authorBjörn Jacke <bj@sernet.de>2010-07-06 18:39:26 +0200
committerBjörn Jacke <bj@sernet.de>2010-07-06 18:50:01 +0200
commita679319192a50f8115c830ceabe33010d584e3c9 (patch)
treeff58c65aee91b3602279106073f48ecd148094c0 /source3/passdb
parent44d8c8dbb721eadface3785cee135b2912ca00e7 (diff)
downloadsamba-a679319192a50f8115c830ceabe33010d584e3c9.tar.gz
samba-a679319192a50f8115c830ceabe33010d584e3c9.tar.xz
samba-a679319192a50f8115c830ceabe33010d584e3c9.zip
s3:pdb_ldap: change LDAP password before samba password hashes
This way we can catch password change refusals from LDAP password policy overlays and abort the password change early. Thanks to Andy Hanton <andyhanton@gmail.com> for the initial patch.
Diffstat (limited to 'source3/passdb')
-rw-r--r--source3/passdb/pdb_ldap.c67
1 files changed, 34 insertions, 33 deletions
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index f4c8dbe516..2e48023d8b 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -1737,39 +1737,6 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
return NT_STATUS_INVALID_PARAMETER;
}
- if (!mods) {
- DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
- /* may be password change below however */
- } else {
- switch(ldap_op) {
- case LDAP_MOD_ADD:
- if (ldap_state->is_nds_ldap) {
- smbldap_set_mod(&mods, LDAP_MOD_ADD,
- "objectclass",
- "inetOrgPerson");
- } else {
- smbldap_set_mod(&mods, LDAP_MOD_ADD,
- "objectclass",
- LDAP_OBJ_ACCOUNT);
- }
- rc = smbldap_add(ldap_state->smbldap_state,
- dn, mods);
- break;
- case LDAP_MOD_REPLACE:
- rc = smbldap_modify(ldap_state->smbldap_state,
- dn ,mods);
- break;
- default:
- DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
- ldap_op));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (rc!=LDAP_SUCCESS) {
- return NT_STATUS_UNSUCCESSFUL;
- }
- }
-
if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
(lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
need_update(newpwd, PDB_PLAINTEXT_PW) &&
@@ -1895,6 +1862,40 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
}
ber_bvfree(bv);
}
+
+ if (!mods) {
+ DEBUG(5,("ldapsam_modify_entry: mods is empty: nothing to modify\n"));
+ /* may be password change below however */
+ } else {
+ switch(ldap_op) {
+ case LDAP_MOD_ADD:
+ if (ldap_state->is_nds_ldap) {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ "objectclass",
+ "inetOrgPerson");
+ } else {
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ "objectclass",
+ LDAP_OBJ_ACCOUNT);
+ }
+ rc = smbldap_add(ldap_state->smbldap_state,
+ dn, mods);
+ break;
+ case LDAP_MOD_REPLACE:
+ rc = smbldap_modify(ldap_state->smbldap_state,
+ dn ,mods);
+ break;
+ default:
+ DEBUG(0,("ldapsam_modify_entry: Wrong LDAP operation type: %d!\n",
+ ldap_op));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (rc!=LDAP_SUCCESS) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ }
+
return NT_STATUS_OK;
}
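Review bot: In the `LDAP_MOD_ADD` case the entry is only created by `smbldap_add()` in this moved block, so the password-sync code that now runs first (it sits between the two hunks and is not fully visible here) presumably addresses a `dn` that does not exist yet and would fail for new accounts; it looks safer to keep the add ahead of the password change and reorder only the `LDAP_MOD_REPLACE` path. The new order also means a failing `smbldap_modify()` returns `NT_STATUS_UNSUCCESSFUL` after the directory password has already been changed, leaving the LDAP password and the Samba hashes out of step with no log line; a `DEBUG(0,("ldapsam_modify_entry: LDAP password changed but attribute update failed for %s\n", dn));` before that return would make the mismatch visible to an administrator. The moved comment `/* may be password change below however */` is now stale and should read `/* a password change, if any, was already done above */`. The body of ldapsam_modify_entry begins outside the hunk.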