From 44e7c30eb285d757a2f390d1482ae38afef5988f Mon Sep 17 00:00:00 2001
From: Ryan Tandy <ryan@nardis.ca>
Date: Mon, 16 Mar 2015 05:58:02 +0000
Subject: [PATCH] ITS#8080 nssov: require old password unless pwdmgr

---
 contrib/slapd-modules/nssov/pam.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/contrib/slapd-modules/nssov/pam.c b/contrib/slapd-modules/nssov/pam.c
index 7e1c4d7aaf..487e193060 100644
--- a/contrib/slapd-modules/nssov/pam.c
+++ b/contrib/slapd-modules/nssov/pam.c
@@ -780,6 +780,14 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
 		}
 	}
 
+	if (!pi.ispwdmgr && BER_BVISEMPTY(&pi.pwd)) {
+		Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(), %s\n",
+			"not pwdmgr and old pwd empty", 0, 0);
+		ber_str2bv("must provide old password", 0, 0, &pi.msg);
+		rc = NSLCD_PAM_PERM_DENIED;
+		goto done;
+	}
+
 	BerElementBuffer berbuf;
 	BerElement *ber = (BerElement *)&berbuf;
 	struct berval bv;
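Review bot: The new guard at the top of this hunk carries no comment saying why an empty old password is refused, and that rationale is the whole point of ITS#8080; I would put `/* A non-pwdmgr change must prove knowledge of the current password: the exop below only carries OLD when one was supplied, so refuse here rather than send an unverified change. */` above the `if`. The message is attached with `ber_str2bv(..., 0, 0, &pi.msg)`, i.e. dup=0, so pi.msg points at a string literal; that is only safe if nothing at `done:` frees pi.msg, which I cannot confirm from this hunk. The function pam_pwmod starts and ends outside the hunk, and how pi.ispwdmgr and pi.pwd are populated is not visible here, so whether ispwdmgr can be asserted by an untrusted client is worth re-checking in the surrounding code.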
@@ -792,7 +800,7 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
 		ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_ID,
 			&pi.dn);
 	/* supply old pwd only when end-user changing pwd */
-	if (!BER_BVISEMPTY(&pi.pwd) && pi.ispwdmgr == 0)
+	if (pi.ispwdmgr == 0)
 		ber_printf(ber, "tO", LDAP_TAG_EXOP_MODIFY_PASSWD_OLD,
 			&pi.pwd);
 	if (!BER_BVISEMPTY(&npw))
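Review bot: The comment above the changed `if` is now misleading: "supply old pwd only when end-user changing pwd" reads as if OLD may still be omitted for an end user, but with this commit every non-pwdmgr request reaches this point with a non-empty pi.pwd (the empty case is rejected earlier in pam_pwmod), so OLD is always sent for end users. I would reword it to `/* end-user change: always send the old pwd (empty one rejected above); pwdmgr omits it */`. The same test is spelled `pi.ispwdmgr == 0` here and `!pi.ispwdmgr` in the new guard earlier in the function; pick one form so a reader does not look for a difference. pam_pwmod continues past the end of this hunk.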
-- 
GitLab