ipa/0022-Issue-9497-update-debug-logging-in-ipa-pwd-extop.patch
Florence Blanc-Renaud e57a97aa67 ipa-4.11.0-5
- Resolves: RHEL-12589 ipa: Invalid CSRF protection
- Resolves: RHEL-19748 ipa hbac-test did not report that it hit an arbitrary search limit
- Resolves: RHEL-21059 'DogtagCertsConfigCheck' fails, displaying the error message 'Malformed directive: ca.signing.certnickname=caSigningCert cert-pki-ca'
- Resolves: RHEL-21804 ipa client 4.10.2 - Failed to obtain host TGT
- Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix
- Resolves: RHEL-21810 ipa-client-install --automount-location does not work
- Resolves: RHEL-21811 Handle change in behavior of pki-server ca-config-show in pki 11.5.0
- Resolves: RHEL-21812 Backport latest test fixes in ipa
- Resolves: RHEL-21813 krb5kdc fails to start when pkinit and otp auth type is enabled in ipa
- Resolves: RHEL-21815 IPA 389ds plugins need to have better logging and tracing
- Resolves: RHEL-21937 Make sure a default NetBIOS name is set if not passed in by ADTrust instance constructor

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
2024-01-18 17:08:12 +01:00

767 lines
30 KiB
Diff

From 3a8fe8c3a9de8d0e17ab4064ac689bce2b4b5042 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 12 Dec 2023 08:41:10 -0500
Subject: [PATCH] Issue 9497 - update debug logging in ipa-pwd-extop
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
.../ipa-slapi-plugins/ipa-pwd-extop/common.c | 25 +++--
.../ipa-pwd-extop/encoding.c | 5 +-
.../ipa-pwd-extop/ipa_pwd_extop.c | 106 ++++++++++--------
.../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 59 +++++-----
4 files changed, 105 insertions(+), 90 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 5251713c68855e10b0980af71696d944e683ae90..d30764bb2a05c7ca4a33ea114a2dc19af39e216f 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -33,7 +33,7 @@
* Authors:
* Simo Sorce <ssorce@redhat.com>
*
- * Copyright (C) 2007-2010 Red Hat, Inc.
+ * Copyright (C) 2007-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -81,7 +81,8 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
char **encsalts;
char **tmparray;
char *tmpstr;
- int i, ret;
+ int ret;
+ size_t i;
config = calloc(1, sizeof(struct ipapwd_krbcfg));
if (!config) {
@@ -327,7 +328,8 @@ int ipapwd_getPolicy(const char *dn,
"ipaPwdUserCheck", NULL};
Slapi_Entry **es = NULL;
Slapi_Entry *pe = NULL;
- int ret, res, scope, i;
+ int ret, res, scope;
+ size_t i;
int buffer_flags=0;
Slapi_ValueSet* results = NULL;
char *actual_type_name = NULL;
@@ -545,7 +547,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
}
sdn = slapi_sdn_new_dn_byref(dn);
if (!sdn) {
- LOG_FATAL("Unable to convert dn to sdn %s", dn ? dn : "<NULL>");
+ LOG_FATAL("Unable to convert dn to sdn %s\n", dn ? dn : "<NULL>");
*errMesg = "Internal Error";
rc = LDAP_OPERATIONS_ERROR;
goto done;
@@ -564,7 +566,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
/* get the kerberos context and master key */
*config = ipapwd_getConfig();
if (NULL == *config) {
- LOG_FATAL("Error Retrieving Master Key");
+ LOG_FATAL("Error Retrieving Master Key\n");
*errMesg = "Fatal Internal Error";
rc = LDAP_OPERATIONS_ERROR;
}
@@ -594,7 +596,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
/* Find the entry with the password policy */
ret = ipapwd_getPolicy(data->dn, data->target, &pol);
if (ret) {
- LOG_TRACE("No password policy, use defaults");
+ LOG_TRACE("No password policy, use defaults\n");
}
break;
case IPA_CHANGETYPE_ADMIN:
@@ -620,14 +622,14 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
*/
ret = ipapwd_getPolicy(data->dn, data->target, &tmppol);
if (ret) {
- LOG_TRACE("No password policy, use defaults");
+ LOG_TRACE("No password policy, use defaults\n");
} else {
pol.max_pwd_life = tmppol.max_pwd_life;
