Merge remote branch 'origin/mdb.master' into OPENLDAP_REL_ENG_2_4

[openldap] / servers / slapd / overlays / ppolicy.c

diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index 4064d003a2c7cbef877790a122e0207aca58381f..fad06485802d5b3f80679b5a27c7db77f1ec04b9 100644 (file)
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1,7 +1,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2010 The OpenLDAP Foundation.
+ * Copyright 2004-2011 The OpenLDAP Foundation.
  * Portions Copyright 2004-2005 Howard Chu, Symas Corporation.
  * Portions Copyright 2004 Hewlett-Packard Company.
  * All rights reserved.
@@ -587,13 +587,15 @@ static int
 check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyError *err, Entry *e, char **txt )
 {
        int rc = LDAP_SUCCESS, ok = LDAP_SUCCESS;
-       char *ptr = cred->bv_val;
+       char *ptr;
        struct berval sch;
 
        assert( cred != NULL );
        assert( pp != NULL );
        assert( txt != NULL );
 
+       ptr = cred->bv_val;
+
        *txt = NULL;
 
        if ((cred->bv_len == 0) || (pp->pwdMinLength > cred->bv_len)) {
@@ -1786,7 +1788,10 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 
        if (be_isroot( op )) goto do_modify;
 
-       if (!pp.pwdAllowUserChange) {
+       /* NOTE: according to draft-behera-ldap-password-policy
+        * pwdAllowUserChange == FALSE must only prevent pwd changes
+        * by the user the pwd belongs to (ITS#7021) */
+       if (!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)) {
                rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
                rs->sr_text = "User alteration of password is not allowed";
                pErr = PP_passwordModNotAllowed;
@@ -1969,23 +1974,26 @@ do_modify:
                timestamp.bv_len = sizeof(timebuf);
                slap_timestamp( &now, &timestamp );
 
-               mods = (Modifications *) ch_calloc( sizeof( Modifications ), 1 );
-               mods->sml_desc = ad_pwdChangedTime;
+               mods = NULL;
                if (pwmop != LDAP_MOD_DELETE) {
+                       mods = (Modifications *) ch_calloc( sizeof( Modifications ), 1 );
                        mods->sml_op = LDAP_MOD_REPLACE;
                        mods->sml_numvals = 1;
                        mods->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
                        ber_dupbv( &mods->sml_values[0], &timestamp );
                        BER_BVZERO( &mods->sml_values[1] );
                        assert( !BER_BVISNULL( &mods->sml_values[0] ) );
-
-               } else {
+               } else if (attr_find(e->e_attrs, ad_pwdChangedTime )) {
+                       mods = (Modifications *) ch_calloc( sizeof( Modifications ), 1 );
                        mods->sml_op = LDAP_MOD_DELETE;
                }
-               mods->sml_flags = SLAP_MOD_INTERNAL;
-               mods->sml_next = NULL;
-               modtail->sml_next = mods;
-               modtail = mods;
+               if (mods) {
+                       mods->sml_desc = ad_pwdChangedTime;
+                       mods->sml_flags = SLAP_MOD_INTERNAL;
+                       mods->sml_next = NULL;
+                       modtail->sml_next = mods;
+                       modtail = mods;
+               }
 
                if (attr_find(e->e_attrs, ad_pwdGraceUseTime )) {
                        mods = (Modifications *) ch_calloc( sizeof( Modifications ), 1 );