author | Volker Lendecke <vlendec@samba.org> | 2004-09-25 10:12:34 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:52:48 -0500 |
commit | a9a4f22958a872ccb92596679787ba9afdbbb5af (patch) | |
tree | 3d1e9f88a47bec62a51e59a40e39fd7f66015944 /source3 | |
parent | 17ab9e8db1ddad310d7e2e565a9109d9a83cce72 (diff) | |
r2619: Only issue the ldap extended password change operation if the ldap server
supports it. This might be a fix for bugs 1823 and 1545, notifying both.
Also ignore object class violation errors from the extended operation. We
don't have the userPassword field in sambaSamAccount, and if we have such a
broken setup, with the user in /etc/passwd and only samba attribs in ldap, we fail
this :-)
Volker
(This used to be commit a32ea3bc881f516fb733cb4767ae5cf22d658b12)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/passdb/pdb_ldap.c | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 454aa8d870..60312d265f 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -1404,6 +1404,66 @@ static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT
 return NT_STATUS_OK;
 }
+static BOOL ldapsam_can_pwchange_exop(struct smbldap_state *ldap_state)
+{
+ LDAPMessage *msg = NULL;
+ LDAPMessage *entry = NULL;
+ char **values = NULL;
+ char *attrs[] = { "supportedExtension", NULL };
+ int rc, num_result, num_values, i;
+ BOOL result = False;
+
+ rc = smbldap_search(ldap_state, "", LDAP_SCOPE_BASE, "(objectclass=*)",
+ attrs, 0, &msg);
+
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(3, ("Could not search rootDSE\n"));
+ return False;
+ }
+
+ num_result = ldap_count_entries(ldap_state->ldap_struct, msg);
+
+ if (num_result != 1) {
+ DEBUG(3, ("Expected one rootDSE, got %d\n", num_result));
+ goto done;
+ }
+
+ entry = ldap_first_entry(ldap_state->ldap_struct, msg);
+
+ if (entry == NULL) {
+ DEBUG(3, ("Could not retrieve rootDSE\n"));
+ goto done;
+ }
+
+ values = ldap_get_values(ldap_state->ldap_struct, entry,
+ "supportedExtension");
+
+ if (values == NULL) {
+ DEBUG(9, ("LDAP Server does not support any extensions\n"));
+ goto done;
+ }
+
+ num_values = ldap_count_values(values);
+
+ if (num_values == 0) {
+ DEBUG(9, ("LDAP Server does not support any extensions\n"));
+ goto done;
+ }
+
+ for (i=0; i<num_values; i++) {
+ if (strcmp(values[i], LDAP_EXOP_MODIFY_PASSWD) == 0)
+ result = True;
+ }
+
+ done:
+ if (values != NULL)
+ ldap_value_free(values);
+ if (msg != NULL)
+ ldap_msgfree(msg);
+
+ return result;
+}
+
 /******************************************************************** Do the actual modification - also change a plaintext passord if it it set.
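Review bot: A failed rootDSE search (the `rc != LDAP_SUCCESS` branch) is reported as "extension unsupported", so a transient LDAP error makes the caller in the next hunk skip the userPassword update and still return NT_STATUS_OK — the user is told the change succeeded while the LDAP password was never synced. Consider separating "could not query" from "not supported" (a tri-state return, or letting the caller map the search failure to NT_STATUS_UNSUCCESSFUL) and logging the reason, e.g. `DEBUG(3, ("Could not search rootDSE: %s\n", ldap_err2string(rc)));`. The rootDSE is queried on every synced password change; since supportedExtension does not normally change within a connection, caching the answer in the smbldap_state would save a round trip, and the scan loop could `break;` once `result = True`. ldap_count_entries() returns -1 on error, which the `num_result != 1` check already handles.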
@@ -1467,6 +1527,12 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
 char *utf8_password;
 char *utf8_dn;
+ if (!ldapsam_can_pwchange_exop(ldap_state->smbldap_state)) {
+ DEBUG(2, ("ldap password change requested, but LDAP "
+ "server does not support it -- ignoring\n"));
+ return NT_STATUS_OK;
+ }
+
 if (push_utf8_allocate(&utf8_password, pdb_get_plaintext_passwd(newpwd)) == (size_t)-1) {
 return NT_STATUS_NO_MEMORY;
 }
@@ -1503,6 +1569,15 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
 bv, NULL, NULL, &retoid, &retdata)) != LDAP_SUCCESS) {
 char *ld_error = NULL;
+
+ if (rc == LDAP_OBJECT_CLASS_VIOLATION) {
+ DEBUG(3, ("Could not set userPassword "
+ "attribute due to an objectClass "
+ "violation -- ignoring\n"));
+ ber_bvfree(bv);
+ return NT_STATUS_OK;
+ }
+
 ldap_get_option(ldap_state->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
 DEBUG(0,("ldapsam_modify_entry: LDAP Password could not be changed for user %s: %s\n\t%s\n", |
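Review bot: The new early `return NT_STATUS_OK` downgrades a configured password sync to a silent no-op at DEBUG level 2, so an administrator who enabled ldap passwd sync against a server without the exop will not notice that Unix passwords stop following the NT hashes. A one-time message at level 0 or 1 naming the account would make the misconfiguration visible, e.g. `DEBUG(1, ("ldap password change for %s requested, but LDAP server does not support the password modify exop -- ignoring\n", pdb_get_username(newpwd)));`. ldapsam_modify_entry() starts and ends outside this hunk, so whether anything allocated earlier in the function must be released before this return cannot be confirmed here.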
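Review bot: The LDAP_OBJECT_CLASS_VIOLATION branch turns a failed userPassword update into NT_STATUS_OK at DEBUG level 3, so the NT hashes are updated while the Unix password keeps its old value and nothing above level 3 records it; tolerating this setup is the intent of the commit, but it should be loud enough to find in logs. Suggest level 1 with the account name, e.g. `DEBUG(1, ("Could not set userPassword for %s: objectClass violation -- ignoring\n", pdb_get_username(newpwd)));`, and note that the server's diagnostic string fetched via LDAP_OPT_ERROR_STRING just below is never logged for this case because the branch returns first. Freeing `bv` mirrors the existing failure path; whether the UTF-8 buffers from push_utf8_allocate() earlier in the function are already released at this point is outside the hunk and should be confirmed.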