
LDAP_EXOP_X_MODIFY_PASSWD does not adhere to backend security checks (ITS#1781)



Full_Name: Darin S. Broady
Version: 2.0.23, 2.1.1beta & HEAD
OS: Irix 6.5.10, 6.5.15 & Solaris 8
URL: 
Submission from: (NULL) (192.146.101.11)


Using ldappasswd to change a user's password via the extended password change
mechanism, LDAP_EXOP_X_MODIFY_PASSWORD, the LDAP daemon, in the passwd_extop()
function in servers/slapd/passwd.c, does not check to see if the connection is
using enough security strength for the database that it is updating. We want
all updates to be processed at a certain security level, and all modifies except
for LDAP_EXOP_X_MODIFY_PASSWORD were calling backend_check_restrictions() to
make sure that the security strength factor on the connection was what is
required by the database.
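The security level the report refers to is configured with slapd's `security` and `require` directives; backend_check_restrictions() is the routine that enforces them per backend. The following slapd.conf fragment is an added illustration of such a policy and is not part of the ITS report or of OpenLDAP's own sources; the suffix, rootdn and certificate paths are placeholders.

```conf
# Added example configuration, not from the ITS report.
# Certificate paths are placeholders: TLS must be configured for a
# connection to reach a non-zero security strength factor (SSF) at all.
TLSCertificateFile      /path/to/slapd-cert.pem
TLSCertificateKeyFile   /path/to/slapd-key.pem

# Global policy: clients must speak LDAPv3, and every update operation
# must arrive on a connection whose SSF is at least 128 (for example a
# TLS session negotiated with a 128-bit cipher). Reads are unrestricted
# here. backend_check_restrictions() applies update_ssf to add, modify,
# delete and modrdn; without the patch below, the password-modify
# extended operation is the one update path that skips this check.
require   LDAPv3
security  update_ssf=128

database  ldbm
suffix    "dc=example,dc=com"
rootdn    "cn=Manager,dc=example,dc=com"

# Per-database override: this backend also refuses unauthenticated
# access and requires at least a 56-bit SSF for any operation, while
# keeping the 128-bit floor for updates.
require   authc
security  ssf=56 update_ssf=128
```

A directive given inside a `database` section replaces the global value for that backend, which is why both `ssf` and `update_ssf` are restated in the override.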

To fix this, I have included the following patch to add
backend_check_restrictions() to passwd_extop().




servers/slapd/passwd.c.diff
----------------------------------------
--- openldap-2.0.23-orig/servers/slapd/passwd.c Fri Jan  4 15:38:29 2002
+++ openldap-2.0.23-irix-n32/servers/slapd/passwd.c     Fri Apr 26 08:16:58
2002
@@ -43,6 +43,15 @@
                        *text = "authorization database is read only";
                        rc = LDAP_UNWILLING_TO_PERFORM;
 
+               } else if ((rc = backend_check_restrictions(
conn->c_authz_backend, conn, op,
+                                                           
LDAP_EXOP_X_MODIFY_PASSWD, text )) != LDAP_SUCCESS) {
+                       /****************************************************
+                        * The operation doesn't have enough SSL strength   *
+                        * for the backend to permit the operation.         *
+                        *                                                  *
+                        * NOTE:  text is assigned a "<string>".  Do not    *
+                        *        free it.                                  *
+                        ***************************************************/
                } else if( conn->c_authz_backend->be_update_ndn != NULL ) {
                        /* we SHOULD return a referral in this case */
                        *refs = conn->c_authz_backend->be_update_refs;
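Review bot: the new `else if ((rc = backend_check_restrictions(...)) != LDAP_SUCCESS)` branch has a body consisting only of a comment, so the failure path works solely because `rc` and `*text` are assigned inside the condition; a short note in the body such as `/* rc and *text already set by backend_check_restrictions() */`, or an explicit `rc = backend_check_restrictions(...)` assignment before the test, would make the intended fall-through obvious to the next reader. The block comment also describes the failure only as insufficient SSL strength, whereas backend_check_restrictions() enforces the backend's full set of restrictions (the `security` and `require` directives, including the SASL and transport factors), so wording it as "the connection does not meet the backend's security restrictions" would be more accurate. Finally, consider placing this check ahead of the preceding read-only test so that a connection below the required strength receives the same error regardless of whether the backend is read-only.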







Copyright Notification for the patch above
---------------------------------------------
     Copyright 2002, Darin Broady, All rights reserved.
     This software is not subject to any license of Lexmark International, Inc.

     This is free software; you can redistribute and use it
     under the same terms as OpenLDAP itself.