Red Hat Bugzilla – Attachment 172462 Details for Bug 207893: rhds71 importing users with crypted passwords results in a AD-RHDirServ sync loop
[patch] CVS Diffs: diffs.txt (text/plain), 7.88 KB, created by Nathan Kinder on 2007-08-24 22:15:58 UTC
>Index: windows_protocol_util.c >=================================================================== >RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_protocol_util.c,v >retrieving revision 1.28 >diff -u -5 -t -r1.28 windows_protocol_util.c >--- windows_protocol_util.c 23 Aug 2007 20:50:56 -0000 1.28 >+++ windows_protocol_util.c 24 Aug 2007 22:12:57 -0000 
>@@ -1373,11 +1373,41 @@ > const char *password_value = NULL; > Slapi_Value *value = NULL; > > slapi_valueset_first_value(vs,&value); > password_value = slapi_value_get_string(value); >- *password = slapi_ch_strdup(password_value); >+ /* We need to check if the first character of password_value is an >+ * opening brace since strstr will simply return it's first argument >+ * if it is an empty string. */ >+ if (password_value && (*password_value == '{')) { >+ if (strchr( password_value, '}' )) { >+ /* A storage scheme is present. Check if it's the >+ * clear storage scheme. */ >+ if ((strlen(password_value) >= PASSWD_CLEAR_PREFIX_LEN + 1) && >+ (strncasecmp(password_value, PASSWD_CLEAR_PREFIX, PASSWD_CLEAR_PREFIX_LEN) == 0)) { >+ /* This password is in clear text. Strip off the clear prefix >+ * and sync it. */ >+ *password = slapi_ch_strdup(password_value + PASSWD_CLEAR_PREFIX_LEN); >+ } else { >+ /* This password is stored in a non-cleartext format. >+ * We can only sync cleartext passwords. */ >+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, >+ "%s: windows_create_remote_entry: " >+ "Password is already hashed. Not syncing.\n", >+ agmt_get_long_name(prp->agmt)); >+ } >+ } else { >+ /* This password doesn't have a storage prefix but >+ * just happens to start with the '{' character. We'll >+ * assume that it's just a cleartext password without >+ * the proper storage prefix. */ >+ *password = slapi_ch_strdup(password_value); >+ } >+ } else { >+ /* This password has no storage prefix, or the password is empty */ >+ *password = slapi_ch_strdup(password_value); >+ } > } > > } > if (vs) > { 
>@@ -1552,11 +1582,41 @@ > /* password mods are treated specially */ > if (0 == slapi_attr_type_cmp(attr_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD, SLAPI_TYPE_CMP_SUBTYPE) ) > { > char *password_value = NULL; > password_value = mod->mod_bvalues[0]->bv_val; >- *password = slapi_ch_strdup(password_value); >+ /* We need to check if the first character of password_value is an >+ * opening brace since strstr will simply return it's first argument >+ * if it is an empty string. */ >+ if (password_value && (*password_value == '{')) { >+ if (strchr( password_value, '}' )) { >+ /* A storage scheme is present. Check if it's the >+ * clear storage scheme. */ >+ if ((strlen(password_value) >= PASSWD_CLEAR_PREFIX_LEN + 1) && >+ (strncasecmp(password_value, PASSWD_CLEAR_PREFIX, PASSWD_CLEAR_PREFIX_LEN) == 0)) { >+ /* This password is in clear text. Strip off the clear prefix >+ * and sync it. */ >+ *password = slapi_ch_strdup(password_value + PASSWD_CLEAR_PREFIX_LEN); >+ } else { >+ /* This password is stored in a non-cleartext format. >+ * We can only sync cleartext passwords. */ >+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, >+ "%s: windows_create_remote_entry: " >+ "Password is already hashed. Not syncing.\n", >+ agmt_get_long_name(prp->agmt)); >+ } >+ } else { >+ /* This password doesn't have a storage prefix but >+ * just happens to start with the '{' character. We'll >+ * assume that it's just a cleartext password without >+ * the proper storage prefix. 
*/ >+ *password = slapi_ch_strdup(password_value); >+ } >+ } else { >+ /* This password has no storage prefix, or the password is empty */ >+ *password = slapi_ch_strdup(password_value); >+ } > } > } > } > /* Otherwise we do not copy this mod at all */ > mod = slapi_mods_get_next_mod(&smods); >Index: windowsrepl.h >=================================================================== >RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windowsrepl.h,v >retrieving revision 1.10 >diff -u -5 -t -r1.10 windowsrepl.h >--- windowsrepl.h 23 Aug 2007 20:50:56 -0000 1.10 >+++ windowsrepl.h 24 Aug 2007 22:12:57 -0000 >@@ -97,6 +97,8 @@ > > /* Used to work around a schema incompatibility between Microsoft and the IETF */ > #define FAKE_STREET_ATTR_NAME "in#place#of#streetaddress" > /* Used to work around contrained attribute legth for initials on AD */ > #define AD_INITIALS_LENGTH 6 >- >+/* Used to check for pre-hashed passwords when syncing */ >+#define PASSWD_CLEAR_PREFIX "{clear}" >+#define PASSWD_CLEAR_PREFIX_LEN 7
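Review bot: in the first windows_protocol_util.c hunk (@@ -1373), the `strchr( password_value, '}' )` test treats any value that starts with '{' and contains a '}' anywhere as carrying a storage scheme, so a cleartext password such as {a}b lands in the "Password is already hashed. Not syncing." branch and is not synced. Consider matching the text between the braces against the storage scheme names the server knows instead of accepting any brace pair. In that same branch *password is never assigned, so set it to NULL there or confirm the caller initialises it; the `strlen(password_value) >= PASSWD_CLEAR_PREFIX_LEN + 1` condition also sends a bare {clear} value down the "already hashed" path. The leading comment refers to strstr while the code calls strchr, and "it's" should be "its".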
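Review bot: the second windows_protocol_util.c hunk (@@ -1552) repeats the prefix check from the @@ -1373 hunk verbatim, including the log text "windows_create_remote_entry", although this copy sits in the branch commented "password mods are treated specially". Please move the check into one helper that both call sites use, and verify that the function name in the message matches the enclosing function here so the log points at the right place. In this hunk password_value comes from mod->mod_bvalues[0]->bv_val and is now passed to strlen, strchr and strncasecmp, so it is worth confirming the value is NUL-terminated or bounding the checks with bv_len.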
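Review bot: in the windowsrepl.h hunk, PASSWD_CLEAR_PREFIX_LEN is hard-coded to 7 next to the string it measures, so the two can drift if the prefix is ever changed. Deriving it, for example `#define PASSWD_CLEAR_PREFIX_LEN (sizeof(PASSWD_CLEAR_PREFIX) - 1)`, keeps them in step. The new comment could also state that the match is case-insensitive, since the call sites compare with strncasecmp.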
Attachments on bug 207893: 172462 | 233131