"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
"SINGLE-VALUE "
#if 0
- /* Not until MANAGEDIT control is released */
+ /* Not until Relax control is released */
"NO-USER-MODIFICATION "
#endif
"USAGE directoryOperation )",
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
"SINGLE-VALUE "
#if 0
- /* Not until MANAGEDIT control is released */
+ /* Not until Relax control is released */
"NO-USER-MODIFICATION "
#endif
"USAGE directoryOperation )",
{
slap_overinst *on = (slap_overinst *)c->bi;
pp_info *pi = (pp_info *)on->on_bi.bi_private;
- BackendDB *be = (BackendDB *)c->be;
- const char *text;
int rc = ARG_BAD_CONF;
assert ( c->type == PPOLICY_DEFAULT );
memset( pp, 0, sizeof(PassPolicy) );
+ pp->ad = slap_schema.si_ad_userPassword;
+
/* Users can change their own password by default */
pp->pwdAllowUserChange = 1;
#if 0 /* Only worry about userPassword for now */
if ((a = attr_find( pe->e_attrs, ad_pwdAttribute )))
slap_bv2ad( &a->a_vals[0], &pp->ad, &text );
-#else
- pp->ad = slap_schema.si_ad_userPassword;
#endif
if ( ( a = attr_find( pe->e_attrs, ad_pwdMinAge ) )
return;
defaultpol:
- Debug( LDAP_DEBUG_ANY,
+ Debug( LDAP_DEBUG_TRACE,
"ppolicy_get: using default policy\n", 0, 0, 0 );
return;
}
if (cred->bv_val[e]) {
int rc;
rc = lutil_passwd_scheme( cred->bv_val );
- if (rc && sch) {
- sch->bv_val = cred->bv_val;
- sch->bv_len = e;
+ if (rc) {
+ if (sch) {
+ sch->bv_val = cred->bv_val;
+ sch->bv_len = e;
+ }
return LDAP_SUCCESS;
}
}
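Review bot: The scheme detection passes the entire credential (`cred->bv_val`) to `lutil_passwd_scheme()` rather than just the `{…}` prefix it is meant to classify, and the scheme berval it hands back has `bv_len = e`, which presumably stops at the closing brace rather than including it. Both are only correct if that helper matches by prefix and callers expect the scheme name without the `}`; neither is visible in this hunk, and the restructured `if (rc) { if (sch) … }` now returns LDAP_SUCCESS on a recognized scheme even when no `sch` is supplied, so any caller that treats "recognized scheme" as "pre-hashed, skip quality checks" is now taken down that path regardless of whether it asked for the scheme name. A one-line comment above the call would spare the next reader the lookup: `/* lutil_passwd_scheme() prefix-matches "{scheme}" against the full credential; sch, if given, receives the name without the closing '}' — confirm */`. The enclosing function, including the loop that positions `e`, starts outside the hunk.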
if ((pa = attr_find( op->oq_add.rs_e->e_attrs,
slap_schema.si_ad_userPassword )))
{
+ assert( pa->a_vals );
+ assert( !BER_BVISNULL( &pa->a_vals[ 0 ] ) );
+
+ if ( !BER_BVISNULL( &pa->a_vals[ 1 ] ) ) {
+ send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION, "Password policy only allows one password value" );
+ return rs->sr_err;
+ }
+
/*
* new entry contains a password - if we're not the root user
* then we need to check that the password fits in with the
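Review bot: The two `assert()` calls at the top of the new block are validating a client-supplied Add request, and they disappear under NDEBUG, at which point a `userPassword` attribute with an empty value list (`a_vals == NULL`, or a list terminated at index 0) makes the `&pa->a_vals[ 1 ]` test read past the end of the array. The frontend most likely refuses an attribute with no values before the overlay ever sees it, so this is presumably unreachable today, but an assert is not a check in a network daemon: in a debug build it is a remote crash, in a release build it is gone. Note also that the one-value rejection sits above the root-user exemption described in the comment that follows, so the constraint applies to rootdn as well; if that is intended, the comment should say so. Replace the asserts with an explicit rejection and keep the single-value check as is:
```c
if ( pa->a_vals == NULL || BER_BVISNULL( &pa->a_vals[ 0 ] ) ) {
	send_ldap_error( op, rs, LDAP_PROTOCOL_ERROR, "userPassword has no values" );
	return rs->sr_err;
}
/* … unchanged: single-value check, root-user check and the rest of the add handling … */
```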
pwmod = 1;
pwmop = ml->sml_op;
if ((deladd == 0) && (ml->sml_op == LDAP_MOD_DELETE) &&
- (ml->sml_values) && (ml->sml_values[0].bv_val != NULL)) {
+ (ml->sml_values) && !BER_BVISNULL( &ml->sml_values[0] ))
+ {
deladd = 1;
delmod = ml;
}
if ((deladd == 1) && ((ml->sml_op == LDAP_MOD_ADD) ||
- (ml->sml_op == LDAP_MOD_REPLACE)))
+ (ml->sml_op == LDAP_MOD_REPLACE)))
+ {
deladd = 2;
+ }
if ((ml->sml_op == LDAP_MOD_ADD) ||
(ml->sml_op == LDAP_MOD_REPLACE))
+ {
addmod = ml;
+
+ /* FIXME: there's no easy way to ensure
+ * that add does not cause multiple
+ * userPassword values; one way (that
+ * would be consistent with the single
+ * password constraint) would be to turn
+ * add into replace); another would be
+ * to disallow add.
+ *
+ * Let's check at least that a single value
+ * is being added
+ */
+ assert( addmod->sml_values != NULL );
+ assert( !BER_BVISNULL( &addmod->sml_values[ 0 ] ) );
+ if ( !BER_BVISNULL( &addmod->sml_values[ 1 ] ) ) {
+ rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
+ rs->sr_text = "Password policy only allows one password value";
+ goto return_results;
+ }
+ }
+
} else if (! is_at_operational( ml->sml_desc->ad_type )) {
mod_pw_only = 0;
/* modifying something other than password */
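Review bot: The single-value check on `addmod` only inspects the value list of the current modification, so two separate `LDAP_MOD_ADD` (or ADD followed by REPLACE) modifications of `userPassword` in one Modify request, each carrying a single value, both pass it and together leave two values — the same bypass the FIXME describes for an ADD onto an existing value, but achievable entirely within one request. Because `addmod` is overwritten on every pass (this block appears to sit inside the loop over the modlist; the loop header is outside the hunk), a second password modification can be caught at the point of assignment, assuming `addmod` starts out NULL; the delete-then-add flow that `deladd` tracks still involves only one ADD and is unaffected. The ADD-onto-an-existing-value case needs the entry's current attribute, which this hunk does not consult; until that is handled the FIXME should state plainly that the check is partial, so nobody reads it as enforcement. `return_results` is outside the hunk.
```c
if ( addmod != NULL ) {
	/* a second ADD/REPLACE of userPassword in the same request */
	rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
	rs->sr_text = "Password policy only allows one password value";
	goto return_results;
}
addmod = ml;
/* … unchanged: FIXME comment and the single-value check on addmod->sml_values … */
```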
rs->sr_text = "passwordPolicyRequest control value not empty";
return LDAP_PROTOCOL_ERROR;
}
- if ( ctrl->ldctl_iscritical ) {
- rs->sr_text = "passwordPolicyRequest control invalid criticality";
- return LDAP_PROTOCOL_ERROR;
- }
- op->o_ctrlflag[ppolicy_cid] = SLAP_CONTROL_NONCRITICAL;
+ op->o_ctrlflag[ppolicy_cid] = ctrl->ldctl_iscritical
+ ? SLAP_CONTROL_CRITICAL
+ : SLAP_CONTROL_NONCRITICAL;
return LDAP_SUCCESS;
}