From b3d231fbe692fe7dbe68821a08341d16a75e383b Mon Sep 17 00:00:00 2001
From: Noriko Hosoi
Date: Mon, 8 Oct 2012 15:35:58 -0700
Subject: [PATCH] Trac Ticket #455 - Insufficient rights to unhashed#user#password when user deletes his password
https://fedorahosted.org/389/ticket/455
Bug Description: Setting CLEAR to the passwordStrageScheme, then deleting a userpassword with the value fails due to the lack of right to delete the corresponding pseudo attribute.
Fix Description: Skip evaluating the aci of the pseudo attribute in the deletion as being done in the replacement.
---
 ldap/servers/plugins/acl/acl.c | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 3389404..a5884fb 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -1361,6 +1361,10 @@ acl_check_mods(
 switch (mod->mod_op & ~LDAP_MOD_BVALUES ) { case LDAP_MOD_DELETE:
+ if (strcmp (mod->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD) == 0) {
+ /* skip pseudo attr(s) */
+ continue;
+ }
 if (mod->mod_bvalues != NULL ) { break; }
@@ -1368,7 +1372,7 @@ acl_check_mods(
 /* * Here, check that we have the right to delete all * the values of the attribute in the entry.
- */
+ */
 case LDAP_MOD_REPLACE: if ( !lastmod ) {
@@ -1385,6 +1389,7 @@ acl_check_mods(
 strcmp (mod->mod_type, "modifytimestamp")== 0 || strcmp (mod->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)== 0) ) {
+ /* skip pseudo attr(s) */
 continue; }
-- 1.7.7.6
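Review bot: The new skip in the `LDAP_MOD_DELETE` branch sits ahead of the `mod_bvalues != NULL` test, so every delete that names `PSEUDO_ATTR_UNHASHEDUSERPASSWORD`, with or without values, leaves the loop iteration without any access check. That is only sound if a mod of this type can never arrive directly in a client request, and nothing visible in this hunk shows where such a request would be rejected; this should be confirmed in the modify path before the skip is relied on. Once confirmed, the bare `/* skip pseudo attr(s) */` should record that invariant, for example `/* server adds this pseudo attr next to a userPassword change; access is checked on userPassword */`, and the identical comment added in the `LDAP_MOD_REPLACE` branch (third hunk) should get the same wording. The body of `acl_check_mods` starts and ends outside these hunks, so any earlier filtering of `mod_type` cannot be seen from here.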