s4:dsdb/password_hash: move ldb_msg_add_empty() calls to update_final_msg()
authorStefan Metzmacher <metze@samba.org>
Tue, 31 May 2016 08:39:23 +0000 (10:39 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 27 Jun 2016 03:00:17 +0000 (05:00 +0200)
We should only replace attributes when we're asked to do so.
Currently that's always the case, but that will change soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/samdb/ldb_modules/password_hash.c

index 7e6ae4cb666b0956eed516350b59886337eba761..ebf0b804097e4c2511acd51f03cd8f8d88ff1594 100644 (file)
@@ -2156,6 +2156,47 @@ static int update_final_msg(struct setup_password_fields_io *io,
 {
        struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
        int ret;
+       int el_flags = 0;
+
+       if (io->ac->req->operation == LDB_MODIFY) {
+               el_flags |= LDB_FLAG_MOD_REPLACE;
+       }
+
+       /* make sure we replace all the old attributes */
+       if (io->ac->update_password && el_flags != 0) {
+               ret = ldb_msg_add_empty(msg, "unicodePwd",
+                                       el_flags, NULL);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+               ret = ldb_msg_add_empty(msg, "dBCSPwd",
+                                       el_flags, NULL);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+               ret = ldb_msg_add_empty(msg, "ntPwdHistory",
+                                       el_flags, NULL);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+               ret = ldb_msg_add_empty(msg, "lmPwdHistory",
+                                       el_flags, NULL);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+               ret = ldb_msg_add_empty(msg, "supplementalCredentials",
+                                       el_flags, NULL);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+       }
+       if (io->ac->update_lastset && el_flags != 0) {
+               ret = ldb_msg_add_empty(msg, "pwdLastSet",
+                                       el_flags, NULL);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+       }
 
        if (io->g.nt_hash != NULL) {
                ret = samdb_msg_add_hash(ldb, io->ac, msg,
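Review bot: The five `ldb_msg_add_empty()` calls under `io->ac->update_password` repeat the same call-and-check once per credential attribute, so the list of attributes that get cleared lives in copy-pasted code. A `static const` name table with one loop keeps that list in one place and makes it harder to add a new credential attribute to the write path without also clearing its old value on modify. The comment `/* make sure we replace all the old attributes */` should also say that nothing is emptied unless the request is an `LDB_MODIFY`, since `el_flags` stays 0 otherwise. Whether the hash-adding code after this block relies on these elements already existing is not visible here, because `update_final_msg()` starts before the hunk and continues past it.

```c
	static const char * const pw_attrs[] = {
		"unicodePwd",
		"dBCSPwd",
		"ntPwdHistory",
		"lmPwdHistory",
		"supplementalCredentials",
	};
	size_t i;
	/* ... unchanged: ldb, ret, el_flags declarations and LDB_MODIFY check ... */

	/*
	 * make sure we replace all the old attributes;
	 * el_flags is only set for LDB_MODIFY, so other
	 * operations add no empty elements here
	 */
	if (io->ac->update_password && el_flags != 0) {
		for (i = 0; i < sizeof(pw_attrs) / sizeof(pw_attrs[0]); i++) {
			ret = ldb_msg_add_empty(msg, pw_attrs[i],
						el_flags, NULL);
			if (ret != LDB_SUCCESS) {
				return ret;
			}
		}
	}
	/* ... unchanged: pwdLastSet block under io->ac->update_lastset ... */
```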
@@ -3499,14 +3540,6 @@ static int password_hash_mod_do_mod(struct ph_context *ac)
                return ret;
        }
 
-       /* make sure we replace all the old attributes */
-       ret = ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL);
-       ret = ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL);
-       ret = ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
-       ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
-       ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
-       ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
-
        ret = update_final_msg(&io, msg);
        if (ret != LDB_SUCCESS) {
                return ret;