ITS#5285

diff --git a/CHANGES b/CHANGES
index e50a359f5653d391d2f3dc37ab91e3ac06e5d643..f4646ec1bbc7edba5d71cf52840592b02d8fc6ee 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -10,6 +10,7 @@ OpenLDAP 2.4.8 Engineering
        Fixed slapd-ldif delete (ITS#5265)
        Added slapo-autogroup contrib module (ITS#5145)
        Added slapo-constraint cross-attribute constraints (ITS#4987)
+       Fixed slapo-ppolicy password checking when no policy required it (ITS#5285)
        Added slapo-translucent local searching (ITS#5283)
        Fixed test047 to skip if rwm is not available (ITS#5292)
        Build Environment

diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index b7f32c3570d57d2162ee4615d3b0a52f5c891a4e..2610ea5831abf02fcb7ef3a1892452d0ccc688f5 100644 (file)
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1771,7 +1771,8 @@ ppolicy_modify( Operation *op, SlapReply *rs )
                }
        }
 
-       if (pa) {
+       /* If pwdInHistory is zero, passwords may be reused */
+       if (pa && pp.pwdInHistory > 0) {
                /*
                 * Last check - the password history.
                 */
@@ -1787,8 +1788,6 @@ ppolicy_modify( Operation *op, SlapReply *rs )
                        goto return_results;
                }
        
-               if (pp.pwdInHistory < 1) goto do_modify;
-       
                /*
                 * Iterate through the password history, and fail on any
                 * password matches.