X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;ds=sidebyside;f=servers%2Fslapd%2Foverlays%2Fppolicy.c;h=e5b0045fcefc901d480b3c21054563596366c1fb;hb=a255e44bf0fcb703a3a5ac58117fd54a00727fd1;hp=64d1a3ff1695c5dba3d66ac472e8976adfe65a5a;hpb=bf82752ed2b140cc3c5bd6a618cfe5f5f9be8ac2;p=openldap

diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index 64d1a3ff16..e5b0045fce 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1,7 +1,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2004-2010 The OpenLDAP Foundation.
+ * Copyright 2004-2012 The OpenLDAP Foundation.
  * Portions Copyright 2004-2005 Howard Chu, Symas Corporation.
  * Portions Copyright 2004 Hewlett-Packard Company.
  * All rights reserved.
@@ -587,13 +587,15 @@ static int
 check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyError *err, Entry *e, char **txt )
 {
 	int rc = LDAP_SUCCESS, ok = LDAP_SUCCESS;
-	char *ptr = cred->bv_val;
+	char *ptr;
 	struct berval sch;
 
 	assert( cred != NULL );
 	assert( pp != NULL );
 	assert( txt != NULL );
 
+	ptr = cred->bv_val;
+
 	*txt = NULL;
 
 	if ((cred->bv_len == 0) || (pp->pwdMinLength > cred->bv_len)) {
@@ -1161,6 +1163,11 @@ locked:
 			c.ldctl_iscritical = 1;
 			c.ldctl_oid = LDAP_CONTROL_RELAX;
 		} else {
+			/* If not forwarding, don't update opattrs and don't replicate */
+			if ( SLAP_SINGLE_SHADOW( op->o_bd )) {
+				op2.orm_no_opattrs = 1;
+				op2.o_dont_replicate = 1;
+			}
 			op2.o_bd->bd_info = (BackendInfo *)on->on_info;
 		}
 		rc = op2.o_bd->be_modify( &op2, &r2 );
@@ -1781,7 +1788,10 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 
 	if (be_isroot( op )) goto do_modify;
 
-	if (!pp.pwdAllowUserChange) {
+	/* NOTE: according to draft-behera-ldap-password-policy
+	 * pwdAllowUserChange == FALSE must only prevent pwd changes
+	 * by the user the pwd belongs to (ITS#7021) */
+	if (!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)) {
 		rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 		rs->sr_text = "User alteration of password is not allowed";
 		pErr = PP_passwordModNotAllowed;
@@ -1964,23 +1974,26 @@ do_modify:
 		timestamp.bv_len = sizeof(timebuf);
 		slap_timestamp( &now, &timestamp );
 
-		mods = (Modifications *) ch_calloc( sizeof( Modifications ), 1 );
-		mods->sml_desc = ad_pwdChangedTime;
+		mods = NULL;
 		if (pwmop != LDAP_MOD_DELETE) {
+			mods = (Modifications *) ch_calloc( sizeof( Modifications ), 1 );
 			mods->sml_op = LDAP_MOD_REPLACE;
 			mods->sml_numvals = 1;
 			mods->sml_values = (BerVarray) ch_malloc( 2 * sizeof( struct berval ) );
 			ber_dupbv( &mods->sml_values[0], &timestamp );
 			BER_BVZERO( &mods->sml_values[1] );
 			assert( !BER_BVISNULL( &mods->sml_values[0] ) );
-
-		} else {
+		} else if (attr_find(e->e_attrs, ad_pwdChangedTime )) {
+			mods = (Modifications *) ch_calloc( sizeof( Modifications ), 1 );
 			mods->sml_op = LDAP_MOD_DELETE;
 		}
-		mods->sml_flags = SLAP_MOD_INTERNAL;
-		mods->sml_next = NULL;
-		modtail->sml_next = mods;
-		modtail = mods;
+		if (mods) {
+			mods->sml_desc = ad_pwdChangedTime;
+			mods->sml_flags = SLAP_MOD_INTERNAL;
+			mods->sml_next = NULL;
+			modtail->sml_next = mods;
+			modtail = mods;
+		}
 
 		if (attr_find(e->e_attrs, ad_pwdGraceUseTime )) {
 			mods = (Modifications *) ch_calloc( sizeof( Modifications ), 1 );
@@ -2230,7 +2243,7 @@ ppolicy_db_init(
 		if ( cr ){
 			snprintf( cr->msg, sizeof(cr->msg), 
 				"slapo-ppolicy cannot be global" );
-			fprintf( stderr, "%s\n", cr->msg );
+			Debug( LDAP_DEBUG_ANY, "%s\n", cr->msg, 0, 0 );
 		}
 		return 1;
 	}
@@ -2247,7 +2260,7 @@ ppolicy_db_init(
 					snprintf( cr->msg, sizeof(cr->msg), 
 						"User Schema load failed for attribute \"%s\". Error code %d: %s",
 						pwd_UsSchema[i].def, code, err );
-					fprintf( stderr, "%s\n", cr->msg );
+					Debug( LDAP_DEBUG_ANY, "%s\n", cr->msg, 0, 0 );
 				}
 				return code;
 			}
@@ -2298,6 +2311,10 @@ ppolicy_close(
 	slap_overinst *on = (slap_overinst *) be->bd_info;
 	pp_info *pi = on->on_bi.bi_private;
 
+#ifdef SLAP_CONFIG_DELETE
+	overlay_unregister_control( be, LDAP_CONTROL_PASSWORDPOLICYREQUEST );
+#endif /* SLAP_CONFIG_DELETE */
+
 	/* Perhaps backover should provide bi_destroy hooks... */
 	ov_count--;
 	if ( ov_count <=0 && pwcons ) {
@@ -2340,7 +2357,7 @@ int ppolicy_initialize()
 		SLAP_CTRL_ADD|SLAP_CTRL_BIND|SLAP_CTRL_MODIFY|SLAP_CTRL_HIDE, extops,
 		ppolicy_parseCtrl, &ppolicy_cid );
 	if ( code != LDAP_SUCCESS ) {
-		fprintf( stderr, "Failed to register control %d\n", code );
+		Debug( LDAP_DEBUG_ANY, "Failed to register control %d\n", code, 0, 0 );
 		return code;
 	}