Merge remote-tracking branch 'origin/mdb.master'

[openldap] / servers / slapd / overlays / ppolicy.c

diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index a550387b44cb355a84b7408e77da483d4e2cbff5..546756de71959ed6cdb81a50baaecb97f51d3fde 100644 (file)
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1,7 +1,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2010 The OpenLDAP Foundation.
+ * Copyright 2004-2012 The OpenLDAP Foundation.
  * Portions Copyright 2004-2005 Howard Chu, Symas Corporation.
  * Portions Copyright 2004 Hewlett-Packard Company.
  * All rights reserved.
@@ -591,13 +591,15 @@ static int
 check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyError *err, Entry *e, char **txt )
 {
        int rc = LDAP_SUCCESS, ok = LDAP_SUCCESS;
-       char *ptr = cred->bv_val;
+       char *ptr;
        struct berval sch;
 
        assert( cred != NULL );
        assert( pp != NULL );
        assert( txt != NULL );
 
+       ptr = cred->bv_val;
+
        *txt = NULL;
 
        if ((cred->bv_len == 0) || (pp->pwdMinLength > cred->bv_len)) {
@@ -1790,7 +1792,10 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 
        if (be_isroot( op )) goto do_modify;
 
-       if (!pp.pwdAllowUserChange) {
+       /* NOTE: according to draft-behera-ldap-password-policy
+        * pwdAllowUserChange == FALSE must only prevent pwd changes
+        * by the user the pwd belongs to (ITS#7021) */
+       if (!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)) {
                rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
                rs->sr_text = "User alteration of password is not allowed";
                pErr = PP_passwordModNotAllowed;