ldap/servers/slapd/modify.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-)
New commits: commit b18d6e580f16eb03e92713749a80dd07616fd40c Author: Mark Reynolds mreynolds@redhat.com Date: Fri Oct 4 10:58:30 2013 -0400
Ticket 47522 - Password adminstrators should be able to voilate password policy
Bug Description: Password administrators are still bound by the password syntax rules. Password admins should be able to violate these rules, just like AD allows.
Fix Description: If the authenticated user is a password admin, just skip all password syntax checking.
https://fedorahosted.org/389/ticket/47522
Reviewed by: nkinder(Thanks!)
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 2e9da0e..79e7c7c 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -1251,9 +1251,9 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
 goto done;
 }
- /* internal operation has root permisions for subtrees it is allowed to access */
+ /* internal operation has root permissions for subtrees it is allowed to access */
 if (!internal_op)
- {
+ {
 /* slapi_acl_check_mods needs an array of LDAPMods, but
 * we're really only interested in the one password mod. */
 LDAPMod *mods[2];
@@ -1296,9 +1296,18 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
 goto done;
 }
+ /*
+ * If this mod is being performed by a password administrator/rootDN,
+ * just return success.
+ */
+ if(pw_is_pwp_admin(pb, pwpolicy)){
+ rc = 1;
+ goto done;
+ }
+
 /* Check if password policy allows users to change their passwords.*/
 if (!pb->pb_op->o_isroot && slapi_sdn_compare(&sdn, &pb->pb_op->o_sdn)==0 &&
- !pb->pb_conn->c_needpw && !pwpolicy->pw_change && !pw_is_pwp_admin(pb, pwpolicy))
+ !pb->pb_conn->c_needpw && !pwpolicy->pw_change)
 {
 if ( pwresponse_req == 1 ) {
 slapi_pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_PWDMODNOTALLOWED );
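Review bot: The added `if(pw_is_pwp_admin(pb, pwpolicy)){ rc = 1; goto done; }` returns success before every remaining check in op_shared_allow_pw_change, so the exemption is wider than the "syntax rules" named in the commit message, and it also covers a password administrator changing the password on their own entry. The rest of the function lies outside the hunk, so it should be confirmed that nothing callers rely on after this point (for instance whatever is returned through the `char **` parameter truncated in the hunk header) is skipped on this path. If the intent is only to let administrators reset other users' passwords, the condition could be narrowed to `if (pw_is_pwp_admin(pb, pwpolicy) && slapi_sdn_compare(&sdn, &pb->pb_op->o_sdn) != 0)`, which keeps privileged accounts under the same quality rules for their own credentials. The new comment should state which checks are bypassed and that the ACL check earlier in the function appears to still apply to non-internal operations. A log entry recording that policy was bypassed, and by which bind DN, would make these changes auditable.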