(ITS#6620) ppolicy: pwdChangedTime/userPassword delete issue. - openldap-bugs

11 Aug 2010

Full_Name: Martin Evans
Version: 2.4.20
OS: CentOS 5.X
URL: 
Submission from: (NULL) (138.37.8.59)
I've attached a proposed patch to fix an error that sometimes occurs when
attempting to delete a userPassword attribute from an entry whilst the ppolicy
overlay is active.
The OL 2.4.20 code seems to assume that this operational attribute
always exists (but it clearly cannot always exist otherwise the error
would not occur). I think it can be reproduced by adding a fresh entry that
contains a userPassword. Then simply deleting the userPassword fails resulting
in:
ldap_modify: No such attribute (16)
        additional info: modify/delete: pwdChangedTime: no such attribute
Further experiments show that if the userPassword is modified before then
deleted the error does not occur (presumably because something else sets
pwdChangedTime on a mod operation but not when the attribute is added in an
entire new entry).
I've modified our OL 2.4.20 test systems with the patch below and the problem
goes away:
Cheerio!
Martin.
-bash-3.2# diff -u servers/slapd/overlays/ppolicy.c.0
servers/slapd/overlays/ppolicy.c

--- servers/slapd/overlays/ppolicy.c.0  2009-08-26 00:07:41.000000000 +0100
+++ servers/slapd/overlays/ppolicy.c    2010-08-11 14:28:53.000000000 +0100
@@ -1880,22 +1880,31 @@
                slap_timestamp( &now, &timestamp );
mods = (Modifications *) ch_calloc( sizeof( Modifications ), 1
);
-               mods->sml_desc = ad_pwdChangedTime;
+
+               /* MDTE PATCH 20100811: modify to not do delete non existing
pwdChangedTime */
                if (pwmop != LDAP_MOD_DELETE) {
+                       mods->sml_desc = ad_pwdChangedTime;
                        mods->sml_op = LDAP_MOD_REPLACE;
                        mods->sml_numvals = 1;
                        mods->sml_values = (BerVarray) ch_malloc( 2 * sizeof(
struct berval ) );
                        ber_dupbv( &mods->sml_values[0], &timestamp );
                        BER_BVZERO( &mods->sml_values[1] );
                        assert( !BER_BVISNULL( &mods->sml_values[0] ) );
-
+                       mods->sml_flags = SLAP_MOD_INTERNAL;
+                       mods->sml_next = NULL;
+                       modtail->sml_next = mods;
+                       modtail = mods;
                } else {
-                       mods->sml_op = LDAP_MOD_DELETE;
+                       if (attr_find(e->e_attrs, ad_pwdChangedTime )) {
+                               mods->sml_desc = ad_pwdChangedTime;
+                               mods->sml_op = LDAP_MOD_DELETE;
+                               mods->sml_flags = SLAP_MOD_INTERNAL;
+                               mods->sml_next = NULL;
+                               modtail->sml_next = mods;
+                               modtail = mods;
+                       }
                }
-               mods->sml_flags = SLAP_MOD_INTERNAL;
-               mods->sml_next = NULL;
-               modtail->sml_next = mods;
-               modtail = mods;
+               /* END OF MDTE PATCH */
if (attr_find(e->e_attrs, ad_pwdGraceUseTime )) {
                        mods = (Modifications *) ch_calloc( sizeof(
Modifications ), 1 );

    