path: root/ipa-server/ipa-kpasswd/ipa_kpasswd.c
author: Simo Sorce <ssorce@redhat.com> 2007-11-13 16:21:03 -0500
committer: Simo Sorce <ssorce@redhat.com> 2007-11-13 16:21:03 -0500
commit: 7502ebe47940e6a5deb03a5f47c10b512cea6d5d (patch)
tree: 43fed9a487770a0565320ec4ba4a15471ec8533c /ipa-server/ipa-kpasswd/ipa_kpasswd.c
parent: bd78fe06877e80b19bd0358f525bed73efe17004 (diff)
Initial implementation of policies support.
This patch uses the kerberos schema policy; this is the same policy used by kadmin. While this patch allows for krbPwdPolicy objects anywhere, the kldap module will make the kdc fail to provide tickets if the "krbPwdPolicyReference" points to any object that is not a child of cn=<REALM>,cn=kerberos,dc=.... To let us set policies anywhere in the tree I enabled the code to actually look at parent entries and the user entry itself and specify policies directly on these objects by adding the krbPwdPolicy objectclass to them (I know it's structural, but DS seems to allow multiple Structural classes on the same entry). The only side effect is that kadmin will not understand this, but we don't want to use kadmin anyway as it does not understand way too many things about the directory. I've tested a few scenarios and all seem to be working as expected, but further testing is welcome of course.
Diffstat (limited to 'ipa-server/ipa-kpasswd/ipa_kpasswd.c')
-rw-r--r-- ipa-server/ipa-kpasswd/ipa_kpasswd.c | 6
1 files changed, 5 insertions, 1 deletions
diff --git a/ipa-server/ipa-kpasswd/ipa_kpasswd.c b/ipa-server/ipa-kpasswd/ipa_kpasswd.c
index f5540b74c..fdaa8197c 100644
--- a/ipa-server/ipa-kpasswd/ipa_kpasswd.c
+++ b/ipa-server/ipa-kpasswd/ipa_kpasswd.c
@@ -399,7 +399,11 @@ int ldap_pwd_change(char *client_name, char *realm_name, krb5_data pwd)
if (ret != LDAP_SUCCESS) {
syslog(LOG_ERR, "Search for %s failed with error %d",
filter, ret);
- ret = KRB5_KPASSWD_HARDERROR;
+ if (ret == LDAP_CONSTRAINT_VIOLATION) {
+ ret = KRB5_KPASSWD_SOFTERROR;
+ } else {
+ ret = KRB5_KPASSWD_HARDERROR;
+ }
goto done;
}
free(filter);
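Review bot: the new LDAP_CONSTRAINT_VIOLATION branch correctly downgrades a policy rejection to KRB5_KPASSWD_SOFTERROR so the client can retry with a different password, but the error path still jumps to `done` before reaching `free(filter);` at the end of the hunk, so `filter` leaks on every failed request unless the `done` label releases it; either free it before the `goto done` or move the free into the cleanup path. Also, the preceding `syslog(LOG_ERR, "Search for %s failed with error %d", filter, ret);` now covers two very different outcomes with one message and a bare numeric code; consider logging a distinct message for the constraint-violation case so an operator can tell a password policy rejection from a genuine directory failure when reading the log.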