ITS#9343 Allow Compare to check pwdPolicySubentry
authorOndřej Kuzník <ondra@mistotebe.net>
Thu, 3 Mar 2022 10:54:34 +0000 (10:54 +0000)
committerQuanah Gibson-Mount <quanah@openldap.org>
Mon, 7 Mar 2022 14:54:39 +0000 (14:54 +0000)
servers/slapd/overlays/ppolicy.c
tests/scripts/test022-ppolicy

index 60dde82ee3c87cc9875f48b62f8adce9d1aa9c4f..1815837aa7f0cec426ad2c005f7f4ee700f7c92a 100644 (file)
@@ -2453,6 +2453,36 @@ ppolicy_compare(
                        return rs->sr_err;
                }
        }
+
+       if ( op->orc_ava->aa_desc == ad_pwdPolicySubentry ) {
+               BerVarray vals = NULL;
+               int rc;
+
+               rc = backend_attribute( op, NULL, &op->o_req_ndn,
+                               ad_pwdPolicySubentry, &vals, ACL_COMPARE );
+
+               if ( rc != LDAP_SUCCESS ) {
+                       /* Defer to the DB */
+                       return SLAP_CB_CONTINUE;
+               }
+
+               if ( value_find_ex( ad_pwdPolicySubentry,
+                                       SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
+                                       SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
+                                       vals, &op->orc_ava->aa_value, op->o_tmpmemctx ) == 0 )
+               {
+                       rc = LDAP_COMPARE_TRUE;
+               } else {
+                       rc = LDAP_COMPARE_FALSE;
+               }
+
+               if ( vals ) {
+                       ber_bvarray_free_x( vals, op->o_tmpmemctx );
+               }
+               send_ldap_error( op, rs, rc, NULL );
+               return rs->sr_err;
+       }
+
        return SLAP_CB_CONTINUE;
 }
 
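Review bot: In the new `pwdPolicySubentry` branch every non-zero result of `value_find_ex()` is answered as `LDAP_COMPARE_FALSE`, so an internal matching or normalisation failure, if that function can return one, is indistinguishable to the client from a genuine mismatch. Keeping the return value and mapping only the no-match code, e.g. `else if ( rc == LDAP_NO_SUCH_ATTRIBUTE ) rc = LDAP_COMPARE_FALSE;`, would let other errors reach `send_ldap_error()` unchanged. The `if ( vals )` guard before `ber_bvarray_free_x()` also implies `vals` may be NULL after a successful `backend_attribute()`, yet `value_find_ex()` receives it unguarded a few lines earlier; either drop the guard or apply it to both calls. A short comment stating that access is enforced through the `ACL_COMPARE` argument would help readers, since this branch answers the Compare itself instead of deferring to the database. `ppolicy_compare` begins outside this hunk.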
index 2b2c8887de98c7f7b8242fe52e39696fc4893ae3..7ed9c7683a9d5ec09f05490e615f86130209f607 100755 (executable)
@@ -496,6 +496,16 @@ if test $RC != 0 ; then
        exit $RC
 fi
 
+$LDAPCOMPARE -D "$MANAGERDN" -H $URI1 -w $PASSWD \
+       "$USER" "pwdPolicySubentry:cn=Idle Expiration Policy, ou=Policies, dc=example, dc=com" \
+       >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 6 ; then
+       echo "ldapcompare failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit 1
+fi
+
 $LDAPSEARCH -e ppolicy -H $URI1 -D "$USER" -w $PASS \
        -b "$BASEDN" -s base > $SEARCHOUT 2>&1
 
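Review bot: All four added `ldapcompare` checks (here and in the hunks at -532, -720 and -736) bind as `$MANAGERDN` and accept only exit code 6, so neither the mismatch branch nor the `ACL_COMPARE` check in the overlay is exercised, assuming the manager identity is not subject to ACLs in this suite. Adding one compare against a policy DN that is not in effect, checked with `if test $RC != 5 ; then`, and one bound as an identity without compare access would cover both paths. A comment such as `# 6 = compareTrue` above the first check would explain the bare number.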
@@ -532,6 +542,16 @@ if test $RC != 0 ; then
        exit $RC
 fi
 
+$LDAPCOMPARE -D "$MANAGERDN" -H $URI1 -w $PASSWD \
+       "$USER" "pwdPolicySubentry:cn=Standard Policy, ou=Policies, dc=example, dc=com" \
+       >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 6 ; then
+       echo "ldapcompare failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit 1
+fi
+
 if test "$BACKLDAP" != "ldapno" && test "$SYNCPROV" != "syncprovno"  ; then 
 echo ""
 echo "Setting up policy state forwarding test..."
@@ -720,6 +740,16 @@ if test $RC != 0 ; then
        exit $RC
 fi
 
+$LDAPCOMPARE -D "$MANAGERDN" -H $URI1 -w $PASSWD \
+       "$USER" "pwdPolicySubentry:cn=Stricter Policy, ou=Policies, dc=example, dc=com" \
+       >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 6 ; then
+       echo "ldapcompare failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit 1
+fi
+
 $LDAPMODIFY -v -D cn=config -H $URI2 -y $CONFIGPWF >> \
        $TESTOUT 2>&1 << EOMODS
 dn: olcOverlay={0}ppolicy,olcDatabase={1}$BACKEND,cn=config
@@ -736,6 +766,16 @@ if test $RC != 0 ; then
        exit $RC
 fi
 
+$LDAPCOMPARE -D "$MANAGERDN" -H $URI2 -w $PASSWD \
+       "$USER" "pwdPolicySubentry:cn=Stricter Policy, ou=Policies, dc=example, dc=com" \
+       >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 6 ; then
+       echo "ldapcompare failed ($RC)!"
+       test $KILLSERVERS != no && kill -HUP $KILLPIDS
+       exit 1
+fi
+
 OLDPASS=$PASS
 PASS=newpass
 $LDAPPASSWD -H $URI1 \