ppolicy fix

diff --git a/CHANGES b/CHANGES
index 123fe7c6eafcd71037e6bf0858948cc4929b0703..c908386efe5f2d7e13e0566948e02a42b71515c3 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -27,6 +27,7 @@ OpenLDAP 2.3.12 Release
        Fixed slapd-meta per-target retry (ITS#4150)
        Fixed slapd-meta size/time limit handling (ITS#4145)
        Fixed slapo-ppolicy pwdFailureTIme after bind success issue (ITS#4134)
+       Fixed slapo-ppolicy add passord_hash quality config dependency
        Fixed slapo-syncprov LDAP response types (ITS#4183)
        Fixed slapd spurious defer message (ITS#3850)
        Fixed slapd attribute SYNTAX OIDM issue (ITS#4116)

diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index 93d93c4c584d495315554a913a98d38bcebd7c7f..2a5568add9ed8b9372b3cf2b66725c2d329e894d 100644 (file)
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1102,38 +1102,39 @@ ppolicy_add(
                                send_ldap_error( op, rs, rc, "Password fails quality checking policy" );
                                return rs->sr_err;
                        }
-                           /*
-                            * A controversial bit. We hash cleartext
-                            * passwords provided via add and modify operations
-                            * You're not really supposed to do this, since
-                            * the X.500 model says "store attributes" as they
-                            * get provided. By default, this is what we do
-                            *
-                            * But if the hash_passwords flag is set, we hash
-                            * any cleartext password attribute values via the
-                            * default password hashing scheme.
-                            */
-                       if ((pi->hash_passwords) &&
-                               (password_scheme( &(pa->a_vals[0]), NULL ) != LDAP_SUCCESS)) {
-                               struct berval hpw;
-
-                               slap_passwd_hash( &(pa->a_vals[0]), &hpw, &txt );
-                               if (hpw.bv_val == NULL) {
-                                   /*
-                                    * hashing didn't work. Emit an error.
-                                    */
-                                       rs->sr_err = LDAP_OTHER;
-                                       rs->sr_text = txt;
-                                       send_ldap_error( op, rs, LDAP_OTHER, "Password hashing failed" );
-                                       return rs->sr_err;
-                               }
+               }
+                       /*
+                        * A controversial bit. We hash cleartext
+                        * passwords provided via add and modify operations
+                        * You're not really supposed to do this, since
+                        * the X.500 model says "store attributes" as they
+                        * get provided. By default, this is what we do
+                        *
+                        * But if the hash_passwords flag is set, we hash
+                        * any cleartext password attribute values via the
+                        * default password hashing scheme.
+                        */
+               if ((pi->hash_passwords) &&
+                       (password_scheme( &(pa->a_vals[0]), NULL ) != LDAP_SUCCESS)) {
+                       struct berval hpw;
 
-                               memset( pa->a_vals[0].bv_val, 0, pa->a_vals[0].bv_len);
-                               ber_memfree( pa->a_vals[0].bv_val );
-                               pa->a_vals[0].bv_val = hpw.bv_val;
-                               pa->a_vals[0].bv_len = hpw.bv_len;
+                       slap_passwd_hash( &(pa->a_vals[0]), &hpw, &txt );
+                       if (hpw.bv_val == NULL) {
+                               /*
+                                * hashing didn't work. Emit an error.
+                                */
+                               rs->sr_err = LDAP_OTHER;
+                               rs->sr_text = txt;
+                               send_ldap_error( op, rs, LDAP_OTHER, "Password hashing failed" );
+                               return rs->sr_err;
                        }
+
+                       memset( pa->a_vals[0].bv_val, 0, pa->a_vals[0].bv_len);
+                       ber_memfree( pa->a_vals[0].bv_val );
+                       pa->a_vals[0].bv_val = hpw.bv_val;
+                       pa->a_vals[0].bv_len = hpw.bv_len;
                }
+
                /* If password aging is in effect, set the pwdChangedTime */
                if ( pp.pwdMaxAge || pp.pwdMinAge ) {
                        struct berval timestamp;