ITS#10254 Do not trigger pwdReset when rehashing

author Ondřej Kuzník <ondra@mistotebe.net>

Thu, 31 Jul 2025 17:57:33 +0000 (18:57 +0100)

committer Quanah Gibson-Mount <quanah@openldap.org>

Tue, 5 Aug 2025 15:35:34 +0000 (15:35 +0000)
author Ondřej Kuzník <ondra@mistotebe.net>
Thu, 31 Jul 2025 17:57:33 +0000 (18:57 +0100)
committer Quanah Gibson-Mount <quanah@openldap.org>
Tue, 5 Aug 2025 15:35:34 +0000 (15:35 +0000)
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c

index a0a17d80196176e76ffc80583eb38e907257a9ae..b5498dd62fd7404408873164b39ad3665c652a81 100644 (file)
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -3111,6 +3111,25 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
                                                         "rehashing password for user %s failed: %s\n",
                                                         op->o_req_dn.bv_val, txt );
                                 } else {
+                                       /*
+                                        * Rehashing is a password change by an administrator, but
+                                        * we don't want it to change pwdReset state.
+                                        */
+                                       if ( ppb->pp.pwdMustChange ) {
+                                               /*
+                                                * Earlier we chose this branch because the reset state
+                                                * is not TRUE.
+                                                */
+                                               m = ch_calloc( sizeof(Modifications), 1 );
+                                               m->sml_op = LDAP_MOD_REPLACE;
+                                               m->sml_flags = SLAP_MOD_INTERNAL;
+                                               m->sml_type = ad_pwdReset->ad_cname;
+                                               m->sml_desc = ad_pwdReset;
+                                               m->sml_next = mod;
+                                               m->sml_numvals = 0;
+                                               mod = m;
+                                       }
+
                                         m = ch_calloc( sizeof(Modifications), 1 );
                                         m->sml_op = LDAP_MOD_ADD;
                                         m->sml_flags = SLAP_MOD_INTERNAL;
diff --git a/tests/data/ppolicy.ldif b/tests/data/ppolicy.ldif

index a13fe9b134cae85b89c8b98b67f3e87c3dfc4d4a..ef779ea94ab2560d2b726b750e7eefd6c8780098 100644 (file)
--- a/tests/data/ppolicy.ldif
+++ b/tests/data/ppolicy.ldif
@@ -106,6 +106,7 @@ objectClass: pwdPolicy
  objectClass: pwdHashingPolicy
  cn: Hashing Policy
  pwdAttribute: 2.5.4.35
+pwdMustChange: TRUE
  pwdDefaultHash: {SHA}
  pwdRehashOnBind: TRUE
author	Ondřej Kuzník <ondra@mistotebe.net>
	Thu, 31 Jul 2025 17:57:33 +0000 (18:57 +0100)
committer	Quanah Gibson-Mount <quanah@openldap.org>
	Tue, 5 Aug 2025 15:35:34 +0000 (15:35 +0000)
servers/slapd/overlays/ppolicy.c		patch \| blob \| blame \| history
tests/data/ppolicy.ldif		patch \| blob \| blame \| history