(ITS#6265) ppolicy: modifications in ppolicy_bind_response don't update entries' operational attributes



Full_Name: Jonathan Clarke
Version: RE24
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-ppolicy-20090819.patch
Submission from: (NULL) (82.67.204.30)


Hi,

In the password policy overlay, the function ppolicy_bind_response() contains:

                Operation op2 = *op;
                [...]
                op2.orm_modlist = mod;
                [...]
                rc = op2.o_bd->be_modify( &op2, &r2 );

This reuses the original Operation structure (a BIND request) to perform a
modification operation. The code changes the value orm_modlist, which is
actually in the OpRequest union. This union is thereafter referred to as
containing a req_modify_s, not a req_bind_s as before, since this is now a
modification operation.

However, other fields from req_modify_s are not updated and are interpreted with
values set by the bind operation. In particular orm_no_opattrs is set to != 0
(bv_len of the credentials, actually), which causes modifications done by the
overlay not to cause updates to operational attributes (which ultimately means
these updates are not replicated if we're on a syncrepl provider, which is how I
came across this).

Sorry for the long explanation, which may seem obvious to those familiar with
these structures.

The patch above corrects *this* issue. I'm unsure whether orm_increment should
also be reset? Probably, I'm guessing.

Regards,
Jonathan
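
The aliasing described in the report, as an added example that is not part of the original message, the attached patch or OpenLDAP's code. The structures and function names are simplified, hypothetical stand-ins for slapd's Operation and request union, and the stale value assumes a little-endian layout in which no_opattrs overlaps the low byte of cred.bv_len.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for slapd's structures (hypothetical, not the real definitions). */
struct berval { size_t bv_len; char *bv_val; };
struct mods;                                  /* opaque modification list */

struct req_bind   { int method; struct berval cred; };
struct req_modify { struct mods *modlist; char no_opattrs; int increment; };

enum { REQ_BIND = 1, REQ_MODIFY = 2 };

struct operation {
    int tag;                                  /* which union member is live */
    union { struct req_bind bind; struct req_modify modify; } req;
};

/* Build a bind request carrying a constructed sample credential. */
static struct operation make_bind(char *password)
{
    struct operation op;
    memset(&op, 0, sizeof op);
    op.tag = REQ_BIND;
    op.req.bind.method = 0x80;
    op.req.bind.cred.bv_val = password;
    op.req.bind.cred.bv_len = strlen(password);
    return op;
}

/* Pattern from the report: copy the bind op, then set only the modlist. */
int no_opattrs_after_partial_reuse(char *password, struct mods *m)
{
    struct operation op2 = make_bind(password);
    op2.tag = REQ_MODIFY;
    op2.req.modify.modlist = m;
    return op2.req.modify.no_opattrs;         /* leftover bytes of cred.bv_len */
}

/* Defensive variant: clear the union, then give every modify member a value. */
int no_opattrs_after_full_init(char *password, struct mods *m)
{
    struct operation op2 = make_bind(password);
    op2.tag = REQ_MODIFY;
    memset(&op2.req, 0, sizeof op2.req);      /* drop all bind-era bytes */
    op2.req.modify.modlist = m;
    op2.req.modify.no_opattrs = 0;
    op2.req.modify.increment = 0;
    return op2.req.modify.no_opattrs;
}
```

In this simplified layout the leftover value is the low byte of the credential length, so a credential whose length is a multiple of 256 would hide the symptom.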