
202872 - Allow password modify extended operation when using SASL privacy layer

Nathan Kinder 19 年之前
父节点
当前提交
52ba2c0ace

+ 14 - 4
ldap/servers/slapd/passwd_extop.c

@@ -197,12 +197,12 @@ passwd_modify_extop( Slapi_PBlock *pb )
 {
 	char		*oid = NULL;
 	char 		*bindDN = NULL;
-    char        *authmethod = NULL;
+	char		*authmethod = NULL;
 	char		*dn = NULL;
 	char		*oldPasswd = NULL;
 	char		*newPasswd = NULL;
 	char		*errMesg = NULL;
-	int             ret=0, rc=0;
+	int             ret=0, rc=0, sasl_ssf=0;
 	unsigned long	tag=0, len=-1;
 	struct berval *extop_value = NULL;
 	BerElement	*ber = NULL;
@@ -248,9 +248,19 @@ passwd_modify_extop( Slapi_PBlock *pb )
 	/* Now , at least we know that the request was indeed a Password Modify one. */
 
 #ifdef LDAP_EXTOP_PASSMOD_CONN_SECURE
-	/* Allow password modify only for SSL/TLS established connections */
+	/* Allow password modify only for SSL/TLS established connections and
+	 * connections using SASL privacy layers */
 	conn = pb->pb_conn;
-	if ( (conn->c_flags & CONN_FLAG_SSL) != CONN_FLAG_SSL) {
+	if ( slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
+		errMesg = "Could not get SASL SSF from connection\n";
+		rc = LDAP_OPERATIONS_ERROR;
+		slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_extop",
+				 errMesg );
+		goto free_and_return;
+	}
+
+	if ( ((conn->c_flags & CONN_FLAG_SSL) != CONN_FLAG_SSL) &&
+	      (sasl_ssf <= 1) ) {
 		errMesg = "Operation requires a secure connection.\n";
 		rc = LDAP_CONFIDENTIALITY_REQUIRED;
 		goto free_and_return;
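Review bot: The TLS half of the new condition, `(conn->c_flags & CONN_FLAG_SSL)`, reads c_flags directly with no lock, while the SSF half of the same condition goes through slapi_pblock_get, which in this commit's pblock.c hunk copies the field under c_mutex; the two halves should take the same path, i.e. fetch `slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl)` with the same failure handling as the SSF lookup and test `if ( !is_ssl && (sasl_ssf <= 1) )`. The literal `1` needs a comment, because nothing in the code says why 1 is the boundary: `/* SSF of 1 is presumably integrity-only; > 1 means a privacy (encryption) layer is installed — confirm against the SASL library's SSF convention */`. The call `slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_extop", errMesg )` passes a non-literal as the format argument; errMesg is a constant without conversion specifiers today, but `"%s", errMesg` keeps it safe if the message is ever built dynamically. The rest of passwd_modify_extop, including the free_and_return label, lies outside the hunk.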

+ 10 - 0
ldap/servers/slapd/pblock.c

@@ -323,6 +323,16 @@ slapi_pblock_get( Slapi_PBlock *pblock, int arg, void *value )
 		(*(int *)value) = pblock->pb_conn->c_flags & CONN_FLAG_SSL;
 		PR_Unlock( pblock->pb_conn->c_mutex );
 		break;
+	case SLAPI_CONN_SASL_SSF:
+		if (pblock->pb_conn == NULL) {
+			LDAPDebug( LDAP_DEBUG_ANY,
+			  "Connection is NULL and hence cannot access SLAPI_CONN_SASL_SSF \n", 0, 0, 0 );
+			return (-1);
+		}
+		PR_Lock( pblock->pb_conn->c_mutex );
+		(*(int *)value) = pblock->pb_conn->c_sasl_ssf;
+		PR_Unlock( pblock->pb_conn->c_mutex );
+		break;
 	case SLAPI_CONN_CERT:
 		if (pblock->pb_conn == NULL) {
 			LDAPDebug( LDAP_DEBUG_ANY,

+ 1 - 0
ldap/servers/slapd/sasl_io.c

@@ -149,6 +149,7 @@ sasl_io_cleanup(Connection *c)
         c->c_sasl_io_private = NULL;
         c->c_enable_sasl_io = 0;
         c->c_sasl_io = 0;
+        c->c_sasl_ssf = 0;
     }
     return ret;
 }
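Review bot: The reset `c->c_sasl_ssf = 0;` sits inside a conditional whose condition begins outside the hunk, so any path through sasl_io_cleanup that skips that branch leaves the previously negotiated SSF on the connection, and passwd_extop would then accept a password modify over a connection whose SASL layer is already gone; if that branch is not taken on every teardown, the reset belongs before the `if`, next to the other unconditional cleanup. The field is also cleared without c_mutex while the new SLAPI_CONN_SASL_SSF getter reads it under the lock; it is worth stating in a comment whether callers of sasl_io_cleanup are expected to hold c_mutex already.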

+ 3 - 0
ldap/servers/slapd/saslbind.c

@@ -705,6 +705,7 @@ void ids_sasl_server_new(Connection *conn)
     }
     
     conn->c_sasl_conn = sasl_conn;
+    conn->c_sasl_ssf = 0;
 
     LDAPDebug( LDAP_DEBUG_TRACE, "<= ids_sasl_server_new\n", 0, 0, 0 );
 
@@ -986,6 +987,8 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
                                  "failed to enable sasl i/o",
                                  0, NULL);
                 }
+	        /* Set the SSF in the connection */
+	        pb->pb_conn->c_sasl_ssf = (unsigned)*ssfp;
             }
         }
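Review bot: `pb->pb_conn->c_sasl_ssf = (unsigned)*ssfp;` records the negotiated SSF after the block that reports "failed to enable sasl i/o" has closed, so unless that failure path exits earlier than the hunk shows, a connection that negotiated a privacy layer but could not install it would still satisfy the passwd_extop check while talking in cleartext; the store should be limited to the path where enabling SASL I/O succeeded. The store is also unlocked, while the reader added in pblock.c copies the field under c_mutex; wrap it as `PR_Lock(pb->pb_conn->c_mutex); pb->pb_conn->c_sasl_ssf = *ssfp; PR_Unlock(pb->pb_conn->c_mutex);`. The `(unsigned)` cast into an `int` field does nothing and can be dropped, or the field should carry the SSF type the SASL library uses. The enclosing `if` that guards this block starts outside the hunk.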
 

+ 1 - 0
ldap/servers/slapd/slap.h

@@ -1252,6 +1252,7 @@ typedef struct conn {
     sasl_io_private *c_sasl_io_private; /* Private data for SASL I/O Layer */
     int				c_enable_sasl_io; /* Flag to tell us to enable SASL I/O on the next read */
     int				c_sasl_io; /* Flag to tell us to enable SASL I/O on the next read */
+    int				c_sasl_ssf; /* flag to tell us the SASL SSF */
 } Connection;
 #define CONN_FLAG_SSL	1	/* Is this connection an SSL connection or not ? 
 							 * Used to direct I/O code when SSL is handled differently 
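Review bot: The comment on `c_sasl_ssf` calls it a flag, but the field holds a value: it is assigned from `*ssfp` in ids_sasl_check_bind, zeroed in ids_sasl_server_new and sasl_io_cleanup, and compared against 1 in passwd_modify_extop; suggest `/* SASL security strength factor negotiated on this connection; 0 until a SASL bind installs a layer. Read via SLAPI_CONN_SASL_SSF under c_mutex. */`. It is declared `int` yet written from an unsigned cast, so either drop the cast at the writer or declare the field with the library's SSF type so the comparison in passwd_extop is not signed/unsigned mixed. The rest of struct conn is outside the hunk.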

+ 1 - 0
ldap/servers/slapd/slapi-plugin.h

@@ -1294,6 +1294,7 @@ int slapi_reslimit_get_integer_limit( Slapi_Connection *conn, int handle,
 #define SLAPI_CONN_IS_SSL_SESSION 	747
 #define SLAPI_CONN_CERT				743
 #define SLAPI_CONN_AUTHMETHOD			746
+#define SLAPI_CONN_SASL_SSF			748
 
 /* 
  * Types of authentication for SLAPI_CONN_AUTHMETHOD