[Emacs-diffs] master 4a77d69 14/17: ldap-password-read: Validate passwor

emacs-diffs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Emacs-diffs] master 4a77d69 14/17: ldap-password-read: Validate passwor

From:	Stefan Monnier
Subject:	[Emacs-diffs] master 4a77d69 14/17: ldap-password-read: Validate password before caching it
Date:	Fri, 23 Jan 2015 22:20:35 +0000

branch: master
commit 4a77d69746d1d7d5ae32782075dcac1b6ed9f774
Author: Thomas Fitzsimmons <address@hidden>
Commit: Thomas Fitzsimmons <address@hidden>

    ldap-password-read: Validate password before caching it
    
    * net/ldap.el (ldap-password-read): Validate password before
    caching it.
    (ldap-search-internal): Handle ldapsearch error conditions.
---
 lisp/ChangeLog   |    6 +++++
 lisp/net/ldap.el |   65 ++++++++++++++++++++++++++++++++++++++++++-----------
 2 files changed, 57 insertions(+), 14 deletions(-)

diff --git a/lisp/ChangeLog b/lisp/ChangeLog
index 9748fe1..e602c1f 100644
--- a/lisp/ChangeLog
+++ b/lisp/ChangeLog
@@ -1,5 +1,11 @@
 2014-11-13  Thomas Fitzsimmons  <address@hidden>
 
+       * net/ldap.el (ldap-password-read): Validate password before
+       caching it.
+       (ldap-search-internal): Handle ldapsearch error conditions.
+
+2014-11-13  Thomas Fitzsimmons  <address@hidden>
+
        * net/ldap.el (ldap-password-read): Handle password-cache being
        nil.
 
diff --git a/lisp/net/ldap.el b/lisp/net/ldap.el
index 477c21b..dfa66f1 100644
--- a/lisp/net/ldap.el
+++ b/lisp/net/ldap.el
@@ -486,17 +486,44 @@ Additional search parameters can be specified through
 (defun ldap-password-read (host)
   "Read LDAP password for HOST.  If the password is cached, it is
 read from the cache, otherwise the user is prompted for the
-password and the password is cached.  The cache can be cleared
-with the `password-reset' function and the
-`password-cache-expiry' variable controls how long the password
-is cached for."
-  (password-read-and-add
-   (format "Enter LDAP Password%s: "
-                               (if (equal host "")
-                                   ""
-                                 (format " for %s" host)))
-   ;; Add ldap: namespace to allow empty string for default host.
-   (concat "ldap:" host)))
+password.  If `password-cache' is non-nil the password is
+verified and cached.  The `password-cache-expiry' variable
+controls for how long the password is cached.
+
+This function can be specified for the `passwd' property in
+`ldap-host-parameters-alist' when interactive password prompting
+is desired for HOST."
+  ;; Add ldap: namespace to allow empty string for default host.
+  (let* ((host-key (concat "ldap:" host))
+        (password (password-read
+                   (format "Enter LDAP Password%s: "
+                           (if (equal host "")
+                               ""
+                             (format " for %s" host)))
+                   host-key)))
+    (when (and password-cache
+              (not (password-in-cache-p host-key))
+              ;; Confirm the password is valid before adding it to
+              ;; the password cache.  ldap-search-internal will throw
+              ;; an error if the password is invalid.
+              (not (ldap-search-internal
+                    `(host ,host
+                           ;; Specify an arbitrary filter that should
+                           ;; produce no results, since only
+                           ;; authentication success is of interest.
+                           filter "emacs-test-password="
+                           attributes nil
+                           attrsonly nil
+                           withdn nil
+                           ;; Preempt passwd ldap-password-read
+                           ;; setting in ldap-host-parameters-alist.
+                           passwd ,password
+                           ,@(cdr
+                              (assoc
+                               host
+                               ldap-host-parameters-alist))))))
+      (password-cache-add host-key password))
+    password))
 
