From c9561cbb81fe1504a5741df44dd8c1103134c065 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi
Date: Sat, 30 Jul 2016 16:56:57 -0700
Subject: [PATCH 24/29] Ticket #48943 - When fine-grained policy is applied, a sub-tree has a priority over a user while changing password
Description: If the user entry has a pwdpolicysubentry, the configuration in the pwpolicy should be the strongest and respected. If the entry does not have it, it retrieves the pwpolicy from the CoS Cache, which is the current behaviour.
https://fedorahosted.org/389/ticket/48943
Reviewed by wibrown@redhat.com (Thank you, William!!)
(cherry picked from commit 802224f2846900c870a780fe7608782792806d85)
---
 ldap/servers/slapd/pw.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 498afd4..6b865ec 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -1777,9 +1777,17 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
 attribute in the target entry itself. */
 } else {
 if ( (e = get_entry( pb, dn )) != NULL ) {
- rc = slapi_vattr_values_get(e, "pwdpolicysubentry", &values,
- &type_name_disposition, &actual_type_name,
- SLAPI_VIRTUALATTRS_REQUEST_POINTERS, &attr_free_flags);
+ Slapi_Attr* attr = NULL;
+ rc = slapi_entry_attr_find(e, "pwdpolicysubentry", &attr);
+ if (attr && (0 == rc)) {
+ /* If the entry has pwdpolicysubentry, use the PwPolicy. */
+ values = valueset_dup(&attr->a_present_values);
+ } else {
+ /* Otherwise, retrieve the policy from CoS Cache */
+ rc = slapi_vattr_values_get(e, "pwdpolicysubentry", &values,
+ &type_name_disposition, &actual_type_name,
+ SLAPI_VIRTUALATTRS_REQUEST_POINTERS, &attr_free_flags);
+ }
 if (rc) {
 values = NULL;
 }
-- 
2.4.11
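Review bot: In the new `if (attr && (0 == rc))` branch, `values` becomes a heap copy made by `valueset_dup()`, but `attr_free_flags` and `actual_type_name` are left at whatever they held before. The release path later in `new_passwdPolicy` (outside this hunk) therefore cannot tell this copy from the pointers that `slapi_vattr_values_get()` returns under `SLAPI_VIRTUALATTRS_REQUEST_POINTERS`. If that cleanup keys off `attr_free_flags`, the copy is probably leaked on each password operation against such an entry; setting the flag in this branch, e.g. `attr_free_flags = SLAPI_VIRTUALATTRS_RETURNED_COPIES;`, or freeing the set explicitly would make ownership unambiguous, to be confirmed against the cleanup code. Because the entry's own `pwdpolicysubentry` now overrides the subtree policy, a comment such as `/* entry-level pwdpolicysubentry wins over CoS; write access to it must be restricted by ACI */` would record the assumption that users cannot point themselves at a weaker policy.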