← Back to branch summary

~ubuntu-branches/ubuntu/saucy/389-ds-base/saucy

« back to all changes in this revision

Viewing changes to ldap/servers/plugins/replication/windows_protocol_util.c

  • Committer: Package Import Robot
  • Author(s): Timo Aaltonen
  • Date: 2013-02-06 18:06:31 UTC
  • mfrom: (11.1.1 raring-proposed)
  • Revision ID: package-import@ubuntu.com-20130206180631-h6ldv3k506hmm46e
Tags: 1.3.0.2-0ubuntu2
debian/*: Fix time stamps due to clock skew (FTBFS).

Show diffs side-by-side

added added

removed removed

Lines of Context:
ldap/servers/plugins/replication/windows_protocol_util.c
1812
1812
        }
1813
1813
}
1814
1814
 
 
1815
/* We need to check if the first character of password_value is an 
 
1816
 * opening brace since strstr will simply return it's first argument
 
1817
 * if it is an empty string. */
 
1818
/*
 
1819
 * return code:
 
1820
 * LDAP_SUCCESS: success
 
1821
 * LDAP_PARAM_ERROR: output value core_pw is NULL
 
1822
 * LDAP_INVALID_CREDENTIALS: password is already hashed
 
1823
 */
 
1824
int
 
1825
windows_get_core_pw(const char *password_value, char **core_pw)
 
1826
{
 
1827
        int rc = LDAP_SUCCESS;
 
1828
 
 
1829
        if (NULL == core_pw) {
 
1830
                return LDAP_PARAM_ERROR;
 
1831
        }
 
1832
        *core_pw = NULL;
 
1833
 
 
1834
        if (password_value && (*password_value == '{')) {
 
1835
                if (strchr( password_value, '}' )) {
 
1836
                        /* A storage scheme is present.  
 
1837
                         * Check if it's the clear storage scheme. */
 
1838
                        if ((strlen(password_value) >= PASSWD_CLEAR_PREFIX_LEN + 1) &&
 
1839
                            (strncasecmp(password_value, PASSWD_CLEAR_PREFIX,
 
1840
                                         PASSWD_CLEAR_PREFIX_LEN) == 0)) {
 
1841
                                /* This password is in clear text.  Strip off the clear prefix
 
1842
                                 * and sync it. */
 
1843
                                *core_pw =
 
1844
                                    slapi_ch_strdup(password_value + PASSWD_CLEAR_PREFIX_LEN);
 
1845
                        } else {
 
1846
                                /* the password is already hashed. */
 
1847
                                rc = LDAP_INVALID_CREDENTIALS;
 
1848
                        }
 
1849
                } else {
 
1850
                        /* This password doesn't have a storage prefix but
 
1851
                         * just happens to start with the '{' character.  We'll
 
1852
                         * assume that it's just a cleartext password without
 
1853
                         * the proper storage prefix. */
 
1854
                        *core_pw = slapi_ch_strdup(password_value);
 
1855
                }
 
1856
        } else {
 
1857
                /* This password has no storage prefix, or the password is empty */
 
1858
                *core_pw = slapi_ch_strdup(password_value);
 
1859
        }
 
1860
        return rc;
 
1861
}
 
1862
 
1815
1863
/* 
1816
1864
 * Make a new entry suitable for the sync destination (indicated by the to_windows argument).
1817
1865
 * Returns the new entry ready to be passed to an LDAP ADD operation, either remote or local.
1838
1886
        char *remote_user_entry_template = 
1839
1887
                "dn: %s\n"
1840
1888
                "objectclass:top\n"
1841
 
                "objectclass:person\n"
 
1889
                "objectclass:person\n"
1842
1890
                "objectclass:organizationalperson\n"
1843
1891
                "objectclass:user\n"
1844
1892
                "userPrincipalName:%s\n";
1846
1894
        char *remote_group_entry_template = 
1847
1895
                "dn: %s\n"
1848
1896
                "objectclass:top\n"
1849
 
                "objectclass:group\n";
 
1897
                "objectclass:group\n";
1850
1898
 
1851
1899
        LDAPDebug( LDAP_DEBUG_TRACE, "=> windows_create_remote_entry\n", 0, 0, 0 );
1852
1900
 
