https://bugzilla.redhat.com/show_bug.cgi?id=554887

The problem appears to be this - passwd_extop.c line 173:

    /* We copy the connection from the original pblock into the
     * pblock we use for the internal modify operation. We do
     * this to allow the password policy code to be able to tell
     * that the password change was initiated by the user who
     * sent the extended operation instead of always assuming
     * that it was done by the root DN. */
    pb.pb_conn = pb_orig->pb_conn;

This makes the internal ops think this is a real connection, and therefore it attempts to send back the result of the internal operation as a real result back to the client:

send_ldap_result_ext() result.c line 357:

    if ( conn == NULL ) {
        if ( operation->o_result_handler != NULL ) {
            operation->o_result_handler( conn, operation, err, matched, text, nentries, urls );
            logit = 1;
        }
        goto log_and_return;
    }

I don't think the passwd_extop code should use the entire connection. I'm thinking that perhaps just the authentication parts of the connection for ACI purposes. Does anyone know exactly what parts of the conn were needed to fulfill the requirements above?

--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel
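
The interaction described in the message above, reduced to a self-contained C model. This is an added example, not 389 Directory Server code: every type and function name, the auth_dn field and the sample DNs are hypothetical, and it assumes the bind DN is the only part of the connection the password policy check needs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model; all names here are hypothetical, not the server's API. */
typedef struct { const char *bind_dn; int results_sent_to_client; } conn_t;
typedef struct {
    conn_t *conn;         /* non-NULL is read as "a client awaits a result" */
    const char *auth_dn;  /* identity only, for password policy / ACI checks */
    int handler_calls;    /* results delivered to the internal handler */
} pblock_t;

/* Mirrors the quoted branch: no connection means use the internal handler. */
static void send_result(pblock_t *pb) {
    if (pb->conn == NULL) { pb->handler_calls++; return; }
    pb->conn->results_sent_to_client++;  /* written to the client's socket */
}

/* Who does the policy code think is changing the password? */
static const char *policy_actor(const pblock_t *pb) {
    if (pb->auth_dn) return pb->auth_dn;
    if (pb->conn) return pb->conn->bind_dn;
    return "cn=Directory Manager";       /* constructed root DN */
}

/* Behaviour described in the post: internal modify borrows the whole conn. */
static int modify_with_full_conn(conn_t *client) {
    pblock_t pb = { .conn = client };
    send_result(&pb);
    return client->results_sent_to_client;  /* 1: stray result on the wire */
}

/* Alternative: carry only the identity, so the result stays internal. */
static int modify_with_identity_only(conn_t *client, const char **actor) {
    pblock_t pb = { .conn = NULL, .auth_dn = client->bind_dn };
    send_result(&pb);
    *actor = policy_actor(&pb);
    return client->results_sent_to_client;  /* 0: nothing sent to client */
}

int main(void) {
    conn_t a = { "uid=alice,dc=example,dc=com", 0 };  /* constructed DN */
    conn_t b = a;
    const char *actor = NULL;
    printf("full conn: %d stray result(s)\n", modify_with_full_conn(&a));
    printf("identity only: %d stray result(s), actor=%s\n",
           modify_with_identity_only(&b, &actor), actor);
    return 0;
}
```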