pol.history_length = tmppol.history_length;
}
break;
default:
- LOG_TRACE("Unknown password change type, use defaults");
+ LOG_TRACE("Unknown password change type, use defaults\n");
break;
}
@@ -860,7 +862,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
case IPA_CHANGETYPE_DSMGR:
case IPA_CHANGETYPE_ADMIN:
/* Mark as administratively reset which will unlock acct */
- ret = ipapwd_setdate(data->target, smods,
+ ret = ipapwd_setdate(data->target, smods,
"krbLastAdminUnlock",
data->timeNow, false);
if (ret != LDAP_SUCCESS)
@@ -951,7 +953,7 @@ Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods,
char **new_pwd_history = NULL;
int n = 0;
int ret;
- int i;
+ size_t i;
pwd_history = slapi_entry_attr_get_charray(data->target,
"passwordHistory");
@@ -1083,10 +1085,9 @@ int ipapwd_set_extradata(const char *dn,
void ipapwd_free_slapi_value_array(Slapi_Value ***svals)
{
Slapi_Value **sv = *svals;
- int i;
if (sv) {
- for (i = 0; sv[i]; i++) {
+ for (size_t i = 0; sv[i]; i++) {
slapi_value_free(&sv[i]);
}
}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index 7b2f341229b4f3bf48105c3856c0d6778da154a5..43ae6f0a645c8f3ff0fa2d147891f93efff0eb20 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -33,7 +33,7 @@
* Authors:
* Simo Sorce <ssorce@redhat.com>
*
- * Copyright (C) 2007-2010 Red Hat, Inc.
+ * Copyright (C) 2007-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -231,7 +231,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
if (!*svals) {
/* errMesg should have been set in encrypt_encode_key() */
- LOG_FATAL("key encryption/encoding failed\n");
+ LOG_FATAL("key encryption/encoding failed (%s)\n", *errMesg);
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
@@ -267,6 +267,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
}
(*ntvals)[0] = slapi_value_new();
if (slapi_value_set((*ntvals)[0], nt_key, 16) == NULL) {
+ LOG("Failed to set value for nt_key");
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 0d630ca04c38b739bb0d8bf22c162af9d3e15566..43c31becae45c1c91c7c2adf498aedbd05af9a69 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -33,7 +33,7 @@
* Authors:
* Simo Sorce <ssorce@redhat.com>
*
- * Copyright (C) 2007-2010 Red Hat, Inc.
+ * Copyright (C) 2007-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -108,7 +108,7 @@ static void filter_keys(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_keyset *kset,
bool allow_nthash)
{
- int i, j;
+ size_t i, j;
for (i = 0; i < kset->num_keys; i++) {
for (j = 0; j < krbcfg->num_supp_encsalts; j++) {
@@ -151,11 +151,11 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
bool allow_nthash)
{
/* first filter for duplicates */
- for (int i = 0; i + 1 < *num_kenctypes; i++) {
- for (int j = i + 1; j < *num_kenctypes; j++) {
+ for (size_t i = 0; i + 1 < *num_kenctypes; i++) {
+ for (size_t j = i + 1; j < *num_kenctypes; j++) {
if (kenctypes[i].ks_enctype == kenctypes[j].ks_enctype) {
/* duplicate, filter out */
- for (int k = j; k + 1 < *num_kenctypes; k++) {
+ for (size_t k = j; k + 1 < *num_kenctypes; k++) {
kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
}
@@ -166,8 +166,8 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
}
/* then filter for supported */
- for (int i = 0; i < *num_kenctypes; i++) {
- int j;
+ for (size_t i = 0; i < *num_kenctypes; i++) {
+ size_t j;
/* Check if supported */
for (j = 0; j < krbcfg->num_supp_encsalts; j++) {
@@ -184,7 +184,7 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
}
if (j == krbcfg->num_supp_encsalts) {
/* Unsupported, filter out */
- for (int k = i; k + 1 < *num_kenctypes; k++) {
+ for (size_t k = i; k + 1 < *num_kenctypes; k++) {
kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
}
@@ -344,6 +344,8 @@ parse_req_done:
