From 3a8fe8c3a9de8d0e17ab4064ac689bce2b4b5042 Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Tue, 12 Dec 2023 08:41:10 -0500 Subject: [PATCH] Issue 9497 - update debug logging in ipa-pwd-extop Fixes: https://pagure.io/freeipa/issue/9497 Signed-off-by: Mark Reynolds Reviewed-By: Alexander Bokovoy --- .../ipa-slapi-plugins/ipa-pwd-extop/common.c | 25 +++-- .../ipa-pwd-extop/encoding.c | 5 +- .../ipa-pwd-extop/ipa_pwd_extop.c | 106 ++++++++++-------- .../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 59 +++++----- 4 files changed, 105 insertions(+), 90 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index 5251713c68855e10b0980af71696d944e683ae90..d30764bb2a05c7ca4a33ea114a2dc19af39e216f 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c @@ -33,7 +33,7 @@ * Authors: * Simo Sorce * - * Copyright (C) 2007-2010 Red Hat, Inc. + * Copyright (C) 2007-2023 Red Hat, Inc. * All rights reserved. * END COPYRIGHT BLOCK **/ @@ -81,7 +81,8 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void) char **encsalts; char **tmparray; char *tmpstr; - int i, ret; + int ret; + size_t i; config = calloc(1, sizeof(struct ipapwd_krbcfg)); if (!config) { @@ -327,7 +328,8 @@ int ipapwd_getPolicy(const char *dn, "ipaPwdUserCheck", NULL}; Slapi_Entry **es = NULL; Slapi_Entry *pe = NULL; - int ret, res, scope, i; + int ret, res, scope; + size_t i; int buffer_flags=0; Slapi_ValueSet* results = NULL; char *actual_type_name = NULL; @@ -545,7 +547,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg, } sdn = slapi_sdn_new_dn_byref(dn); if (!sdn) { - LOG_FATAL("Unable to convert dn to sdn %s", dn ? dn : ""); + LOG_FATAL("Unable to convert dn to sdn %s\n", dn ? dn : ""); *errMesg = "Internal Error"; rc = LDAP_OPERATIONS_ERROR; goto done; 
@@ -564,7 +566,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg, /* get the kerberos context and master key */ *config = ipapwd_getConfig(); if (NULL == *config) { - LOG_FATAL("Error Retrieving Master Key"); + LOG_FATAL("Error Retrieving Master Key\n"); *errMesg = "Fatal Internal Error"; rc = LDAP_OPERATIONS_ERROR; } @@ -594,7 +596,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) /* Find the entry with the password policy */ ret = ipapwd_getPolicy(data->dn, data->target, &pol); if (ret) { - LOG_TRACE("No password policy, use defaults"); + LOG_TRACE("No password policy, use defaults\n"); } break; case IPA_CHANGETYPE_ADMIN: @@ -620,14 +622,14 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) */ ret = ipapwd_getPolicy(data->dn, data->target, &tmppol); if (ret) { - LOG_TRACE("No password policy, use defaults"); + LOG_TRACE("No password policy, use defaults\n"); } else { pol.max_pwd_life = tmppol.max_pwd_life; pol.history_length = tmppol.history_length; } break; default: - LOG_TRACE("Unknown password change type, use defaults"); + LOG_TRACE("Unknown password change type, use defaults\n"); break; } @@ -860,7 +862,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, case IPA_CHANGETYPE_DSMGR: case IPA_CHANGETYPE_ADMIN: /* Mark as administratively reset which will unlock acct */ - ret = ipapwd_setdate(data->target, smods, + ret = ipapwd_setdate(data->target, smods, "krbLastAdminUnlock", data->timeNow, false); if (ret != LDAP_SUCCESS) @@ -951,7 +953,7 @@ Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods, char **new_pwd_history = NULL; int n = 0; int ret; - int i; + size_t i; pwd_history = slapi_entry_attr_get_charray(data->target, "passwordHistory"); @@ -1083,10 +1085,9 @@ int ipapwd_set_extradata(const char *dn, void ipapwd_free_slapi_value_array(Slapi_Value ***svals) { Slapi_Value **sv = *svals; - int i; if (sv) { - for (i = 0; sv[i]; i++) { + for (size_t i = 0; sv[i]; i++) { slapi_value_free(&sv[i]); } } 
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c index 7b2f341229b4f3bf48105c3856c0d6778da154a5..43ae6f0a645c8f3ff0fa2d147891f93efff0eb20 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c @@ -33,7 +33,7 @@ * Authors: * Simo Sorce * - * Copyright (C) 2007-2010 Red Hat, Inc. + * Copyright (C) 2007-2023 Red Hat, Inc. * All rights reserved. * END COPYRIGHT BLOCK **/ @@ -231,7 +231,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg, if (!*svals) { /* errMesg should have been set in encrypt_encode_key() */ - LOG_FATAL("key encryption/encoding failed\n"); + LOG_FATAL("key encryption/encoding failed (%s)\n", *errMesg); rc = LDAP_OPERATIONS_ERROR; goto done; } @@ -267,6 +267,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg, } (*ntvals)[0] = slapi_value_new(); if (slapi_value_set((*ntvals)[0], nt_key, 16) == NULL) { + LOG("Failed to set value for nt_key"); rc = LDAP_OPERATIONS_ERROR; goto done; } diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 0d630ca04c38b739bb0d8bf22c162af9d3e15566..43c31becae45c1c91c7c2adf498aedbd05af9a69 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -33,7 +33,7 @@ * Authors: * Simo Sorce * - * Copyright (C) 2007-2010 Red Hat, Inc. + * Copyright (C) 2007-2023 Red Hat, Inc. * All rights reserved. * END COPYRIGHT BLOCK **/ @@ -108,7 +108,7 @@ static void filter_keys(struct ipapwd_krbcfg *krbcfg, struct ipapwd_keyset *kset, bool allow_nthash) { - int i, j; + size_t i, j; for (i = 0; i < kset->num_keys; i++) { for (j = 0; j < krbcfg->num_supp_encsalts; j++) { 
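Review bot: In the -231 hunk of encoding.c the new `LOG_FATAL("key encryption/encoding failed (%s)\n", *errMesg)` feeds `*errMesg` to `%s` on the strength of a comment that it "should have been set"; if any failure path in encrypt_encode_key leaves it NULL this is undefined behaviour (glibc prints "(null)", other libcs can crash). Guard it: `LOG_FATAL("key encryption/encoding failed (%s)\n", *errMesg ? *errMesg : "unknown error");`. The `LOG("Failed to set value for nt_key");` added in the -267 hunk is also the one new message in this patch without a trailing `\n`, which is exactly what the rest of the commit is adding everywhere else. ipapwd_gen_hashes starts and ends outside these hunks.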
@@ -151,11 +151,11 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg, bool allow_nthash) { /* first filter for duplicates */ - for (int i = 0; i + 1 < *num_kenctypes; i++) { - for (int j = i + 1; j < *num_kenctypes; j++) { + for (size_t i = 0; i + 1 < *num_kenctypes; i++) { + for (size_t j = i + 1; j < *num_kenctypes; j++) { if (kenctypes[i].ks_enctype == kenctypes[j].ks_enctype) { /* duplicate, filter out */ - for (int k = j; k + 1 < *num_kenctypes; k++) { + for (size_t k = j; k + 1 < *num_kenctypes; k++) { kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype; kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype; } @@ -166,8 +166,8 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg, } /* then filter for supported */ - for (int i = 0; i < *num_kenctypes; i++) { - int j; + for (size_t i = 0; i < *num_kenctypes; i++) { + size_t j; /* Check if supported */ for (j = 0; j < krbcfg->num_supp_encsalts; j++) { @@ -184,7 +184,7 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg, } if (j == krbcfg->num_supp_encsalts) { /* Unsupported, filter out */ - for (int k = i; k + 1 < *num_kenctypes; k++) { + for (size_t k = i; k + 1 < *num_kenctypes; k++) { kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype; kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype; } @@ -344,6 +344,8 @@ parse_req_done: rc = ipapwd_check_max_pwd_len(strlen(newPasswd), &errMesg); if (rc) { + LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n", + bindDN, errMesg); goto free_and_return; } @@ -456,7 +458,7 @@ parse_req_done: char *cur_pw; if (oldPasswd == NULL || *oldPasswd == '\0') { - LOG_FATAL("Old password was not provided!\n"); + LOG_FATAL("Old password was not provided for '%s'!\n", dn); rc = LDAP_INVALID_CREDENTIALS; goto free_and_return; } 
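Review bot: The -151/-166/-184 hunks make the loop counters `size_t` but still compare them against `*num_kenctypes` and `krbcfg->num_supp_encsalts`, whose declarations are not in the hunk; if those remain `int`, every comparison is now signed/unsigned (`-Wsign-compare`) and a negative count, which the old `int` loops treated as empty, is converted to a huge `size_t` and walks off the end of `kenctypes`. Either convert the count fields and the `num_kenctypes` parameter to `size_t` in the same change, or keep the counters `int` here. filter_enctypes's signature and tail are outside the hunk.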
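Review bot: The LOG_PWDPOLICY added in the -344 hunk records `bindDN`, while the otherwise identical message added in the -606 hunk records the target `dn`; for log correlation the two should name the same thing, and the target is what an operator searching for a given account will look for. If `dn` is already resolved to the target at this point (that assignment is outside the hunk), log both: `LOG_PWDPOLICY("Failed to set password credentials for '%s' (bound as '%s'): %s\n", dn, bindDN, errMesg);`.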
@@ -466,7 +468,7 @@ parse_req_done: cur_pw = slapi_entry_attr_get_charptr(targetEntry, "userPassword"); if (!cur_pw) { - LOG_FATAL("User has no current password?\n"); + LOG_FATAL("User '%s' does not have a current password?\n", dn); rc = LDAP_UNWILLING_TO_PERFORM; goto free_and_return; } @@ -485,7 +487,7 @@ parse_req_done: slapi_value_free(&pw); if (ret != 0) { - LOG_TRACE("Invalid password!\n"); + LOG_TRACE("Invalid password for '%s'!\n", dn); rc = LDAP_INVALID_CREDENTIALS; goto free_and_return; } @@ -579,11 +581,9 @@ parse_req_done: /* special cases */ if ((strcasecmp(dn, bindDN) != 0) && (strcasecmp(ipa_changepw_principal_dn, bindDN) != 0)) { - int i; - pwdata.changetype = IPA_CHANGETYPE_ADMIN; - for (i = 0; i < krbcfg->num_passsync_mgrs; i++) { + for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) { if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) { pwdata.changetype = IPA_CHANGETYPE_DSMGR; break; @@ -606,6 +606,8 @@ parse_req_done: errMesg = ipapwd_error2string(ret); ret = ipapwd_to_ldap_pwpolicy_error(ret); slapi_pwpolicy_make_response_control(pb, -1, -1, ret); + LOG_PWDPOLICY("Failed to set password credentials for" + " '%s': %s\n", dn, errMesg); rc = LDAP_CONSTRAINT_VIOLATION; goto free_and_return; } @@ -666,7 +668,7 @@ free_and_return: if (targetEntry) slapi_entry_free(targetEntry); if (ber) ber_free(ber, 1); - LOG("%s", errMesg ? errMesg : "success"); + LOG("%s\n", errMesg ? errMesg : "success"); slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL); return SLAPI_PLUGIN_EXTENDED_SENT_RESULT; @@ -732,7 +734,8 @@ static Slapi_Entry *get_entry_by_principal(const char *principal) "krbCanonicalName", "enrolledBy", NULL }; Slapi_Entry **es = NULL; - int res, ret, i; + int res, ret; + size_t i; Slapi_Entry *entry = NULL; /* Find ancestor base DN */ 
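Review bot: The -485 hunk logs a failed old-password check (`Invalid password for '%s'!`) at LOG_TRACE, so a guessing campaign against the password-change extop through a valid bind leaves nothing in the error log unless trace logging is enabled; the result code still goes back to the client and the access log records the operation, but not which target DN was attacked. Consider LOG_PWDPOLICY, which this same commit uses for the other refusals in this function, or at least a non-trace level for this path, e.g. `LOG_PWDPOLICY("Invalid current password for '%s'\n", dn);`. The request parsing that resolves `dn` and the cleanup section are outside the hunk.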
@@ -774,7 +777,7 @@ static Slapi_Entry *get_entry_by_principal(const char *principal) /* if there is none or more than one, freak out */ if (i != 1) { - LOG_TRACE("Too many entries, or entry no found (%d)", i); + LOG_TRACE("Too many entries, or entry no found (%ld)\n", i); goto free_and_return; } entry = slapi_entry_dup(es[0]); @@ -809,7 +812,7 @@ static bool is_allowed_to_access_attr(Slapi_PBlock *pb, char *bindDN, */ be = get_realm_backend(); if (!be) { - LOG_FATAL("Could not fetch REALM backend!"); + LOG_FATAL("Could not fetch REALM backend!\n"); return false; } if (slapi_pblock_set(pb, SLAPI_BACKEND, be)) { @@ -868,7 +871,8 @@ static void remove_user_password(Slapi_Mods *smods, if ((NULL != pw) && (NULL == krbLastPwdChange)) { slapi_mods_add_mod_values(smods, LDAP_MOD_DELETE, "userPassword", NULL); - LOG_TRACE("Removing userPassword from host entry\n"); + LOG_TRACE("Removing userPassword from host entry '%s'\n", + slapi_entry_get_dn_const(targetEntry)); } } if (krbLastPwdChange) slapi_ch_free_string(&krbLastPwdChange); @@ -891,8 +895,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn, rc = set_krbLastPwdChange(smods, time_now); if (rc) { rc = LDAP_OPERATIONS_ERROR; - LOG_FATAL("Failed to set krbLastPwdChange"); - err_msg = "Internal error while storing keytab data\n"; + LOG_FATAL("Failed to set krbLastPwdChange for target '%s'\n", + slapi_entry_get_dn_const(target)); + err_msg = "Internal error while storing keytab data"; goto done; } @@ -905,8 +910,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn, rc = ipapwd_apply_mods(slapi_entry_get_dn_const(target), smods); if (rc != LDAP_SUCCESS) { rc = LDAP_OPERATIONS_ERROR; - LOG_FATAL("Failed to apply mods"); - err_msg = "Internal error while saving keys\n"; + LOG_FATAL("Failed to apply mods to target '%s'\n", + slapi_entry_get_dn_const(target)); + err_msg = "Internal error while saving keys"; goto done; } 
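Review bot: In the -774 hunk `i` is now `size_t` (per the -732 hunk) but is printed with `%ld`; the mismatched conversion is undefined behaviour and `-Wformat` will flag it. Use `LOG_TRACE("Too many entries, or entry not found (%zu)\n", i);`, which also fixes the "no found" typo. The search setup in get_entry_by_principal is outside the hunk.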
@@ -914,8 +920,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn, svcname, time_now); if (rc != LDAP_SUCCESS) { rc = LDAP_OPERATIONS_ERROR; - LOG_FATAL("Failed to set extradata"); - err_msg = "Internal error while saving keytab extradata\n"; + LOG_FATAL("Failed to set extradata for target '%s'\n", + slapi_entry_get_dn_const(target)); + err_msg = "Internal error while saving keytab extradata"; goto done; } @@ -1003,7 +1010,7 @@ static int decode_setkeytab_request(krb5_context krbctx, kset->mkvno = mkvno; rtag = ber_peek_tag(ber, &tlen); - for (int i = 0; rtag == LBER_SEQUENCE; i++) { + for (size_t i = 0; rtag == LBER_SEQUENCE; i++) { krb5_key_data *newset; ber_tag_t ctag; ber_int_t type; @@ -1181,29 +1188,29 @@ static int encode_setkeytab_reply(struct ipapwd_keyset *kset, rc = ber_printf(ber, "{i{", (ber_int_t)kset->keys[0].key_data_kvno); if (rc == -1) { rc = LDAP_OPERATIONS_ERROR; - LOG_FATAL("Failed to ber_printf the kvno"); + LOG_FATAL("Failed to ber_printf the kvno\n"); goto done; } - for (int i = 0; i < kset->num_keys; i++) { + for (size_t i = 0; i < kset->num_keys; i++) { rc = ber_printf(ber, "{i}", (ber_int_t)kset->keys[i].key_data_type[0]); if (rc == -1) { rc = LDAP_OPERATIONS_ERROR; - LOG_FATAL("Failed to ber_printf the enctype"); + LOG_FATAL("Failed to ber_printf the enctype\n"); goto done; } } rc = ber_printf(ber, "}}"); if (rc == -1) { rc = LDAP_OPERATIONS_ERROR; - LOG_FATAL("Failed to ber_printf the termination"); + LOG_FATAL("Failed to ber_printf the termination\n"); goto done; } rc = ber_flatten(ber, &bvp); if (rc == -1) { rc = LDAP_OPERATIONS_ERROR; - LOG_FATAL("Failed to ber_flatten the buffer"); + LOG_FATAL("Failed to ber_flatten the buffer\n"); goto done; } 
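Review bot: The -1181 hunk's loop now runs `i < kset->num_keys` with a `size_t` counter, and the context line just above it reads `kset->keys[0].key_data_kvno` unconditionally; if `num_keys` is `int` (its declaration is not in the hunk) the comparison is signed/unsigned, and if a decoded request can arrive with zero keys, `keys[0]` is an out-of-bounds read before the loop starts. Unless decode_setkeytab_request already rejects an empty keyset (not visible here), add `if (kset->num_keys == 0) { rc = LDAP_OPERATIONS_ERROR; goto done; }` ahead of the first ber_printf. encode_setkeytab_reply's prologue is outside the hunk.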
@@ -1306,7 +1313,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) /* get next kvno for entry (will be 1 if this is new) and fix keyset */ kvno = ipapwd_get_cur_kvno(targetEntry) + 1; - for (int i = 0; i < kset->num_keys; i++) { + for (size_t i = 0; i < kset->num_keys; i++) { kset->keys[i].key_data_kvno = kvno; } @@ -1352,7 +1359,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) rc = encode_setkeytab_reply(kset, &bvp); if (rc) { - errMesg = "Internal Error.\n"; + errMesg = "Internal Error."; goto free_and_return; } @@ -1372,7 +1379,7 @@ free_and_return: if (targetEntry) slapi_entry_free(targetEntry); if (svals) { - for (int i = 0; svals[i]; i++) { + for (size_t i = 0; svals[i]; i++) { slapi_value_free(&svals[i]); } free(svals); @@ -1382,7 +1389,7 @@ free_and_return: if (rc == LDAP_SUCCESS) errMesg = NULL; - LOG("%s", errMesg ? errMesg : "success"); + LOG("%s\n", errMesg ? errMesg : "success"); slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL); return SLAPI_PLUGIN_EXTENDED_SENT_RESULT; @@ -1403,7 +1410,6 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold, krb5_key_salt_tuple *enctypes = NULL; bool newkt; bool ret; - int i; ret = ipaasn1_dec_getkt(extop->bv_val, extop->bv_len, &newkt, &svcname, &password, &etypes, &numtypes); @@ -1423,7 +1429,7 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold, goto done; } - for (i = 0; i < numtypes; i++) { + for (size_t i = 0; i < numtypes; i++) { enctypes[i].ks_enctype = etypes[i]; enctypes[i].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL; } @@ -1466,7 +1472,7 @@ static int encode_getkeytab_reply(krb5_context krbctx, /* uses last key kvno */ kvno = keys[num_keys-1].key_data_kvno; - for (int i = 0; i < num_keys; i++) { + for (size_t i = 0; i < num_keys; i++) { krb5_enc_data cipher = { 0 }; krb5_data plain = { 0 }; krb5_int16 plen; 
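Review bot: In the -1466 hunk `kvno = keys[num_keys-1].key_data_kvno` sits just above the loop that is now counted with `size_t`; with `num_keys` still an `int` (its declaration is not in the hunk) a zero-key result indexes `keys[-1]`, and if a later cleanup turns `num_keys` into `size_t` the same expression silently wraps to a huge index. Unless the caller already guarantees `num_keys > 0` (not visible here), guard it: `if (num_keys == 0) { rc = LDAP_OPERATIONS_ERROR; goto done; }` before the read. encode_getkeytab_reply starts outside the hunk.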
@@ -1516,7 +1522,7 @@ static int encode_getkeytab_reply(krb5_context krbctx, rc = LDAP_SUCCESS; done: - for (int i = 0; i < ksc.nkeys; i ++) { + for (size_t i = 0; i < ksc.nkeys; i++) { free(ksc.ksdata[i].key.contents); } if (rc != LDAP_SUCCESS) { @@ -1632,7 +1638,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) * this operation. */ if (bind_dn == NULL || *bind_dn == '\0') { /* Refuse the operation because they're bound anonymously */ - err_msg = "Anonymous Binds are not allowed.\n"; + err_msg = "Anonymous Binds are not allowed."; rc = LDAP_INSUFFICIENT_ACCESS; goto free_and_return; } @@ -1648,7 +1654,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); if (!extop_value) { LOG_FATAL("Failed to retrieve extended op value from pblock\n"); - err_msg = "Failed to retrieve extended operation value\n"; + err_msg = "Failed to retrieve extended operation value"; rc = LDAP_OPERATIONS_ERROR; goto free_and_return; } @@ -1674,7 +1680,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) /* get Entry by krbPrincipalName */ target_entry = get_entry_by_principal(service_name); if (!target_entry) { - err_msg = "PrincipalName not found.\n"; + err_msg = "PrincipalName not found."; rc = LDAP_NO_SUCH_OBJECT; goto free_and_return; } @@ -1690,7 +1696,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) if (!acl_ok) { LOG_FATAL("Not allowed to retrieve keytab on [%s] as user [%s]!\n", service_name, bind_dn); - err_msg = "Insufficient access rights\n"; + err_msg = "Insufficient access rights"; rc = LDAP_INSUFFICIENT_ACCESS; goto free_and_return; } 
@@ -1701,6 +1707,8 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) /* if password was passed-in, check its length */ rc = ipapwd_check_max_pwd_len(strlen(password), &err_msg); if (rc) { + LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n", + bind_dn, err_msg); goto free_and_return; } } @@ -1712,7 +1720,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) if (!acl_ok) { LOG_FATAL("Not allowed to set keytab on [%s]!\n", service_name); - err_msg = "Insufficient access rights\n"; + err_msg = "Insufficient access rights"; rc = LDAP_INSUFFICIENT_ACCESS; goto free_and_return; } @@ -1745,7 +1753,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) if (!svals) { rc = LDAP_OPERATIONS_ERROR; LOG_FATAL("encrypt_encode_keys failed!\n"); - err_msg = "Internal error while encrypting keys\n"; + err_msg = "Internal error while encrypting keys"; goto free_and_return; } @@ -1765,7 +1773,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) rc = encode_getkeytab_reply(krbctx, krbcfg->kmkey, mkvno, keys, num_keys, &bvp); if (rc != LDAP_SUCCESS) { - err_msg = "Internal Error.\n"; + err_msg = "Internal Error."; goto free_and_return; } @@ -1776,7 +1784,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) free_and_return: if (rc == LDAP_SUCCESS) err_msg = NULL; - LOG("%s", err_msg ? err_msg : "success"); + LOG("%s\n", err_msg ? err_msg : "success"); slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL); /* Free anything that we allocated above */ @@ -1787,7 +1795,7 @@ free_and_return: if (target_entry) slapi_entry_free(target_entry); if (keys) ipa_krb5_free_key_data(keys, num_keys); if (svals) { - for (int i = 0; svals[i]; i++) { + for (size_t i = 0; svals[i]; i++) { slapi_value_free(&svals[i]); } free(svals); 
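Review bot: The LOG_PWDPOLICY added in the -1701 hunk says "Failed to set password credentials for '%s'" and names `bind_dn`, but this is the getkeytab path: the over-long password belongs to the service `service_name` being keyed and `bind_dn` is only the caller, a distinction the existing LOG_FATAL in the -1690 hunk already makes with `[%s] as user [%s]`. Log the target the same way so the two lines correlate: `LOG_PWDPOLICY("Password for [%s] rejected (bound as [%s]): %s\n", service_name, bind_dn, err_msg);`. ipapwd_getkeytab's request decoding is outside the hunk.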
@@ -2031,7 +2039,7 @@ int ipapwd_init( Slapi_PBlock *pb ) "ipapwd_post_init_betxn", ipapwd_post_init_betxn, "IPA pwd post ops betxn", NULL, ipapwd_plugin_id); - } + } slapi_register_plugin("preoperation", 1, "ipapwd_pre_init", ipapwd_pre_init, diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c index 45626523ffa1030cdff4f3e0ccdfa1618a51ccaf..6898e6596e1cbbb2cc69ba592401619ce86899d8 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c @@ -33,7 +33,7 @@ * Authors: * Simo Sorce * - * Copyright (C) 2007-2010 Red Hat, Inc. + * Copyright (C) 2007-2023 Red Hat, Inc. * All rights reserved. * END COPYRIGHT BLOCK **/ @@ -248,6 +248,13 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) return 0; } + /* Get target DN */ + ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn); + if (ret) { + rc = LDAP_OPERATIONS_ERROR; + goto done; + } + /* Ok this is interesting, * Check this is a clear text password, or refuse operation */ if ('{' == userpw[0]) { @@ -280,6 +287,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) } else { rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg); if (rc) { + LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n", + slapi_sdn_get_dn(sdn), errMesg); goto done; } userpw = slapi_ch_strdup(userpw_clear); @@ -329,13 +338,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) goto done; } - /* Get target DN */ - ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn); - if (ret) { - rc = LDAP_OPERATIONS_ERROR; - goto done; - } - /* time to get the operation handler */ ret = slapi_pblock_get(pb, SLAPI_OPERATION, &op); if (ret != 0) { @@ -359,7 +361,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR; } else { char *binddn; - int i; pwdop->pwdata.changetype = IPA_CHANGETYPE_ADMIN; 
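Review bot: The -248 hunk of prepost.c moves the SLAPI_TARGET_SDN fetch earlier and the -280 hunk then passes `slapi_sdn_get_dn(sdn)` to `%s`; a zero return from `slapi_pblock_get` does not by itself guarantee a non-NULL `sdn`, and a NULL string through `%s` is undefined behaviour. Either reject a NULL `sdn` at the new fetch site, `if (ret || sdn == NULL) { rc = LDAP_OPERATIONS_ERROR; goto done; }`, or log with a fallback such as `slapi_sdn_get_dn(sdn) ? slapi_sdn_get_dn(sdn) : "<unknown>"`. The earlier `goto done` is fine only if `done:` tolerates the locals that are not yet allocated at that point; the label is outside the hunk.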
@@ -367,7 +368,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn); /* if it is a passsync manager we also need to skip resets */ - for (i = 0; i < krbcfg->num_passsync_mgrs; i++) { + for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) { if (strcasecmp(krbcfg->passsync_mgrs[i], binddn) == 0) { pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR; break; @@ -385,6 +386,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) if ((pwdop->pwdata.changetype != IPA_CHANGETYPE_DSMGR) && (ret != 0) ) { errMesg = ipapwd_error2string(ret); + LOG_PWDPOLICY("Failed to add password credentials for '%s': %s\n", + slapi_sdn_get_dn(sdn), errMesg); rc = LDAP_CONSTRAINT_VIOLATION; goto done; } @@ -507,6 +510,13 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) goto done; } + /* Get target DN */ + ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn); + if (ret) { + rc = LDAP_OPERATIONS_ERROR; + goto done; + } + /* grab the mods - we'll put them back later with * our modifications appended */ @@ -568,6 +578,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) rc = ipapwd_check_max_pwd_len(bv->bv_len, &errMesg); if (rc) { + LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n", + slapi_sdn_get_dn(sdn), errMesg); goto done; } slapi_ch_free_string(&unhashedpw); @@ -591,14 +603,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) /* OK we have something interesting here, start checking for * pre-requisites */ - - /* Get target DN */ - ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn); - if (ret) { - rc = LDAP_OPERATIONS_ERROR; - goto done; - } - tmp_sdn = slapi_sdn_dup(sdn); if (tmp_sdn) { /* xxxPAR: Ideally SLAPI_MODIFY_EXISTING_ENTRY should be 
@@ -795,6 +799,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) const char *userpw_clear = &userpw[strlen("{CLEAR}")]; rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg); if (rc) { + LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n", + slapi_sdn_get_dn(sdn), errMesg); goto done; } unhashedpw = slapi_ch_strdup(userpw_clear); @@ -806,9 +812,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) slapi_ch_free_string(&userpw); } else if (slapi_is_encoded(userpw)) { - - LOG("Pre-Encoded passwords are not valid\n"); - errMesg = "Pre-Encoded passwords are not valid\n"; + errMesg = "Pre-Encoded passwords are not valid"; + LOG("%s (%s)\n", errMesg, slapi_sdn_get_dn(sdn)); rc = LDAP_CONSTRAINT_VIOLATION; goto done; } @@ -843,7 +848,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) } else { char *binddn; Slapi_DN *bdn, *tdn; - int i; /* Check Bind DN */ slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn); @@ -857,18 +861,16 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) pwdop->pwdata.changetype = IPA_CHANGETYPE_ADMIN; /* if it is a passsync manager we also need to skip resets */ - for (i = 0; i < krbcfg->num_passsync_mgrs; i++) { + for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) { if (strcasecmp(krbcfg->passsync_mgrs[i], binddn) == 0) { pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR; break; } } - } slapi_sdn_free(&bdn); slapi_sdn_free(&tdn); - } pwdop->pwdata.dn = slapi_ch_strdup(slapi_sdn_get_dn(sdn)); @@ -884,6 +886,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) if ((pwdop->pwdata.changetype != IPA_CHANGETYPE_DSMGR) && (ret != 0)) { errMesg = ipapwd_error2string(ret); + LOG_PWDPOLICY("Check Password Policy failed for (%s) - %s/n", + pwdop->pwdata.dn, errMesg); rc = LDAP_CONSTRAINT_VIOLATION; goto done; } @@ -976,7 +980,6 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods, int num_keys; int mkvno; int ret; - int i; ret = slapi_entry_attr_find(entry, "ipaNTHash", &attr); if (ret == 0) { 
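Review bot: The new LOG_PWDPOLICY in the -884 hunk ends its format with `/n` instead of `\n`, so the line is emitted with a literal "/n" and no line break, the very thing the rest of this commit is fixing; it also uses different wording and bracketing ("Check Password Policy failed for (%s) - %s") from the `Failed to add password credentials for '%s': %s` message the same patch adds to ipapwd_pre_add. Use `LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n", pwdop->pwdata.dn, errMesg);`. ipapwd_pre_mod continues outside the hunk.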
@@ -1008,7 +1011,7 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods, ret = LDAP_UNWILLING_TO_PERFORM; - for (i = 0; i < num_keys; i++) { + for (size_t i = 0; i < num_keys; i++) { char nthash[16]; krb5_enc_data cipher; krb5_data plain; @@ -1511,6 +1514,8 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) } else { rc = ipapwd_check_max_pwd_len(credentials->bv_len, &errMesg); if (rc) { + LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n", + slapi_sdn_get_dn(sdn), errMesg); goto invalid_creds; } } -- 2.43.0
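Review bot: The -1008 hunk counts with `size_t i` against `num_keys`, which the preceding -976 hunk shows is still declared `int`; the comparison is now signed/unsigned (`-Wsign-compare`) and a negative `num_keys`, which the old `int i` loop skipped, would be converted to a huge `size_t` and walk off the end of the key array. Either make `num_keys` a `size_t` if the producer's out-parameter allows it, or keep `int i` in this loop. The body of ipapwd_regen_nthash's decryption loop is outside the hunk.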
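Review bot: The LOG_PWDPOLICY added in the -1511 hunk runs in ipapwd_pre_bind, i.e. before authentication, so any unauthenticated client can generate an error-log line per oversized bind credential; if the pwdpolicy log level is enabled in production this is a cheap log-flooding vector, and the text "Failed to set password credentials" misdescribes a bind. If the line is kept, make it honest, `LOG_PWDPOLICY("Bind credentials for '%s' rejected: %s\n", slapi_sdn_get_dn(sdn), errMesg);`, and consider whether the `invalid_creds` result in the access log is already sufficient. The credential parsing and the `invalid_creds` label are outside the hunk.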