Red Hat Bugzilla – Attachment 208771 Details for
Bug 238504
winsync replays ADS-originated password change to ADS
[patch]
CVS Diffs
diffs.txt (text/plain), 7.46 KB, created by
Nathan Kinder
on 2007-09-27 17:50:09 UTC
Description:
CVS Diffs
Filename:
MIME Type:
Creator:
Nathan Kinder
Created:
2007-09-27 17:50:09 UTC
Size:
7.46 KB
patch
obsolete
>Index: windows_connection.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_connection.c,v
>retrieving revision 1.16
>diff -u -5 -t -w -r1.16 windows_connection.c
>--- windows_connection.c 12 Sep 2007 23:05:24 -0000 1.16
>+++ windows_connection.c 27 Sep 2007 17:47:55 -0000
>@@ -1794,10 +1794,38 @@
> LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - CONN_OPERATION_FAILED\n", 0, 0, 0 );
> return (CONN_OPERATION_FAILED);
> }
> }
>
>+/* Attempt to bind as a user to AD in order to see if we posess the
>+ * most current password. Returns the LDAP return code of the bind. */
>+int
>+windows_check_user_password(Repl_Connection *conn, Slapi_DN *sdn, char *password)
>+{
>+ const char *binddn = NULL;
>+ LDAPMessage *res = NULL;
>+ int rc = 0;
>+ int msgid = 0;
>+
>+ /* If we're already connected, this will just return success */
>+ windows_conn_connect(conn);
>+
>+ /* Get binddn from sdn */
>+ binddn = slapi_sdn_get_dn(sdn);
>+
>+ /* Attempt to do a bind on the existing connection
>+ * using the dn and password that were passed in. */
>+ msgid = do_simple_bind(conn, conn->ld, (char *) binddn, password);
>+ ldap_result(conn->ld, msgid, LDAP_MSG_ALL, NULL, &res);
>+ ldap_parse_result( conn->ld, res, &rc, NULL, NULL, NULL, NULL, 1 /* Free res */);
>+
>+ /* rebind as the DN specified in the sync agreement */
>+ do_simple_bind(conn, conn->ld, conn->binddn, conn->plain);
>+
>+ return rc;
>+}
>+
> static int
> do_simple_bind (Repl_Connection *conn, LDAP *ld, char * binddn, char *password)
> {
> int msgid;
>
>Index: windows_protocol_util.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_protocol_util.c,v
>retrieving revision 1.34
>diff -u -5 -t -w -r1.34 windows_protocol_util.c
>--- windows_protocol_util.c 20 Sep 2007 23:32:17 -0000 1.34
>+++ windows_protocol_util.c 27 Sep 2007 17:47:55 -0000
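Review bot: windows_check_user_password fails open: `rc` starts at 0 (LDAP_SUCCESS) and is only overwritten when ldap_parse_result succeeds, while the return values of ldap_result and ldap_parse_result are discarded, so a timeout, a dropped connection or a NULL `res` makes the function return 0 and the caller in windows_protocol_util.c then skips the password modify as if AD already held the new password. Any failure to obtain a bind verdict should instead yield a non-success code so the modify is still sent, which is the pre-patch behaviour; the rewritten result handling is below. The outcome of the trailing rebind as `conn->binddn` is also discarded, so if that bind fails the connection is presumably left anonymous or still bound as the user (not visible here) and later replay operations fail with unrelated-looking errors; collecting that result with a second ldap_result call and logging it is worth the cost. The return value of windows_conn_connect is likewise ignored, and whether `conn->ld` is usable after a failed connect cannot be seen from this hunk, so it should be checked before the bind is issued.
```c
    msgid = do_simple_bind(conn, conn->ld, (char *) binddn, password);
    /* No verdict means "not verified": force a non-success code so the
     * caller still pushes the password instead of silently dropping it. */
    if (ldap_result(conn->ld, msgid, LDAP_MSG_ALL, NULL, &res) <= 0 || res == NULL ||
        ldap_parse_result(conn->ld, res, &rc, NULL, NULL, NULL, NULL, 1 /* Free res */) != LDAP_SUCCESS) {
        rc = LDAP_OTHER;
    }
    /* … unchanged: rebind as conn->binddn and return rc … */
```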
>@@ -739,10 +739,17 @@
>
> slapi_mods_done(&smods);
>
> } else
> {
>+ /* We will attempt to bind to AD with the new password first. We do
>+ * this to avoid playing a password change that originated from AD
>+ * back to AD. If we just played the password change back, then
>+ * both sides would be in sync, but AD would contain the new password
>+ * twice in it's password history, which undermines the password
>+ * history policies in AD. */
>+ if (windows_check_user_password(prp->conn, sdn, password)) {
> char *quoted_password = NULL;
> /* AD wants the password in quotes ! */
> quoted_password = PR_smprintf("\"%s\"",password);
> if (quoted_password)
> {
>@@ -783,10 +790,16 @@
>
> slapi_ch_free((void**)&unicode_password);
> }
> PR_smprintf_free(quoted_password);
> }
>+ } else {
>+ slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name,
>+ "%s: AD already has the current password for %s. "
>+ "Not sending password modify to AD.\n",
>+ agmt_get_long_name(prp->agmt), slapi_sdn_get_dn(sdn));
>+ }
> }
>
> return pw_return;
> }
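Review bot: The new `if (windows_check_user_password(prp->conn, sdn, password))` treats every non-zero LDAP result alike, so a bind rejected for a reason other than a stale password (AD unreachable, account locked or disabled) takes the send path with no trace, and the only log line the patch adds is in the else branch of the next hunk. Keep the code and report it in this branch, e.g. `int check_rc = windows_check_user_password(prp->conn, sdn, password);` then `if (check_rc != LDAP_SUCCESS) {` with a SLAPI_LOG_REPL line naming `check_rc` before the existing quoted_password code, so an operator can tell "password differs" from "check could not run". The added comment should also state that every DS-originated password change now costs one simple bind as the user against AD with a password AD does not yet have, which as far as I know counts toward AD's bad-password lockout counter for that account. The enclosing function starts and ends outside this hunk.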
>
>@@ -1228,18 +1241,35 @@
> "operation type %d found in changelog - skipping change.\n",
> agmt_get_long_name(prp->agmt), op->operation_type);
> }
> if (password)
> {
>+ /* We need to have a non-GUID dn in send_password_modify in order to
>+ * bind as the user to check if we need to send the password change.
>+ * You are supposed to be able to bind using a GUID dn, but it doesn't
>+ * seem to work over plain LDAP. */
>+ if (is_guid_dn(remote_dn)) {
>+ Slapi_DN *remote_dn_norm = NULL;
>+ int norm_missing = 0;
>+
>+ map_entry_dn_outbound(local_entry,&remote_dn_norm,prp,&norm_missing, 0);
>+ return_value = send_password_modify(remote_dn_norm, password, prp);
>+ slapi_sdn_free(&remote_dn_norm);
>+ } else {
> return_value = send_password_modify(remote_dn, password, prp);
>+ }
>+
> if (return_value)
> {
>- slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name, "%s: windows_replay_update: update password returned %d\n",
>+ slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name,
>+ "%s: windows_replay_update: update password returned %d\n",
> agmt_get_long_name(prp->agmt), return_value );
> } else {
>- /* If we successfully added an entry, and then subsequently changed its password, THEN we need to change its status in AD
>- * in order that it can be used (otherwise the user is marked as disabled). To do this we set this attribute and value:
>+ /* If we successfully added an entry, and then subsequently changed
>+ * its password, THEN we need to change its status in AD in order
>+ * that it can be used (otherwise the user is marked as disabled).
>+ * To do this we set this attribute and value:
> * userAccountControl: 512 */
> if (op->operation_type == SLAPI_OPERATION_ADD && missing_entry)
> {
> return_value = send_accountcontrol_modify(remote_dn, prp);
> }
>Index: windowsrepl.h
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windowsrepl.h,v
>retrieving revision 1.13
>diff -u -5 -t -w -r1.13 windowsrepl.h
>--- windowsrepl.h 17 Sep 2007 19:18:30 -0000 1.13
>+++ windowsrepl.h 27 Sep 2007 17:47:55 -0000
>@@ -98,10 +98,11 @@
> ConnResult windows_conn_read_entry_attribute(Repl_Connection *conn, const char *dn, char *type,
> struct berval ***returned_bvals);
> ConnResult windows_conn_push_schema(Repl_Connection *conn, CSN **remotecsn);
> void windows_conn_set_timeout(Repl_Connection *conn, long timeout);
> void windows_conn_set_agmt_changed(Repl_Connection *conn);
>+int windows_check_user_password(Repl_Connection *conn, Slapi_DN *sdn, char *password);
>
> /* Used to work around a schema incompatibility between Microsoft and the IETF */
> #define FAKE_STREET_ATTR_NAME "in#place#of#streetaddress"
> /* Used to work around contrained attribute legth for initials on AD */
> #define AD_INITIALS_LENGTH 6
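Review bot: In the new `is_guid_dn(remote_dn)` branch the result of map_entry_dn_outbound is ignored and `remote_dn_norm` is handed to send_password_modify without a NULL check, so a failed mapping passes a NULL Slapi_DN down to the bind check and the modify; `norm_missing` is also filled in but never read. When no normalized DN comes back, fall back to the original `remote_dn` path instead (the bind check then fails as the comment says a GUID bind does, and the modify is still sent, which is the pre-patch behaviour), as sketched below. windows_replay_update starts and ends outside this hunk.
```c
            if (is_guid_dn(remote_dn)) {
                Slapi_DN *remote_dn_norm = NULL;
                int norm_missing = 0;

                map_entry_dn_outbound(local_entry,&remote_dn_norm,prp,&norm_missing, 0);
                if (remote_dn_norm == NULL) {
                    /* No bindable DN: keep the unchecked path rather than
                     * binding and modifying with a NULL DN. */
                    slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name,
                        "%s: windows_replay_update: could not map a non-GUID DN for the password check\n",
                        agmt_get_long_name(prp->agmt));
                    return_value = send_password_modify(remote_dn, password, prp);
                } else {
                    return_value = send_password_modify(remote_dn_norm, password, prp);
                    slapi_sdn_free(&remote_dn_norm);
                }
            } else {
            /* … unchanged: plain remote_dn path and return_value handling … */
```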
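Review bot: The new windows_check_user_password prototype in windowsrepl.h carries no contract, and its return convention differs from the ConnResult-returning declarations above it (0 means the bind as the user succeeded; any other value is an LDAP result code, including codes that mean the check could not be attempted). Suggest a comment above the declaration such as `/* Simple-binds to AD as sdn with password to test whether AD already holds it. Returns the LDAP result code of that bind (LDAP_SUCCESS when AD accepted the password); always rebinds as the agreement's bind DN before returning. */`.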