Sync with HEAD
index aa343a1946535c26228134d229f6bacaaee6b337..cc5066ffa7042c7fc93de43953114d1668585cbf 100644 (file)
@@ -416,6 +416,8 @@ ppolicy_get( Operation *op, Entry *e, PassPolicy *pp )
 
        memset( pp, 0, sizeof(PassPolicy) );
 
+       pp->ad = slap_schema.si_ad_userPassword;
+
        /* Users can change their own password by default */
        pp->pwdAllowUserChange = 1;
 
@@ -444,8 +446,6 @@ ppolicy_get( Operation *op, Entry *e, PassPolicy *pp )
 #if 0  /* Only worry about userPassword for now */
        if ((a = attr_find( pe->e_attrs, ad_pwdAttribute )))
                slap_bv2ad( &a->a_vals[0], &pp->ad, &text );
-#else
-       pp->ad = slap_schema.si_ad_userPassword;
 #endif
 
        if ( ( a = attr_find( pe->e_attrs, ad_pwdMinAge ) )
@@ -501,7 +501,7 @@ ppolicy_get( Operation *op, Entry *e, PassPolicy *pp )
        return;
 
 defaultpol:
-       Debug( LDAP_DEBUG_ANY,
+       Debug( LDAP_DEBUG_TRACE,
                "ppolicy_get: using default policy\n", 0, 0, 0 );
        return;
 }
@@ -525,9 +525,11 @@ password_scheme( struct berval *cred, struct berval *sch )
        if (cred->bv_val[e]) {
                int rc;
                rc = lutil_passwd_scheme( cred->bv_val );
-               if (rc && sch) {
-                       sch->bv_val = cred->bv_val;
-                       sch->bv_len = e;
+               if (rc) {
+                       if (sch) {
+                               sch->bv_val = cred->bv_val;
+                               sch->bv_len = e;
+                       }
                        return LDAP_SUCCESS;
                }
        }
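Review bot: The restructured `if (rc)` branch now returns LDAP_SUCCESS for a recognised scheme prefix even when `sch` is NULL, whereas before a NULL `sch` fell through to whatever follows the hunk; that widening of the function's contract is not recorded anywhere a caller would look. A one-line comment above the new `if (rc)` would make the intent explicit, e.g. `/* a recognised scheme is a success even when the caller did not ask for it back */`. The head of password_scheme and its fall-through return lie outside this hunk, so the function-level comment (if any) may also need the same update.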
@@ -1276,6 +1278,19 @@ ppolicy_add(
        return SLAP_CB_CONTINUE;
 }
 
+static int
+ppolicy_mod_cb( Operation *op, SlapReply *rs )
+{
+       slap_callback *sc = op->o_callback;
+       op->o_callback = sc->sc_next;
+       if ( rs->sr_err == LDAP_SUCCESS ) {
+               ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
+               BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
+       }
+       op->o_tmpfree( sc, op->o_tmpmemctx );
+       return SLAP_CB_CONTINUE;
+}
+
 static int
 ppolicy_modify( Operation *op, SlapReply *rs )
 {
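Review bot: ppolicy_mod_cb frees the slap_callback it is running from and splices itself out of the chain on the assumption that `op->o_callback` points at this very entry when it is invoked; nothing at the function says so, and the later hunk installs the same function as both sc_response and sc_cleanup, so whichever fires first removes the entry and the other must never see it. A header comment should state that invariant, that `sc` is dead after the `o_tmpfree` line, and that the connection's restriction in `pwcons[...]` is cleared only when `rs->sr_err == LDAP_SUCCESS`. It is also worth noting, hedged, that in the cleanup path `rs->sr_err` may be consulted before a result has been set for the operation — confirm how slapd's cleanup playback initialises it.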
@@ -1673,7 +1688,23 @@ do_modify:
                struct berval timestamp;
                char timebuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
                time_t now = slap_get_time();
-               
+
+               /* If the conn is restricted, set a callback to clear it
+                * if the pwmod succeeds
+                */
+               if (!BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) {
+                       slap_callback *sc = op->o_tmpcalloc( 1, sizeof( slap_callback ),
+                               op->o_tmpmemctx );
+                       sc->sc_next = op->o_callback;
+                       /* Must use sc_response to insure we reset on success, before
+                        * the client sees the response. Must use sc_cleanup to insure
+                        * that it gets cleaned up if sc_response is not called.
+                        */
+                       sc->sc_response = ppolicy_mod_cb;
+                       sc->sc_cleanup = ppolicy_mod_cb;
+                       op->o_callback = sc;
+               }
+
                /*
                 * keep the necessary pwd.. operational attributes
                 * up to date.
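Review bot: The slap_callback returned by the `op->o_tmpcalloc( 1, sizeof( slap_callback ), ... )` call is written to on the very next line without a NULL check. If the slab allocator can return NULL on exhaustion instead of aborting (I cannot confirm that from this hunk), the `sc->sc_next = op->o_callback;` store dereferences a null pointer on a path that is only reached for restricted connections, which is exactly the path an attacker can steer a server onto. Either add a guard consistent with the enclosing function's error convention or document at the allocation that `o_tmpcalloc` never returns NULL, e.g. `/* o_tmpcalloc aborts on OOM; no NULL check needed */`. The enclosing ppolicy_modify body starts and ends outside this hunk.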
@@ -1897,11 +1928,9 @@ ppolicy_parseCtrl(
                rs->sr_text = "passwordPolicyRequest control value not empty";
                return LDAP_PROTOCOL_ERROR;
        }
-       if ( ctrl->ldctl_iscritical ) {
-               rs->sr_text = "passwordPolicyRequest control invalid criticality";
-               return LDAP_PROTOCOL_ERROR;
-       }
-       op->o_ctrlflag[ppolicy_cid] = SLAP_CONTROL_NONCRITICAL;
+       op->o_ctrlflag[ppolicy_cid] = ctrl->ldctl_iscritical
+               ? SLAP_CONTROL_CRITICAL
+               : SLAP_CONTROL_NONCRITICAL;
 
        return LDAP_SUCCESS;
 }
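Review bot: Recording `SLAP_CONTROL_CRITICAL` at the new ternary commits the server to attaching the passwordPolicy response control on every result path of an operation that carried it; where the overlay does not, RFC 4511 requires the operation to fail with unavailableCriticalExtension rather than succeed silently, which is what the removed check used to avoid by rejecting critical controls outright. The parse function cannot enforce that by itself, so a comment at the assignment naming the obligation would help reviewers of the response paths, e.g. `/* critical is accepted: every result for this op must then carry the ppolicy response control */`. Whether all of the overlay's response paths actually do so is outside this hunk and should be verified before relying on the relaxed check.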