From: Howard Chu
Date: Tue, 20 Jul 2021 18:27:45 +0000 (+0100)
Subject: ITS#8775 for passwordMod, pass real DN thru
X-Git-Tag: OPENLDAP_REL_ENG_2_6_0~167
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=81076a7f7c30888da29cf66e11f3194277110948;p=thirdparty%2Fopenldap.git
ITS#8775 for passwordMod, pass real DN thru
Since conn->c_dn is the real DN, need to see real DN for ACLs to work.
---
diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c
index 7b0768d539..7ba80103b9 100644
--- a/servers/slapd/overlays/rwm.c
+++ b/servers/slapd/overlays/rwm.c
@@ -867,6 +867,8 @@ rwm_entry_release_rw( Operation *op, Entry *e, int rw )
 return SLAP_CB_CONTINUE;
 }
 
+static struct berval *passwd_oid;
+
 static int
 rwm_entry_get_rw( Operation *op, struct berval *ndn,
 ObjectClass *oc, AttributeDescription *at, int rw, Entry **ep )
@@ -884,6 +886,11 @@ rwm_entry_get_rw( Operation *op, struct berval *ndn,
 return SLAP_CB_CONTINUE;
 }
 
+ /* If we're fetching the target of a password mod, must let real DNs thru */
+ if ( op->o_tag == LDAP_REQ_EXTENDED && bvmatch( passwd_oid, &op->oq_extended.rs_reqoid ) ) {
+ return SLAP_CB_CONTINUE;
+ }
+
 /* massage DN */
 op2.o_tag = LDAP_REQ_SEARCH;
 op2 = *op;
@@ -1116,6 +1123,8 @@ static struct exop {
 { BER_BVNULL, NULL }
 };
 
+static struct berval *passwd_oid = &exop_table[0].oid;
+
 static int
 rwm_extended( Operation *op, SlapReply *rs )
 {
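Review bot: The new early return in rwm_entry_get_rw (second hunk) tests only that the operation is the password-modify exop, not that `ndn` is that exop's target, so every entry fetched through this hook while the exop runs skips the DN massage. If ACL evaluation or another overlay fetches other entries during the exop (not visible in this hunk), those lookups are also passed through unmassaged, which is broader than the comment says. Either narrow the condition to the target DN or make the comment state the real scope, e.g. `/* During a password-modify exop every entry_get bypasses DN massage, because conn->c_dn holds the real DN */`. The function body continues outside the hunk.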
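Review bot: `passwd_oid` is bound to `exop_table[0]` by position (third hunk), so the massage bypass in rwm_entry_get_rw silently follows whichever extended operation is listed first; the table's entries are outside this hunk and nothing here pins slot 0 to Password Modify. Because that comparison decides whether DN rewriting is skipped before ACLs are evaluated, name the OID rather than the slot, for example by comparing against slapd's `slap_EXOP_MODIFY_PASSWD` in the check. At minimum add `/* exop_table[0] must stay the Password Modify entry: rwm_entry_get_rw() uses it to skip DN massage */` beside the definition. Declaring it `static struct berval * const passwd_oid` both here and in the forward declaration (first hunk) would also keep the pointer from being reassigned.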