rc = ipapwd_check_max_pwd_len(strlen(newPasswd), &errMesg);
if (rc) {
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+ bindDN, errMesg);
goto free_and_return;
}
@@ -456,7 +458,7 @@ parse_req_done:
char *cur_pw;
if (oldPasswd == NULL || *oldPasswd == '\0') {
- LOG_FATAL("Old password was not provided!\n");
+ LOG_FATAL("Old password was not provided for '%s'!\n", dn);
rc = LDAP_INVALID_CREDENTIALS;
goto free_and_return;
}
@@ -466,7 +468,7 @@ parse_req_done:
cur_pw = slapi_entry_attr_get_charptr(targetEntry,
"userPassword");
if (!cur_pw) {
- LOG_FATAL("User has no current password?\n");
+ LOG_FATAL("User '%s' does not have a current password?\n", dn);
rc = LDAP_UNWILLING_TO_PERFORM;
goto free_and_return;
}
@@ -485,7 +487,7 @@ parse_req_done:
slapi_value_free(&pw);
if (ret != 0) {
- LOG_TRACE("Invalid password!\n");
+ LOG_TRACE("Invalid password for '%s'!\n", dn);
rc = LDAP_INVALID_CREDENTIALS;
goto free_and_return;
}
@@ -579,11 +581,9 @@ parse_req_done:
/* special cases */
if ((strcasecmp(dn, bindDN) != 0) &&
(strcasecmp(ipa_changepw_principal_dn, bindDN) != 0)) {
- int i;
-
pwdata.changetype = IPA_CHANGETYPE_ADMIN;
- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
pwdata.changetype = IPA_CHANGETYPE_DSMGR;
break;
@@ -606,6 +606,8 @@ parse_req_done:
errMesg = ipapwd_error2string(ret);
ret = ipapwd_to_ldap_pwpolicy_error(ret);
slapi_pwpolicy_make_response_control(pb, -1, -1, ret);
+ LOG_PWDPOLICY("Failed to set password credentials for"
+ " '%s': %s\n", dn, errMesg);
rc = LDAP_CONSTRAINT_VIOLATION;
goto free_and_return;
}
@@ -666,7 +668,7 @@ free_and_return:
if (targetEntry) slapi_entry_free(targetEntry);
if (ber) ber_free(ber, 1);
- LOG("%s", errMesg ? errMesg : "success");
+ LOG("%s\n", errMesg ? errMesg : "success");
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
@@ -732,7 +734,8 @@ static Slapi_Entry *get_entry_by_principal(const char *principal)
"krbCanonicalName",
"enrolledBy", NULL };
Slapi_Entry **es = NULL;
- int res, ret, i;
+ int res, ret;
+ size_t i;
Slapi_Entry *entry = NULL;
/* Find ancestor base DN */
@@ -774,7 +777,7 @@ static Slapi_Entry *get_entry_by_principal(const char *principal)
/* if there is none or more than one, freak out */
if (i != 1) {
- LOG_TRACE("Too many entries, or entry no found (%d)", i);
+ LOG_TRACE("Too many entries, or entry no found (%ld)\n", i);
goto free_and_return;
}
entry = slapi_entry_dup(es[0]);
@@ -809,7 +812,7 @@ static bool is_allowed_to_access_attr(Slapi_PBlock *pb, char *bindDN,
*/
be = get_realm_backend();
if (!be) {
- LOG_FATAL("Could not fetch REALM backend!");
+ LOG_FATAL("Could not fetch REALM backend!\n");
return false;
}
if (slapi_pblock_set(pb, SLAPI_BACKEND, be)) {
@@ -868,7 +871,8 @@ static void remove_user_password(Slapi_Mods *smods,
if ((NULL != pw) && (NULL == krbLastPwdChange)) {
slapi_mods_add_mod_values(smods, LDAP_MOD_DELETE,
"userPassword", NULL);
- LOG_TRACE("Removing userPassword from host entry\n");
+ LOG_TRACE("Removing userPassword from host entry '%s'\n",
+ slapi_entry_get_dn_const(targetEntry));
}
}
if (krbLastPwdChange) slapi_ch_free_string(&krbLastPwdChange);
@@ -891,8 +895,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
rc = set_krbLastPwdChange(smods, time_now);
if (rc) {
rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to set krbLastPwdChange");
- err_msg = "Internal error while storing keytab data\n";
+ LOG_FATAL("Failed to set krbLastPwdChange for target '%s'\n",
+ slapi_entry_get_dn_const(target));
+ err_msg = "Internal error while storing keytab data";
goto done;
}
@@ -905,8 +910,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
rc = ipapwd_apply_mods(slapi_entry_get_dn_const(target), smods);
if (rc != LDAP_SUCCESS) {
rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to apply mods");
