ldap/servers/slapd/add.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
New commits: commit 99b24d4f4ce21be57ef4814f714690a724e863d2 Author: Mark Reynolds mreynolds@redhat.com Date: Tue Sep 30 10:07:33 2014 -0400
Ticket 47900 - Adding an entry with an invalid password as rootDN is incorrectly rejected
Bug Description: Root DN and password administrators should bypass all password restrictions and syntax checks, but on ADD operations the password checks were still being applied to root/password admins.
Fix Description: Do not check the password syntax if the bind DN is a rootDN/password admin.
https://fedorahosted.org/389/ticket/47900
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 50820f80c2da853c29962485b5e9806e68d5aece)
diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
index 875ad22..2a89358 100644
--- a/ldap/servers/slapd/add.c
+++ b/ldap/servers/slapd/add.c
@@ -456,12 +456,14 @@ static void op_shared_add (Slapi_PBlock *pb)
 int proxy_err = LDAP_SUCCESS;
 char *errtext = NULL;
 Slapi_DN *sdn = NULL;
+ passwdPolicy *pwpolicy;

 slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
 slapi_pblock_get (pb, SLAPI_ADD_ENTRY, &e);
 slapi_pblock_get (pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);
 slapi_pblock_get (pb, SLAPI_IS_LEGACY_REPLICATED_OPERATION, &legacy_op);
 internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
+ pwpolicy = new_passwdPolicy(pb, slapi_entry_get_dn(e));

 /* target spec is used to decide which plugins are applicable for the operation */
 operation_set_target_spec (operation, slapi_entry_get_sdn (e));
@@ -577,9 +579,12 @@ static void op_shared_add (Slapi_PBlock *pb)
 goto done;
 }

- /* check password syntax */
+ /*
+ * Check password syntax, unless this is a pwd admin/rootDN
+ */
 present_values = attr_get_present_values(attr);
- if (check_pw_syntax(pb, slapi_entry_get_sdn_const(e),
+ if (!pw_is_pwp_admin(pb, pwpolicy) &&
+ check_pw_syntax(pb, slapi_entry_get_sdn_const(e),
 present_values, NULL, e, 0) != 0) {
 /* error result is sent from check_pw_syntax */
 goto done;
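Review bot: The `!pw_is_pwp_admin(pb, pwpolicy) &&` short-circuit in the second hunk skips `check_pw_syntax` without leaving any record. A root DN or password administrator can therefore store a policy-violating password on ADD, and nothing in the visible code distinguishes that add from a compliant one. Consider splitting the condition so the admin branch logs the bind DN and the target entry before continuing, and extend the comment to `Check password syntax, unless this is a pwd admin/rootDN; the bypass is intentional (ticket 47900)`. In the first hunk, `new_passwdPolicy()` appears to run for every add, as far as the hunk shows, including replicated and internal operations and entries with no password attribute, and neither hunk shows who releases the returned policy or what `pw_is_pwp_admin` does with a NULL one; confirm the lifetime or move the lookup next to this check. The body of op_shared_add starts and ends outside both hunks.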