Merge remote branch 'origin/mdb.master' into OPENLDAP_REL_ENG_2_4

[openldap] / servers / slapd / overlays / ppolicy.c

diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index 43cc345d3ee9bf150cdf1ca4ad08f7ed0e3a49a5..fad06485802d5b3f80679b5a27c7db77f1ec04b9 100644 (file)
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1788,7 +1788,10 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 
        if (be_isroot( op )) goto do_modify;
 
-       if (!pp.pwdAllowUserChange) {
+       /* NOTE: according to draft-behera-ldap-password-policy
+        * pwdAllowUserChange == FALSE must only prevent pwd changes
+        * by the user the pwd belongs to (ITS#7021) */
+       if (!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)) {
                rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
                rs->sr_text = "User alteration of password is not allowed";
                pErr = PP_passwordModNotAllowed;