- err_msg = "Internal error while saving keys\n";
+ LOG_FATAL("Failed to apply mods to target '%s'\n",
+ slapi_entry_get_dn_const(target));
+ err_msg = "Internal error while saving keys";
goto done;
}
@@ -914,8 +920,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn,
svcname, time_now);
if (rc != LDAP_SUCCESS) {
rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to set extradata");
- err_msg = "Internal error while saving keytab extradata\n";
+ LOG_FATAL("Failed to set extradata for target '%s'\n",
+ slapi_entry_get_dn_const(target));
+ err_msg = "Internal error while saving keytab extradata";
goto done;
}
@@ -1003,7 +1010,7 @@ static int decode_setkeytab_request(krb5_context krbctx,
kset->mkvno = mkvno;
rtag = ber_peek_tag(ber, &tlen);
- for (int i = 0; rtag == LBER_SEQUENCE; i++) {
+ for (size_t i = 0; rtag == LBER_SEQUENCE; i++) {
krb5_key_data *newset;
ber_tag_t ctag;
ber_int_t type;
@@ -1181,29 +1188,29 @@ static int encode_setkeytab_reply(struct ipapwd_keyset *kset,
rc = ber_printf(ber, "{i{", (ber_int_t)kset->keys[0].key_data_kvno);
if (rc == -1) {
rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to ber_printf the kvno");
+ LOG_FATAL("Failed to ber_printf the kvno\n");
goto done;
}
- for (int i = 0; i < kset->num_keys; i++) {
+ for (size_t i = 0; i < kset->num_keys; i++) {
rc = ber_printf(ber, "{i}", (ber_int_t)kset->keys[i].key_data_type[0]);
if (rc == -1) {
rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to ber_printf the enctype");
+ LOG_FATAL("Failed to ber_printf the enctype\n");
goto done;
}
}
rc = ber_printf(ber, "}}");
if (rc == -1) {
rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to ber_printf the termination");
+ LOG_FATAL("Failed to ber_printf the termination\n");
goto done;
}
rc = ber_flatten(ber, &bvp);
if (rc == -1) {
rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to ber_flatten the buffer");
+ LOG_FATAL("Failed to ber_flatten the buffer\n");
goto done;
}
@@ -1306,7 +1313,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
/* get next kvno for entry (will be 1 if this is new) and fix keyset */
kvno = ipapwd_get_cur_kvno(targetEntry) + 1;
- for (int i = 0; i < kset->num_keys; i++) {
+ for (size_t i = 0; i < kset->num_keys; i++) {
kset->keys[i].key_data_kvno = kvno;
}
@@ -1352,7 +1359,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
rc = encode_setkeytab_reply(kset, &bvp);
if (rc) {
- errMesg = "Internal Error.\n";
+ errMesg = "Internal Error.";
goto free_and_return;
}
@@ -1372,7 +1379,7 @@ free_and_return:
if (targetEntry) slapi_entry_free(targetEntry);
if (svals) {
- for (int i = 0; svals[i]; i++) {
+ for (size_t i = 0; svals[i]; i++) {
slapi_value_free(&svals[i]);
}
free(svals);
@@ -1382,7 +1389,7 @@ free_and_return:
if (rc == LDAP_SUCCESS)
errMesg = NULL;
- LOG("%s", errMesg ? errMesg : "success");
+ LOG("%s\n", errMesg ? errMesg : "success");
slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
@@ -1403,7 +1410,6 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
krb5_key_salt_tuple *enctypes = NULL;
bool newkt;
bool ret;
- int i;
ret = ipaasn1_dec_getkt(extop->bv_val, extop->bv_len, &newkt,
&svcname, &password, &etypes, &numtypes);
@@ -1423,7 +1429,7 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
goto done;
}
- for (i = 0; i < numtypes; i++) {
+ for (size_t i = 0; i < numtypes; i++) {
enctypes[i].ks_enctype = etypes[i];
enctypes[i].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
}
@@ -1466,7 +1472,7 @@ static int encode_getkeytab_reply(krb5_context krbctx,
/* uses last key kvno */
kvno = keys[num_keys-1].key_data_kvno;
- for (int i = 0; i < num_keys; i++) {
+ for (size_t i = 0; i < num_keys; i++) {
krb5_enc_data cipher = { 0 };
krb5_data plain = { 0 };
krb5_int16 plen;
@@ -1516,7 +1522,7 @@ static int encode_getkeytab_reply(krb5_context krbctx,
