[Freeipa-devel] [PATCH] ipa-pwd-extop: allow password change on all connections with SSF>1

Jan Cholasta jcholast at redhat.com
Wed Oct 5 14:41:00 UTC 2011


On 5.10.2011 16:36, Sumit Bose wrote:
> On Wed, Oct 05, 2011 at 03:06:19PM +0200, Jan Cholasta wrote:
>> On 5.10.2011 11:58, Sumit Bose wrote:
>>> On Tue, Oct 04, 2011 at 11:15:04AM +0200, Jan Cholasta wrote:
>>>> On 27.9.2011 10:15, Sumit Bose wrote:
>>>>> Hi,
>>>>>
>>>>> currently the change password plugin does not check if the connection is
>>>>> coming from a local LDAPI socket and denies password change requests via
>>>>> LDAPI. This patch changes the check to just look at the overall SSF of
>>>>> the connection which covers all types of connection.
>>>>>
>>>>> There is a similar check in ipa_enrollment.c. But I think enrollments via
>>>>> LDAPI do not make much sense so it does not need to be changed.
>>>>
>>>> IMHO it should be changed anyway, for the sake of consistency.
>>>>
>>>>>
>>>>> This patch should fix https://fedorahosted.org/freeipa/ticket/1877.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>
>>>> The patch has trailing whitespace on lines 20 and 32-35 and needs to
>>>> be rebased.
>>>>
>>>> Tested the patch with ldappasswd over ldap/ldaps/ldapi - works as expected.
>>>
>>> Thank you for the review. I have changed ipa_enrollment.c accordingly
>>> and checked that the patch applies against master as well as against
>>> ipa-2-1 and that git does not complain about trailing whitespace. New
>>> version attached.
>>>
>>> bye,
>>> Sumit
>>
>> "git apply" still complains about the patch:
>>
>> $ git status -sb
>> ## ipa-2-1
>>
>> $ git apply freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
>>
>> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:23:
>> trailing whitespace.
>>      int ssf;
>> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:39:
>> trailing whitespace.
>>      /* Allow password modify on all connections with a Security Strength
>> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:40:
>> trailing whitespace.
>>       * Factor (SSF) higher than 1 */
>> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:41:
>> trailing whitespace.
>>      if (slapi_pblock_get(pb, SLAPI_OPERATION_SSF,&ssf) != 0) {
>> ../../patch/freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch:42:
>> trailing whitespace.
>>          LOG_TRACE("Could not get SSF from connection\n");
>> error: patch failed:
>> daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:80
>> error: daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:
>> patch does not apply
>> error: patch failed:
>> daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:615
>> error: daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c:
>> patch does not apply
>>
>>
>> It can be applied with "patch", but it complains too:
>>
>> $ patch -p1 --no-backup-if-mismatch<freeipa-sbose-0007-2-ipa-pwd-extop-allow-password-change-on-all-connectio.patch
>>
>> (Stripping trailing CRs from patch.)
>> patching file daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
>> (Stripping trailing CRs from patch.)
>> patching file daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
>>
>>
>> The comment in ipa-enrollment.c should be changed from "Allow
>> password modify on ..." to "Allow enrollment on ...".
>
> I changed the comment and sent the patch not in base64.
>
> bye,
> Sumit

Thank you, ACK.

Honza

>
>>
>> Honza
>>
>>>
>>>>
>>>> Honza
>>>>
>>>> --
>>>> Jan Cholasta
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>>
>> --
>> Jan Cholasta
>>


-- 
Jan Cholasta
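
The SSF check discussed in this thread, as an added example that is not part of the original messages or of the FreeIPA patch: a small C model contrasting an assumed per-transport check with the overall-SSF check. The struct, the function names and the sample SSF values are constructed for illustration; only the "higher than 1" threshold comes from the thread.

```c
#include <stdio.h>

/* Constructed model of a connection; field names are hypothetical and
 * are not the directory server's own structures. */
struct conn_model {
    const char *name;
    int tls_ssf;    /* strength negotiated by TLS, 0 if none */
    int sasl_ssf;   /* strength of a SASL security layer, 0 if none */
    int local_ssf;  /* strength the server assigns to a local LDAPI socket */
};

/* Assumed shape of a per-transport check: only TLS or a SASL layer counts,
 * so a local socket is rejected however it is configured. */
static int allow_by_transport(const struct conn_model *c)
{
    return c->tls_ssf > 0 || c->sasl_ssf > 1;
}

/* Overall SSF: the strongest protection in effect on the connection. */
static int overall_ssf(const struct conn_model *c)
{
    int ssf = c->tls_ssf;
    if (c->sasl_ssf > ssf) ssf = c->sasl_ssf;
    if (c->local_ssf > ssf) ssf = c->local_ssf;
    return ssf;
}

/* Check described in the thread: allow only when the SSF is higher than 1. */
static int allow_by_overall_ssf(const struct conn_model *c)
{
    return overall_ssf(c) > 1;
}

/* Constructed sample connections; the SSF values are illustrative. */
static const struct conn_model samples[] = {
    { "ldap:// cleartext",           0,   0,  0 },
    { "ldap:// SASL integrity only", 0,   1,  0 },
    { "ldap:// SASL privacy layer",  0,   56, 0 },
    { "ldaps://",                    256, 0,  0 },
    { "ldapi://",                    0,   0,  71 },
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s transport=%d overall=%d\n", samples[i].name,
               allow_by_transport(&samples[i]), allow_by_overall_ssf(&samples[i]));
    return 0;
}
```

Only the ldapi:// row differs between the two checks; cleartext and integrity-only connections are rejected by both.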



