From c9fb441600acc02952372fc89097cf06a8eaca5f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 17 Sep 2019 09:48:49 +0200
Subject: [PATCH] RHEL-specific: Disable the password policies unless
 explicitly enabled

---
 nslcd/cfg.c    | 1 +
 nslcd/myldap.c | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index e11d03a..66908b2 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -136,6 +136,7 @@ static void cfg_defaults(struct ldap_config *cfg)
   parse_validnames_statement(__FILE__,__LINE__,"",
                 "/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i",cfg);
   cfg->pam_password_prohibit_message=NULL;
+  cfg->pam_authc_ppolicy = 0;
 }
 
 /* simple strdup wrapper */
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index 6eb91f8..a07829f 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -689,6 +689,14 @@ static int do_bind(MYLDAP_SESSION *session, LDAP *ld,const char *binddn,const ch
   if ((binddn!=NULL)&&(binddn[0]!='\0'))
   {
 #if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE)
+    /* RHEL-specific: Don't even call into the ppolicy_bind path unless
+     * the option was set explicitly to 1 to retain backwards compatibility
+     */
+    if (nslcd_cfg->pam_authc_ppolicy == 0) {
+        log_log(LOG_DEBUG,"ldap_simple_bind_s(\"%s\",%s) (uri=\"%s\")",binddn,
+                          ((bindpw!=NULL)&&(bindpw[0]!='\0'))?"\"***\"":"\"\"",uri);
+        return ldap_simple_bind_s(ld,binddn,bindpw);
+    }
     return do_ppolicy_bind(session, ld, uri);
 #else /* no SASL, so no ppolicy */
     /* do a simple bind */
-- 
2.21.0