rc = LDAP_SUCCESS;
done:
- for (int i = 0; i < ksc.nkeys; i ++) {
+ for (size_t i = 0; i < ksc.nkeys; i++) {
free(ksc.ksdata[i].key.contents);
}
if (rc != LDAP_SUCCESS) {
@@ -1632,7 +1638,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
* this operation. */
if (bind_dn == NULL || *bind_dn == '\0') {
/* Refuse the operation because they're bound anonymously */
- err_msg = "Anonymous Binds are not allowed.\n";
+ err_msg = "Anonymous Binds are not allowed.";
rc = LDAP_INSUFFICIENT_ACCESS;
goto free_and_return;
}
@@ -1648,7 +1654,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
if (!extop_value) {
LOG_FATAL("Failed to retrieve extended op value from pblock\n");
- err_msg = "Failed to retrieve extended operation value\n";
+ err_msg = "Failed to retrieve extended operation value";
rc = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
@@ -1674,7 +1680,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
/* get Entry by krbPrincipalName */
target_entry = get_entry_by_principal(service_name);
if (!target_entry) {
- err_msg = "PrincipalName not found.\n";
+ err_msg = "PrincipalName not found.";
rc = LDAP_NO_SUCH_OBJECT;
goto free_and_return;
}
@@ -1690,7 +1696,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
if (!acl_ok) {
LOG_FATAL("Not allowed to retrieve keytab on [%s] as user [%s]!\n",
service_name, bind_dn);
- err_msg = "Insufficient access rights\n";
+ err_msg = "Insufficient access rights";
rc = LDAP_INSUFFICIENT_ACCESS;
goto free_and_return;
}
@@ -1701,6 +1707,8 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
/* if password was passed-in, check its length */
rc = ipapwd_check_max_pwd_len(strlen(password), &err_msg);
if (rc) {
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+ bind_dn, err_msg);
goto free_and_return;
}
}
@@ -1712,7 +1720,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
if (!acl_ok) {
LOG_FATAL("Not allowed to set keytab on [%s]!\n",
service_name);
- err_msg = "Insufficient access rights\n";
+ err_msg = "Insufficient access rights";
rc = LDAP_INSUFFICIENT_ACCESS;
goto free_and_return;
}
@@ -1745,7 +1753,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
if (!svals) {
rc = LDAP_OPERATIONS_ERROR;
LOG_FATAL("encrypt_encode_keys failed!\n");
- err_msg = "Internal error while encrypting keys\n";
+ err_msg = "Internal error while encrypting keys";
goto free_and_return;
}
@@ -1765,7 +1773,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
rc = encode_getkeytab_reply(krbctx, krbcfg->kmkey, mkvno,
keys, num_keys, &bvp);
if (rc != LDAP_SUCCESS) {
- err_msg = "Internal Error.\n";
+ err_msg = "Internal Error.";
goto free_and_return;
}
@@ -1776,7 +1784,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
free_and_return:
if (rc == LDAP_SUCCESS) err_msg = NULL;
- LOG("%s", err_msg ? err_msg : "success");
+ LOG("%s\n", err_msg ? err_msg : "success");
slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL);
/* Free anything that we allocated above */
@@ -1787,7 +1795,7 @@ free_and_return:
if (target_entry) slapi_entry_free(target_entry);
if (keys) ipa_krb5_free_key_data(keys, num_keys);
if (svals) {
- for (int i = 0; svals[i]; i++) {
+ for (size_t i = 0; svals[i]; i++) {
slapi_value_free(&svals[i]);
}
free(svals);
@@ -2031,7 +2039,7 @@ int ipapwd_init( Slapi_PBlock *pb )
"ipapwd_post_init_betxn", ipapwd_post_init_betxn,
"IPA pwd post ops betxn", NULL,
ipapwd_plugin_id);
- }
+ }
slapi_register_plugin("preoperation", 1,
"ipapwd_pre_init", ipapwd_pre_init,
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 45626523ffa1030cdff4f3e0ccdfa1618a51ccaf..6898e6596e1cbbb2cc69ba592401619ce86899d8 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -33,7 +33,7 @@
* Authors:
* Simo Sorce <ssorce@redhat.com>
*
- * Copyright (C) 2007-2010 Red Hat, Inc.
