From 0734bc337379b940f7bc8e764724711d849abd6a Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
Date: Thu, 31 Jul 2025 18:57:33 +0100
Subject: [PATCH] ITS#10254 Do not trigger pwdReset when rehashing
---
 servers/slapd/overlays/ppolicy.c | 19 +++++++++++++++++++
 tests/data/ppolicy.ldif | 1 +
 2 files changed, 20 insertions(+)
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index a0a17d8019..b5498dd62f 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -3111,6 +3111,25 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
 "rehashing password for user %s failed: %s\n",
 op->o_req_dn.bv_val, txt );
 } else {
+ /*
+ * Rehashing is a password change by an administrator, but
+ * we don't want it to change pwdReset state.
+ */
+ if ( ppb->pp.pwdMustChange ) {
+ /*
+ * Earlier we chose this branch because the reset state
+ * is not TRUE.
+ */
+ m = ch_calloc( sizeof(Modifications), 1 );
+ m->sml_op = LDAP_MOD_REPLACE;
+ m->sml_flags = SLAP_MOD_INTERNAL;
+ m->sml_type = ad_pwdReset->ad_cname;
+ m->sml_desc = ad_pwdReset;
+ m->sml_next = mod;
+ m->sml_numvals = 0;
+ mod = m;
+ }
+
 m = ch_calloc( sizeof(Modifications), 1 );
 m->sml_op = LDAP_MOD_ADD;
 m->sml_flags = SLAP_MOD_INTERNAL;
diff --git a/tests/data/ppolicy.ldif b/tests/data/ppolicy.ldif
index a13fe9b134..ef779ea94a 100644
--- a/tests/data/ppolicy.ldif
+++ b/tests/data/ppolicy.ldif
@@ -106,6 +106,7 @@ objectClass: pwdPolicy
 objectClass: pwdHashingPolicy
 cn: Hashing Policy
 pwdAttribute: 2.5.4.35
+pwdMustChange: TRUE
 pwdDefaultHash: {SHA}
 pwdRehashOnBind: TRUE
--
2.47.3
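Review bot: The comment on the new `LDAP_MOD_REPLACE` block in ppolicy_bind_response does not say that a replace with `sml_numvals = 0` removes pwdReset from the entry, so the safety of this mod rests entirely on the earlier check that the reset state is not TRUE, which lies outside the hunk. If that precondition were ever loosened, a successful bind would silently clear a pending forced password change, so I would spell the dependency out, e.g. `/* Replace with no values deletes pwdReset; only safe because we never rehash while pwdReset is TRUE. */`. It also presumably turns an explicit pwdReset: FALSE into an absent attribute, which is worth a word in the comment if that difference is visible to replication or auditing. The function body starts and ends outside the hunk.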