avoid potential deadlock related to ACLs checking

diff --git a/servers/slapd/passwd.c b/servers/slapd/passwd.c
index a262a9911aa74009a485b084d9ad4139f9e2d982..265681c4a4aa34e303646cf56642dadc6bbccd94 100644 (file)
--- a/servers/slapd/passwd.c
+++ b/servers/slapd/passwd.c
@@ -415,33 +415,37 @@ slap_passwd_check(
        struct berval           *bv;
        AccessControlState      acl_state = ACL_STATE_INIT;
 
-#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
-       ldap_pvt_thread_mutex_lock( &passwd_mutex );
-#ifdef SLAPD_SPASSWD
-       lutil_passwd_sasl_conn = op->o_conn->c_sasl_authctx;
-#endif
-#endif
-
        for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
+               int     rc;
+
                /* if e is provided, check access */
                if ( e && access_allowed( op, e, a->a_desc, bv,
                                        ACL_AUTH, &acl_state ) == 0 )
                {
                        continue;
                }
-               
-               if ( !lutil_passwd( bv, cred, NULL, text ) ) {
-                       result = 0;
-                       break;
-               }
-       }
 
 #if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
+               ldap_pvt_thread_mutex_lock( &passwd_mutex );
 #ifdef SLAPD_SPASSWD
-       lutil_passwd_sasl_conn = NULL;
+               lutil_passwd_sasl_conn = op->o_conn->c_sasl_authctx;
 #endif
-       ldap_pvt_thread_mutex_unlock( &passwd_mutex );
 #endif
+       
+               rc = lutil_passwd( bv, cred, NULL, text );
+
+#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
+#ifdef SLAPD_SPASSWD
+               lutil_passwd_sasl_conn = NULL;
+#endif
+               ldap_pvt_thread_mutex_unlock( &passwd_mutex );
+#endif
+
+               if ( !rc ) {
+                       result = 0;
+                       break;
+               }
+       }
 
        return result;
 }