/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 2004-2011 The OpenLDAP Foundation.
+ * Copyright 2004-2012 The OpenLDAP Foundation.
* Portions Copyright 2004-2005 Howard Chu, Symas Corporation.
* Portions Copyright 2004 Hewlett-Packard Company.
* All rights reserved.
if (be_isroot( op )) goto do_modify;
- if (!pp.pwdAllowUserChange) {
+ /* NOTE: according to draft-behera-ldap-password-policy
+ * pwdAllowUserChange == FALSE must only prevent pwd changes
+ * by the user the pwd belongs to (ITS#7021) */
+ if (!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "User alteration of password is not allowed";
pErr = PP_passwordModNotAllowed;