Bug 829213 - unhashed#user#password visible after changing password https://bugzilla.redhat.com/show_bug.cgi?id=829213

Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
https://bugzilla.redhat.com/show_bug.cgi?id=830001

Bug Description: Deref still retrieved unhashed password.

Fix Description: Added code to Deref plugin to check the deref attribute.
If it is unhashed password, skip it.
(cherry picked from commit 26b5121d84232cf453fa917f11ba6518a40358ea)
(cherry picked from commit 9e15a73380e32947f08e2d8cc3bce87f467fab80)

ldap/servers/plugins/deref/deref.c

@@ -632,6 +632,12 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
                     int needpartialattr = 1; /* need PartialAttribute sequence? */
                     int needvalsset = 1;
 
+                    if (is_type_forbidden(retattrs[ii])) {
+                        slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
+                            "skip forbidden attribute [%s]\n", derefdn);
+                        continue;
+                    }
+
                     deref_get_values(entries[0], retattrs[ii], &results, &type_name_disposition,
                                      &actual_type_name, flags, &buffer_flags);
 

ldap/servers/slapd/proto-slap.h

@@ -639,7 +639,7 @@ int is_rootdse( const char *dn );
 int get_entry_object_type();
 int entry_computed_attr_init();
 void send_referrals_from_entry(Slapi_PBlock *pb, Slapi_Entry *referral);
-
+int is_type_forbidden(const char *type);
 
 /*
  * dse.c

ldap/servers/slapd/slapi-private.h

@@ -331,7 +331,6 @@ int entry_next_deleted_attribute( const Slapi_Entry *e, Slapi_Attr **a);
 /* entry.c */
 int entry_apply_mods( Slapi_Entry *e, LDAPMod **mods );
 int is_type_protected(const char *type);
-int is_type_forbidden(const char *type);
 
 int slapi_entries_diff(Slapi_Entry **old_entries, Slapi_Entry **new_entries, int testall, const char *logging_prestr, const int force_update, void *plg_id);