s4:password_hash LDB module - support this new password set syntax

diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index e90653f7ec276ceeb174942a4f64ec1d1e4c3d44..48d841b817b6b2fabb0753ecd77dfb1ec91c4fda 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -2431,10 +2431,18 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
                                ++rep_attr_cnt;
                        }
                        if ((passwordAttr->num_values != 1) &&
-                           (passwordAttr->flags != LDB_FLAG_MOD_REPLACE)) {
+                           (passwordAttr->flags == LDB_FLAG_MOD_ADD)) {
                                talloc_free(ac);
                                ldb_asprintf_errstring(ldb,
-                                                      "'%s' attributes must have exactly one value!",
+                                                      "'%s' attribute must have exactly one value on add operations!",
+                                                      *l);
+                               return LDB_ERR_CONSTRAINT_VIOLATION;
+                       }
+                       if ((passwordAttr->num_values > 1) &&
+                           (passwordAttr->flags == LDB_FLAG_MOD_DELETE)) {
+                               talloc_free(ac);
+                               ldb_asprintf_errstring(ldb,
+                                                      "'%s' attribute must have zero or one value(s) on delete operations!",
                                                       *l);
                                return LDB_ERR_CONSTRAINT_VIOLATION;
                        }