From bdbdae3e5f6f15f0278f72076c5a4be65be8a210 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Sat, 20 Aug 2011 18:50:33 -0600 Subject: [PATCH] according to draft-behera, this attribute only affects password modifies by self (ITS#7021) --- servers/slapd/overlays/ppolicy.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c index 6a693acde2..8889247f9e 100644 --- a/servers/slapd/overlays/ppolicy.c +++ b/servers/slapd/overlays/ppolicy.c @@ -1792,7 +1792,10 @@ ppolicy_modify( Operation *op, SlapReply *rs ) if (be_isroot( op )) goto do_modify; - if (!pp.pwdAllowUserChange) { + /* NOTE: according to draft-behera-ldap-password-policy + * pwdAllowUserChange == FALSE must only prevent pwd changes + * by the user the pwd belongs to (ITS#7021) */ + if (!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)) { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = "User alteration of password is not allowed"; pErr = PP_passwordModNotAllowed; -- 2.47.2