowed(pb, e, attr, NULL, acc);
if (rc != LDAP_SUCCESS) {
/* we have no business here, the operation will be denied anyway */
rc = LDAP_SUCCESS;
goto done;
}
}
/* Check if this is a krbPrincial and therefore needs us to generate other
* hashes */
sval = slapi_value_new_string("krbPrincipalAux");
if (!sval) {
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
*is_krb = slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS, sval);
slapi_value_free(&sval);
sval = slapi_value_new_string("sambaSamAccount");
if (!sval) {
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
*is_smb = slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS, sval);
slapi_value_free(&sval);
sval = slapi_value_new_string("ipaNTUserAttrs");
if (!sval) {
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
*is_ipant = slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS,
sval);
slapi_value_free(&sval);
rc = LDAP_SUCCESS;
done:
return rc;
}
/* Modify the Password attributes of the entry */
int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data, int is_krb)
{
int ret = 0;
Slapi_Mods *smods = NULL;
Slapi_Value **svals = NULL;
Slapi_Value **ntvals = NULL;
Slapi_Value **pwvals = NULL;
char *nt = NULL;
int is_smb = 0;
int is_ipant = 0;
int is_host = 0;
Slapi_Value *sambaSamAccount;
Slapi_Value *ipaNTUserAttrs;
Slapi_Value *ipaHost;
char *errMesg = NULL;
char *modtime = NULL;
LOG_TRACE("=>\n");
sambaSamAccount = slapi_value_new_string("sambaSamAccount");
if (slapi_entry_attr_has_syntax_value(data->target,
"objectClass", sambaSamAccount)) {
is_smb = 1;
}
slapi_value_free(&sambaSamAccount);
ipaNTUserAttrs = slapi_value_new_string("ipaNTUserAttrs");
if (slapi_entry_attr_has_syntax_value(data->target,
"objectClass", ipaNTUserAttrs)) {
is_ipant = 1;
}
slapi_value_free(&ipaNTUserAttrs);
ipaHost = slapi_value_new_string("ipaHost");
if (slapi_entry_attr_has_syntax_value(data->target,
"objectClass", ipaHost)) {
is_host = 1;
}
slapi_value_free(&ipaHost);
ret = ipapwd_gen_hashes(krbcfg, data,
data->password,
is_krb, is_smb, is_ipant,
&svals, &nt, &ntvals, &errMesg);
if (ret) {
goto free_and_return;
}
smods = slapi_mods_new();
if (svals) {
slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE,
"krbPrincipalKey", svals);
/* krbLastPwdChange is used to tell whether a host entry has a
* keytab so don't set it on hosts.
*/
if (!is_host) {
/* change Last Password Change field with the current date */
ret = ipapwd_setdate(data->target, smods, "krbLastPwdChange",
data->timeNow, false);
if (ret != LDAP_SUCCESS)
goto free_and_return;
/* set Password Expiration date */
ret = ipapwd_setdate(data->target, smods, "krbPasswordExpiration",
data->expireTime, (data->expireTime == 0));
if (ret != LDAP_SUCCESS)
goto free_and_return;
}
}
if (nt && is_smb) {
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"sambaNTPassword", nt);
}
if (ntvals && is_ipant) {
slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE,
"ipaNTHash", ntvals);
}
if (is_smb) {
/* with samba integration we need to also set sambaPwdLastSet or
* samba will decide the user has to change the password again */
if (data->changetype == IPA_CHANGETYPE_ADMIN) {
/* if it is an admin change instead we need to let know to
* samba as well that the use rmust change its password */
modtime = slapi_ch_smprintf("0");
} else {
modtime = slapi_ch_smprintf("%ld", (long)data->timeNow);
}
if (!modtime) {
LOG_FATAL("failed to smprintf string!\n");
ret = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"sambaPwdLastset", modtime);
}
if (is_krb) {
if (data->changetype == IPA_CHANGETYPE_ADMIN) {
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"krbLoginFailedCount", "0");
}
}
/* let DS encode the password itself, this allows also other plugins to
* intercept it to perform operations like synchronization with Active
* Directory domains through the replication plugin */
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"userPassword", data->password);
/* set password history */
if (data->policy.history_length > 0) {
pwvals = ipapwd_setPasswordHistory(smods, data);
if (pwvals) {
slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE,
"passwordHistory", pwvals);
}
}
/* FIXME:
* instead of replace we should use a delete/add so that we are
* completely sure nobody else modified the entry meanwhile and
* fail if that's the case */
/* commit changes */
ret = ipapwd_apply_mods(data->dn, smods);
LOG_TRACE("<= result: %d\n", ret);
free_and_return:
if (nt) slapi_ch_free((void **)&nt);
if (modtime) slapi_ch_free((void **)&modtime);
slapi_mods_free(&smods);
ipapwd_free_slapi_value_array(&svals);
ipapwd_free_slapi_value_array(&ntvals);
ipapwd_free_slapi_value_array(&pwvals);
return ret;
}
/*
* preop_modrdn - Pre-operation call for modify RDN
*
* Check that the new RDN does not include attributes that
* cause a constraint violation
*/
static int
preop_modrdn(Slapi_PBlock *pb)
{
int result = LDAP_SUCCESS;
Slapi_Entry *e = NULL;
Slapi_Value *sv_requiredObjectClass = NULL;
char *errtext = NULL;
char *attrName = NULL;
#ifdef DEBUG
slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name,
"MODRDN begin\n");
#endif
BEGIN
int err;
char *markerObjectClass=NULL;
char *requiredObjectClass=NULL;
Slapi_DN *sdn = NULL;
Slapi_DN *superior;
char *rdn;
int deloldrdn = 0;
int isupdatedn;
Slapi_Attr *attr;
int argc;
char **argv = NULL;
/*
* If this is a replication update, just be a noop.
