From 109d967ff266d90f393192c50f9354496e53cc17 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
Date: Tue, 23 Mar 2021 10:55:12 +0000
Subject: [PATCH] ITS#7788 Hashing should be independent of a useable policy
---
 servers/slapd/overlays/ppolicy.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index 074619c486..58aacfcc9a 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -2182,9 +2182,7 @@ ppolicy_add(
 return rs->sr_err;
 }

- if ( ppolicy_get( op, op->ora_e, &pp ) != LDAP_SUCCESS ) {
- return SLAP_CB_CONTINUE;
- }
+ ppolicy_get( op, op->ora_e, &pp );

 /*
 * new entry contains a password - if we're not the root user
@@ -2306,6 +2304,7 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 int got_del_grace = 0, got_del_lock = 0, got_pw = 0, got_del_fail = 0,
 got_del_success = 0;
 int got_changed = 0, got_history = 0;
+ int have_policy = 0;

 op->o_bd->bd_info = (BackendInfo *)on->on_info;
 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
@@ -2458,8 +2457,9 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 }
 }

- if ( ppolicy_get( op, e, &pp ) != LDAP_SUCCESS ) {
- goto do_modify;
+ /* ppolicy_hash_cleartext depends on pwmod being determined first */
+ if ( ppolicy_get( op, e, &pp ) == LDAP_SUCCESS ) {
+ have_policy = 1;
 }

 if ( access_allowed( op, e, pp.ad, NULL, ACL_MANAGE, NULL ) ) {
@@ -2575,7 +2575,7 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 * the root user is bound. Root can do anything, including avoid the policies.
 */

- if (!pwmod) goto do_modify;
+ if (!have_policy || !pwmod) goto do_modify;

 /*
 * Build the password history list in ascending time order
--
2.47.3
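Review bot: In ppolicy_add the result of `ppolicy_get( op, op->ora_e, &pp );` is now discarded, so every later read of `pp` in that function runs whether or not a policy was found, and unlike ppolicy_modify there is no `have_policy` flag to tell the two cases apart. The same dependency shows in the third hunk, where `access_allowed( op, e, pp.ad, NULL, ACL_MANAGE, NULL )` reads `pp.ad` right after a lookup that may have failed. This is only safe if ppolicy_get leaves `pp` in a defined default state on every failure path, which these hunks do not show. It is worth confirming that and stating it at the call, e.g. `/* result ignored: on failure pp holds defaults, so no quality checks apply but hashing still does */`. ppolicy_add's body continues outside the hunk.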
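Review bot: The block comment that ends just above `if (!have_policy || !pwmod) goto do_modify;` in the last hunk still explains the skip only in terms of the root user, while the condition now also bypasses the history and policy processing when no usable policy was found. I would add a line to that comment, e.g. ` * Without a usable policy there is nothing further to enforce either.`, so that `have_policy` is not mistaken for a way around password policy. The comment starts outside the hunk, so its full wording is not visible here.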