When password syntax checking is enabled, we check the password syntax before evaluating ACIs. This means that an anonymous user can attempt to change a user's password and they will receive an error about the syntax being invalid rather than an access denied message. This is keeping us from returning more detailed error messages (password too short, not enough digits, etc.) when the password syntax is incorrect since we don't want to give away policy information to an un-authenticated user. The attached changes cause the ACIs to be checked for write privilege to the userPassword attribute before we check the password syntax.
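As an added illustration, not code from the ldapserver tree, here is a constructed C model of the two check orderings described above: a stand-in ACI check and a stand-in syntax policy, with the result code an anonymous caller gets before and after the reordering. The bind DN, target entry, policy rules and result-code constants are assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed result codes (values chosen to match the usual LDAP numbering). */
enum { LDAP_SUCCESS = 0, LDAP_CONSTRAINT_VIOLATION = 19, LDAP_INSUFFICIENT_ACCESS = 50 };

/* Hypothetical modify request: who is bound (NULL = anonymous), which entry, new password. */
struct modify_req { const char *bind_dn; const char *target_dn; const char *new_pw; };

/* Stand-in ACI: only the entry itself or the directory manager may write userPassword.
 * Like the fix in the thread, it needs nothing but the target DN, not the whole entry. */
static bool acl_allows_pw_write(const struct modify_req *r) {
    if (r->bind_dn == NULL) return false;                     /* anonymous: never */
    return strcmp(r->bind_dn, "cn=directory manager") == 0 ||
           strcmp(r->bind_dn, r->target_dn) == 0;
}

/* Stand-in syntax policy (assumed): at least 8 characters and one digit. */
static bool pw_syntax_ok(const char *pw) {
    bool has_digit = false;
    for (const char *p = pw; *p; p++) if (*p >= '0' && *p <= '9') has_digit = true;
    return strlen(pw) >= 8 && has_digit;
}

/* Original ordering: syntax first, so an unauthenticated caller learns whether
 * a candidate password satisfies the policy before access is ever checked. */
int modify_password_before_fix(const struct modify_req *r) {
    if (!pw_syntax_ok(r->new_pw)) return LDAP_CONSTRAINT_VIOLATION;
    if (!acl_allows_pw_write(r)) return LDAP_INSUFFICIENT_ACCESS;
    return LDAP_SUCCESS;
}

/* Fixed ordering: write privilege on userPassword is established first, so the
 * policy outcome is only revealed to callers already allowed to change the value. */
int modify_password_after_fix(const struct modify_req *r) {
    if (!acl_allows_pw_write(r)) return LDAP_INSUFFICIENT_ACCESS;
    if (!pw_syntax_ok(r->new_pw)) return LDAP_CONSTRAINT_VIOLATION;
    return LDAP_SUCCESS;
}

int main(void) {
    struct modify_req anon = { NULL, "uid=alice,dc=example,dc=com", "short" };
    printf("anonymous, before fix: %d\n", modify_password_before_fix(&anon)); /* 19 */
    printf("anonymous, after fix:  %d\n", modify_password_after_fix(&anon));  /* 50 */
    return 0;
}
```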
Created attachment 128620: CVS Diffs
Created attachment 128660: Revised Diffs

In response to Rich's review of the fix, a few things have been changed. Instead of searching for the target entry to check the ACIs in modify.c, I now simply create a new Slapi_Entry that only has the dn set. This is all that is needed when calling slapi_acl_check_mods(), and it should have better performance than fetching the real entry. I also fixed a confusing piece of code where an array of LDAPMod elements is created from the single userPassword LDAPMod in modify.c.
Checked into ldapserver (HEAD). Reviewed by Rich (thanks!).

Checking in add.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/add.c,v <-- add.c
new revision: 1.7; previous revision: 1.6
done
Checking in modify.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/modify.c,v <-- modify.c
new revision: 1.10; previous revision: 1.9
done
Created attachment 128671: Additional diff to fix HP-UX PA compilation error

The previous code fails to build on HP-UX PA because it doesn't like the way we initialize the LDAPMod array in modify.c. Strangely, it works fine on HP-UX IPF. This change should fix the build on PA.
Checked in additional fix for HP-UX PA compilation error.

Checking in modify.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/modify.c,v <-- modify.c
new revision: 1.11; previous revision: 1.10
done
Verification test: PASS
Test machine: cypher.dsdev.sjc.redhat.com (RHEL 64bit)

Test steps:
1. setup DS on cypher
2. access "cn=config" as anonymous (ensure anonymous access succeeds)
3. change password for user "cn=directory manager" as anonymous

Expected result: access denial
Actual result: access denied, test passed

Actual test output:

[yzhang@cypher en]$ /usr/lib64/mozldap/ldapsearch -h cypher -p 389 -s sub -b "cn=config" objectclass=* "*"
version: 1
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on
nsSNMPName:
nsSNMPOrganization:
nsSNMPLocation:
nsSNMPContact:
nsSNMPDescription:
nsSNMPMasterHost:
nsSNMPMasterPort:

[yzhang@cypher tmp]$ /usr/lib64/mozldap/ldapmodify -h cypher -p 389 -a -f ./changepw.ldif
modifying entry cn=Directory Administrators, dc=dsdev, dc=sjc, dc=redhat, dc=com
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'password' attribute of entry 'cn=directory administrators,dc=dsdev,dc=sjc,dc=redhat,dc=com'.

Data file used:

[yzhang@cypher tmp]$ cat < changepw.ldif
dn: cn=Directory Administrators, dc=dsdev, dc=sjc, dc=redhat, dc=com
changetype: modify
replace: password
password: newpassword