From 285e376f613360129c022b6a9d3cec80544ac85c Mon Sep 17 00:00:00 2001
From: Noriko Hosoi
Date: Sat, 30 Jul 2016 16:56:57 -0700
Subject: [PATCH] Ticket #48943 - When fine-grained policy is applied, a sub-tree has a priority over a user while changing password

Description: If the user entry has a pwdpolicysubentry, the configuration in the pwpolicy should be the strongest and respected. If the entry does not have it, it retrieves the pwpolicy from the CoS Cache, which is the current behaviour.
---
 ldap/servers/slapd/pw.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 498afd4..6b865ec 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -1777,9 +1777,17 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
 attribute in the target entry itself. */
 } else {
 if ( (e = get_entry( pb, dn )) != NULL ) {
- rc = slapi_vattr_values_get(e, "pwdpolicysubentry", &values,
- &type_name_disposition, &actual_type_name,
- SLAPI_VIRTUALATTRS_REQUEST_POINTERS, &attr_free_flags);
+ Slapi_Attr* attr = NULL;
+ rc = slapi_entry_attr_find(e, "pwdpolicysubentry", &attr);
+ if (attr && (0 == rc)) {
+ /* If the entry has pwdpolicysubentry, use the PwPolicy. */
+ values = valueset_dup(&attr->a_present_values);
+ } else {
+ /* Otherwise, retrieve the policy from CoS Cache */
+ rc = slapi_vattr_values_get(e, "pwdpolicysubentry", &values,
+ &type_name_disposition, &actual_type_name,
+ SLAPI_VIRTUALATTRS_REQUEST_POINTERS, &attr_free_flags);
+ }
 if (rc) {
 values = NULL;
 }
--
2.4.11
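Review bot: In the new direct-attribute branch, `values` becomes a heap copy from `valueset_dup()`, but `attr_free_flags` and `actual_type_name` are left untouched, whereas the fallback `slapi_vattr_values_get()` call requests pointers and reports ownership through `attr_free_flags`. The release of `values` is outside this hunk, so this is inferred, but if it goes through `slapi_vattr_values_free()` keyed on that flag, the copy may never be freed, leaking memory on each password operation for entries that carry the attribute. Recording ownership right after the dup, e.g. `attr_free_flags = SLAPI_VIRTUALATTRS_RETURNED_COPIES;`, would keep the two branches consistent. Since a `pwdpolicysubentry` stored on the entry now takes precedence over the CoS-derived policy, the branch comment could also state the access-control assumption: `/* Entry-level pwdpolicysubentry wins over CoS; ACIs must keep users from writing it. */`. new_passwdPolicy starts and ends outside the hunk.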