From c5cf54dddf63e55f6c42db3f90508e6c3f635f5e Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Wed, 16 Nov 2005 18:51:56 +0000
Subject: [PATCH] Fix Add password_hash to not depend on password quality configuration
---
 servers/slapd/overlays/ppolicy.c | 59 ++++++++++++++++----------------
 1 file changed, 30 insertions(+), 29 deletions(-)
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index 93d93c4c58..2a5568add9 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1102,38 +1102,39 @@ ppolicy_add(
 send_ldap_error( op, rs, rc, "Password fails quality checking policy" );
 return rs->sr_err;
 }
- /*
- * A controversial bit. We hash cleartext
- * passwords provided via add and modify operations
- * You're not really supposed to do this, since
- * the X.500 model says "store attributes" as they
- * get provided. By default, this is what we do
- *
- * But if the hash_passwords flag is set, we hash
- * any cleartext password attribute values via the
- * default password hashing scheme.
- */
- if ((pi->hash_passwords) &&
- (password_scheme( &(pa->a_vals[0]), NULL ) != LDAP_SUCCESS)) {
- struct berval hpw;
-
- slap_passwd_hash( &(pa->a_vals[0]), &hpw, &txt );
- if (hpw.bv_val == NULL) {
- /*
- * hashing didn't work. Emit an error.
- */
- rs->sr_err = LDAP_OTHER;
- rs->sr_text = txt;
- send_ldap_error( op, rs, LDAP_OTHER, "Password hashing failed" );
- return rs->sr_err;
- }
+ }
+ /*
+ * A controversial bit. We hash cleartext
+ * passwords provided via add and modify operations
+ * You're not really supposed to do this, since
+ * the X.500 model says "store attributes" as they
+ * get provided. By default, this is what we do
+ *
+ * But if the hash_passwords flag is set, we hash
+ * any cleartext password attribute values via the
+ * default password hashing scheme.
+ */
+ if ((pi->hash_passwords) &&
+ (password_scheme( &(pa->a_vals[0]), NULL ) != LDAP_SUCCESS)) {
+ struct berval hpw;
 
- memset( pa->a_vals[0].bv_val, 0, pa->a_vals[0].bv_len);
- ber_memfree( pa->a_vals[0].bv_val );
- pa->a_vals[0].bv_val = hpw.bv_val;
- pa->a_vals[0].bv_len = hpw.bv_len;
+ slap_passwd_hash( &(pa->a_vals[0]), &hpw, &txt );
+ if (hpw.bv_val == NULL) {
+ /*
+ * hashing didn't work. Emit an error.
+ */
+ rs->sr_err = LDAP_OTHER;
+ rs->sr_text = txt;
+ send_ldap_error( op, rs, LDAP_OTHER, "Password hashing failed" );
+ return rs->sr_err;
 }
+
+ memset( pa->a_vals[0].bv_val, 0, pa->a_vals[0].bv_len);
+ ber_memfree( pa->a_vals[0].bv_val );
+ pa->a_vals[0].bv_val = hpw.bv_val;
+ pa->a_vals[0].bv_len = hpw.bv_len;
 }
+
 /* If password aging is in effect, set the pwdChangedTime */
 if ( pp.pwdMaxAge || pp.pwdMinAge ) {
 struct berval timestamp;
-- 2.39.5
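Review bot: The relocated block hashes and replaces only `pa->a_vals[0]`, so now that it runs independently of the quality-check branch, any further userPassword values on the added entry would be stored exactly as supplied. Whether ppolicy_add rejects multi-valued passwords before this point is not visible in the hunk (the function begins and continues outside it); if it does, a comment such as `/* single-valued userPassword is enforced above; only a_vals[0] needs hashing */` would record that assumption, and if it does not, every value should be hashed. Separately, the `memset` that scrubs the cleartext right before `ber_memfree` writes to memory that is about to be released, and an optimizer that can see through the free may drop that store; a scrub the compiler cannot elide (for example `explicit_bzero` where the platform provides it) would make the intent hold.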