
Resolves: 201332
Summary: Allow password modify extop when password reset is needed.

Nathan Kinder 17 年之前
父节点
当前提交
ea1286557f
共有 4 个文件被更改,包括 23 次插入9 次删除
  1. 1 1
      ldap/servers/slapd/connection.c
  2. 16 0
      ldap/servers/slapd/extendop.c
  3. 5 8
      ldap/servers/slapd/passwd_extop.c
  4. 1 0
      ldap/servers/slapd/slap.h

+ 1 - 1
ldap/servers/slapd/connection.c

@@ -449,7 +449,7 @@ connection_need_new_password(const Connection *conn, const Operation *op, Slapi_
 
 	if ( conn->c_needpw && op->o_tag != LDAP_REQ_MODIFY &&
 		op->o_tag != LDAP_REQ_BIND && op->o_tag != LDAP_REQ_UNBIND && 
-		op->o_tag != LDAP_REQ_ABANDON )
+		op->o_tag != LDAP_REQ_ABANDON && op->o_tag != LDAP_REQ_EXTENDED)
 	{
 		slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);	
 		slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d %s\n",
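Review bot: Adding `op->o_tag != LDAP_REQ_EXTENDED` to the condition in connection_need_new_password means this function no longer restricts extended operations at all for a connection with `c_needpw` set, and nothing at this site records that the restriction now lives only in do_extended. A later change that reorders or bypasses the check in do_extended would let such a connection run any extended operation without this function objecting. I would add a comment above the condition such as `/* extended ops pass here; do_extended() rejects all but EXTOP_PASSWD_OID while c_needpw is set (replication sessions excepted) */`. The function body starts and ends outside the hunk.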

+ 16 - 0
ldap/servers/slapd/extendop.c

@@ -295,6 +295,22 @@ do_extended( Slapi_PBlock *pb )
 		goto free_and_return;
 	}
 
+	/* If a password change is required, only allow the password
+	 * modify extended operation */
+	if (!pb->pb_conn->c_isreplication_session &&
+                pb->pb_conn->c_needpw && (strcmp(extoid, EXTOP_PASSWD_OID) != 0))
+	{
+		char *dn = NULL;
+		slapi_pblock_get(pb, SLAPI_CONN_DN, &dn);
+
+		(void)slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0);
+		op_shared_log_error_access (pb, "EXT", dn ? dn : "", "need new password");
+		send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, NULL, 0, NULL );
+
+		slapi_ch_free_string(&dn);
+		goto free_and_return;
+	}
+
 	slapi_pblock_set( pb, SLAPI_EXT_OP_REQ_OID, extoid );
 	slapi_pblock_set( pb, SLAPI_EXT_OP_REQ_VALUE, &extval );
 	rc = plugin_call_exop_plugins( pb, extoid );
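Review bot: The new gate in do_extended compares only `extoid` with `EXTOP_PASSWD_OID`, so while `c_needpw` is set any password modify request passes this point regardless of which entry it names as its target. Whether passwd_modify_extop limits the request to the bound user's own entry in that state, and whether `c_needpw` is cleared after a successful change, is not visible in this commit and should be confirmed; if neither holds, a connection that is supposed to be limited to resetting its own password may keep whatever password-change rights its ACIs grant over other entries. A comment recording the dependency would help, e.g. `/* only the OID is checked here; passwd_modify_extop() must enforce the target-entry rules while c_needpw is set */`. The block also dereferences `pb->pb_conn` without a NULL test, which is safe only if the earlier part of do_extended already guarantees it; the function begins and ends outside the hunk.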

+ 5 - 8
ldap/servers/slapd/passwd_extop.c

@@ -82,9 +82,6 @@
 /* number of random bytes needed to generate password */
 #define LDAP_EXTOP_PASSMOD_RANDOM_BYTES	6
 
-/* OID of the extended operation handled by this plug-in */
-#define EXOP_PASSWD_OID	"1.3.6.1.4.1.4203.1.11.1"
-
 
 Slapi_PluginDesc passwdopdesc = { "passwd_modify_plugin", "Fedora", "0.1",
 	"Password Modify extended operation plugin" };
@@ -450,7 +447,7 @@ passwd_modify_extop( Slapi_PBlock *pb )
 
 	/* Before going any further, we'll make sure that the right extended operation plugin
 	 * has been called: i.e., the OID shipped whithin the extended operation request must 
-	 * match this very plugin's OID: EXOP_PASSWD_OID. */
+	 * match this very plugin's OID: EXTOP_PASSWD_OID. */
 	if ( slapi_pblock_get( pb, SLAPI_EXT_OP_REQ_OID, &oid ) != 0 ) {
 		errMesg = "Could not get OID value from request.\n";
 		rc = LDAP_OPERATIONS_ERROR;
@@ -462,7 +459,7 @@ passwd_modify_extop( Slapi_PBlock *pb )
 				 "Received extended operation request with OID %s\n", oid );
 	}
 	
-	if ( strcasecmp( oid, EXOP_PASSWD_OID ) != 0) {
+	if ( strcasecmp( oid, EXTOP_PASSWD_OID ) != 0) {
 	        errMesg = "Request OID does not match Passwd OID.\n";
 		rc = LDAP_OPERATIONS_ERROR;
 		goto free_and_return;
@@ -783,7 +780,7 @@ parse_req_done:
 
 
 static char *passwd_oid_list[] = {
-	EXOP_PASSWD_OID,
+	EXTOP_PASSWD_OID,
 	NULL
 };
 
@@ -812,9 +809,9 @@ int passwd_modify_init( Slapi_PBlock *pb )
 
 	/* Compare the OID specified in the configuration file against the Passwd OID. */
 
-	if ( argv == NULL || strcmp( argv[0], EXOP_PASSWD_OID ) != 0 ) {
+	if ( argv == NULL || strcmp( argv[0], EXTOP_PASSWD_OID ) != 0 ) {
 		slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_init", 
-				 "OID is missing or is not %s\n", EXOP_PASSWD_OID );
+				 "OID is missing or is not %s\n", EXTOP_PASSWD_OID );
 		return( -1 );
 	} else {
 		oid = slapi_ch_strdup( argv[0] );

+ 1 - 0
ldap/servers/slapd/slap.h

@@ -540,6 +540,7 @@ typedef int (*SyntaxEnumFunc)(char **names, Slapi_PluginDesc *plugindesc,
 /* extended operations supported by the server */
 #define EXTOP_BULK_IMPORT_START_OID     "2.16.840.1.113730.3.5.7"
 #define EXTOP_BULK_IMPORT_DONE_OID      "2.16.840.1.113730.3.5.8"
+#define EXTOP_PASSWD_OID		"1.3.6.1.4.1.4203.1.11.1"
 
 /* 
  * Represents a Distinguished Name of an entry