
(ITS#5285) password policy checks userPassword hash even without policies



Full_Name: Matthew Backes
Version: 2.3, 2.4, head, etc
OS: all
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (67.115.65.234)


When receiving a new userPassword, slapo-ppolicy checks to see if that password
matches the hash already present in userPassword, and disallows it if this is
the case.

This is a sensible default for most circumstances, as otherwise the user could
reset their age counters by using the same password.

Unfortunately, it also blocks arguably-legitimate password changes; e.g. when
migrating to SSHA from CRYPT where the first 8 chars of the new password match
the old.

This patch changes this userPassword-has-changed check to only apply if there is
a password policy defined which requires it; in particular, any of pwdInHistory,
pwdMinAge, pwdMaxAge, pwdCheckQuality, or pwdMustChange must apply for this
check to be enforced.

RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/overlays/ppolicy.c,v
retrieving revision 1.110
diff -u -r1.110 ppolicy.c
--- ppolicy.c   17 Nov 2007 12:39:19 -0000      1.110
+++ ppolicy.c   15 Dec 2007 03:21:27 -0000
@@ -1776,7 +1776,13 @@
                 * Last check - the password history.
                 */
                /* FIXME: no access checking? */
-               if (slap_passwd_check( op, NULL, pa, bv, &txt ) == LDAP_SUCCESS)
{
+               if (( pp.pwdInHistory 
+                     || pp.pwdMinAge 
+                     || pp.pwdMaxAge
+                     || pp.pwdCheckQuality
+                     || pp.pwdMustChange ) /* make sure we care */
+                   && ( slap_passwd_check( op, NULL, pa, bv, &txt ) 
+                        == LDAP_SUCCESS )) {
                        /*
                         * This is bad - it means that the user is attempting
                         * to set the password to the same as the old one.
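Review bot: the gate in this hunk includes pp.pwdCheckQuality and pp.pwdMustChange, but neither of those has any bearing on whether a user may re-set the same password; the rationale given in the report (protecting the age counters and the history) only motivates pwdMinAge, pwdMaxAge and pwdInHistory. With the condition as written, a policy that only enforces quality checking still rejects the CRYPT-to-SSHA migration case this patch is meant to allow, and with pwdMustChange set the admin-forced reset would also block a same-password change for no reason tied to that attribute. Either drop the two unrelated terms, or replace the `/* make sure we care */` comment with one that states why each attribute is in the list; the existing `/* FIXME: no access checking? */` on the line above is still unresolved and worth a follow-up ITS rather than being left as-is next to the new logic.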