LDAP_EXOP_X_MODIFY_PASSWD does not adhere to backend security checks (ITS#1781)
Full_Name: Darin S. Broady
Version: 2.0.23, 2.1.1beta & HEAD
OS: Irix 6.5.10, 6.5.15 & Solaris 8
URL:
Submission from: (NULL) (192.146.101.11)
Using ldappasswd to change a user's password via the extended password change mechanism, LDAP_EXOP_X_MODIFY_PASSWORD, the LDAP daemon, in the passwd_extop() function in servers/slapd/passwd.c, does not check to see if the connection is using enough security strength for the database that it is updating. We want all updates to be processed at a certain security level, and all modifies except for LDAP_EXOP_X_MODIFY_PASSWORD were calling backend_check_restrictions() to make sure that the security strength factor on the connection was what is required by the database.

To fix this, I have included the following patch to add backend_check_restrictions() to passwd_extop().
servers/slapd/passwd.c.diff
----------------------------------------
--- openldap-2.0.23-orig/servers/slapd/passwd.c Fri Jan 4 15:38:29 2002
+++ openldap-2.0.23-irix-n32/servers/slapd/passwd.c Fri Apr 26 08:16:58
2002
@@ -43,6 +43,15 @@
*text = "authorization database is read only";
rc = LDAP_UNWILLING_TO_PERFORM;
+ } else if ((rc = backend_check_restrictions(
conn->c_authz_backend, conn, op,
+
LDAP_EXOP_X_MODIFY_PASSWD, text )) != LDAP_SUCCESS) {
+ /****************************************************
+ * The operation doesn't have enough SSL strength *
+ * for the backend to permit the operation. *
+ * *
+ * NOTE: text is assigned a "<string>". Do not *
+ * free it. *
+ ***************************************************/
} else if( conn->c_authz_backend->be_update_ndn != NULL ) {
/* we SHOULD return a referral in this case */
*refs = conn->c_authz_backend->be_update_refs;
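Review bot: the new `else if` branch has no statements of its own, only a comment, so the rejection depends entirely on `rc` being assigned inside the condition `(rc = backend_check_restrictions(...)) != LDAP_SUCCESS`; that works because the surrounding chain reports `rc` afterwards, but the comment inside the branch should say so explicitly (e.g. "rc already set above; fall through to the error return") rather than only describing what `text` holds. The comment's wording "doesn't have enough SSL strength" is also narrower than what the check enforces: the report itself describes the requirement as the security strength factor on the connection, which is not limited to SSL/TLS, so "security strength factor (SSF)" would be more accurate. Finally, in the hunk as pasted the continuation lines of the call (`conn->c_authz_backend, conn, op,` and `LDAP_EXOP_X_MODIFY_PASSWD, text )) != LDAP_SUCCESS) {`) have lost their leading `+`, and the `@@ -43,6 +43,15 @@` header no longer matches the line count, so the patch as shown will not apply cleanly; re-sending it as an attachment with the original line breaks would avoid that.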
Copyright Notification for the patch above
---------------------------------------------
Copyright 2002, Darin Broady, All rights reserved.
This software is not subject to any license of Lexmark International, Inc.
This is free software; you can redistribute and use it
under the same terms as OpenLDAP itself.
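The defect described in the report is a general one: a security gate applied per operation type in a dispatcher, with one operation type routed around it. The following is a constructed C model added here to illustrate that pattern and its fix; it is not OpenLDAP code, and the names `check_restrictions`, `dispatch_unpatched`, `dispatch_patched`, the `backend`/`connection` structs and the SSF values are all assumptions chosen for the example. The "before" dispatcher skips the check for the password-modify extended operation exactly as the report describes, and the "after" dispatcher applies it uniformly as the submitted patch does.

```c
#include <stdio.h>

/* Constructed model, not OpenLDAP's own code. Each backend declares the
 * minimum security strength factor (SSF) it requires for updates; each
 * connection carries the SSF that its transport (e.g. TLS or SASL) provides. */
enum { LDAP_SUCCESS = 0, LDAP_CONFIDENTIALITY_REQUIRED = 13 };
enum op_kind { OP_ADD, OP_MODIFY, OP_DELETE, OP_EXOP_MODIFY_PASSWD };

struct backend    { int update_ssf; };   /* required SSF for any update      */
struct connection { int ssf;        };   /* SSF negotiated on this connection */

/* Stand-in for backend_check_restrictions(): refuse an update when the
 * connection is weaker than the backend demands. *text points at a static
 * string, so the caller must not free it (mirroring the note in the patch). */
int check_restrictions(const struct backend *be, const struct connection *conn,
                       const char **text)
{
    if (conn->ssf < be->update_ssf) {
        *text = "confidentiality required";
        return LDAP_CONFIDENTIALITY_REQUIRED;
    }
    *text = NULL;
    return LDAP_SUCCESS;
}

/* Dispatcher as the report describes the pre-patch server: every update
 * goes through the check except the password-modify extended operation. */
int dispatch_unpatched(const struct backend *be, const struct connection *conn,
                       enum op_kind op, const char **text)
{
    if (op == OP_EXOP_MODIFY_PASSWD) {
        *text = NULL;
        return LDAP_SUCCESS;      /* the gap: no SSF check on this path */
    }
    return check_restrictions(be, conn, text);
}

/* Dispatcher with the check applied to every update, including the exop,
 * which is what adding backend_check_restrictions() to passwd_extop() does. */
int dispatch_patched(const struct backend *be, const struct connection *conn,
                     enum op_kind op, const char **text)
{
    (void)op;                     /* the op kind no longer selects a bypass */
    return check_restrictions(be, conn, text);
}

int main(void)
{
    const struct backend    db    = { 128 };   /* requires SSF >= 128 for updates */
    const struct connection plain = { 0 };     /* cleartext connection            */
    const char *text = NULL;

    printf("unpatched modify on cleartext : rc=%d\n",
           dispatch_unpatched(&db, &plain, OP_MODIFY, &text));
    printf("unpatched passwd exop cleartext: rc=%d  <- bypass\n",
           dispatch_unpatched(&db, &plain, OP_EXOP_MODIFY_PASSWD, &text));
    printf("patched passwd exop cleartext  : rc=%d (%s)\n",
           dispatch_patched(&db, &plain, OP_EXOP_MODIFY_PASSWD, &text), text);
    return 0;
}
```

A regression check for this class of bug is to enumerate every update operation the server accepts and assert that each one returns the same error on a connection below the backend's required SSF; the extended operation is the case that such a table would have caught here.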