From b6ec428a7bfe1b9e310a5a15529fd1d1d909bf8f Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Sat, 20 Aug 2011 18:50:33 -0600
Subject: [PATCH] according to draft-behera, this attribute only affects password modifies by self (ITS#7021)
---
 servers/slapd/overlays/ppolicy.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index 43cc345d3e..fad0648580 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1788,7 +1788,10 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 if (be_isroot( op )) goto do_modify;
- if (!pp.pwdAllowUserChange) {
+ /* NOTE: according to draft-behera-ldap-password-policy
+ * pwdAllowUserChange == FALSE must only prevent pwd changes
+ * by the user the pwd belongs to (ITS#7021) */
+ if (!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)) {
 rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 rs->sr_text = "User alteration of password is not allowed";
 pErr = PP_passwordModNotAllowed;
--
2.39.5
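Review bot: The added comment gives the draft's rule but not its consequence for access control: with the new condition `!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)`, a non-root identity whose DN differs from the target entry is no longer stopped by this check, so limiting who may write another entry's password presumably rests on the ACLs alone. I would add a line to the comment such as `* changes by any other identity are not restricted here and must be limited by ACLs`. It would also help to name the two operands in the comment (`o_req_ndn` as the entry being modified, `o_ndn` as the identity performing the operation), because the self test is correct only if both are in the same normalized form. The body of ppolicy_modify starts and continues outside the hunk, so whether the later policy checks draw the same self/other distinction cannot be confirmed from here.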