From 0780e46fc13dbafa177525164997cd204cc50b51 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 8 Jan 2013 15:20:45 -0500 Subject: Allow principals to refer to nonexistent policies Stop using and maintaining the policy_refcnt field, and do not try to prevent deletion of a policy which is still referenced by principals. Instead, allow principals to refer to policy names which do not exist as policy objects; treat those principals as having no associated policy. In the kadmin client, warn if addprinc or modprinc tries to reference a policy which doesn't exist, since the server will no longer error out in this case. ticket: 7385
---
 src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ------- 1 file changed, 7 deletions(-) (limited to 'src/plugins')
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
index e955f8e404..011b2a04e0 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
@@ -384,13 +384,6 @@ krb5_ldap_delete_password_policy(krb5_context context, char *policy)
 if (st != 0)
 goto cleanup;
 
- st = krb5_ldap_get_reference_count(context, policy_dn,
- "krbPwdPolicyReference", &refcount, ld);
- if (st == 0 && refcount != 0)
- st = KRB5_KDB_POLICY_REF;
- if (st != 0)
- goto cleanup;
-
 /* Ensure that the object is a password policy */
 if ((st=checkattributevalue(ld, policy_dn, "objectclass", class, &mask)) != 0)
 goto cleanup;
-- cgit