+ * Copyright (C) 2007-2023 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
@@ -248,6 +248,13 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
return 0;
}
+ /* Get target DN */
+ ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+ if (ret) {
+ rc = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
/* Ok this is interesting,
* Check this is a clear text password, or refuse operation */
if ('{' == userpw[0]) {
@@ -280,6 +287,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
} else {
rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg);
if (rc) {
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+ slapi_sdn_get_dn(sdn), errMesg);
goto done;
}
userpw = slapi_ch_strdup(userpw_clear);
@@ -329,13 +338,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
goto done;
}
- /* Get target DN */
- ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
- if (ret) {
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
/* time to get the operation handler */
ret = slapi_pblock_get(pb, SLAPI_OPERATION, &op);
if (ret != 0) {
@@ -359,7 +361,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
} else {
char *binddn;
- int i;
pwdop->pwdata.changetype = IPA_CHANGETYPE_ADMIN;
@@ -367,7 +368,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn);
/* if it is a passsync manager we also need to skip resets */
- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
if (strcasecmp(krbcfg->passsync_mgrs[i], binddn) == 0) {
pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
break;
@@ -385,6 +386,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
if ((pwdop->pwdata.changetype != IPA_CHANGETYPE_DSMGR) &&
(ret != 0) ) {
errMesg = ipapwd_error2string(ret);
+ LOG_PWDPOLICY("Failed to add password credentials for '%s': %s\n",
+ slapi_sdn_get_dn(sdn), errMesg);
rc = LDAP_CONSTRAINT_VIOLATION;
goto done;
}
@@ -507,6 +510,13 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
goto done;
}
+ /* Get target DN */
+ ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+ if (ret) {
+ rc = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
/* grab the mods - we'll put them back later with
* our modifications appended
*/
@@ -568,6 +578,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
rc = ipapwd_check_max_pwd_len(bv->bv_len, &errMesg);
if (rc) {
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+ slapi_sdn_get_dn(sdn), errMesg);
goto done;
}
slapi_ch_free_string(&unhashedpw);
@@ -591,14 +603,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
/* OK we have something interesting here, start checking for
* pre-requisites */
-
- /* Get target DN */
- ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
- if (ret) {
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
tmp_sdn = slapi_sdn_dup(sdn);
if (tmp_sdn) {
/* xxxPAR: Ideally SLAPI_MODIFY_EXISTING_ENTRY should be
@@ -795,6 +799,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
const char *userpw_clear = &userpw[strlen("{CLEAR}")];
rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg);
if (rc) {
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+ slapi_sdn_get_dn(sdn), errMesg);
goto done;
}
unhashedpw = slapi_ch_strdup(userpw_clear);
@@ -806,9 +812,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
slapi_ch_free_string(&userpw);
} else if (slapi_is_encoded(userpw)) {
-
- LOG("Pre-Encoded passwords are not valid\n");
- errMesg = "Pre-Encoded passwords are not valid\n";
+ errMesg = "Pre-Encoded passwords are not valid";
+ LOG("%s (%s)\n", errMesg, slapi_sdn_get_dn(sdn));
rc = LDAP_CONSTRAINT_VIOLATION;
goto done;
}
@@ -843,7 +848,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
} else {
char *binddn;
Slapi_DN *bdn, *tdn;
- int i;
/* Check Bind DN */
slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn);
@@ -857,18 +861,16 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
pwdop->pwdata.changetype = IPA_CHANGETYPE_ADMIN;
/* if it is a passsync manager we also need to skip resets */
- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) {
if (strcasecmp(krbcfg->passsync_mgrs[i], binddn) == 0) {
pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR;
break;
}
}
-
}
slapi_sdn_free(&bdn);
slapi_sdn_free(&tdn);
-
}
pwdop->pwdata.dn = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
@@ -884,6 +886,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
if ((pwdop->pwdata.changetype != IPA_CHANGETYPE_DSMGR) &&
(ret != 0)) {
errMesg = ipapwd_error2string(ret);
+ LOG_PWDPOLICY("Check Password Policy failed for (%s) - %s/n",
+ pwdop->pwdata.dn, errMesg);
rc = LDAP_CONSTRAINT_VIOLATION;
goto done;
}
@@ -976,7 +980,6 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
int num_keys;
int mkvno;
int ret;
- int i;
ret = slapi_entry_attr_find(entry, "ipaNTHash", &attr);
if (ret == 0) {
@@ -1008,7 +1011,7 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods,
ret = LDAP_UNWILLING_TO_PERFORM;
- for (i = 0; i < num_keys; i++) {
+ for (size_t i = 0; i < num_keys; i++) {
char nthash[16];
krb5_enc_data cipher;
krb5_data plain;
@@ -1511,6 +1514,8 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
} else {
rc = ipapwd_check_max_pwd_len(credentials->bv_len, &errMesg);
if (rc) {
+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n",
+ slapi_sdn_get_dn(sdn), errMesg);
goto invalid_creds;
}
}
--
2.43.0