masarati@aero.polimi.it wrote:
OTOH, by strictly interpreting the way its use is discussed in the draft, it should only apply to attempts by "self" to modify the password, so a modification performed by a different identity (provided ACLs permit it) should not be affected.
Yes, that's my understanding too.
Then the patch is trivial:
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c index 6a693ac..d9afac9 100644 --- a/servers/slapd/overlays/ppolicy.c +++ b/servers/slapd/overlays/ppolicy.c @@ -1792,7 +1792,10 @@ ppolicy_modify( Operation *op, SlapReply *rs )
if (be_isroot( op )) goto do_modify;
- if (!pp.pwdAllowUserChange) { + /* NOTE: according to draft-behera-ldap-password-policy + * pwdAllowUserChange == FALSE only prevents pwd changes + * by the user the pwd belongs to (ITS#7021) */ + if (!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)) { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = "User alteration of password is not allowed"; pErr = PP_passwordModNotAllowed;
If there's consensus, I'll commit it.
p.
-
masaratiļ¼ aero.polimi.it