From: Pierangelo Masarati
Date: Sun, 21 Aug 2011 00:50:33 +0000 (-0600)
Subject: according to draft-behera, this attribute only affects password modifies by self...
X-Git-Tag: OPENLDAP_REL_ENG_2_5_0ALPHA~1282
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bdbdae3e5f6f15f0278f72076c5a4be65be8a210;p=thirdparty%2Fopenldap.git
according to draft-behera, this attribute only affects password modifies by self (ITS#7021)
---
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index 6a693acde2..8889247f9e 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1792,7 +1792,10 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 if (be_isroot( op )) goto do_modify;
- if (!pp.pwdAllowUserChange) {
+ /* NOTE: according to draft-behera-ldap-password-policy
+ * pwdAllowUserChange == FALSE must only prevent pwd changes
+ * by the user the pwd belongs to (ITS#7021) */
+ if (!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)) {
 rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 rs->sr_text = "User alteration of password is not allowed";
 pErr = PP_passwordModNotAllowed;
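Review bot: The narrowed condition `!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)` means a non-root identity other than the entry's owner no longer gets LDAP_INSUFFICIENT_ACCESS at this point when pwdAllowUserChange is FALSE, and the added comment does not say what restricts such writes instead. That matches the draft as cited, but a deployment that treated the old check as a blanket block on password changes would now depend on access control elsewhere, presumably the ACLs on the password attribute, which are not visible in this hunk. I would extend the comment with a line such as `* Changes by any other identity are not restricted here; access control must cover them.` so the reliance is explicit to whoever audits the policy. ppolicy_modify starts and ends outside the hunk, so later checks in it may still apply to those requests.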