
Ticket 47900 - Adding an entry with an invalid password as rootDN is incorrectly rejected

Bug Description:  Root DN and password administrators should bypass all password
                  restrictions and syntax checks, but on ADD operations the password
                  checks were still being applied to root/password admins.

Fix Description:  Do not check the password syntax if the bind DN is a rootDN/password admin.

https://fedorahosted.org/389/ticket/47900

Reviewed by: nhosoi(Thanks!)
Mark Reynolds 11 年之前
当前提交
50820f80c2
共有 1 个文件被更改,包括 7 次插入2 次删除
  1. 7 2
      ldap/servers/slapd/add.c

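--- a/ldap/servers/slapd/add.c
+++ b/ldap/servers/slapd/add.c
@@ -456,12 +456,14 @@ static void op_shared_add (Slapi_PBlock *pb)
 	int proxy_err = LDAP_SUCCESS;
 	char *errtext = NULL;
 	Slapi_DN *sdn = NULL;
+	passwdPolicy *pwpolicy;
 
 	slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
 	slapi_pblock_get (pb, SLAPI_ADD_ENTRY, &e);
 	slapi_pblock_get (pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);	
 	slapi_pblock_get (pb, SLAPI_IS_LEGACY_REPLICATED_OPERATION, &legacy_op);
 	internal_op= operation_is_flag_set(operation, OP_FLAG_INTERNAL);
+	pwpolicy = new_passwdPolicy(pb, slapi_entry_get_dn(e));
 
 	/* target spec is used to decide which plugins are applicable for the operation */
 	operation_set_target_spec (operation, slapi_entry_get_sdn (e));
@@ -577,9 +579,12 @@ static void op_shared_add (Slapi_PBlock *pb)
 					goto done;
 				}
 
-				/* check password syntax */
+				/*
+				 * Check password syntax, unless this is a pwd admin/rootDN
+				 */
 				present_values = attr_get_present_values(attr);
-				if (check_pw_syntax(pb, slapi_entry_get_sdn_const(e),
+				if (!pw_is_pwp_admin(pb, pwpolicy) &&
+				    check_pw_syntax(pb, slapi_entry_get_sdn_const(e),
 				                    present_values, NULL, e, 0) != 0) {
 					/* error result is sent from check_pw_syntax */
 					goto done;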
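Review bot: `pwpolicy = new_passwdPolicy(pb, slapi_entry_get_dn(e));` is evaluated at the top of op_shared_add for every add, yet its only visible use is the `pw_is_pwp_admin(pb, pwpolicy)` test in the second hunk, inside the password-syntax branch. Moving that assignment to just before the `if` would keep the policy lookup off replicated, internal and password-less adds, and would keep the bypass decision next to the data it depends on. The hunks do not show how pwpolicy is released at `done`; if new_passwdPolicy returns caller-owned memory, a matching release is needed there. Because this branch now lets a rootDN/password admin store a value that fails the syntax policy, the comment should state that only the syntax check is skipped, and a log line on the bypass path would help later audits. op_shared_add starts and ends outside both hunks.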