[389-commits] Branch '389-ds-base-1.2.11' - ldap/servers

Mark Reynolds mreynolds at fedoraproject.org
Tue Sep 30 19:19:09 UTC 2014


 ldap/servers/slapd/add.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

New commits:
commit 950390bb09512a033a25f40e4f61f7346321a19a
Author: Mark Reynolds <mreynolds at redhat.com>
Date:   Tue Sep 30 15:18:37 2014 -0400

     Ticket 47900 - Adding an entry with an invalid password as
     rootDN is incorrectly rejected
    
    Bug Description:  Root DN and password administrators should bypass all password
                      restrictions and syntax checks, but on ADD operations the password
                      checks were still being applied to root/password admins.
    
    Fix Description:  Do not check the password syntax if the bind DN is a rootDN/password admin.
    
    https://fedorahosted.org/389/ticket/47900
    
    Reviewed by: nhosoi(Thanks!)

diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
index 1ce975a..9b549c3 100644
--- a/ldap/servers/slapd/add.c
+++ b/ldap/servers/slapd/add.c
@@ -457,12 +457,14 @@ static void op_shared_add (Slapi_PBlock *pb)
 	int proxy_err = LDAP_SUCCESS;
 	char *errtext = NULL;
 	Slapi_DN *sdn = NULL;
+	passwdPolicy *pwpolicy;
 
 	slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
 	slapi_pblock_get (pb, SLAPI_ADD_ENTRY, &e);
 	slapi_pblock_get (pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);	
 	slapi_pblock_get (pb, SLAPI_IS_LEGACY_REPLICATED_OPERATION, &legacy_op);
 	internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
+	pwpolicy = new_passwdPolicy(pb, slapi_entry_get_dn(e));
 
 	/* target spec is used to decide which plugins are applicable for the operation */
 	operation_set_target_spec (operation, slapi_entry_get_sdn (e));
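Review bot: `pwpolicy` is obtained from `new_passwdPolicy()` near the top of `op_shared_add`, but nothing in the visible hunks releases it, so if the caller owns the returned object on this branch, each ADD would leak one policy structure. The lookup also runs for every add, including replicated and internal operations and entries that carry no password; moving it next to the syntax check where it is used would avoid that work. The declaration could be `passwdPolicy *pwpolicy = NULL;` to match the initialised locals above it. The function body continues outside the hunk, so a release may exist there.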
@@ -559,7 +561,8 @@ static void op_shared_add (Slapi_PBlock *pb)
 			}
 
 			/* check password syntax */
-			if (check_pw_syntax(pb, slapi_entry_get_sdn_const(e), present_values, NULL, e, 0) == 0)
+			if (!pw_is_pwp_admin(pb, pwpolicy) &&
+			    check_pw_syntax(pb, slapi_entry_get_sdn_const(e), present_values, NULL, e, 0) == 0)
 			{
 				Slapi_Value **vals= NULL;
 				valuearray_add_valuearray(&unhashed_password_vals, present_values, 0);
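Review bot: Putting `!pw_is_pwp_admin(pb, pwpolicy) &&` in front of the check makes a root DN or password-admin bind skip the whole success branch, not only the syntax check. The visible start of that branch copies `present_values` into `unhashed_password_vals`, and the rest of the body lies outside the hunk; if it also encodes the value under the storage scheme, an admin-added password would miss that step, or the add would fall through to whatever follows the `if`. Bypassing only the check would read `if (pw_is_pwp_admin(pb, pwpolicy) ||` followed by `check_pw_syntax(pb, slapi_entry_get_sdn_const(e), present_values, NULL, e, 0) == 0)`. A test that adds an entry as the root DN and confirms the stored userPassword value is hashed would cover this.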