 
1901
        if (NULL == password) {
 
1902
                retval = LDAP_PARAM_ERROR;
 
1903
                goto error;
 
1904
        }
 
1905
        *password = NULL;
 
1906
 
1853
1907
        windows_is_local_entry_user_or_group(original_entry,&is_user,&is_group);
1854
1908
 
1855
1909
        /* Create a new entry */
2000
2054
                                }
2001
2055
                                slapi_ch_free_string(&new_type);
2002
2056
                        }
 
2057
#if defined(USE_OLD_UNHASHED)
2003
2058
                        /* password mods are treated specially */
2004
2059
                        if (0 == slapi_attr_type_cmp(type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD, SLAPI_TYPE_CMP_SUBTYPE) )
2005
2060
                        {
2006
2061
                                const char *password_value = NULL;
2007
2062
                                Slapi_Value *value = NULL;
2008
 
 
2009
 
                                slapi_valueset_first_value(vs,&value);
 
2063
                                slapi_valueset_first_value(vs, &value);
2010
2064
                                password_value = slapi_value_get_string(value);
2011
 
                                /* We need to check if the first character of password_value is an 
2012
 
                                 * opening brace since strstr will simply return it's first argument
2013
 
                                 * if it is an empty string. */
2014
 
                                if (password_value && (*password_value == '{')) {
2015
 
                                        if (strchr( password_value, '}' )) {
2016
 
                                                /* A storage scheme is present.  Check if it's the
2017
 
                                                 * clear storage scheme. */
2018
 
                                                if ((strlen(password_value) >= PASSWD_CLEAR_PREFIX_LEN + 1) &&
2019
 
                                                    (strncasecmp(password_value, PASSWD_CLEAR_PREFIX, PASSWD_CLEAR_PREFIX_LEN) == 0)) {
2020
 
                                                        /* This password is in clear text.  Strip off the clear prefix
2021
 
                                                         * and sync it. */
2022
 
                                                        *password = slapi_ch_strdup(password_value + PASSWD_CLEAR_PREFIX_LEN);
2023
 
                                                } else {
2024
 
                                                        /* This password is stored in a non-cleartext format.
2025
 
                                                         * We can only sync cleartext passwords. */
2026
 
                                                        slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
2027
 
                                                                "%s: windows_create_remote_entry: "
2028
 
                                                                "Password is already hashed.  Not syncing.\n",
2029
 
                                                                agmt_get_long_name(prp->agmt));
2030
 
                                                }
2031
 
                                        } else {
2032
 
                                                /* This password doesn't have a storage prefix but
2033
 
                                                 * just happens to start with the '{' character.  We'll
2034
 
                                                 * assume that it's just a cleartext password without
2035
 
                                                 * the proper storage prefix. */
2036
 
                                                *password = slapi_ch_strdup(password_value);
 
2065
                                rc = 0;
 
2066
                                if (password_value) {
 
2067
                                        rc = windows_get_core_pw(password_value, password);
 
2068
                                        if (LDAP_INVALID_CREDENTIALS == rc) {
 
2069
                                                /* This password is stored in a non-cleartext format.
 
2070
                                                 * We can only sync cleartext passwords. */
 
2071
                                                slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
 
2072
                                                        "%s: windows_create_remote_entry: "
 
2073
                                                        "Password is already hashed.  Not syncing.\n",
 
2074
                                                        agmt_get_long_name(prp->agmt));
2037
2075
                                        }
2038
 
                                } else {
2039
 
                                        /* This password has no storage prefix, or the password is empty */
2040
 
                                        *password = slapi_ch_strdup(password_value);
 
2076
                                }
 
2077
                                if ((rc && (LDAP_INVALID_CREDENTIALS != rc)) ||
 
2078
                                    (NULL == password_value)) {
 
2079
                                        slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
 
2080
                                                "%s: windows_create_remote_entry: "
 
2081
                                                "Failed to retrieve clear text password.  "
 
2082
                                                "Not syncing.\n",
 
2083
                                                agmt_get_long_name(prp->agmt));
2041
2084
                                }
2042
2085
                        }
2043
 
 
 
