From d13b461fd160535b1a074651158c7dc95e2ae1ab Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Sat, 9 May 2015 18:55:39 -0700 Subject: [PATCH 326/327] Ticket #48183 - bind on db chained to AD returns err=32 Description by rmeggins@redhat.com: bind is doing a search for the entry post bind, which fails because we don't enable password policy chaining by default. I think in this case, we should not look up password policy, because if the remote is AD or some other non-389 server, we can't use the password policy information. We should instead rely on the remote server to evaluate the password policy. The commit 4fc53e1a63222d0ff67c30a59f2cff4b535f90a8 introduced the bug. Ticket #47748 - Simultaneous adding a user and binding as the user could fail in the password policy check https://fedorahosted.org/389/ticket/48183 Revewed by nhosoi@redhat.com. (cherry picked from commit eb46e6f1975b19956bb38d5e070e6eb5159200b4) (cherry picked from commit 03bee0a0d4dbe313bca88cfafc605f6cb01b9fdc) (cherry picked from commit 46242d88b62716d99641eceac26476a9c842c149) (cherry picked from commit 164cb2460538d63ee2b2cde3e28323e51dc9741c) --- ldap/servers/slapd/bind.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c index edb36c4..11ec22e 100644 --- a/ldap/servers/slapd/bind.c +++ b/ldap/servers/slapd/bind.c @@ -777,7 +777,8 @@ do_bind( Slapi_PBlock *pb ) * was in be_bind. Since be_bind returned SLAPI_BIND_SUCCESS, * the entry is in the DS. So, we need to retrieve it once more. */ - if (!bind_target_entry) { + if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA) && + !bind_target_entry) { bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn)); if (bind_target_entry) { myrc = slapi_check_account_lock(pb, bind_target_entry, -- 1.9.3