according to draft-behera, this attribute only affects password modifies by self (ITS#7021)

b6ec428a · Pierangelo Masarati · Quanah Gibson-Mount · 42314730 · b6ec428a
Commit b6ec428a authored Aug 20, 2011 by Pierangelo Masarati Committed by Quanah Gibson-Mount Oct 06, 2011
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1788,7 +1788,10 @@ ppolicy_modify( Operation *op, SlapReply *rs )

 	if (be_isroot( op )) goto do_modify;

-	if (!pp.pwdAllowUserChange) {
+	/* NOTE: according to draft-behera-ldap-password-policy
+	 * pwdAllowUserChange == FALSE must only prevent pwd changes
+	 * by the user the pwd belongs to (ITS#7021) */
+	if (!pp.pwdAllowUserChange && dn_match(&op->o_req_ndn, &op->o_ndn)) {
 		rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 		rs->sr_text = "User alteration of password is not allowed";
 		pErr = PP_passwordModNotAllowed;