OpenDJ / OPENDJ-6019

Backport OPENDJ-4674: Rest2ldap update request which includes same password fails

    Details

    • Type: Bug
    • Status: QA Backlog
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.5.3
    • Fix Version/s: 3.5.4
    • Component/s: common-repo, rest
    • Labels: None
    • Story Points: 1

      Description

      When a rest2ldap request is made using the "update" API (via HTTP PUT), the request incorrectly fails when it includes the cleartext form of the password that is already stored (hashed) on the entry.

      Consider this basic setup:

      User entry:

      dn: uid=jdoe,ou=People,dc=example,dc=com
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      objectClass: top
      givenName: John
      uid: jdoe
      cn: John Doe
      telephoneNumber: 1-415-599-1100
      sn: Doe
      mail: jdoe@example.com
      userPassword: Passw0rd
      

      rest2ldap config:

          "resourceTypes": {
              "example-v1": {
                  "subResources": {
                      "users": {
                          "type": "collection",
                          "dnTemplate": "ou=People,dc=example,dc=com",
                          "resource": "frapi:opendj:rest2ldap:user:1.0",
                          "namingStrategy": {
                              "type": "clientDnNaming",
                              "dnAttribute": "uid"
                          }
                      }
                  }
              },
      ...
                  "properties": {
                      "_id": {
                          "type": "simple",
                          "ldapAttribute": "uid",
                          "writability": "createOnly"
                      },
                      "cn": {
                          "type": "simple",
                          "ldapAttribute": "cn"
                      },
                      "givenName": {
                          "type": "simple",
                          "ldapAttribute": "givenName"
                      },
                      "sn": {
                          "type": "simple",
                          "ldapAttribute": "sn"
                      },
                      "userPassword": {
                          "type": "simple",
                          "ldapAttribute": "userPassword"
                      }
                  }
      

      REST calls:

      # read the user:
      export JDOE=$(curl -u "Directory Manager:password" http://localhost:8080/rest2ldap/api/users/jdoe)

      # get the current rev:
      export JDOE_REV=$(echo "$JDOE" | jq -r ._rev)

      # perform a no-op update call; expected to return successfully with no change:
      curl -u "Directory Manager:password" http://localhost:8080/rest2ldap/api/users/jdoe -X PUT -H 'Content-type:application/json' --data "$JDOE" -H "If-Match: $JDOE_REV"

      # change the hashed password response value into the same cleartext value
      # (jq edits the parsed JSON; a greedy sed over the serialized text can clobber neighbouring fields):
      export JDOE_MODIFIED=$(echo "$JDOE" | jq -c '.userPassword = "Passw0rd"')

      # attempt to update jdoe:
      curl -u "Directory Manager:password" http://localhost:8080/rest2ldap/api/users/jdoe -X PUT -H 'Content-type:application/json' --data "$JDOE_MODIFIED" -H "If-Match: $JDOE_REV"
      

      Expected result: 200 response. Revision updated, password re-hashed.
      Actual result:

      {"code":400,"reason":"Bad Request","message":"Attribute or Value Exists: The specified password value already exists in the user entry"}
      

      Note that if a similar change is made using PATCH, the request succeeds:

      curl -u "Directory Manager:password" http://localhost:8080/rest2ldap/api/users/jdoe -X PATCH -H 'Content-type:application/json' --data '[{"operation": "replace", "field": "/userPassword", "value": "Passw0rd"}]' -H "If-Match: $JDOE_REV"
      
      # successful response with updated user
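The four calls above (read, no-op PUT, PUT with the same cleartext password, PATCH replace) form a natural regression check for this backport. The script below is an added example, not code from the OpenDJ project or from the reporter: it replays that sequence through an injectable transport so the verdict logic runs offline against a constructed stand-in (which models only the behaviour the report describes, not OpenDJ's internals) and, with the default urllib transport, against a live rest2ldap endpoint. The base URL, credentials and `Passw0rd` are the report's own sample values; the hashed values in the stand-in are constructed placeholders.

```python
"""Regression check for the PUT-with-same-cleartext-password failure (added example,
not OpenDJ code). Replays the report's read / no-op PUT / cleartext PUT / PATCH
sequence through an injectable transport: plain urllib against a live rest2ldap
endpoint, or a constructed stand-in that models only what the report observed."""

import base64
import json
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8080/rest2ldap/api/users"   # from the report
CREDENTIALS = ("Directory Manager", "password")           # from the report
AVE_MESSAGE = "Attribute or Value Exists"                 # prefix of the reported 400


def http_transport(method, url, body=None, headers=None):
    """One HTTP Basic-authenticated request; returns (status, JSON body or {})."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(":".join(CREDENTIALS).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:          # rest2ldap errors carry a JSON body
        return err.code, json.loads(err.read() or b"{}")


def with_cleartext_password(resource, cleartext):
    """Copy of the read resource with userPassword swapped for the cleartext value (edits parsed JSON)."""
    updated = dict(resource)
    updated["userPassword"] = cleartext
    return updated


def classify_put_response(status, body):
    """'fixed' on 200, 'affected' on the reported 400, otherwise 'unexpected (<status>)'."""
    if status == 200:
        return "fixed"
    if status == 400 and AVE_MESSAGE in body.get("message", ""):
        return "affected"
    return f"unexpected ({status})"


def run_check(transport=http_transport, user="jdoe", cleartext="Passw0rd"):
    """Replay the report's four calls; every write carries If-Match with the current _rev."""
    url = f"{BASE_URL}/{user}"
    json_hdr = {"Content-Type": "application/json"}
    status, resource = transport("GET", url)
    assert status == 200, resource
    rev = resource["_rev"]
    # no-op PUT of the resource exactly as read: must succeed on any build
    status, body = transport("PUT", url, resource, {**json_hdr, "If-Match": rev})
    noop_ok = status == 200
    rev = body.get("_rev", rev)
    # PUT with the hashed value replaced by the same cleartext password
    payload = with_cleartext_password(resource, cleartext)
    status, body = transport("PUT", url, payload, {**json_hdr, "If-Match": rev})
    verdict = classify_put_response(status, body)
    rev = body.get("_rev", rev)                     # a 400 body carries no _rev
    # PATCH replace of the same value: succeeds even on affected builds
    patch = [{"operation": "replace", "field": "/userPassword", "value": cleartext}]
    status, _ = transport("PATCH", url, patch, {**json_hdr, "If-Match": rev})
    return {"noop_put_ok": noop_ok, "put_verdict": verdict, "patch_ok": status == 200}


def fake_rest2ldap(affected):
    """Constructed stand-in reproducing only the report's observations (not OpenDJ logic)."""
    state = {"_id": "jdoe", "_rev": "1", "cn": "John Doe", "givenName": "John",
             "sn": "Doe", "userPassword": "{SSHA512}constructed-hash"}

    def transport(method, url, body=None, headers=None):
        if headers and headers.get("If-Match") not in (None, state["_rev"]):
            return 412, {"code": 412, "reason": "Precondition Failed", "message": "stale _rev"}
        if method == "GET":
            return 200, dict(state)
        if method == "PATCH":
            for op in body:
                if op["operation"] == "replace":
                    state[op["field"].lstrip("/")] = op["value"]
            state["_rev"] = str(int(state["_rev"]) + 1)
            return 200, dict(state)
        if method == "PUT":
            if body.get("userPassword") == state["userPassword"]:
                return 200, dict(state)              # nothing changed, _rev kept
            if affected:
                return 400, {"code": 400, "reason": "Bad Request", "message":
                             "Attribute or Value Exists: The specified password value "
                             "already exists in the user entry"}
            state.update(body)
            state["userPassword"] = "{SSHA512}constructed-rehash"
            state["_rev"] = str(int(state["_rev"]) + 1)
            return 200, dict(state)
        return 405, {"code": 405, "reason": "Method Not Allowed", "message": method}

    return transport
```

`run_check(fake_rest2ldap(affected=True))` yields `put_verdict == "affected"` with the no-op PUT and the PATCH still succeeding, which is exactly the split the report describes; `run_check()` with no arguments performs the same sequence against the server at `BASE_URL`, and a `"fixed"` verdict there is the acceptance criterion for 3.5.4.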
      

      People

      • Assignee: Unassigned
      • Reporter: Chris Ridd (cjr)
      • Dev Assignee: Chris Ridd
      • QA Assignee: Ondrej Fuchsik
      • Votes: 0
      • Watchers: 1