e57a97aa67
- Resolves: RHEL-12589 ipa: Invalid CSRF protection - Resolves: RHEL-19748 ipa hbac-test did not report that it hit an arbitrary search limit - Resolves: RHEL-21059 'DogtagCertsConfigCheck' fails, displaying the error message 'Malformed directive: ca.signing.certnickname=caSigningCert cert-pki-ca' - Resolves: RHEL-21804 ipa client 4.10.2 - Failed to obtain host TGT - Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix - Resolves: RHEL-21810 ipa-client-install --automount-location does not work - Resolves: RHEL-21811 Handle change in behavior of pki-server ca-config-show in pki 11.5.0 - Resolves: RHEL-21812 Backport latest test fixes in ipa - Resolves: RHEL-21813 krb5kdc fails to start when pkinit and otp auth type is enabled in ipa - Resolves: RHEL-21815 IPA 389ds plugins need to have better logging and tracing - Resolves: RHEL-21937 Make sure a default NetBIOS name is set if not passed in by ADTrust instance constructor Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
From 3a8fe8c3a9de8d0e17ab4064ac689bce2b4b5042 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 12 Dec 2023 08:41:10 -0500
Subject: [PATCH] Issue 9497 - update debug logging in ipa-pwd-extop
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
.../ipa-slapi-plugins/ipa-pwd-extop/common.c | 25 +++--
.../ipa-pwd-extop/encoding.c | 5 +-
.../ipa-pwd-extop/ipa_pwd_extop.c | 106 ++++++++++--------
.../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 59 +++++-----
4 files changed, 105 insertions(+), 90 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
|
|
index 5251713c68855e10b0980af71696d944e683ae90..d30764bb2a05c7ca4a33ea114a2dc19af39e216f 100644
|
|
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
|
|
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
|
|
@@ -33,7 +33,7 @@
|
|
* Authors:
|
|
* Simo Sorce <ssorce@redhat.com>
|
|
*
|
|
- * Copyright (C) 2007-2010 Red Hat, Inc.
|
|
+ * Copyright (C) 2007-2023 Red Hat, Inc.
|
|
* All rights reserved.
|
|
* END COPYRIGHT BLOCK **/
|
|
|
|
@@ -81,7 +81,8 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
|
|
char **encsalts;
|
|
char **tmparray;
|
|
char *tmpstr;
|
|
- int i, ret;
|
|
+ int ret;
|
|
+ size_t i;
|
|
|
|
config = calloc(1, sizeof(struct ipapwd_krbcfg));
|
|
if (!config) {
|
|
@@ -327,7 +328,8 @@ int ipapwd_getPolicy(const char *dn,
|
|
"ipaPwdUserCheck", NULL};
|
|
Slapi_Entry **es = NULL;
|
|
Slapi_Entry *pe = NULL;
|
|
- int ret, res, scope, i;
|
|
+ int ret, res, scope;
|
|
+ size_t i;
|
|
int buffer_flags=0;
|
|
Slapi_ValueSet* results = NULL;
|
|
char *actual_type_name = NULL;
|
|
@@ -545,7 +547,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
|
|
}
|
|
sdn = slapi_sdn_new_dn_byref(dn);
|
|
if (!sdn) {
|
|
- LOG_FATAL("Unable to convert dn to sdn %s", dn ? dn : "<NULL>");
|
|
+ LOG_FATAL("Unable to convert dn to sdn %s\n", dn ? dn : "<NULL>");
|
|
*errMesg = "Internal Error";
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
goto done;
|
|
@@ -564,7 +566,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
|
|
/* get the kerberos context and master key */
|
|
*config = ipapwd_getConfig();
|
|
if (NULL == *config) {
|
|
- LOG_FATAL("Error Retrieving Master Key");
|
|
+ LOG_FATAL("Error Retrieving Master Key\n");
|
|
*errMesg = "Fatal Internal Error";
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
}
|
|
@@ -594,7 +596,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
|
|
/* Find the entry with the password policy */
|
|
ret = ipapwd_getPolicy(data->dn, data->target, &pol);
|
|
if (ret) {
|
|
- LOG_TRACE("No password policy, use defaults");
|
|
+ LOG_TRACE("No password policy, use defaults\n");
|
|
}
|
|
break;
|
|
case IPA_CHANGETYPE_ADMIN:
|
|
@@ -620,14 +622,14 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
|
|
*/
|
|
ret = ipapwd_getPolicy(data->dn, data->target, &tmppol);
|
|
if (ret) {
|
|
- LOG_TRACE("No password policy, use defaults");
|
|
+ LOG_TRACE("No password policy, use defaults\n");
|
|
} else {
|
|
pol.max_pwd_life = tmppol.max_pwd_life;
|
|
pol.history_length = tmppol.history_length;
|
|
}
|
|
break;
|
|
default:
|
|
- LOG_TRACE("Unknown password change type, use defaults");
|
|
+ LOG_TRACE("Unknown password change type, use defaults\n");
|
|
break;
|
|
}
|
|
|
|
@@ -860,7 +862,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
|
|
case IPA_CHANGETYPE_DSMGR:
|
|
case IPA_CHANGETYPE_ADMIN:
|
|
/* Mark as administratively reset which will unlock acct */
|
|
- ret = ipapwd_setdate(data->target, smods,
|
|
+ ret = ipapwd_setdate(data->target, smods,
|
|
"krbLastAdminUnlock",
|
|
data->timeNow, false);
|
|
if (ret != LDAP_SUCCESS)
|
|
@@ -951,7 +953,7 @@ Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods,
|
|
char **new_pwd_history = NULL;
|
|
int n = 0;
|
|
int ret;
|
|
- int i;
|
|
+ size_t i;
|
|
|
|
pwd_history = slapi_entry_attr_get_charray(data->target,
|
|
"passwordHistory");
|
|
@@ -1083,10 +1085,9 @@ int ipapwd_set_extradata(const char *dn,
|
|
void ipapwd_free_slapi_value_array(Slapi_Value ***svals)
|
|
{
|
|
Slapi_Value **sv = *svals;
|
|
- int i;
|
|
|
|
if (sv) {
|
|
- for (i = 0; sv[i]; i++) {
|
|
+ for (size_t i = 0; sv[i]; i++) {
|
|
slapi_value_free(&sv[i]);
|
|
}
|
|
}
|
|
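Review bot: In the `ipapwd_setPasswordHistory` hunk, `i` becomes `size_t` while `int n = 0;` two lines above stays signed; if the loop body (outside the hunk) compares or assigns between the two, that is now a mixed-sign comparison that `-Wsign-compare`/`-Wconversion` will flag, and a negative `n` would silently become a huge bound. Either make `n` a `size_t` as well or keep `i` as `int` here. The same question applies to the new `size_t i;` in `ipapwd_getConfig` and `ipapwd_getPolicy`, whose loops are not visible in the hunks. The bodies of all three functions continue outside the hunks.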
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
|
|
index 7b2f341229b4f3bf48105c3856c0d6778da154a5..43ae6f0a645c8f3ff0fa2d147891f93efff0eb20 100644
|
|
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
|
|
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
|
|
@@ -33,7 +33,7 @@
|
|
* Authors:
|
|
* Simo Sorce <ssorce@redhat.com>
|
|
*
|
|
- * Copyright (C) 2007-2010 Red Hat, Inc.
|
|
+ * Copyright (C) 2007-2023 Red Hat, Inc.
|
|
* All rights reserved.
|
|
* END COPYRIGHT BLOCK **/
|
|
|
|
@@ -231,7 +231,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
|
|
|
|
if (!*svals) {
|
|
/* errMesg should have been set in encrypt_encode_key() */
|
|
- LOG_FATAL("key encryption/encoding failed\n");
|
|
+ LOG_FATAL("key encryption/encoding failed (%s)\n", *errMesg);
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
goto done;
|
|
}
|
|
@@ -267,6 +267,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
|
|
}
|
|
(*ntvals)[0] = slapi_value_new();
|
|
if (slapi_value_set((*ntvals)[0], nt_key, 16) == NULL) {
|
|
+ LOG("Failed to set value for nt_key");
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
goto done;
|
|
}
|
|
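Review bot: `LOG_FATAL("key encryption/encoding failed (%s)\n", *errMesg);` passes `*errMesg` to `%s` on a path where the comment above only says the message *should* have been set; if `encrypt_encode_key()` returned NULL without setting it, this is a NULL `%s` argument (undefined behavior; glibc happens to print `(null)`). Guard it the way common.c already guards `dn`: `LOG_FATAL("key encryption/encoding failed (%s)\n", *errMesg ? *errMesg : "<NULL>");`. The new `LOG("Failed to set value for nt_key");` in the second hunk also lacks the trailing `\n` that this commit adds to every other log line, and as a failure path it reads more like `LOG_FATAL`. `ipapwd_gen_hashes` continues outside both hunks.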
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
|
|
index 0d630ca04c38b739bb0d8bf22c162af9d3e15566..43c31becae45c1c91c7c2adf498aedbd05af9a69 100644
|
|
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
|
|
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
|
|
@@ -33,7 +33,7 @@
|
|
* Authors:
|
|
* Simo Sorce <ssorce@redhat.com>
|
|
*
|
|
- * Copyright (C) 2007-2010 Red Hat, Inc.
|
|
+ * Copyright (C) 2007-2023 Red Hat, Inc.
|
|
* All rights reserved.
|
|
* END COPYRIGHT BLOCK **/
|
|
|
|
@@ -108,7 +108,7 @@ static void filter_keys(struct ipapwd_krbcfg *krbcfg,
|
|
struct ipapwd_keyset *kset,
|
|
bool allow_nthash)
|
|
{
|
|
- int i, j;
|
|
+ size_t i, j;
|
|
|
|
for (i = 0; i < kset->num_keys; i++) {
|
|
for (j = 0; j < krbcfg->num_supp_encsalts; j++) {
|
|
@@ -151,11 +151,11 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
|
|
bool allow_nthash)
|
|
{
|
|
/* first filter for duplicates */
|
|
- for (int i = 0; i + 1 < *num_kenctypes; i++) {
|
|
- for (int j = i + 1; j < *num_kenctypes; j++) {
|
|
+ for (size_t i = 0; i + 1 < *num_kenctypes; i++) {
|
|
+ for (size_t j = i + 1; j < *num_kenctypes; j++) {
|
|
if (kenctypes[i].ks_enctype == kenctypes[j].ks_enctype) {
|
|
/* duplicate, filter out */
|
|
- for (int k = j; k + 1 < *num_kenctypes; k++) {
|
|
+ for (size_t k = j; k + 1 < *num_kenctypes; k++) {
|
|
kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
|
|
kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
|
|
}
|
|
@@ -166,8 +166,8 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
|
|
}
|
|
|
|
/* then filter for supported */
|
|
- for (int i = 0; i < *num_kenctypes; i++) {
|
|
- int j;
|
|
+ for (size_t i = 0; i < *num_kenctypes; i++) {
|
|
+ size_t j;
|
|
|
|
/* Check if supported */
|
|
for (j = 0; j < krbcfg->num_supp_encsalts; j++) {
|
|
@@ -184,7 +184,7 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
|
|
}
|
|
if (j == krbcfg->num_supp_encsalts) {
|
|
/* Unsupported, filter out */
|
|
- for (int k = i; k + 1 < *num_kenctypes; k++) {
|
|
+ for (size_t k = i; k + 1 < *num_kenctypes; k++) {
|
|
kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
|
|
kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
|
|
}
|
|
@@ -344,6 +344,8 @@ parse_req_done:
|
|
|
|
rc = ipapwd_check_max_pwd_len(strlen(newPasswd), &errMesg);
|
|
if (rc) {
|
|
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
|
|
+ bindDN, errMesg);
|
|
goto free_and_return;
|
|
}
|
|
|
|
@@ -456,7 +458,7 @@ parse_req_done:
|
|
char *cur_pw;
|
|
|
|
if (oldPasswd == NULL || *oldPasswd == '\0') {
|
|
- LOG_FATAL("Old password was not provided!\n");
|
|
+ LOG_FATAL("Old password was not provided for '%s'!\n", dn);
|
|
rc = LDAP_INVALID_CREDENTIALS;
|
|
goto free_and_return;
|
|
}
|
|
@@ -466,7 +468,7 @@ parse_req_done:
|
|
cur_pw = slapi_entry_attr_get_charptr(targetEntry,
|
|
"userPassword");
|
|
if (!cur_pw) {
|
|
- LOG_FATAL("User has no current password?\n");
|
|
+ LOG_FATAL("User '%s' does not have a current password?\n", dn);
|
|
rc = LDAP_UNWILLING_TO_PERFORM;
|
|
goto free_and_return;
|
|
}
|
|
@@ -485,7 +487,7 @@ parse_req_done:
|
|
slapi_value_free(&pw);
|
|
|
|
if (ret != 0) {
|
|
- LOG_TRACE("Invalid password!\n");
|
|
+ LOG_TRACE("Invalid password for '%s'!\n", dn);
|
|
rc = LDAP_INVALID_CREDENTIALS;
|
|
goto free_and_return;
|
|
}
|
|
@@ -579,11 +581,9 @@ parse_req_done:
|
|
/* special cases */
|
|
if ((strcasecmp(dn, bindDN) != 0) &&
|
|
(strcasecmp(ipa_changepw_principal_dn, bindDN) != 0)) {
|
|
- int i;
|
|
-
|
|
pwdata.changetype = IPA_CHANGETYPE_ADMIN;
|
|
|
|
- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
|
|
+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
|
|
if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
|
|
pwdata.changetype = IPA_CHANGETYPE_DSMGR;
|
|
break;
|
|
@@ -606,6 +606,8 @@ parse_req_done:
|
|
errMesg = ipapwd_error2string(ret);
|
|
ret = ipapwd_to_ldap_pwpolicy_error(ret);
|
|
slapi_pwpolicy_make_response_control(pb, -1, -1, ret);
|
|
+ LOG_PWDPOLICY("Failed to set password credentials for"
|
|
+ " '%s': %s\n", dn, errMesg);
|
|
rc = LDAP_CONSTRAINT_VIOLATION;
|
|
goto free_and_return;
|
|
}
|
|
@@ -666,7 +668,7 @@ free_and_return:
|
|
if (targetEntry) slapi_entry_free(targetEntry);
|
|
if (ber) ber_free(ber, 1);
|
|
|
|
- LOG("%s", errMesg ? errMesg : "success");
|
|
+ LOG("%s\n", errMesg ? errMesg : "success");
|
|
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
|
|
|
|
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
|
|
@@ -732,7 +734,8 @@ static Slapi_Entry *get_entry_by_principal(const char *principal)
|
|
"krbCanonicalName",
|
|
"enrolledBy", NULL };
|
|
Slapi_Entry **es = NULL;
|
|
- int res, ret, i;
|
|
+ int res, ret;
|
|
+ size_t i;
|
|
Slapi_Entry *entry = NULL;
|
|
|
|
/* Find ancestor base DN */
|
|
@@ -774,7 +777,7 @@ static Slapi_Entry *get_entry_by_principal(const char *principal)
|
|
|
|
/* if there is none or more than one, freak out */
|
|
if (i != 1) {
|
|
- LOG_TRACE("Too many entries, or entry no found (%d)", i);
|
|
+ LOG_TRACE("Too many entries, or entry no found (%ld)\n", i);
|
|
goto free_and_return;
|
|
}
|
|
entry = slapi_entry_dup(es[0]);
|
|
@@ -809,7 +812,7 @@ static bool is_allowed_to_access_attr(Slapi_PBlock *pb, char *bindDN,
|
|
*/
|
|
be = get_realm_backend();
|
|
if (!be) {
|
|
- LOG_FATAL("Could not fetch REALM backend!");
|
|
+ LOG_FATAL("Could not fetch REALM backend!\n");
|
|
return false;
|
|
}
|
|
if (slapi_pblock_set(pb, SLAPI_BACKEND, be)) {
|
|
@@ -868,7 +871,8 @@ static void remove_user_password(Slapi_Mods *smods,
|
|
if ((NULL != pw) && (NULL == krbLastPwdChange)) {
|
|
slapi_mods_add_mod_values(smods, LDAP_MOD_DELETE,
|
|
"userPassword", NULL);
|
|
- LOG_TRACE("Removing userPassword from host entry\n");
|
|
+ LOG_TRACE("Removing userPassword from host entry '%s'\n",
|
|
+ slapi_entry_get_dn_const(targetEntry));
|
|
}
|
|
}
|
|
if (krbLastPwdChange) slapi_ch_free_string(&krbLastPwdChange);
|
|
@@ -891,8 +895,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
|
|
rc = set_krbLastPwdChange(smods, time_now);
|
|
if (rc) {
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
- LOG_FATAL("Failed to set krbLastPwdChange");
|
|
- err_msg = "Internal error while storing keytab data\n";
|
|
+ LOG_FATAL("Failed to set krbLastPwdChange for target '%s'\n",
|
|
+ slapi_entry_get_dn_const(target));
|
|
+ err_msg = "Internal error while storing keytab data";
|
|
goto done;
|
|
}
|
|
|
|
@@ -905,8 +910,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
|
|
rc = ipapwd_apply_mods(slapi_entry_get_dn_const(target), smods);
|
|
if (rc != LDAP_SUCCESS) {
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
- LOG_FATAL("Failed to apply mods");
|
|
- err_msg = "Internal error while saving keys\n";
|
|
+ LOG_FATAL("Failed to apply mods to target '%s'\n",
|
|
+ slapi_entry_get_dn_const(target));
|
|
+ err_msg = "Internal error while saving keys";
|
|
goto done;
|
|
}
|
|
|
|
@@ -914,8 +920,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
|
|
svcname, time_now);
|
|
if (rc != LDAP_SUCCESS) {
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
- LOG_FATAL("Failed to set extradata");
|
|
- err_msg = "Internal error while saving keytab extradata\n";
|
|
+ LOG_FATAL("Failed to set extradata for target '%s'\n",
|
|
+ slapi_entry_get_dn_const(target));
|
|
+ err_msg = "Internal error while saving keytab extradata";
|
|
goto done;
|
|
}
|
|
|
|
@@ -1003,7 +1010,7 @@ static int decode_setkeytab_request(krb5_context krbctx,
|
|
kset->mkvno = mkvno;
|
|
|
|
rtag = ber_peek_tag(ber, &tlen);
|
|
- for (int i = 0; rtag == LBER_SEQUENCE; i++) {
|
|
+ for (size_t i = 0; rtag == LBER_SEQUENCE; i++) {
|
|
krb5_key_data *newset;
|
|
ber_tag_t ctag;
|
|
ber_int_t type;
|
|
@@ -1181,29 +1188,29 @@ static int encode_setkeytab_reply(struct ipapwd_keyset *kset,
|
|
rc = ber_printf(ber, "{i{", (ber_int_t)kset->keys[0].key_data_kvno);
|
|
if (rc == -1) {
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
- LOG_FATAL("Failed to ber_printf the kvno");
|
|
+ LOG_FATAL("Failed to ber_printf the kvno\n");
|
|
goto done;
|
|
}
|
|
|
|
- for (int i = 0; i < kset->num_keys; i++) {
|
|
+ for (size_t i = 0; i < kset->num_keys; i++) {
|
|
rc = ber_printf(ber, "{i}", (ber_int_t)kset->keys[i].key_data_type[0]);
|
|
if (rc == -1) {
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
- LOG_FATAL("Failed to ber_printf the enctype");
|
|
+ LOG_FATAL("Failed to ber_printf the enctype\n");
|
|
goto done;
|
|
}
|
|
}
|
|
rc = ber_printf(ber, "}}");
|
|
if (rc == -1) {
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
- LOG_FATAL("Failed to ber_printf the termination");
|
|
+ LOG_FATAL("Failed to ber_printf the termination\n");
|
|
goto done;
|
|
}
|
|
|
|
rc = ber_flatten(ber, &bvp);
|
|
if (rc == -1) {
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
- LOG_FATAL("Failed to ber_flatten the buffer");
|
|
+ LOG_FATAL("Failed to ber_flatten the buffer\n");
|
|
goto done;
|
|
}
|
|
|
|
@@ -1306,7 +1313,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
|
|
|
/* get next kvno for entry (will be 1 if this is new) and fix keyset */
|
|
kvno = ipapwd_get_cur_kvno(targetEntry) + 1;
|
|
- for (int i = 0; i < kset->num_keys; i++) {
|
|
+ for (size_t i = 0; i < kset->num_keys; i++) {
|
|
kset->keys[i].key_data_kvno = kvno;
|
|
}
|
|
|
|
@@ -1352,7 +1359,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
|
|
|
rc = encode_setkeytab_reply(kset, &bvp);
|
|
if (rc) {
|
|
- errMesg = "Internal Error.\n";
|
|
+ errMesg = "Internal Error.";
|
|
goto free_and_return;
|
|
}
|
|
|
|
@@ -1372,7 +1379,7 @@ free_and_return:
|
|
if (targetEntry) slapi_entry_free(targetEntry);
|
|
|
|
if (svals) {
|
|
- for (int i = 0; svals[i]; i++) {
|
|
+ for (size_t i = 0; svals[i]; i++) {
|
|
slapi_value_free(&svals[i]);
|
|
}
|
|
free(svals);
|
|
@@ -1382,7 +1389,7 @@ free_and_return:
|
|
|
|
if (rc == LDAP_SUCCESS)
|
|
errMesg = NULL;
|
|
- LOG("%s", errMesg ? errMesg : "success");
|
|
+ LOG("%s\n", errMesg ? errMesg : "success");
|
|
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
|
|
|
|
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
|
|
@@ -1403,7 +1410,6 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
|
|
krb5_key_salt_tuple *enctypes = NULL;
|
|
bool newkt;
|
|
bool ret;
|
|
- int i;
|
|
|
|
ret = ipaasn1_dec_getkt(extop->bv_val, extop->bv_len, &newkt,
|
|
&svcname, &password, &etypes, &numtypes);
|
|
@@ -1423,7 +1429,7 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
|
|
goto done;
|
|
}
|
|
|
|
- for (i = 0; i < numtypes; i++) {
|
|
+ for (size_t i = 0; i < numtypes; i++) {
|
|
enctypes[i].ks_enctype = etypes[i];
|
|
enctypes[i].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
|
|
}
|
|
@@ -1466,7 +1472,7 @@ static int encode_getkeytab_reply(krb5_context krbctx,
|
|
/* uses last key kvno */
|
|
kvno = keys[num_keys-1].key_data_kvno;
|
|
|
|
- for (int i = 0; i < num_keys; i++) {
|
|
+ for (size_t i = 0; i < num_keys; i++) {
|
|
krb5_enc_data cipher = { 0 };
|
|
krb5_data plain = { 0 };
|
|
krb5_int16 plen;
|
|
@@ -1516,7 +1522,7 @@ static int encode_getkeytab_reply(krb5_context krbctx,
|
|
rc = LDAP_SUCCESS;
|
|
|
|
done:
|
|
- for (int i = 0; i < ksc.nkeys; i ++) {
|
|
+ for (size_t i = 0; i < ksc.nkeys; i++) {
|
|
free(ksc.ksdata[i].key.contents);
|
|
}
|
|
if (rc != LDAP_SUCCESS) {
|
|
@@ -1632,7 +1638,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
|
* this operation. */
|
|
if (bind_dn == NULL || *bind_dn == '\0') {
|
|
/* Refuse the operation because they're bound anonymously */
|
|
- err_msg = "Anonymous Binds are not allowed.\n";
|
|
+ err_msg = "Anonymous Binds are not allowed.";
|
|
rc = LDAP_INSUFFICIENT_ACCESS;
|
|
goto free_and_return;
|
|
}
|
|
@@ -1648,7 +1654,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
|
slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
|
|
if (!extop_value) {
|
|
LOG_FATAL("Failed to retrieve extended op value from pblock\n");
|
|
- err_msg = "Failed to retrieve extended operation value\n";
|
|
+ err_msg = "Failed to retrieve extended operation value";
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
goto free_and_return;
|
|
}
|
|
@@ -1674,7 +1680,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
|
/* get Entry by krbPrincipalName */
|
|
target_entry = get_entry_by_principal(service_name);
|
|
if (!target_entry) {
|
|
- err_msg = "PrincipalName not found.\n";
|
|
+ err_msg = "PrincipalName not found.";
|
|
rc = LDAP_NO_SUCH_OBJECT;
|
|
goto free_and_return;
|
|
}
|
|
@@ -1690,7 +1696,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
|
if (!acl_ok) {
|
|
LOG_FATAL("Not allowed to retrieve keytab on [%s] as user [%s]!\n",
|
|
service_name, bind_dn);
|
|
- err_msg = "Insufficient access rights\n";
|
|
+ err_msg = "Insufficient access rights";
|
|
rc = LDAP_INSUFFICIENT_ACCESS;
|
|
goto free_and_return;
|
|
}
|
|
@@ -1701,6 +1707,8 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
|
/* if password was passed-in, check its length */
|
|
rc = ipapwd_check_max_pwd_len(strlen(password), &err_msg);
|
|
if (rc) {
|
|
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
|
|
+ bind_dn, err_msg);
|
|
goto free_and_return;
|
|
}
|
|
}
|
|
@@ -1712,7 +1720,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
|
if (!acl_ok) {
|
|
LOG_FATAL("Not allowed to set keytab on [%s]!\n",
|
|
service_name);
|
|
- err_msg = "Insufficient access rights\n";
|
|
+ err_msg = "Insufficient access rights";
|
|
rc = LDAP_INSUFFICIENT_ACCESS;
|
|
goto free_and_return;
|
|
}
|
|
@@ -1745,7 +1753,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
|
if (!svals) {
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
LOG_FATAL("encrypt_encode_keys failed!\n");
|
|
- err_msg = "Internal error while encrypting keys\n";
|
|
+ err_msg = "Internal error while encrypting keys";
|
|
goto free_and_return;
|
|
}
|
|
|
|
@@ -1765,7 +1773,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
|
rc = encode_getkeytab_reply(krbctx, krbcfg->kmkey, mkvno,
|
|
keys, num_keys, &bvp);
|
|
if (rc != LDAP_SUCCESS) {
|
|
- err_msg = "Internal Error.\n";
|
|
+ err_msg = "Internal Error.";
|
|
goto free_and_return;
|
|
}
|
|
|
|
@@ -1776,7 +1784,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
|
|
|
|
free_and_return:
|
|
if (rc == LDAP_SUCCESS) err_msg = NULL;
|
|
- LOG("%s", err_msg ? err_msg : "success");
|
|
+ LOG("%s\n", err_msg ? err_msg : "success");
|
|
slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL);
|
|
|
|
/* Free anything that we allocated above */
|
|
@@ -1787,7 +1795,7 @@ free_and_return:
|
|
if (target_entry) slapi_entry_free(target_entry);
|
|
if (keys) ipa_krb5_free_key_data(keys, num_keys);
|
|
if (svals) {
|
|
- for (int i = 0; svals[i]; i++) {
|
|
+ for (size_t i = 0; svals[i]; i++) {
|
|
slapi_value_free(&svals[i]);
|
|
}
|
|
free(svals);
|
|
@@ -2031,7 +2039,7 @@ int ipapwd_init( Slapi_PBlock *pb )
|
|
"ipapwd_post_init_betxn", ipapwd_post_init_betxn,
|
|
"IPA pwd post ops betxn", NULL,
|
|
ipapwd_plugin_id);
|
|
- }
|
|
+ }
|
|
|
|
slapi_register_plugin("preoperation", 1,
|
|
"ipapwd_pre_init", ipapwd_pre_init,
|
|
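Review bot: The format in `LOG_TRACE("Too many entries, or entry no found (%ld)\n", i);` no longer matches `i`, which the earlier hunk of `get_entry_by_principal` changes to `size_t`; `%ld` expects `long`, so this is undefined behavior per the standard even though it prints correctly on LP64, and `-Wformat` will flag it. Use `%zu`: `LOG_TRACE("Too many entries, or entry not found (%zu)\n", i);`. Separately, several loops in this file now compare a `size_t` index against counts whose declarations are outside the hunks (`kset->num_keys` in `filter_keys`, `numtypes` in `decode_getkeytab_request`, `num_keys` in `encode_getkeytab_reply`); if those remain `int`, each is a signed/unsigned comparison worth checking. The enclosing functions all continue outside their hunks.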
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
|
index 45626523ffa1030cdff4f3e0ccdfa1618a51ccaf..6898e6596e1cbbb2cc69ba592401619ce86899d8 100644
|
|
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
|
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
|
@@ -33,7 +33,7 @@
|
|
* Authors:
|
|
* Simo Sorce <ssorce@redhat.com>
|
|
*
|
|
- * Copyright (C) 2007-2010 Red Hat, Inc.
|
|
+ * Copyright (C) 2007-2023 Red Hat, Inc.
|
|
* All rights reserved.
|
|
* END COPYRIGHT BLOCK **/
|
|
|
|
@@ -248,6 +248,13 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
|
|
return 0;
|
|
}
|
|
|
|
+ /* Get target DN */
|
|
+ ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
|
|
+ if (ret) {
|
|
+ rc = LDAP_OPERATIONS_ERROR;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
/* Ok this is interesting,
|
|
* Check this is a clear text password, or refuse operation */
|
|
if ('{' == userpw[0]) {
|
|
@@ -280,6 +287,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
|
|
} else {
|
|
rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg);
|
|
if (rc) {
|
|
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
|
|
+ slapi_sdn_get_dn(sdn), errMesg);
|
|
goto done;
|
|
}
|
|
userpw = slapi_ch_strdup(userpw_clear);
|
|
@@ -329,13 +338,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
|
|
goto done;
|
|
}
|
|
|
|
- /* Get target DN */
|
|
- ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
|
|
- if (ret) {
|
|
- rc = LDAP_OPERATIONS_ERROR;
|
|
- goto done;
|
|
- }
|
|
-
|
|
/* time to get the operation handler */
|
|
ret = slapi_pblock_get(pb, SLAPI_OPERATION, &op);
|
|
if (ret != 0) {
|
|
@@ -359,7 +361,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
|
|
pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
|
|
} else {
|
|
char *binddn;
|
|
- int i;
|
|
|
|
pwdop->pwdata.changetype = IPA_CHANGETYPE_ADMIN;
|
|
|
|
@@ -367,7 +368,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
|
|
slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn);
|
|
|
|
/* if it is a passsync manager we also need to skip resets */
|
|
- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
|
|
+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
|
|
if (strcasecmp(krbcfg->passsync_mgrs[i], binddn) == 0) {
|
|
pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
|
|
break;
|
|
@@ -385,6 +386,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
|
|
if ((pwdop->pwdata.changetype != IPA_CHANGETYPE_DSMGR) &&
|
|
(ret != 0) ) {
|
|
errMesg = ipapwd_error2string(ret);
|
|
+ LOG_PWDPOLICY("Failed to add password credentials for '%s': %s\n",
|
|
+ slapi_sdn_get_dn(sdn), errMesg);
|
|
rc = LDAP_CONSTRAINT_VIOLATION;
|
|
goto done;
|
|
}
|
|
@@ -507,6 +510,13 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
|
goto done;
|
|
}
|
|
|
|
+ /* Get target DN */
|
|
+ ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
|
|
+ if (ret) {
|
|
+ rc = LDAP_OPERATIONS_ERROR;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
/* grab the mods - we'll put them back later with
|
|
* our modifications appended
|
|
*/
|
|
@@ -568,6 +578,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
|
|
|
rc = ipapwd_check_max_pwd_len(bv->bv_len, &errMesg);
|
|
if (rc) {
|
|
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
|
|
+ slapi_sdn_get_dn(sdn), errMesg);
|
|
goto done;
|
|
}
|
|
slapi_ch_free_string(&unhashedpw);
|
|
@@ -591,14 +603,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
|
|
|
/* OK we have something interesting here, start checking for
|
|
* pre-requisites */
|
|
-
|
|
- /* Get target DN */
|
|
- ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
|
|
- if (ret) {
|
|
- rc = LDAP_OPERATIONS_ERROR;
|
|
- goto done;
|
|
- }
|
|
-
|
|
tmp_sdn = slapi_sdn_dup(sdn);
|
|
if (tmp_sdn) {
|
|
/* xxxPAR: Ideally SLAPI_MODIFY_EXISTING_ENTRY should be
|
|
@@ -795,6 +799,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
|
const char *userpw_clear = &userpw[strlen("{CLEAR}")];
|
|
rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg);
|
|
if (rc) {
|
|
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
|
|
+ slapi_sdn_get_dn(sdn), errMesg);
|
|
goto done;
|
|
}
|
|
unhashedpw = slapi_ch_strdup(userpw_clear);
|
|
@@ -806,9 +812,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
|
slapi_ch_free_string(&userpw);
|
|
|
|
} else if (slapi_is_encoded(userpw)) {
|
|
-
|
|
- LOG("Pre-Encoded passwords are not valid\n");
|
|
- errMesg = "Pre-Encoded passwords are not valid\n";
|
|
+ errMesg = "Pre-Encoded passwords are not valid";
|
|
+ LOG("%s (%s)\n", errMesg, slapi_sdn_get_dn(sdn));
|
|
rc = LDAP_CONSTRAINT_VIOLATION;
|
|
goto done;
|
|
}
|
|
@@ -843,7 +848,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
|
} else {
|
|
char *binddn;
|
|
Slapi_DN *bdn, *tdn;
|
|
- int i;
|
|
|
|
/* Check Bind DN */
|
|
slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn);
|
|
@@ -857,18 +861,16 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
|
pwdop->pwdata.changetype = IPA_CHANGETYPE_ADMIN;
|
|
|
|
/* if it is a passsync manager we also need to skip resets */
|
|
- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
|
|
+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
|
|
if (strcasecmp(krbcfg->passsync_mgrs[i], binddn) == 0) {
|
|
pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
|
|
break;
|
|
}
|
|
}
|
|
-
|
|
}
|
|
|
|
slapi_sdn_free(&bdn);
|
|
slapi_sdn_free(&tdn);
|
|
-
|
|
}
|
|
|
|
pwdop->pwdata.dn = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
|
|
@@ -884,6 +886,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
|
|
if ((pwdop->pwdata.changetype != IPA_CHANGETYPE_DSMGR) &&
|
|
(ret != 0)) {
|
|
errMesg = ipapwd_error2string(ret);
|
|
+ LOG_PWDPOLICY("Check Password Policy failed for (%s) - %s/n",
|
|
+ pwdop->pwdata.dn, errMesg);
|
|
rc = LDAP_CONSTRAINT_VIOLATION;
|
|
goto done;
|
|
}
|
|
@@ -976,7 +980,6 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
|
|
int num_keys;
|
|
int mkvno;
|
|
int ret;
|
|
- int i;
|
|
|
|
ret = slapi_entry_attr_find(entry, "ipaNTHash", &attr);
|
|
if (ret == 0) {
|
|
@@ -1008,7 +1011,7 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
|
|
|
|
ret = LDAP_UNWILLING_TO_PERFORM;
|
|
|
|
- for (i = 0; i < num_keys; i++) {
|
|
+ for (size_t i = 0; i < num_keys; i++) {
|
|
char nthash[16];
|
|
krb5_enc_data cipher;
|
|
krb5_data plain;
|
|
@@ -1511,6 +1514,8 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
|
} else {
|
|
rc = ipapwd_check_max_pwd_len(credentials->bv_len, &errMesg);
|
|
if (rc) {
|
|
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
|
|
+ slapi_sdn_get_dn(sdn), errMesg);
|
|
goto invalid_creds;
|
|
}
|
|
}
|
|
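Review bot: The new `LOG_PWDPOLICY("Check Password Policy failed for (%s) - %s/n", ...)` in the `ipapwd_pre_mod` hunk at `@@ -884` has `/n` where `\n` is intended, so the line is emitted with a literal `/n` and no terminator; change it to `LOG_PWDPOLICY("Check Password Policy failed for (%s) - %s\n", pwdop->pwdata.dn, errMesg);`. In `ipapwd_regen_nthash` the loop index becomes `size_t i` while `int num_keys;` in the same function stays signed, so `i < num_keys` is now a signed/unsigned comparison; declaring `num_keys` as `size_t` (or keeping `int i`) avoids it. The `slapi_sdn_get_dn(sdn)` added in the `ipapwd_pre_bind` hunk relies on an `sdn` declared and set outside the hunk; worth confirming it is populated before this path. All three functions continue outside their hunks.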
--
2.43.0