Re: (ITS#7021) pwdAllowUserChange: FALSE disallows password change by anybody

Wednesday, 17 August 2011

...
 masarati(a)aero.polimi.it wrote:
> OTOH, by strictly interpreting the way its use is discussed in the
> draft,
> it should only apply to attempts by "self" to modify the password, so a
> modification performed by a different identity (provided ACLs permit it)
> should not be affected.

 Yes, that's my understanding too. 
Then the patch is trivial:

diff --git a/servers/slapd/overlays/ppolicy.c
b/servers/slapd/overlays/ppolicy.c
index 6a693ac..d9afac9 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1792,7 +1792,10 @@ ppolicy_modify( Operation *op, SlapReply *rs )

        if (be_isroot( op )) goto do_modify;

-       if (!pp.pwdAllowUserChange) {
+       /* NOTE: according to draft-behera-ldap-password-policy
+        * pwdAllowUserChange == FALSE only prevents pwd changes
+        * by the user the pwd belongs to (ITS#7021) */
+       if (!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn,
&op->o_ndn)) {
                rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
                rs->sr_text = "User alteration of password is not allowed";
                pErr = PP_passwordModNotAllowed;

If there's consensus, I'll commit it.

p.




    

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006