From 6a6a18307477865c3f6c99158bf91d4816a0bc2b Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Wed, 11 Jul 2007 19:50:27 +0000
Subject: [PATCH] Update the bind processing code so that the ClientConnection.bindInProgress flag will not be unset between stages of a multi-stage SASL bind.
---
opends/resource/schema/02-config.ldif | 9 +++-
opends/src/server/org/opends/server/core/BindOperationBasis.java | 13 ++++--
opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml | 53 ++++++++++++++++++++++++++
opends/src/server/org/opends/server/core/PasswordPolicy.java | 24 ++++++++++++
4 files changed, 91 insertions(+), 8 deletions(-)
diff --git a/opends/resource/schema/02-config.ldif b/opends/resource/schema/02-config.ldif
index 201b264..d3f874a 100644
--- a/opends/resource/schema/02-config.ldif
+++ b/opends/resource/schema/02-config.ldif
@@ -1475,6 +1475,9 @@
NAME 'ds-cfg-strip-syntax-minimum-upper-bound'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE
X-ORIGIN 'OpenDS Directory Server' )
+attributeTypes: ( 1.3.6.1.4.1.26027.1.1.443
+ NAME 'ds-cfg-state-update-failure-policy'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenDS Directory Server' )
objectClasses: ( 1.3.6.1.4.1.26027.1.2.1
NAME 'ds-cfg-access-control-handler' SUP top STRUCTURAL
MUST ( cn $ ds-cfg-acl-handler-class $ ds-cfg-acl-handler-enabled )
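Review bot: The new `ds-cfg-state-update-failure-policy` attribute type is defined without SINGLE-VALUE, whereas the admin property it backs is declared `multi-valued="false"` in PasswordPolicyConfiguration.xml and the neighbouring `ds-cfg-strip-syntax-minimum-upper-bound` definition does carry the flag. As written the LDAP schema will accept several policy values on one password-policy entry, leaving only the admin layer to reject the second value, and the two definitions disagree about the property's cardinality. Suggest `SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'OpenDS Directory Server' )` so the schema matches the admin definition.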
@@ -1602,7 +1605,7 @@
X-ORIGIN 'OpenDS Directory Server' )
objectClasses: ( 1.3.6.1.4.1.26027.1.2.23 NAME 'ds-cfg-access-logger'
SUP ds-cfg-logger
- STRUCTURAL MAY ( ds-cfg-suppress-internal-operations $
+ STRUCTURAL MAY ( ds-cfg-suppress-internal-operations $
ds-cfg-suppress-synchronization-operations )
X-ORIGIN 'OpenDS Directory Server' )
objectClasses: ( 1.3.6.1.4.1.26027.1.2.24 NAME 'ds-cfg-error-logger'
@@ -1803,8 +1806,8 @@
ds-cfg-password-validator-dn $ ds-cfg-previous-last-login-time-format $
ds-cfg-require-change-by-time $ ds-cfg-require-secure-authentication $
ds-cfg-require-secure-password-changes $
- ds-cfg-skip-validation-for-administrators )
- X-ORIGIN 'OpenDS Directory Server' )
+ ds-cfg-skip-validation-for-administrators $
+ ds-cfg-state-update-failure-policy ) X-ORIGIN 'OpenDS Directory Server' )
objectClasses: ( 1.3.6.1.4.1.26027.1.2.63 NAME
'ds-cfg-jmx-connection-handler' SUP ds-cfg-connection-handler
STRUCTURAL MUST ( ds-cfg-listen-port $ ds-cfg-ssl-cert-nickname $
diff --git a/opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml b/opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml
index 70a2c3d..933f525 100644
--- a/opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml
+++ b/opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml
@@ -944,4 +944,57 @@
</ldap:attribute>
</adm:profile>
</adm:property>
+
+ <adm:property name="state-update-failure-policy" mandatory="false"
+ multi-valued="false">
+ <adm:synopsis>
+ Specifies how the server should deal with the inability to update password
+ policy state information during an authentication attempt. In particular,
+ it may be used to control whether an otherwise successful bind operation
+ should fail if a failure occurs while attempting to update password policy
+ state information (e.g., to clear a record of previous authentication
+ failures or to update the last login time), or even whether to reject a
+ bind request if it is known aheaed of time that it will not be possible to
+ update the authentication failure times in the event of an unsuccessful
+ bind attempt (e.g., if the backend writability mode is disabled).
+ </adm:synopsis>
+ <adm:default-behavior>
+ <adm:defined>
+ <adm:value>reactive</adm:value>
+ </adm:defined>
+ </adm:default-behavior>
+ <adm:syntax>
+ <adm:enumeration>
+ <adm:value name="ignore">
+ <adm:synopsis>
+ If a bind attempt would otherwise be successful, then do not reject
+ it if a problem occurs while attempting to update the password
+ policy state information for the user.
+ </adm:synopsis>
+ </adm:value>
+ <adm:value name="reactive">
+ <adm:synopsis>
+ Even if a bind attempt would otherwise be successful, reject it if a
+ problem occurs while attempting to update the password policy state
+ information for the user.
+ </adm:synopsis>
+ </adm:value>
+ <adm:value name="proactive">
+ <adm:synopsis>
+ Proactively reject any bind attempt if it is known ahead of time
+ that it would not be possible to update the user's password policy
+ state information.
+ </adm:synopsis>
+ </adm:value>
+ </adm:enumeration>
+ </adm:syntax>
+ <adm:profile name="ldap">
+ <ldap:attribute>
+ <ldap:oid>1.3.6.1.4.1.26027.1.1.443</ldap:oid>
+ <ldap:name>ds-cfg-state-update-failure-policy</ldap:name>
+ </ldap:attribute>
+ </adm:profile>
+ </adm:property>
+
</adm:managed-object>
+
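Review bot: The synopses for `ignore` and `reactive` do not spell out the security consequence of those settings: whenever the authentication-failure times cannot be written after an unsuccessful bind (the synopsis itself cites a backend with writability disabled), the lockout counter never advances and account-lockout protection against password guessing is effectively off, and only `proactive` closes that window. Since `reactive` is the default, a sentence such as "Note that with this setting, an inability to record failed authentication attempts will not be detected, so account lockout may not be enforced while the backend is not writable." belongs in the `reactive` synopsis, with a similar one for `ignore`. There is also a typo in the property synopsis: `aheaed` should read `ahead`.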
diff --git a/opends/src/server/org/opends/server/core/BindOperationBasis.java b/opends/src/server/org/opends/server/core/BindOperationBasis.java
index 541d04a..72f04e8 100644
--- a/opends/src/server/org/opends/server/core/BindOperationBasis.java
+++ b/opends/src/server/org/opends/server/core/BindOperationBasis.java
@@ -827,6 +827,7 @@
logBindRequest(this);
logBindResponse(this);
+ clientConnection.setBindInProgress(false);
return;
}
else if (preParseResult.sendResponseImmediately())
@@ -884,14 +885,16 @@
setProcessingStopTime();
logBindResponse(this);
invokePostResponsePlugins();
+ clientConnection.setBindInProgress(false);
return;
}
- // Unset the "bind in progress" flag to allow other operations to be
- // processed.
- // FIXME -- Make sure this also gets unset at every possible point at which
- // the bind could fail and this method could return early.
- clientConnection.setBindInProgress(false);
+ // If the bind processing is finished, then unset the "bind in progress"
+ // flag to allow other operations to be processed on the connection.
+ if (getResultCode() != ResultCode.SASL_BIND_IN_PROGRESS)
+ {
+ clientConnection.setBindInProgress(false);
+ }
// Stop the processing timer.
setProcessingStopTime();
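Review bot: The conditional reset of the bind-in-progress flag only runs on the normal fall-through path, and the two early-return resets added above are still per-site; any unchecked exception escaping the bind processing between the point where the flag is set (outside this hunk) and here leaves `bindInProgress` set, which by the comment's own description blocks every further operation on that connection. The removed FIXME was exactly this concern, and removing it without a structural guarantee hides it. A `try { ... } finally { if (getResultCode() != ResultCode.SASL_BIND_IN_PROGRESS) { clientConnection.setBindInProgress(false); } }` around the processing body in the enclosing method would cover every exit, including the early returns, with one statement. It is also worth a comment here that a client which starts a multi-stage SASL exchange and never sends the next stage keeps the connection in bind-in-progress state unless something elsewhere times it out. The enclosing method begins before and ends after this hunk.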
diff --git a/opends/src/server/org/opends/server/core/PasswordPolicy.java b/opends/src/server/org/opends/server/core/PasswordPolicy.java
index 14fea7d..6e5eb90 100644
--- a/opends/src/server/org/opends/server/core/PasswordPolicy.java
+++ b/opends/src/server/org/opends/server/core/PasswordPolicy.java
@@ -39,6 +39,7 @@
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.CopyOnWriteArraySet;
+import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn;
import org.opends.server.admin.std.server.PasswordPolicyCfg;
import org.opends.server.admin.std.server.PasswordValidatorCfg;
import org.opends.server.api.AccountStatusNotificationHandler;
@@ -215,6 +216,11 @@
private CopyOnWriteArrayList<String> previousLastLoginTimeFormats =
new CopyOnWriteArrayList<String>();
+ // The state update failure policy.
+ private PasswordPolicyCfgDefn.StateUpdateFailurePolicy
+ stateUpdateFailurePolicy =
+ PasswordPolicyCfgDefn.StateUpdateFailurePolicy.REACTIVE;
+
/**
@@ -801,6 +807,11 @@
// Get the idle lockout duration.
this.idleLockoutInterval = (int) configuration.getIdleLockoutInterval();
+
+ // Get the state update failure policy.
+ this.stateUpdateFailurePolicy = configuration.getStateUpdateFailurePolicy();
+
+
/*
* Holistic validation.
*/
@@ -1448,6 +1459,19 @@
/**
+ * Retrieves the state update failure policy for this password policy.
+ *
+ * @return The state update failure policy for this password policy.
+ */
+ public PasswordPolicyCfgDefn.StateUpdateFailurePolicy
+ getStateUpdateFailurePolicy()
+ {
+ return stateUpdateFailurePolicy;
+ }
+
+
+
+ /**
* Retrieves a string representation of this password policy.
*
* @return A string representation of this password policy.
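Review bot: The Javadoc for `getStateUpdateFailurePolicy()` says nothing about what the returned value governs, and no caller of the new getter appears anywhere in this patch, so as far as the diff shows the configured `ignore`/`reactive`/`proactive` choice is stored but not yet acted on (it may be consumed in a later change; the subject line of this commit only mentions the bindInProgress fix). Suggest extending the Javadoc with a sentence along the lines of "The policy controls whether a bind is rejected when the user's password policy state (failure times, last login time) cannot be updated; see {@link PasswordPolicyCfgDefn.StateUpdateFailurePolicy}." so a reader of this class knows where the value matters.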
--
Gitblit v1.10.0