
Ticket #142 - [RFE] Default password syntax settings don't work with fine-grained policies

Description: When a fine-grained password syntax is not set, there is no
syntax restriction for the passwords to be added or modified even though
the global password syntax is configured.

This patch introduces a config parameter:
  cn=config.
  nsslapd-pwpolicy-inherit-global: on | off
If on, the fine-grained password syntax inherits the global password
syntax if the global one is configured.
If off, the inheritance does not occur.  This is the current behaviour.
By default, it is off.

https://fedorahosted.org/389/ticket/142

Reviewed by [email protected] (Thank you, William!!)
Noriko Hosoi 10 years ago
parent
commit
af1fc5e771

+ 1 - 1
ldap/servers/plugins/cos/cos_cache.c

@@ -2329,7 +2329,7 @@ static int cos_cache_query_attr(cos_cache *ptheCache, vattr_context *context,
 		/* now for the tests */
 
 		/* would we be allowed to supply this attribute if we had one? */
-		if(entry_has_value && pAttr->attr_override == 0 && pAttr->attr_operational == 0)
+		if (entry_has_value && !pAttr->attr_override && !pAttr->attr_operational && !pAttr->attr_operational_default)
 		{
 			/* answer: no, move on to the next attribute */
 			attr_index++;
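Review bot: The extra `!pAttr->attr_operational_default` term in the "would we be allowed to supply this attribute" test changes which attributes cos_cache_query_attr skips, but neither the hunk nor the commit description says why an operational-default attribute should still be supplied when the entry already has a value; this is the only cos change in a password-policy commit, so a reader will not connect the two. A one-line comment on the condition would carry that, for example `/* operational-default attrs are not skipped here; see ticket #142 */`, replacing the ticket reference with the actual reason if it differs. cos_cache_query_attr starts and ends outside the hunk, so I cannot tell whether attr_operational_default is also consulted further down.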

+ 33 - 1
ldap/servers/slapd/libglobs.c

@@ -186,6 +186,7 @@ slapi_onoff_t init_csnlogging;
 slapi_onoff_t init_pw_unlock;
 slapi_onoff_t init_pw_must_change;
 slapi_onoff_t init_pwpolicy_local;
+slapi_onoff_t init_pwpolicy_inherit_global;
 slapi_onoff_t init_pw_lockout;
 slapi_onoff_t init_pw_history;
 slapi_onoff_t init_pw_is_global_policy;
@@ -406,6 +407,10 @@ static struct config_get_and_set {
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.pwpolicy_local,
 		CONFIG_ON_OFF, NULL, &init_pwpolicy_local},
+	{CONFIG_PWPOLICY_INHERIT_GLOBAL_ATTRIBUTE, config_set_pwpolicy_inherit_global,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.pwpolicy_inherit_global,
+		CONFIG_ON_OFF, NULL, &init_pwpolicy_inherit_global},
 	{CONFIG_AUDITLOG_MAXLOGDISKSPACE_ATTRIBUTE, NULL,
 		log_set_maxdiskspace, SLAPD_AUDIT_LOG,
 		(void**)&global_slapdFrontendConfig.auditlog_maxdiskspace,
@@ -1506,6 +1511,7 @@ FrontendConfig_init () {
 
   init_readonly = cfg->readonly = LDAP_OFF;
   init_pwpolicy_local = cfg->pwpolicy_local = LDAP_OFF;
+  init_pwpolicy_inherit_global = cfg->pwpolicy_inherit_global = LDAP_OFF;
   init_pw_change = cfg->pw_policy.pw_change = LDAP_ON;
   init_pw_must_change = cfg->pw_policy.pw_must_change = LDAP_OFF;
   init_allow_hashed_pw = cfg->allow_hashed_pw = LDAP_OFF;
@@ -2581,7 +2587,6 @@ config_set_pw_history( const char *attrname, char *value, char *errorbuf, int ap
 }
 
 
-
 int
 config_set_pw_must_change( const char *attrname, char *value, char *errorbuf, int apply ) {
   int retVal = LDAP_SUCCESS;
@@ -2618,6 +2623,23 @@ config_set_pwpolicy_local( const char *attrname, char *value, char *errorbuf, in
   return retVal;
 }
 
+
+int
+config_set_pwpolicy_inherit_global(const char *attrname, char *value, char *errorbuf, int apply)
+{
+  int retVal = LDAP_SUCCESS;
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+  retVal = config_set_onoff (attrname,
+                             value,
+                             &(slapdFrontendConfig->pwpolicy_inherit_global),
+                             errorbuf,
+                             apply);
+
+  return retVal;
+}
+
+
 int
 config_set_allow_hashed_pw( const char *attrname, char *value, char *errorbuf, int apply ) {
   int retVal = LDAP_SUCCESS;
@@ -5711,6 +5733,16 @@ config_get_pw_warning() {
   return retVal;
 }
 
+int
+config_get_pwpolicy_inherit_global()
+{
+  slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+  int retVal;
+
+  retVal = slapdFrontendConfig->pwpolicy_inherit_global;
+  return retVal;
+}
+
 int
 config_get_errorlog_level(){
   slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
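Review bot: config_get_pwpolicy_inherit_global reads `slapdFrontendConfig->pwpolicy_inherit_global` with no locking around the access, whereas the neighbouring getters in this file (config_get_pw_warning just above, whose body is outside the hunk) appear to bracket their read with CFG_LOCK_READ/CFG_UNLOCK_READ; if that is the file's convention, the new getter should follow it so the field is read consistently with how config_set_onoff writes it. The `retVal` temporary adds nothing if no lock is taken — `return slapdFrontendConfig->pwpolicy_inherit_global;` is enough. A doc comment would help too, since this is a new knob: `/* Returns nsslapd-pwpolicy-inherit-global (LDAP_ON/LDAP_OFF); default is LDAP_OFF, see FrontendConfig_init */`.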

+ 2 - 0
ldap/servers/slapd/proto-slap.h

@@ -301,6 +301,7 @@ int config_set_pw_change(const char *attrname,  char *value, char *errorbuf, int
 int config_set_pw_must_change(const char *attrname,  char *value, char *errorbuf, int apply );
 int config_set_pwpolicy_local(const char *attrname,  char *value, char *errorbuf, int apply );
 int config_set_allow_hashed_pw( const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_pwpolicy_inherit_global(const char *attrname,  char *value, char *errorbuf, int apply );
 int config_set_pw_syntax(const char *attrname,  char *value, char *errorbuf, int apply );
 int config_set_pw_minlength(const char *attrname,  char *value, char *errorbuf, int apply );
 int config_set_pw_mindigits(const char *attrname,  char *value, char *errorbuf, int apply );
@@ -444,6 +445,7 @@ int config_get_pw_exp();
 int config_get_pw_unlock();
 int config_get_pw_lockout();
 int config_get_pw_gracelimit();
+int config_get_pwpolicy_inherit_global();
 int config_get_lastmod();
 int config_get_nagle();
 int config_get_accesscontrol();

+ 24 - 3
ldap/servers/slapd/pw.c

@@ -853,7 +853,7 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
 		}
 	}
 
-	if ( pwpolicy->pw_syntax == 1 ) {
+	if ( pwpolicy->pw_syntax == LDAP_ON ) {
 		for ( i = 0; vals[ i ] != NULL; ++i ) {
 			int syntax_violation = 0;
 			int num_digits = 0;
@@ -1057,7 +1057,7 @@ retry:
 	}
 
 	/* check for trivial words if syntax checking is enabled */
-	if ( pwpolicy->pw_syntax == 1 ) {
+	if ( pwpolicy->pw_syntax == LDAP_ON ) {
 		/* e is null if this is an add operation*/
 		if ( check_trivial_words ( pb, e, vals, "uid", pwpolicy->pw_mintokenlength, smods ) == 1 ||
 			check_trivial_words ( pb, e, vals, "cn", pwpolicy->pw_mintokenlength, smods ) == 1 ||
@@ -1999,7 +1999,28 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
 			if (pw_entry) {
 				slapi_entry_free(pw_entry);
 			}
-			if(pb){
+			if (LDAP_ON != pwdpolicy->pw_syntax) {
+				passwdPolicy *g_pwdpolicy = &(slapdFrontendConfig->pw_policy);
+				/* 
+				 * When the fine-grained password policy does not set the
+				 * password syntax, get the syntax from the global
+				 * policy if nsslapd-pwpolicy-inherit-global is on.
+				 */
+				if ((LDAP_ON == g_pwdpolicy->pw_syntax) && config_get_pwpolicy_inherit_global()) {
+					pwdpolicy->pw_minlength = g_pwdpolicy->pw_minlength;
+					pwdpolicy->pw_mindigits = g_pwdpolicy->pw_mindigits;
+					pwdpolicy->pw_minalphas = g_pwdpolicy->pw_minalphas;
+					pwdpolicy->pw_minuppers = g_pwdpolicy->pw_minuppers;
+					pwdpolicy->pw_minlowers = g_pwdpolicy->pw_minlowers;
+					pwdpolicy->pw_minspecials = g_pwdpolicy->pw_minspecials;
+					pwdpolicy->pw_min8bit = g_pwdpolicy->pw_min8bit;
+					pwdpolicy->pw_maxrepeats = g_pwdpolicy->pw_maxrepeats;
+					pwdpolicy->pw_mincategories = g_pwdpolicy->pw_mincategories;
+					pwdpolicy->pw_mintokenlength = g_pwdpolicy->pw_mintokenlength;
+					pwdpolicy->pw_syntax = LDAP_ON; /* Need to enable it to apply the default values */
+				}
+			}
+			if (pb) {
 				pb->pwdpolicy = pwdpolicy;
 			}
 			return pwdpolicy;
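Review bot: The `if (LDAP_ON != pwdpolicy->pw_syntax)` gate cannot tell a fine-grained policy that never set passwordCheckSyntax apart from one that explicitly set it to off, so if pw_syntax is initialised to LDAP_OFF (its initialisation is outside the hunk) an explicit local off is silently replaced by the global syntax whenever nsslapd-pwpolicy-inherit-global is on, while the commit description only speaks of the unset case. If an explicit local off is meant to win, the attribute's presence has to be recorded when the policy entry is parsed; otherwise the block comment should state the actual rule, e.g. append `A local passwordCheckSyntax of off is treated the same as unset here.` to it. The global policy is read through `g_pwdpolicy` without any lock visible in the hunk; if other reads of slapdFrontendConfig->pw_policy in this function are taken under the config read lock, this one should match. new_passwdPolicy begins outside the hunk.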

+ 3 - 0
ldap/servers/slapd/slap.h

@@ -2013,6 +2013,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_GROUPEVALNESTLEVEL_ATTRIBUTE "nsslapd-groupevalnestlevel"
 #define CONFIG_NAGLE_ATTRIBUTE "nsslapd-nagle"
 #define CONFIG_PWPOLICY_LOCAL_ATTRIBUTE "nsslapd-pwpolicy-local"
+#define CONFIG_PWPOLICY_INHERIT_GLOBAL_ATTRIBUTE "nsslapd-pwpolicy-inherit-global"
 #define CONFIG_ALLOW_HASHED_PW_ATTRIBUTE "nsslapd-allow-hashed-passwords"
 #define CONFIG_PW_CHANGE_ATTRIBUTE "passwordChange"
 #define CONFIG_PW_MUSTCHANGE_ATTRIBUTE "passwordMustChange"
@@ -2229,8 +2230,10 @@ typedef struct _slapdFrontendConfig {
 
   slapi_onoff_t pwpolicy_local;
   slapi_onoff_t pw_is_global_policy;
+  slapi_onoff_t pwpolicy_inherit_global;
   slapi_onoff_t allow_hashed_pw;
   passwdPolicy pw_policy;
+  slapi_onoff_t pw_policy_inherit_global;
 
   /* ACCESS LOG */
   slapi_onoff_t accesslog_logging_enabled;
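Review bot: Two members are added to _slapdFrontendConfig for the same setting: `pwpolicy_inherit_global` after pw_is_global_policy and `pw_policy_inherit_global` after pw_policy, and only the first is referenced anywhere else in the commit (the config table entry, config_set_pwpolicy_inherit_global and config_get_pwpolicy_inherit_global), so the second is a dead field that invites confusion over which one holds the effective value. Drop the `slapi_onoff_t pw_policy_inherit_global;` line. A comment on the kept member, `/* nsslapd-pwpolicy-inherit-global: fine-grained policies inherit the global password syntax when they set none */`, would tie it to the attribute it backs.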