]> git.sur5r.net Git - openldap/commitdiff
projects / openldap / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 05ea787)
ITS#8080 nssov: require old password unless pwdmgr
authorRyan Tandy <ryan@nardis.ca>
Mon, 16 Mar 2015 05:58:02 +0000 (05:58 +0000)
committerHoward Chu <hyc@openldap.org>
Wed, 18 Mar 2015 20:47:32 +0000 (20:47 +0000)
contrib/slapd-modules/nssov/pam.c patch | blob | history

diff --git a/contrib/slapd-modules/nssov/pam.c b/contrib/slapd-modules/nssov/pam.c
index 7e1c4d7aaf495fad3401cd9cf1ed494fe39109c9..487e1930601a3e5ac34db570329fcd6ef1ff6716 100644 (file)
--- a/contrib/slapd-modules/nssov/pam.c
+++ b/contrib/slapd-modules/nssov/pam.c
@@ -780,6 +780,14 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
                }
        }
 
+       if (!pi.ispwdmgr && BER_BVISEMPTY(&pi.pwd)) {
+               Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(), %s\n",
+                       "not pwdmgr and old pwd empty", 0, 0);
+               ber_str2bv("must provide old password", 0, 0, &pi.msg);
+               rc = NSLCD_PAM_PERM_DENIED;
+               goto done;
+       }
+
        BerElementBuffer berbuf;
        BerElement *ber = (BerElement *)&berbuf;
        struct berval bv;
@@ -792,7 +800,7 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
                ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_ID,
                        &pi.dn);
        /* supply old pwd only when end-user changing pwd */
-       if (!BER_BVISEMPTY(&pi.pwd) && pi.ispwdmgr == 0)
+       if (pi.ispwdmgr == 0)
                ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_OLD,
                        &pi.pwd);
        if (!BER_BVISEMPTY(&npw))
Cloned from git://git.openldap.org/openldap.git