Don't manipulate password history if not configured in policy

This commit is contained in:
Howard Chu 2004-04-03 06:21:03 +00:00
parent 6a96ec96bd
commit e1fc5012bd


@ -1325,7 +1325,7 @@ ppolicy_modify( Operation *op, SlapReply *rs )
* We need this, even if the user is root, in order to maintain * We need this, even if the user is root, in order to maintain
* the pwdHistory operational attributes properly. * the pwdHistory operational attributes properly.
*/ */
if (ha = attr_find( e->e_attrs, ad_pwdHistory )) { if (pp.pwdInHistory > 0 && (ha = attr_find( e->e_attrs, ad_pwdHistory ))) {
struct berval oldpw; struct berval oldpw;
time_t oldtime; time_t oldtime;
char *oid; char *oid;
@ -1343,8 +1343,8 @@ ppolicy_modify( Operation *op, SlapReply *rs )
oldpw.bv_len = 0; oldpw.bv_len = 0;
} }
} }
for(p=tl; p; p=p->next, hsize++); /* count history size */
} }
for(p=tl, hsize=0; p; p=p->next, hsize++); /* count history size */
if (be_isroot( op->o_bd, &op->o_ndn)) goto do_modify; if (be_isroot( op->o_bd, &op->o_ndn)) goto do_modify;
@ -1570,75 +1570,77 @@ do_modify:
modtail = mods; modtail = mods;
} }
if (hsize >= pp.pwdInHistory) { if (pp.pwdInHistory > 0) {
/* if (hsize >= pp.pwdInHistory) {
* We use the >= operator, since we are going to add a /*
* the existing password attribute value into the * We use the >= operator, since we are going to add
* history - thus the cardinality of history values is * the existing password attribute value into the
* about to rise by one. * history - thus the cardinality of history values is
* * about to rise by one.
* If this would push it over the limit of history *
* values (remembering - the password policy could have * If this would push it over the limit of history
* changed since the password was last altered), we must * values (remembering - the password policy could have
* delete at least 1 value from the pwdHistory list. * changed since the password was last altered), we must
* * delete at least 1 value from the pwdHistory list.
* In fact, we delete '(#pwdHistory attrs - max pwd *
* history length) + 1' values, starting with the oldest. * In fact, we delete '(#pwdHistory attrs - max pwd
* This is easily evaluated, since the linked list is * history length) + 1' values, starting with the oldest.
* created in ascending time order. * This is easily evaluated, since the linked list is
*/ * created in ascending time order.
mods = (Modifications *) ch_malloc( sizeof( Modifications ) ); */
mods->sml_op = LDAP_MOD_DELETE; mods = (Modifications *) ch_malloc( sizeof( Modifications ) );
mods->sml_type.bv_val = NULL; mods->sml_op = LDAP_MOD_DELETE;
mods->sml_desc = ad_pwdHistory; mods->sml_type.bv_val = NULL;
mods->sml_nvalues = NULL; mods->sml_desc = ad_pwdHistory;
mods->sml_values = ch_calloc( sizeof( struct berval ), mods->sml_nvalues = NULL;
hsize - pp.pwdInHistory + 2 ); mods->sml_values = ch_calloc( sizeof( struct berval ),
mods->sml_values[ hsize - pp.pwdInHistory + 1 ].bv_val = NULL; hsize - pp.pwdInHistory + 2 );
mods->sml_values[ hsize - pp.pwdInHistory + 1 ].bv_len = 0; mods->sml_values[ hsize - pp.pwdInHistory + 1 ].bv_val = NULL;
for(i=0,p=tl; i < (hsize - pp.pwdInHistory + 1); i++, p=p->next) { mods->sml_values[ hsize - pp.pwdInHistory + 1 ].bv_len = 0;
mods->sml_values[i].bv_val = NULL; for(i=0,p=tl; i < (hsize - pp.pwdInHistory + 1); i++, p=p->next) {
mods->sml_values[i].bv_len = 0; mods->sml_values[i].bv_val = NULL;
ber_dupbv( &(mods->sml_values[i]), &p->bv ); mods->sml_values[i].bv_len = 0;
ber_dupbv( &(mods->sml_values[i]), &p->bv );
}
mods->sml_next = NULL;
modtail->sml_next = mods;
modtail = mods;
} }
mods->sml_next = NULL; free_pwd_history_list( &tl );
modtail->sml_next = mods;
modtail = mods;
}
free_pwd_history_list( &tl );
/* /*
* Now add the existing password into the history list. * Now add the existing password into the history list.
* This will be executed even if the operation is to delete * This will be executed even if the operation is to delete
* the password entirely. * the password entirely.
* *
* This isn't in the spec explicitly, but it seems to make * This isn't in the spec explicitly, but it seems to make
* sense that the password history list is the list of all * sense that the password history list is the list of all
* previous passwords - even if they were deleted. Thus, if * previous passwords - even if they were deleted. Thus, if
* someone tries to add a historical password at some future * someone tries to add a historical password at some future
* point, it will fail. * point, it will fail.
*/ */
if ((pa = attr_find( e->e_attrs, pp.ad )) != NULL) { if ((pa = attr_find( e->e_attrs, pp.ad )) != NULL) {
mods = (Modifications *) ch_malloc( sizeof( Modifications ) ); mods = (Modifications *) ch_malloc( sizeof( Modifications ) );
mods->sml_op = LDAP_MOD_ADD; mods->sml_op = LDAP_MOD_ADD;
mods->sml_type.bv_val = NULL; mods->sml_type.bv_val = NULL;
mods->sml_desc = ad_pwdHistory; mods->sml_desc = ad_pwdHistory;
mods->sml_nvalues = NULL; mods->sml_nvalues = NULL;
mods->sml_values = ch_calloc( sizeof( struct berval ), 2 ); mods->sml_values = ch_calloc( sizeof( struct berval ), 2 );
mods->sml_values[ 1 ].bv_val = NULL; mods->sml_values[ 1 ].bv_val = NULL;
mods->sml_values[ 1 ].bv_len = 0; mods->sml_values[ 1 ].bv_len = 0;
make_pwd_history_value( timebuf, &mods->sml_values[0], pa ); make_pwd_history_value( timebuf, &mods->sml_values[0], pa );
mods->sml_next = NULL; mods->sml_next = NULL;
modtail->sml_next = mods; modtail->sml_next = mods;
modtail = mods; modtail = mods;
} else { } else {
#ifdef NEW_LOGGING #ifdef NEW_LOGGING
LDAP_LOG ( OPERATION, ERR, LDAP_LOG ( OPERATION, ERR,
"ppolicy_modify: password attr lookup failed\n", 0, 0, 0 ); "ppolicy_modify: password attr lookup failed\n", 0, 0, 0 );
#else #else
Debug( LDAP_DEBUG_TRACE, Debug( LDAP_DEBUG_TRACE,
"ppolicy_modify: password attr lookup failed\n", 0, 0, 0 ); "ppolicy_modify: password attr lookup failed\n", 0, 0, 0 );
#endif #endif
}
} }
/* /*