ITS#8080 nssov: require old password unless pwdmgr
[openldap] / contrib / slapd-modules / nssov / pam.c
index 7e1c4d7aaf495fad3401cd9cf1ed494fe39109c9..487e1930601a3e5ac34db570329fcd6ef1ff6716 100644 (file)
@@ -780,6 +780,14 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
                }
        }
 
+       if (!pi.ispwdmgr && BER_BVISEMPTY(&pi.pwd)) {
+               Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(), %s\n",
+                       "not pwdmgr and old pwd empty", 0, 0);
+               ber_str2bv("must provide old password", 0, 0, &pi.msg);
+               rc = NSLCD_PAM_PERM_DENIED;
+               goto done;
+       }
+
        BerElementBuffer berbuf;
        BerElement *ber = (BerElement *)&berbuf;
        struct berval bv;
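Review bot: The new denial at `if (!pi.ispwdmgr && BER_BVISEMPTY(&pi.pwd))` is recorded only at `LDAP_DEBUG_TRACE`, a level that is typically not enabled on production servers, so a password change rejected for a missing old password may leave nothing for an operator to correlate. Consider logging it at a level that is routinely collected, and state the rule in a comment above the test, e.g. `/* ITS#8080: an end user must supply the current password; only the pwdmgr may omit it */`. The guard is only as strong as the code that sets `pi.ispwdmgr`, and `pi.msg` now points at a string literal (`ber_str2bv(..., 0, 0, &pi.msg)` does not copy), so it is worth confirming that the `done` path only writes it out and never frees it. Both of those lie outside this hunk, as does the rest of `pam_pwmod`.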
@@ -792,7 +800,7 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
                ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_ID,
                        &pi.dn);
        /* supply old pwd only when end-user changing pwd */
-       if (!BER_BVISEMPTY(&pi.pwd) && pi.ispwdmgr == 0)
+       if (pi.ispwdmgr == 0)
                ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_OLD,
                        &pi.pwd);
        if (!BER_BVISEMPTY(&npw))
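Review bot: With the emptiness test removed, `LDAP_TAG_EXOP_MODIFY_PASSWD_OLD` is encoded whenever `pi.ispwdmgr == 0`, so the requirement that `pi.pwd` is non-empty rests entirely on the guard added earlier in `pam_pwmod`. The existing comment should record that dependency so a later refactor does not drop the guard unnoticed, e.g. `/* end-user change: old pwd is always sent; an empty one was rejected above */`. The two tests also spell the same condition differently (`!pi.ispwdmgr` in the guard, `pi.ispwdmgr == 0` here), and using one form would make the pairing easier to see. Whether a non-empty but incorrect old password is refused is decided by whatever processes the exop, outside this hunk, and deserves a regression test.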