Full_Name: Matthew Backes
Version: 2.3, 2.4, head, etc
OS: all
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (67.115.65.234)
When receiving a new userPassword, slapo-ppolicy checks to see if that password matches the hash already present in userPassword, and disallows it if this is the case.
This is a sensible default for most circumstances, as otherwise the user could reset their age counters by using the same password.
Unfortunately, it also blocks arguably-legitimate password changes; e.g. when migrating to SSHA from CRYPT where the first 8 chars of the new password match the old.
This patch changes this userPassword-has-changed check to only apply if there is a password policy defined which requires it; in particular, any of pwdInHistory, pwdMinAge, pwdMaxAge, pwdCheckQuality, or pwdMustChange must apply for this check to be enforced.
RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/overlays/ppolicy.c,v retrieving revision 1.110 diff -u -r1.110 ppolicy.c --- ppolicy.c 17 Nov 2007 12:39:19 -0000 1.110 +++ ppolicy.c 15 Dec 2007 03:21:27 -0000 @@ -1776,7 +1776,13 @@ * Last check - the password history. */ /* FIXME: no access checking? */ - if (slap_passwd_check( op, NULL, pa, bv, &txt ) == LDAP_SUCCESS) { + if (( pp.pwdInHistory + || pp.pwdMinAge + || pp.pwdMaxAge + || pp.pwdCheckQuality + || pp.pwdMustChange ) /* make sure we care */ + && ( slap_passwd_check( op, NULL, pa, bv, &txt ) + == LDAP_SUCCESS )) { /* * This is bad - it means that the user is attempting * to set the password to the same as the old one.
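Review bot: The new gate lists pwdCheckQuality and pwdMustChange alongside the age and history attributes, but the rationale given in the report (stopping a user from resetting their age counters by reusing the same password) only accounts for pwdMinAge, pwdMaxAge and pwdInHistory; the `/* make sure we care */` comment should state why the quality and must-change settings also require the same-password check, or those two terms should be dropped from the condition. Because of the `&&` short-circuit, slap_passwd_check() is no longer called at all when none of the five attributes is set, so `txt` is only filled in on the policy path; any code after the hunk that reads `txt` needs to be confirmed to cope with that. The `/* FIXME: no access checking? */` immediately above the change is left as it was.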