according to draft-behera, this attribute only affects password modifies by self...
authorPierangelo Masarati <ando@OpenLDAP.org>
Sun, 21 Aug 2011 00:50:33 +0000 (18:50 -0600)
committerPierangelo Masarati <ando@OpenLDAP.org>
Sun, 21 Aug 2011 00:52:54 +0000 (18:52 -0600)
servers/slapd/overlays/ppolicy.c

index 6a693acde27f51c711048e67d7c1a87ab9293803..8889247f9eda6d2bc2776c08bdba2a40027106f9 100644 (file)
@@ -1792,7 +1792,10 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 
        if (be_isroot( op )) goto do_modify;
 
-       if (!pp.pwdAllowUserChange) {
+       /* NOTE: according to draft-behera-ldap-password-policy
+        * pwdAllowUserChange == FALSE must only prevent pwd changes
+        * by the user the pwd belongs to (ITS#7021) */
+       if (!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)) {
                rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
                rs->sr_text = "User alteration of password is not allowed";
                pErr = PP_passwordModNotAllowed;
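Review bot: With the added `dn_match(&op->o_req_ndn, &op->o_ndn)` term on the `if (!pp.pwdAllowUserChange ...)` line, every identity other than the entry's owner now skips this rejection, so for those writers the only gate left at this point is the server's access control on the password attribute; the new comment should say that explicitly. It should also name the identity being compared: `op->o_ndn` is presumably the effective authorization DN, in which case a modify issued under proxied authorization as the user still counts as a self-change, which is worth confirming and recording. A possible extra comment line is `* Non-self writers are limited by ACLs only; o_ndn is the effective authz identity.` ppolicy_modify starts and continues outside the hunk, so any later checks that apply to non-self changes are not visible here.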