Bug 181587 (pwd_extop_old_pwd)
Summary: | Password Modify LDAPv3 extended operation erroneously forces the client to supply old password
---|---
Product: | [Retired] 389
Reporter: | Felipe Alfaro Solana <felipe_alfaro>
Component: | Security - Password Policy
Assignee: | Rich Megginson <rmeggins>
Status: | CLOSED CURRENTRELEASE
QA Contact: | Viktor Ashirov <vashirov>
Severity: | high
Priority: | medium
Version: | 1.0
Hardware: | All
OS: | Linux
Whiteboard: | 1.0.2
Doc Type: | Bug Fix
Last Closed: | 2015-12-07 17:01:40 UTC
Bug Blocks: | 152373, 183369, 240316

Description
Felipe Alfaro Solana
2006-02-15 00:14:03 UTC
Created attachment 124660
Quick n'Dirty patch to fix the problem

This is a quick and dirty patch which I think should fix the problem. However,
I must say I have _not_ tested it.

Could it be possible to apply patch https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=124660 and build a test binary RPM using Red Hat's build facilities for me to try?

Created attachment 124663
check for correctly bound connection

Reviewed by: Pete & Nathan (Thanks!)
Files: passwd_extop.c
Branch: HEAD
Fix Description: If the BIND operation was successful, the CONN_DN field is always set to the proper DN. This is even the case during a SASL or client cert DN if the authentication was successful AND the given identity could be mapped to a real user in the directory. Also, the authmethod will be something other than NULL or none. So, if the old password was not given, that is ok if there is a non-anonymous bind DN and a real authmethod. The rest of the operation passes through the usual access control.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no

Checking in passwd_extop.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/passwd_extop.c,v <-- passwd_extop.c
new revision: 1.7; previous revision: 1.6
done

I have rebuilt Fedora Directory Server from CVS. The changes you committed to "passwd_extop.c" are working fine. I'm finally able to synchronize passwords between SAMBA and Fedora Directory Server.

Will you build a new RPM for Fedora Directory Server with these changes included?

Yes, we are working on a new release. This fix will be in that new release when it comes out. Thanks for your help with this issue.
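
The rule stated in the fix description above, sketched as an added example that is not part of the bug thread and not the code from passwd_extop.c: a request without an old password is accepted only when the connection has a non-anonymous bind DN and a real authmethod. All type and function names, the sample DN and the "simple" authmethod string are hypothetical or constructed; treating a supplied old password as "verify it" is an assumption, and the operation would still pass through the usual access control afterwards.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; not taken from passwd_extop.c. */
enum pwd_decision {
    PWD_VERIFY_OLD,        /* old password supplied: verify it (assumed behaviour) */
    PWD_USE_BIND_IDENTITY, /* no old password, connection is authenticated */
    PWD_REJECT             /* no old password, anonymous or unauthenticated */
};

struct conn_state {
    const char *bind_dn;    /* DN recorded by a successful BIND; NULL or "" if anonymous */
    const char *authmethod; /* NULL or "none" when no real authentication took place */
};

/* Non-anonymous bind DN and a real authmethod, per the fix description. */
static int conn_is_authenticated(const struct conn_state *c)
{
    if (c == NULL || c->bind_dn == NULL || c->bind_dn[0] == '\0')
        return 0;
    if (c->authmethod == NULL || strcmp(c->authmethod, "none") == 0)
        return 0;
    return 1;
}

/* Decide how to treat a Password Modify request before access control runs. */
enum pwd_decision passwd_modify_precheck(const struct conn_state *c,
                                         const char *old_passwd)
{
    if (old_passwd != NULL && old_passwd[0] != '\0')
        return PWD_VERIFY_OLD;
    return conn_is_authenticated(c) ? PWD_USE_BIND_IDENTITY : PWD_REJECT;
}

int main(void)
{
    /* Constructed sample connections. */
    struct conn_state anon = { "", "none" };
    struct conn_state bound = { "uid=samba,ou=People,dc=example,dc=com", "simple" };
    static const char *names[] = { "verify old password", "use bind identity", "reject" };

    printf("anonymous, no old password: %s\n", names[passwd_modify_precheck(&anon, NULL)]);
    printf("bound, no old password:     %s\n", names[passwd_modify_precheck(&bound, NULL)]);
    printf("bound, old password given:  %s\n", names[passwd_modify_precheck(&bound, "s3cret")]);
    return 0;
}
```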