2086
#endif
2044
2087
                }
2045
2088
                if (vs) 
2046
2089
                {
2048
2091
                        vs = NULL;
2049
2092
                }
2050
2093
        }
 
2094
 
 
2095
        if (NULL == *password) {/* If the OLD_UNHASHED code fails to get password */
 
2096
                char *password_value = NULL;
 
2097
                /* Unhashed passwords are now stashed in the entry extension */
 
2098
                password_value = slapi_get_first_clear_text_pw(original_entry);
 
2099
                rc = 0;
 
2100
                if (password_value) {
 
2101
                        rc = windows_get_core_pw(password_value, password);
 
2102
                        if (LDAP_INVALID_CREDENTIALS == rc) {
 
2103
                                /* This password is stored in a non-cleartext format.
 
2104
                                 * We can only sync cleartext passwords. */
 
2105
                                slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
 
2106
                                                        "%s: windows_create_remote_entry: "
 
2107
                                                        "Password is already hashed.  Not syncing.\n",
 
2108
                                                        agmt_get_long_name(prp->agmt));
 
2109
                        }
 
2110
                        slapi_ch_free_string(&password_value);
 
2111
                }
 
2112
                if ((rc && (LDAP_INVALID_CREDENTIALS != rc)) || (NULL == *password)) {
 
2113
                        slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
 
2114
                                                "%s: windows_create_remote_entry: "
 
2115
                                                "Failed to retrieve clear text password.  "
 
2116
                                                "Not syncing.\n",
 
2117
                                                agmt_get_long_name(prp->agmt));
 
2118
                }
 
2119
        }
2051
2120
        /* NT4 must have the groupType attribute set for groups.  If it is not present, we will
2052
2121
         * add it here with a value of 2 (global group).
2053
2122
         */
2686
2755
                                                                /* This password is stored in a non-cleartext format.
2687
2756
                                                                 * We can only sync cleartext passwords. */
2688
2757
                                                                slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
2689
 
                                                                        "%s: windows_create_remote_entry: "
 
2758
                                                                        "%s: windows_map_mods_for_replay: "
2690
2759
                                                                        "Password is already hashed.  Not syncing.\n",
2691
2760
                                                                        agmt_get_long_name(prp->agmt));
2692
2761
                                                        }
2844
2913
        char *filter = NULL;
2845
2914
        const char *searchbase = NULL;
2846
2915
        Slapi_Entry *found_entry = NULL;
2847
 
        char *filter_escaped_value = NULL;
2848
 
        size_t vallen = 0;
2849
2916
 
2850
 
        vallen = value ? strlen(value) : 0;
2851
 
        filter_escaped_value = slapi_ch_calloc(sizeof(char), vallen*3+1);
2852
2917
        /* should not have to escape attribute names */
2853
 
        filter = PR_smprintf("(%s=%s)",attribute,escape_filter_value(value, vallen, filter_escaped_value));
2854
 
        slapi_ch_free_string(&filter_escaped_value);
 
2918
        filter = slapi_filter_sprintf("(%s=%s%s)",attribute, ESC_NEXT_VAL, value);
2855
2919
        searchbase = slapi_sdn_get_dn(windows_private_get_windows_subtree(prp->agmt));
2856
2920
        cres = windows_search_entry(prp->conn, (char*)searchbase, filter, &found_entry);
2857
2921
        if (cres)
2866
2930
        }
2867
2931
        if (filter)
2868
2932
        {
2869
 
                PR_smprintf_free(filter);
 
2933
                slapi_ch_free_string(&filter);
2870
2934
                filter = NULL;
2871
2935
        }
2872
2936
        return retval;
2966
3030
{
2967
3031
    Slapi_PBlock *pb = slapi_pblock_new();
2968
3032
    Slapi_Entry **entries = NULL, **ep = NULL;
2969
 
        Slapi_Entry *entry_found = NULL;
 
3033
    Slapi_Entry *entry_found = NULL;
 
3034
    LDAPControl **server_controls = NULL;
 
3035
    const char *subtree_dn = NULL;
 
3036
    char *subtree_dn_copy = NULL;
 
