[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7021) pwdAllowUserChange: FALSE disallows password change by anybody

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7021) pwdAllowUserChange: FALSE disallows password change by anybody
From: masarati@aero.polimi.it
Date: Wed, 17 Aug 2011 22:38:21 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

> masarati@aero.polimi.it wrote:
>> OTOH, by strictly interpreting the way its use is discussed in the
>> draft,
>> it should only apply to attempts by "self" to modify the password, so a
>> modification performed by a different identity (provided ACLs permit it)
>> should not be affected.
>
> Yes, that's my understanding too.

Then the patch is trivial:

diff --git a/servers/slapd/overlays/ppolicy.c
b/servers/slapd/overlays/ppolicy.c
index 6a693ac..d9afac9 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1792,7 +1792,10 @@ ppolicy_modify( Operation *op, SlapReply *rs )

        if (be_isroot( op )) goto do_modify;

-       if (!pp.pwdAllowUserChange) {
+       /* NOTE: according to draft-behera-ldap-password-policy
+        * pwdAllowUserChange == FALSE only prevents pwd changes
+        * by the user the pwd belongs to (ITS#7021) */
+       if (!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)) {
                rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
                rs->sr_text = "User alteration of password is not allowed";
                pErr = PP_passwordModNotAllowed;

If there's consensus, I'll commit it.

p.

Prev by Date: Re: (ITS#7021) pwdAllowUserChange: FALSE disallows password change by anybody
Next by Date: Re: (ITS#7021) pwdAllowUserChange: FALSE disallows password change by anybody
Index(es):
- Chronological
- Thread