[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6265) ppolicy: modifications in ppolicy_bind_response don't update entries' operational attributes

Full_Name: Jonathan Clarke
Version: RE24
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-ppolicy-20090819.patch
Submission from: (NULL) (


In the password policy overlay, the function ppolicy_bind_response() contains:

                Operation op2 = *op;
                op2.orm_modlist = mod;
                rc = op2.o_bd->be_modify( &op2, &r2 );

This reuses the original Operation structure (a BIND request) to perform a
modification operation. The code changes the value orm_modlist, which is
actually in the OpRequest union. This union is thereafter referred to as
containing a req_modify_s, not a req_bind_s as before, since this is now a
modification operation.

However, other fields from req_modify_s are not updated and are interpreted with
values set by the bind operation. In particular orm_no_opattrs is set to != 0
(bv_len of the credentials, actually), which causes modifications done by the
overlay not to cause updates to operational attributes (which ultimately means
these updates are not replicated if we're on a syncrepl provider, which is how I
came across this).

Sorry for the long explanation, which may seem obvious to those familiar with
these structures.

The patch above corrects *this* issue. I'm unsure whether orm_increment should
also be reset? Probably, I'm guessing.