*/
err = slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &isupdatedn);
if (err) { result = uid_op_error(30); break; }
if (isupdatedn)
{
break;
}
/*
* Get the arguments
*/
result = getArguments(pb, &attrName, &markerObjectClass,
&requiredObjectClass);
if (UNTAGGED_PARAMETER == result)
{
result = LDAP_SUCCESS;
/* Statically defined subtrees to monitor */
err = slapi_pblock_get(pb, SLAPI_PLUGIN_ARGC, &argc);
if (err) { result = uid_op_error(53); break; }
err = slapi_pblock_get(pb, SLAPI_PLUGIN_ARGV, &argv);
if (err) { result = uid_op_error(54); break; }
argc--; /* First argument was attribute name */
argv++;
} else if (0 != result)
{
break;
}
/* Create a Slapi_Value for the requiredObjectClass to use
* for checking the entry. */
if (requiredObjectClass) {
sv_requiredObjectClass = slapi_value_new_string(requiredObjectClass);
}
/* Get the DN of the entry being renamed */
err = slapi_pblock_get(pb, SLAPI_MODRDN_TARGET_SDN, &sdn);
if (err) { result = uid_op_error(31); break; }
/* Get superior value - unimplemented in 3.0/4.0/5.0 DS */
err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &superior);
if (err) { result = uid_op_error(32); break; }
/*
* No superior means the entry is just renamed at
* its current level in the tree. Use the target DN for
* determining which managed tree this belongs to
*/
if (!superior) superior = sdn;
/* Get the new RDN - this has the attribute values */
err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &rdn);
if (err) { result = uid_op_error(33); break; }
#ifdef DEBUG
slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name,
"MODRDN newrdn=%s\n", rdn);
#endif
/* See if the old RDN value is being deleted. */
err = slapi_pblock_get(pb, SLAPI_MODRDN_DELOLDRDN, &deloldrdn);
if (err) { result = uid_op_error(34); break; }
/* Get the entry that is being renamed so we can make a dummy copy
* of what it will look like after the rename. */
err = slapi_search_internal_get_entry(sdn, NULL, &e, plugin_identity);
if (err != LDAP_SUCCESS) {
result = uid_op_error(35);
/* We want to return a no such object error if the target doesn't exist. */
if (err == LDAP_NO_SUCH_OBJECT) {
result = err;
}
break;
}
/* Apply the rename operation to the dummy entry. */
/* slapi_entry_rename does not expect rdn normalized */
err = slapi_entry_rename(e, rdn, deloldrdn, superior);
if (err != LDAP_SUCCESS) { result = uid_op_error(36); break; }
/*
* Find any unique attribute data in the new RDN
*/
err = slapi_entry_attr_find(e, attrName, &attr);
if (err) break; /* no UID attribute */
/*
* Check if it has the required object class
*/
if (requiredObjectClass &&
!slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS, sv_requiredObjectClass)) { break; }
/*
* Passed all the requirements - this is an operation we
* need to enforce uniqueness on. Now find all parent entries
* with the marker object class, and do a search for each one.
*/
if (NULL != markerObjectClass)
{
/* Subtree defined by location of marker object class */
result = findSubtreeAndSearch(slapi_entry_get_sdn(e), attrName, attr, NULL,
requiredObjectClass, sdn,
markerObjectClass);
} else
{
/* Subtrees listed on invocation line */
result = searchAllSubtrees(argc, argv, attrName, attr, NULL,
requiredObjectClass, sdn);
}
END
/* Clean-up */
slapi_value_free(&sv_requiredObjectClass);
if (e) slapi_entry_free(e);
if (result)
{
slapi_log_error(SLAPI_LOG_PLUGIN, plugin_name,
"MODRDN result %d\n", result);
if (result == LDAP_CONSTRAINT_VIOLATION) {
errtext = slapi_ch_smprintf(moreInfo, attrName);
} else {
errtext = slapi_ch_strdup("Error checking for attribute uniqueness.");
}
slapi_send_ldap_result(pb, result, 0, errtext, 0, 0);
slapi_ch_free_string(&errtext);
}
return (result==LDAP_SUCCESS)?0:-1;
}
