Bug 612264 - ACI issue with (targetattr='userPassword')

If an ACI has a targetattr of userPassword and uses the USERDN
keyword, the ACI may not be evaluated correctly for password
change operations.  This is caused by the fact that we use a
dummy target entry to check if the pasword change is allowed early
in the operation.  This dummy entry will not have any attributes
that the ACI may use.

The fix is to actually fetch the target entry with all of it's
attributes.  We still create a dummy entry if the target doesn't
exist to prevent returning a no such entry error  when we should be
returning an access denied or insufficient access error.

1 files changed, 10 insertions, 5 deletions

diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 55308a30..3e5b19e3 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -978,11 +978,16 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
 		mods[0] = mod;
 		mods[1] = NULL;
 
-		/* Create a bogus entry with just the target dn.  This will
-		 * only be used for checking the ACIs. */
-		e = slapi_entry_alloc();
-		slapi_entry_init( e, NULL, NULL );
-		slapi_sdn_set_dn_byref(slapi_entry_get_sdn(e), dn);
+		/* We need to actually fetch the target here to use for ACI checking. */
+		slapi_search_internal_get_entry(&sdn, NULL, &e, (void *)plugin_get_default_component_id());
+
+		/* Create a bogus entry with just the target dn if we were unable to 
+		 * find the actual entry.  This will only be used for checking the ACIs. */
+		if (e == NULL) {
+			e = slapi_entry_alloc();
+			slapi_entry_init( e, NULL, NULL );
+			slapi_sdn_set_dn_byref(slapi_entry_get_sdn(e), dn);
+		}
 
 		/* Set the backend in the pblock.  The slapi_access_allowed function
 		 * needs this set to work properly. */