From 50820f80c2da853c29962485b5e9806e68d5aece Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Sep 30 2014 19:07:53 +0000 Subject: Ticket 47900 - Adding an entry with an invalid password as rootDN is incorrectly rejected Bug Description: Root DN and password administrators should bypass all password restrictions and syntax checks, but on ADD operations the password checks were still be applied to root/password admins. Fix Description: Do not check the password syntax if the bind DN is a rootDN/password admin. https://fedorahosted.org/389/ticket/47900 Reviewed by: nhosoi(Thanks!) --- diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c index 875ad22..2a89358 100644 --- a/ldap/servers/slapd/add.c +++ b/ldap/servers/slapd/add.c @@ -456,12 +456,14 @@ static void op_shared_add (Slapi_PBlock *pb) int proxy_err = LDAP_SUCCESS; char *errtext = NULL; Slapi_DN *sdn = NULL; + passwdPolicy *pwpolicy; slapi_pblock_get (pb, SLAPI_OPERATION, &operation); slapi_pblock_get (pb, SLAPI_ADD_ENTRY, &e); slapi_pblock_get (pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op); slapi_pblock_get (pb, SLAPI_IS_LEGACY_REPLICATED_OPERATION, &legacy_op); internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL); + pwpolicy = new_passwdPolicy(pb, slapi_entry_get_dn(e)); /* target spec is used to decide which plugins are applicable for the operation */ operation_set_target_spec (operation, slapi_entry_get_sdn (e)); @@ -577,9 +579,12 @@ static void op_shared_add (Slapi_PBlock *pb) goto done; } - /* check password syntax */ + /* + * Check password syntax, unless this is a pwd admin/rootDN + */ present_values = attr_get_present_values(attr); - if (check_pw_syntax(pb, slapi_entry_get_sdn_const(e), + if (!pw_is_pwp_admin(pb, pwpolicy) && + check_pw_syntax(pb, slapi_entry_get_sdn_const(e), present_values, NULL, e, 0) != 0) { /* error result is sent from check_pw_syntax */ goto done;