From 79fab655ceca9d1ea0791d3a0fb584ea51a9849d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mar 25 2020 18:36:52 +0000
Subject: ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN
SLAPI_BIND_TARGET_DN is deprecated since 2011 by 389-ds team, see commit f6397113666f06848412bb12f754f04258cfa5fa in 389-ds: https://pagure.io/389-ds-base/c/f6397113666f06848412bb12f754f04258cfa5fa?branch=master Use SLAPI_BIND_TARGET_SDN instead and move internal ipa-pwd-extop helpers to accept Slapi_DN references rather than strings.
Related: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Christian Heimes
Reviewed-By: Alexander Bokovoy
---
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index d3cd3a7..dd42760 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -72,6 +72,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 Slapi_Entry *config_entry = NULL;
 Slapi_Attr *a;
 Slapi_Value *v;
+ Slapi_DN *sdn = NULL;
 BerElement *be = NULL;
 ber_tag_t tag, tvno;
 ber_int_t ttype;
@@ -107,7 +108,9 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 }
 /* get the Realm Container entry */
- ret = ipapwd_getEntry(ipa_realm_dn, &realm_entry, NULL);
+ sdn = slapi_sdn_new_dn_byval(ipa_realm_dn);
+ ret = ipapwd_getEntry(sdn, &realm_entry, NULL);
+ slapi_sdn_free(&sdn);
 if (ret != LDAP_SUCCESS) {
 LOG_FATAL("No realm Entry?\n");
 goto free_and_error;
@@ -212,7 +215,9 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 slapi_entry_free(realm_entry);
 /* get the Realm Container entry */
- ret = ipapwd_getEntry(ipa_pwd_config_dn, &config_entry, NULL);
+ sdn = slapi_sdn_new_dn_byval(ipa_pwd_config_dn);
+ ret = ipapwd_getEntry(sdn, &config_entry, NULL);
+ slapi_sdn_free(&sdn);
 if (ret != LDAP_SUCCESS) {
 LOG_FATAL("No config Entry? Impossible!\n");
 goto free_and_error;
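Review bot: The three new lookup sites in ipapwd_getConfig repeat the same `slapi_sdn_new_dn_byval(...)` / `ipapwd_getEntry(sdn, ...)` / `slapi_sdn_free(&sdn)` triple, and because ipapwd_getEntry now duplicates its argument internally, every lookup copies the DN string twice. The strings involved (`ipa_realm_dn`, `ipa_pwd_config_dn`, `ipa_etc_config_dn`) appear to be file-scope and outlive the call, so a borrowed (byref) SDN is enough, and a small wrapper would keep each call site to one line and leave a single place where the ownership has to be right. The same triple appears again in ipa_pwd_extop.c, so the wrapper probably belongs in ipapwd.h next to ipapwd_getEntry rather than being static here. ipapwd_getConfig starts and ends outside these hunks.
```c
/* Look up an entry by DN string; thin wrapper around ipapwd_getEntry().
 * The string is only borrowed for the duration of the call. */
int ipapwd_getEntry_by_dn(const char *dn, Slapi_Entry **e2, char **attrlist)
{
    Slapi_DN *sdn = slapi_sdn_new_dn_byref(dn);
    int ret = ipapwd_getEntry(sdn, e2, attrlist);

    slapi_sdn_free(&sdn);
    return ret;
}

/* … call sites become: ret = ipapwd_getEntry_by_dn(ipa_realm_dn, &realm_entry, NULL); … */
```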
@@ -236,7 +241,9 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 if (ipapwd_fips_enabled()) {
 LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
 } else {
- ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
+ sdn = slapi_sdn_new_dn_byval(ipa_etc_config_dn);
+ ret = ipapwd_getEntry(sdn, &config_entry, NULL);
+ slapi_sdn_free(&sdn);
 if (ret != LDAP_SUCCESS) {
 LOG_FATAL("No config Entry?\n");
 goto free_and_error;
@@ -639,22 +646,28 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
 * If found : fills in slapi_entry structure and returns 0
 * If NOT found : returns the search result as LDAP_NO_SUCH_OBJECT
 */
-int ipapwd_getEntry(const char *dn, Slapi_Entry **e2, char **attrlist)
+int ipapwd_getEntry(Slapi_DN *sdn, Slapi_Entry **e2, char **attrlist)
 {
- Slapi_DN *sdn;
 int search_result = 0;
+ Slapi_DN *local_sdn = NULL;
 LOG_TRACE("=>\n");
- sdn = slapi_sdn_new_dn_byref(dn);
- search_result = slapi_search_internal_get_entry(sdn, attrlist, e2,
+ if (sdn == NULL) {
+ LOG_TRACE("No entry to fetch!\n");
+ return LDAP_PARAM_ERROR;
+ }
+
+ local_sdn = slapi_sdn_dup(sdn);
+ search_result = slapi_search_internal_get_entry(local_sdn, attrlist, e2,
 ipapwd_plugin_id);
 if (search_result != LDAP_SUCCESS) {
- LOG_TRACE("No such entry-(%s), err (%d)\n", dn, search_result);
+ LOG_TRACE("No such entry-(%s), err (%d)\n",
+ slapi_sdn_get_dn(sdn), search_result);
 }
- slapi_sdn_free(&sdn);
 LOG_TRACE("<= result: %d\n", search_result);
+ slapi_sdn_free(&local_sdn);
 return search_result;
 }
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 7e52a88..a6d9100 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
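Review bot: The header comment above ipapwd_getEntry still documents only the "found" and LDAP_NO_SUCH_OBJECT outcomes, while the new `if (sdn == NULL)` guard adds a third return value; a line such as ` * If sdn is NULL : returns LDAP_PARAM_ERROR without searching` would tell callers that compare against LDAP_SUCCESS what they may see. Separately, `local_sdn = slapi_sdn_dup(sdn);` looks unnecessary: the removed lines handed slapi_search_internal_get_entry a borrowed (byref) SDN and freed it right after the call, so the search does not take ownership, and `search_result = slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id);` with `local_sdn` and its `slapi_sdn_free(&local_sdn)` dropped would do the same work with one allocation less per lookup. If the copy is there for a reason I cannot see from here (a callee that rewrites the SDN), a one-line comment saying so would stop the next reader from removing it.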
@@ -382,15 +382,18 @@ parse_req_done:
 }
 }
- /* Now we have the DN, look for the entry */
- ret = ipapwd_getEntry(dn, &targetEntry, attrlist);
- /* If we can't find the entry, then that's an error */
- if (ret) {
- /* Couldn't find the entry, fail */
- errMesg = "No such Entry exists.\n" ;
- rc = LDAP_NO_SUCH_OBJECT;
- goto free_and_return;
- }
+ /* Now we have the DN, look for the entry */
+ target_sdn = slapi_sdn_new_dn_byval(dn);
+ ret = ipapwd_getEntry(target_sdn, &targetEntry, attrlist);
+ slapi_sdn_free(&target_sdn);
+
+ /* If we can't find the entry, then that's an error */
+ if (ret) {
+ /* Couldn't find the entry, fail */
+ errMesg = "No such Entry exists.\n" ;
+ rc = LDAP_NO_SUCH_OBJECT;
+ goto free_and_return;
+ }
 if (dn) {
 Slapi_DN *bind_sdn;
@@ -1821,7 +1824,7 @@ static int ipapwd_start( Slapi_PBlock *pb )
 krb5_context krbctx = NULL;
 krb5_error_code krberr;
 char *realm = NULL;
- char *config_dn;
+ Slapi_DN *config_sdn = NULL;
 Slapi_Entry *config_entry = NULL;
 int ret;
@@ -1834,13 +1837,13 @@ static int ipapwd_start( Slapi_PBlock *pb )
 return LDAP_SUCCESS;
 }
- if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &config_dn) != 0) {
+ if (slapi_pblock_get(pb, SLAPI_TARGET_SDN, &config_sdn) != 0) {
 LOG_FATAL("No config DN?\n");
 ret = LDAP_OPERATIONS_ERROR;
 goto done;
 }
- if (ipapwd_getEntry(config_dn, &config_entry, NULL) != LDAP_SUCCESS) {
+ if (ipapwd_getEntry(config_sdn, &config_entry, NULL) != LDAP_SUCCESS) {
 LOG_FATAL("No config Entry extop?\n");
 ret = LDAP_SUCCESS;
 goto done;
@@ -1869,7 +1872,7 @@ static int ipapwd_start( Slapi_PBlock *pb )
 goto done;
 }
- ipa_pwd_config_dn = slapi_ch_strdup(config_dn);
+ ipa_pwd_config_dn = slapi_ch_strdup(slapi_sdn_get_dn(config_sdn));
 if (!ipa_pwd_config_dn) {
 LOG_OOM();
 ret = LDAP_OPERATIONS_ERROR;
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index e96aa44..d21d74e 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
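Review bot: Only three of the twelve added lines in the `parse_req_done:` hunk carry new logic (`target_sdn = slapi_sdn_new_dn_byval(dn);`, the `ipapwd_getEntry(target_sdn, &targetEntry, attrlist)` call and `slapi_sdn_free(&target_sdn);`); the comment, the `if (ret)` block and its error handling are removed and re-added verbatim, which suggests an indentation or whitespace change has been folded into the functional one. That hides the actual API change from review and from `git blame`; keeping the reindent in a separate whitespace-only commit, or leaving those lines untouched here, would reduce this hunk to the lines that matter. The enclosing function starts and ends outside the hunk, so I cannot tell whether `target_sdn` could serve the `if (dn) { Slapi_DN *bind_sdn; ...` comparison that follows instead of being freed immediately after the lookup.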
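Review bot: In ipapwd_start the new `ipapwd_getEntry(config_sdn, &config_entry, NULL)` call is also what keeps the later `slapi_ch_strdup(slapi_sdn_get_dn(config_sdn))` away from a NULL `config_sdn`, since `slapi_pblock_get(pb, SLAPI_TARGET_SDN, &config_sdn) != 0` reports, as far as I can tell, only a failed pblock lookup and not an unset value; that reliance on the helper's NULL check deserves a comment at the call site, e.g. `/* ipapwd_getEntry() rejects a NULL config_sdn, so it is safe to dereference below */`. The unchanged failure branch then sets `ret = LDAP_SUCCESS` after logging "No config Entry extop?", so the plugin reports a clean start with no configuration loaded. If that is deliberate (for instance because the entry is created after the first start during installation) a one-line comment saying so would stop the next reader from "fixing" it; if it is not, `ret = LDAP_OPERATIONS_ERROR;` is the fix. ipapwd_start continues outside the hunk.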
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -117,7 +117,7 @@ int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,
 int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
 struct ipapwd_krbcfg **config, int check_flags);
 int ipapwd_CheckPolicy(struct ipapwd_data *data);
-int ipapwd_getEntry(const char *dn, Slapi_Entry **e2, char **attrlist);
+int ipapwd_getEntry(Slapi_DN *sdn, Slapi_Entry **e2, char **attrlist);
 int ipapwd_get_cur_kvno(Slapi_Entry *target);
 int ipapwd_setdate(Slapi_Entry *source, Slapi_Mods *smods,
 const char *attr, time_t date, bool remove);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 9aef2f7..cf88d0f 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -129,6 +129,7 @@ static char *ipapwd_getIpaConfigAttr(const char *attr)
 const char *attrs_list[] = {attr, 0};
 char *value = NULL;
 char *dn = NULL;
+ Slapi_DN *sdn = NULL;
 int ret;
 dn = slapi_ch_smprintf("cn=ipaconfig,cn=etc,%s", ipa_realm_tree);
@@ -137,9 +138,12 @@ static char *ipapwd_getIpaConfigAttr(const char *attr)
 goto done;
 }
- ret = ipapwd_getEntry(dn, &entry, (char **) attrs_list);
+ /* _byref() will take ownership of the dn */
+ sdn = slapi_sdn_new_dn_byref(dn);
+
+ ret = ipapwd_getEntry(sdn, &entry, (char **) attrs_list);
 if (ret) {
- LOG("failed to retrieve config entry: %s\n", dn);
+ LOG("failed to retrieve config entry: %s\n", slapi_sdn_get_dn(sdn));
 goto done;
 }
@@ -147,7 +151,7 @@ static char *ipapwd_getIpaConfigAttr(const char *attr)
 done:
 slapi_entry_free(entry);
- slapi_ch_free_string(&dn);
+ slapi_sdn_free(&sdn);
 return value;
 }
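Review bot: The comment `/* _byref() will take ownership of the dn */` in ipapwd_getIpaConfigAttr states the opposite of what the 389-ds API does as far as I know: `slapi_sdn_new_dn_byref()` only borrows the string and `slapi_sdn_free(&sdn)` at `done:` will not release it, so with `slapi_ch_free_string(&dn)` removed the buffer from `slapi_ch_smprintf("cn=ipaconfig,cn=etc,%s", ipa_realm_tree)` now leaks on every call, including the early `goto done;` after a failed lookup. The constructor that transfers ownership is `slapi_sdn_new_dn_passin()`; either use `sdn = slapi_sdn_new_dn_passin(dn);` with a matching comment, or keep the byref call and put `slapi_ch_free_string(&dn);` back after `slapi_sdn_free(&sdn);` at `done:` (in that order, so the string is not freed while the SDN still references it). A heap leak in a helper that runs on password operations is worth a follow-up before release even if it is slow to accumulate. ipapwd_getIpaConfigAttr starts outside the first hunk.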
@@ -210,7 +214,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
 char *errMesg = "Internal operations error\n";
 struct slapi_entry *e = NULL;
 char *userpw = NULL;
- char *dn = NULL;
+ Slapi_DN *sdn = NULL;
 struct ipapwd_operation *pwdop = NULL;
 void *op;
 int is_repl_op, is_root, is_krb, is_smb, is_ipant;
@@ -292,8 +296,10 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
 * a valid krbPrincipalKey */
 if (has_krbprincipalkey(e)) {
- slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
- LOG("User Life Cycle: %s is a activated stage user (with prehashed password and krb keys)\n", dn ? dn : "unknown");
+ slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+ LOG("User Life Cycle: %s is a activated stage user "
+ "(with prehashed password and krb keys)\n",
+ sdn ? slapi_sdn_get_dn(sdn) : "unknown");
 return 0;
 }
@@ -317,7 +323,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
 }
 /* Get target DN */
- ret = slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
+ ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
 if (ret) {
 rc = LDAP_OPERATIONS_ERROR;
 goto done;
@@ -441,7 +447,7 @@ done:
 #define NTHASH_REGEN_VAL "MagicRegen"
 #define NTHASH_REGEN_LEN sizeof(NTHASH_REGEN_VAL)
 static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
- char *dn, struct slapi_entry *entry,
+ const char *dn, struct slapi_entry *entry,
 struct ipapwd_krbcfg *krbcfg);
 /* PRE MOD Operation:
@@ -463,8 +469,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
 Slapi_Mods *smods = NULL;
 char *userpw = NULL;
 char *unhashedpw = NULL;
- char *dn = NULL;
- Slapi_DN *tmp_dn;
+ Slapi_DN *sdn = NULL;
+ Slapi_DN *tmp_sdn;
 struct slapi_entry *e = NULL;
 struct ipapwd_operation *pwdop = NULL;
 void *op;
@@ -570,14 +576,14 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
 * pre-requisites */
 /* Get target DN */
- ret = slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn);
+ ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
 if (ret) {
 rc = LDAP_OPERATIONS_ERROR;
 goto done;
 }
- tmp_dn = slapi_sdn_new_dn_byref(dn);
- if (tmp_dn) {
+ tmp_sdn = slapi_sdn_dup(sdn);
+ if (tmp_sdn) {
 /* xxxPAR: Ideally SLAPI_MODIFY_EXISTING_ENTRY should be
 * available but it turns out that is only true if you are
 * a dbm backend pre-op plugin - lucky dbm backend pre-op
@@ -589,8 +595,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
 * slapi_pblock_get( pb, SLAPI_MODIFY_EXISTING_ENTRY, &e);
 */
- ret = slapi_search_internal_get_entry(tmp_dn, 0, &e, ipapwd_plugin_id);
- slapi_sdn_free(&tmp_dn);
+ ret = slapi_search_internal_get_entry(tmp_sdn, 0, &e, ipapwd_plugin_id);
+ slapi_sdn_free(&tmp_sdn);
 if (ret != LDAP_SUCCESS) {
 LOG("Failed to retrieve entry?!\n");
 rc = LDAP_NO_SUCH_OBJECT;
@@ -617,7 +623,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
 /* Make sense to call only if this entry has krb keys to source
 * the nthash from */
 if (is_krb) {
- rc = ipapwd_regen_nthash(pb, smods, dn, e, krbcfg);
+ rc = ipapwd_regen_nthash(pb, smods, slapi_sdn_get_dn(sdn), e, krbcfg);
 } else {
 rc = LDAP_UNWILLING_TO_PERFORM;
 }
@@ -818,7 +824,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
 /* Check Bind DN */
 slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn);
 bdn = slapi_sdn_new_dn_byref(binddn);
- tdn = slapi_sdn_new_dn_byref(dn);
+ tdn = slapi_sdn_dup(sdn);
 /* if the change is performed by someone else,
 * it is an admin change that will require a new
@@ -841,7 +847,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
 }
- pwdop->pwdata.dn = slapi_ch_strdup(dn);
+ pwdop->pwdata.dn = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
 pwdop->pwdata.timeNow = time(NULL);
 pwdop->pwdata.target = e;
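Review bot: `tmp_sdn = slapi_sdn_dup(sdn); if (tmp_sdn) {` keeps a NULL guard that no longer protects anything: as far as I know slapi_sdn_dup() always returns a fresh allocation and would dereference a NULL `sdn` before the check is reached, whereas the replaced `slapi_sdn_new_dn_byref(dn)` tolerated a NULL string, and `slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn)` returning 0 does not by itself guarantee a non-NULL value. The cheap fix is to validate the value right after the pblock_get, `if (ret || sdn == NULL) { rc = LDAP_OPERATIONS_ERROR; goto done; }`, which also covers the later `slapi_sdn_get_dn(sdn)` uses in this function. The duplicate itself looks unnecessary, since the search in the next hunk does not consume its argument (the old code freed its byref copy right after the call), but the `if (tmp_sdn) {` block closes outside the hunk, so I would leave removing it to a follow-up; the same remark applies to `tdn = slapi_sdn_dup(sdn);` further down, where `bdn` is still built from the SLAPI_CONN_DN string and could use SLAPI_REQUESTOR_SDN if the targeted 389-ds provides it. ipapwd_pre_mod starts and ends outside these hunks.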
@@ -932,7 +938,7 @@ done:
 }
 static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
- char *dn, struct slapi_entry *entry,
+ const char *dn, struct slapi_entry *entry,
 struct ipapwd_krbcfg *krbcfg)
 {
 Slapi_Attr *attr;
@@ -1388,7 +1394,9 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 };
 struct berval *credentials = NULL;
 Slapi_Entry *entry = NULL;
- char *dn = NULL;
+ Slapi_DN *target_sdn = NULL;
+ Slapi_DN *sdn = NULL;
+ const char *dn = NULL;
 int method = 0;
 bool syncreq;
 bool otpreq;
@@ -1399,7 +1407,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 struct tm expire_tm;
 /* get BIND parameters */
- ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET, &dn);
+ ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &target_sdn);
 ret |= slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method);
 ret |= slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, &credentials);
 if (ret) {
@@ -1412,7 +1420,9 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 return 0;
 /* Retrieve the user's entry. */
- ret = ipapwd_getEntry(dn, &entry, (char **) attrs_list);
+ sdn = slapi_sdn_dup(target_sdn);
+ dn = slapi_sdn_get_dn(sdn);
+ ret = ipapwd_getEntry(sdn, &entry, (char **) attrs_list);
 if (ret) {
 LOG("failed to retrieve user entry: %s\n", dn);
 return 0;
@@ -1469,13 +1479,15 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 goto invalid_creds;
 /* Attempt to write out kerberos keys for the user. */
- ipapwd_write_krb_keys(pb, dn, entry, credentials);
+ ipapwd_write_krb_keys(pb, discard_const(dn), entry, credentials);
 slapi_entry_free(entry);
+ slapi_sdn_free(&sdn);
 return 0;
 invalid_creds:
 slapi_entry_free(entry);
+ slapi_sdn_free(&sdn);
 slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
 return 1;
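Review bot: `sdn = slapi_sdn_dup(target_sdn);` in ipapwd_pre_bind is leaked on the `if (ret) { LOG("failed to retrieve user entry: %s\n", dn); return 0; }` path: the two `slapi_sdn_free(&sdn)` calls added in the last hunk cover only the success and `invalid_creds` exits, and any other early return between the end of this hunk and the `goto invalid_creds;` context (not visible here) leaks as well. Because this is the bind pre-op, an unauthenticated client that keeps binding as a non-existent DN grows the process heap by one Slapi_DN per attempt, so this is worth fixing before the next release. The copy is not needed at all: `target_sdn` presumably belongs to the operation for the lifetime of the pre-op and ipapwd_getEntry duplicates its argument internally, so `dn = slapi_sdn_get_dn(target_sdn);` and `ret = ipapwd_getEntry(target_sdn, &entry, (char **) attrs_list);` with `sdn` and both `slapi_sdn_free(&sdn)` lines removed close the leak and leave nothing to clean up on early returns. The `discard_const(dn)` cast is then better resolved by giving ipapwd_write_krb_keys a `const char *dn` parameter, as this commit already does for ipapwd_regen_nthash. ipapwd_pre_bind starts and ends outside the hunks.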