Bug 203043
Summary: | Password modify extended operation should generate new passwords | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Retired] 389 | Reporter: | Nathan Kinder <nkinder> | ||||||||||
Component: | Directory Server | Assignee: | Nathan Kinder <nkinder> | ||||||||||
Status: | CLOSED CURRENTRELEASE | QA Contact: | Viktor Ashirov <vashirov> | ||||||||||
Severity: | medium | Docs Contact: | |||||||||||
Priority: | medium | ||||||||||||
Version: | 1.0.2 | ||||||||||||
Target Milestone: | --- | ||||||||||||
Target Release: | --- | ||||||||||||
Hardware: | All | ||||||||||||
OS: | Linux | ||||||||||||
Whiteboard: | |||||||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||||||
Doc Text: | Story Points: | --- | |||||||||||
Clone Of: | Environment: | ||||||||||||
Last Closed: | 2015-12-07 17:11:41 UTC | Type: | --- | ||||||||||
Regression: | --- | Mount Type: | --- | ||||||||||
Documentation: | --- | CRM: | |||||||||||
Verified Versions: | Category: | --- | |||||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||||
Embargoed: | |||||||||||||
Bug Depends On: | |||||||||||||
Bug Blocks: | 152373, 208654, 240316 | ||||||||||||
Attachments: |
|
Description
Nathan Kinder
2006-08-17 22:56:15 UTC
Created attachment 134417 [details]
CVS Diffs
Looks good to me. I think the error code should be LDAP_UNWILLING_TO_PERFORM - LDAP_PARAM_ERROR is only intended as an API error code e.g. an invalid parameter to ldap_search_s detected by the client side API library. The RFC doesn't say what error code to use, other than it must be != LDAP_SUCCESS - http://www.rfc-archive.org/getrfc.php?rfc=3062 - and openldap actually does generate a random password. They just use a random string of 8 bytes converted to base64 - we could do the same - we do the same thing in uuid generation. I think that it would be good to support generating a random password. I'll look into doing that. Created attachment 134486 [details]
Revised Diffs
This new set of diffs adds password generation support to ns-slapd. If a user
doesn't supply a new password in the password modify extop request, we will
generate a random 8 character password, store it as the users password, and
return it to the user in the password modify extop response.
I also removed a block of code that was setting the extop return OID in the pb
to the password modify OID. RFC3062 explicitly states that the password modify
response should have the responseName field absent.
Looks good. Created attachment 134493 [details]
Revised Diffs
I made two minor changes due to feedback from Noriko. One is simply adding a
bit more detail in one of the comments in the password generation function.
The other change is removing a check to see if slapi_ch_malloc() failed. If
slapi_ch_malloc() can't allocate memory, the server exits, so there's no need
for a check after calling it.
Checked changes in to ldapserver (HEAD). Thanks to Rich and Noriko for reviews! Checking in passwd_extop.c; /cvs/dirsec/ldapserver/ldap/servers/slapd/passwd_extop.c,v <-- passwd_extop.c new revision: 1.10; previous revision: 1.9 done Created attachment 134569 [details]
Additional code clean-up
I made a few optimizations to the previous fix.
We only need to generate 6 random bytes from NSS to end up with an 8 character
password after base64 encoding. We were previously generating 8 bytes. The
new fix generates 6 bytes instead.
I also cleaned up the calls to ber_printf(). We really only need to make one
call to ber_printf() instead of three. This looks cleaner, and should be a
little bit more efficient.
Looks good. Checked in the additional changes from comment 9. Thanks for the review Noriko! Checking in passwd_extop.c; /cvs/dirsec/ldapserver/ldap/servers/slapd/passwd_extop.c,v <-- passwd_extop.c new revision: 1.11; previous revision: 1.10 done Can we mark this bug as MODIFIED? Yes, we can. Verified with the following command: ldappasswd -w *pw* -D"cn=directory manager" -h localhost -p 1111 -ZZ -x "uid=mgreggtest,ou=people,o=redhat" The return was: New password: 28Ht0Pon Result: Success (0) This worked. No unwilling preform, or LDAP_PROTOCOL_ERROR Verified aginst: 1199305764 idm-console-framework-1.1.0-7.el4idm Wed Jan 02 2008 1199305765 redhat-ds-console-8.0.0-9.el4dsrv Wed Jan 02 2008 1199305766 redhat-admin-console-8.0.0-9.el4dsrv Wed Jan 02 2008 1199305768 redhat-idm-console-1.0.0-21.el4idm Wed Jan 02 2008 |