From a6b369006bacdb8133c1d6a686b23bcfd828756d Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Sat, 9 Feb 2008 00:47:10 +0000
Subject: [PATCH] ITS#5285

---
 CHANGES                          | 1 +
 servers/slapd/overlays/ppolicy.c | 5 ++---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index e50a359f56..f4646ec1bb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -10,6 +10,7 @@ OpenLDAP 2.4.8 Engineering
 	Fixed slapd-ldif delete (ITS#5265)
 	Added slapo-autogroup contrib module (ITS#5145)
 	Added slapo-constraint cross-attribute constraints (ITS#4987)
+	Fixed slapo-ppolicy password checking when no policy required it (ITS#5285)
 	Added slapo-translucent local searching (ITS#5283)
 	Fixed test047 to skip if rwm is not available (ITS#5292)
 	Build Environment
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index b7f32c3570..2610ea5831 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1771,7 +1771,8 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 		}
 	}
 
-	if (pa) {
+	/* If pwdInHistory is zero, passwords may be reused */
+	if (pa && pp.pwdInHistory > 0) {
 		/*
 		 * Last check - the password history.
 		 */
@@ -1787,8 +1788,6 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 			goto return_results;
 		}
 	
-		if (pp.pwdInHistory < 1) goto do_modify;
-	
 		/*
 		 * Iterate through the password history, and fail on any
 		 * password matches.
-- 
2.39.5