3037
    char **attrs = NULL;
2970
3038
    char *query = NULL;
2971
 
        int found_or_not = ENTRY_NOTFOUND;
2972
 
        int rval = 0;
2973
 
        const char *subtree_dn = NULL;
2974
 
        int not_unique = 0;
2975
 
        char *subtree_dn_copy = NULL;
2976
 
        int scope = LDAP_SCOPE_SUBTREE;
2977
 
        char **attrs = NULL;
2978
 
        LDAPControl **server_controls = NULL;
2979
 
        char *filter_escaped_value = NULL;
2980
 
        size_t vallen = 0;
 
3039
    int found_or_not = ENTRY_NOTFOUND;
 
3040
    int scope = LDAP_SCOPE_SUBTREE;
 
3041
    int not_unique = 0;
 
3042
    int rval = 0;
2981
3043
 
2982
3044
    if (pb == NULL)
2983
3045
        goto done;
2984
3046
 
2985
 
    vallen = value ? strlen(value) : 0;
2986
 
    filter_escaped_value = slapi_ch_calloc(sizeof(char), vallen*3+1);
2987
3047
    /* should not have to escape attribute names */
2988
 
    query = slapi_ch_smprintf("(%s=%s)", attribute, escape_filter_value(value, vallen, filter_escaped_value));
2989
 
    slapi_ch_free_string(&filter_escaped_value);
 
3048
    query = slapi_filter_sprintf("(%s=%s%s)", attribute, ESC_NEXT_VAL, value);
2990
3049
 
2991
3050
    if (query == NULL)
2992
 
                goto done;
 
3051
            goto done;
2993
3052
 
2994
 
        subtree_dn = slapi_sdn_get_dn(windows_private_get_directory_subtree(ra));
2995
 
        subtree_dn_copy = slapi_ch_strdup(subtree_dn);
 
3053
    subtree_dn = slapi_sdn_get_dn(windows_private_get_directory_subtree(ra));
 
3054
    subtree_dn_copy = slapi_ch_strdup(subtree_dn);
2996
3055
 
2997
3056
    winsync_plugin_call_pre_ds_search_entry_cb(ra, NULL, &subtree_dn_copy, &scope, &query,
2998
3057
                                               &attrs, &server_controls);
3010
3069
 
3011
3070
    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rval);
3012
3071
    if (rval != LDAP_SUCCESS)
3013
 
        {
3014
 
                goto done;
3015
 
        }
 
3072
    {
 
3073
        goto done;
 
3074
    }
3016
3075
 
3017
3076
    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
3018
3077
    if ((entries == NULL) || (entries[0] == NULL))
3019
 
        {
3020
 
                goto done;
3021
 
        }
3022
 
        entry_found = entries[0];
3023
 
        for (ep = entries; *ep; ep++) {
3024
 
                if (not_unique)
3025
 
                {
3026
 
                        found_or_not = ENTRY_NOT_UNIQUE;
3027
 
                }
3028
 
                not_unique = 1;
3029
 
        }
 
3078
    {
 
3079
        goto done;
 
3080
    }
 
3081
    entry_found = entries[0];
 
3082
    for (ep = entries; *ep; ep++) {
 
3083
        if (not_unique)
 
3084
        {
 
3085
            found_or_not = ENTRY_NOT_UNIQUE;
 
3086
        }
 
3087
        not_unique = 1;
 
3088
    }
3030
3089
done:
3031
 
        if (entry_found && (found_or_not != ENTRY_NOT_UNIQUE))
3032
 
        {
3033
 
                found_or_not = 0;
3034
 
                *e = slapi_entry_dup(entry_found);
3035
 
        }
3036
 
        if (pb)
3037
 
        {
3038
 
                slapi_free_search_results_internal(pb);
3039
 
                slapi_pblock_destroy(pb);
3040
 
        }
3041
 
        return found_or_not;
 
3090
    if (entry_found && (found_or_not != ENTRY_NOT_UNIQUE))
 
3091
    {
 
3092
        found_or_not = 0;
 
3093
        *e = slapi_entry_dup(entry_found);
 
3094
    }
 
3095
    if (pb)
 
3096
    {
 
3097
        slapi_free_search_results_internal(pb);
 
3098
        slapi_pblock_destroy(pb);
 
3099
    }
 
3100
    return found_or_not;
3042
3101
}
3043
3102
 
3044
3103
static int