From 0e6c3ac53a325051ef2d2478bfaff44c46cd39f0 Mon Sep 17 00:00:00 2001

From: Nathan Kinder <nkinder@redhat.com>

Date: Mon, 17 Mar 2014 19:34:45 -0700

Subject: [PATCH 304/305] Ticket 47752 - Don't add unhashed password mod if we

 don't have an unhashed value

When performing a modify operation to replace the userpassword with a pre-hashed

value, the modify code adds a LDAPMod that replaces the "unhashed#user#password"

attribute with no values. While this doesn't cause any harm inside DS itself, it

is not the correct behavior. We should only add a LDAPMod for the unhashed password

if we actually have an unhashed value available.

https://fedorahosted.org/389/ticket/47752

Reviewed by mreynold@redhat.com

(cherry picked from commit ccc61a3a589a47844a7e6eeb13f87e1351637618)

---

 ldap/servers/slapd/modify.c | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c

index 90c9f8c..9c6610f 100644

--- a/ldap/servers/slapd/modify.c

+++ b/ldap/servers/slapd/modify.c

@@ -961,10 +961,10 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)

 			} else {

 				/* add pseudo password attribute - only if it's value is clear text */

 				valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);

-				if(va){

+				if(va && va[0]){

 					slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);

-					valuearray_free(&va);

 				}

+                                valuearray_free(&va);

 			}

 			/* Init new value array for hashed value */

-- 

1.9.3