 (defun ldap-search-internal (search-plist)
   "Perform a search on a LDAP server.
@@ -620,10 +647,11 @@ an alist of attribute/value pairs."
          (setq arglist (nconc arglist (list (format "-z%s" sizelimit)))))
       (if passwd
          (let* ((process-connection-type nil)
+                (proc-args (append arglist ldap-ldapsearch-args
+                                   filter))
                 (proc (apply #'start-process "ldapsearch" buf
                              ldap-ldapsearch-prog
-                             (append arglist ldap-ldapsearch-args
-                                     filter))))
+                             proc-args)))
            (while (null (progn
                           (goto-char (point-min))
                           (re-search-forward
@@ -633,7 +661,16 @@ an alist of attribute/value pairs."
            (process-send-string proc passwd)
            (process-send-string proc "\n")
            (while (not (memq (process-status proc) '(exit signal)))
-             (sit-for 0.1)))
+             (sit-for 0.1))
+           (let ((status (process-exit-status proc)))
+             (when (not (eq status 0))
+               ;; Handle invalid credentials exit status specially
+               ;; for ldap-password-read.
+               (if (eq status 49)
+                   (error "Incorrect LDAP password")
+                 (error "Failed ldapsearch invocation: %s \"%s\""
+                        ldap-ldapsearch-prog
+                        (mapconcat 'identity proc-args "\" \""))))))
        (apply #'call-process ldap-ldapsearch-prog
               ;; Ignore stderr, which can corrupt results
               nil (list buf nil) nil

[Prev in Thread]

Current Thread

[Next in Thread]

[Emacs-diffs] master 6dda29f 03/17: Improve eudc-inline-query-format's default value, (continued)
- [Emacs-diffs] master 6dda29f 03/17: Improve eudc-inline-query-format's default value, Stefan Monnier, 2015/01/23
- [Emacs-diffs] master c8d2553 05/17: Ignore text properties in eudc-expand-inline, Stefan Monnier, 2015/01/23
- [Emacs-diffs] master b7d2dfa 06/17: Change eudc-expansion-overwrites-query default to nil, Stefan Monnier, 2015/01/23
- [Emacs-diffs] master 6a3a3b0 09/17: Downcase field names in LDAP results, Stefan Monnier, 2015/01/23
- [Emacs-diffs] master 87ff9ae 07/17: Add password-cache support to ldap.el, Stefan Monnier, 2015/01/23
- [Emacs-diffs] master ea0ea90 08/17: ldap-search-internal: Send password to ldapsearch through a pipe, Stefan Monnier, 2015/01/23
- [Emacs-diffs] master 1e1f5b9 10/17: Append LDAP wildcard character to end of search string, Stefan Monnier, 2015/01/23
- [Emacs-diffs] master 81d0909 12/17: Restore former eudc-expand-inline settings after a nonlocal exit, Stefan Monnier, 2015/01/23
- [Emacs-diffs] master 7860227 11/17: Do not ask the user for an LDAP base if a default has been provided, Stefan Monnier, 2015/01/23
- [Emacs-diffs] master 9006ccd 13/17: Handle nil password-cache in ldap-password-read, Stefan Monnier, 2015/01/23
- [Emacs-diffs] master 4a77d69 14/17: ldap-password-read: Validate password before caching it, Stefan Monnier <=
- [Emacs-diffs] master e56e1b9 16/17: Mention binddn in LDAP credentials error message, Stefan Monnier, 2015/01/23
- [Emacs-diffs] master a6d4651 15/17: Update LDAP configuration section of EUDC manual, Stefan Monnier, 2015/01/23
- [Emacs-diffs] master ac5475d 17/17: lisp/net/{eudc, ldap}: Merge branch streamline-eudc-configuration, Stefan Monnier, 2015/01/23

Prev by Date: [Emacs-diffs] master 9006ccd 13/17: Handle nil password-cache in ldap-password-read
Next by Date: [Emacs-diffs] master e56e1b9 16/17: Mention binddn in LDAP credentials error message
Previous by thread: [Emacs-diffs] master 9006ccd 13/17: Handle nil password-cache in ldap-password-read
Next by thread: [Emacs-diffs] master e56e1b9 16/17: Mention binddn in LDAP credentials error message
Index(es):
- Date
- Thread