s4:dsdb/password_hash: make the DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET code path more...
authorStefan Metzmacher <metze@samba.org>
Mon, 30 May 2016 15:12:51 +0000 (17:12 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 27 Jun 2016 03:00:17 +0000 (05:00 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/samdb/ldb_modules/password_hash.c

index f1b9b36a03c2c872ad38302e6245b378151100fa..946ab34a785130973e228c722cc8b97f8587c187 100644 (file)
@@ -1695,14 +1695,23 @@ static int setup_last_set_field(struct setup_password_fields_io *io)
        }
 
        if (io->ac->pwd_last_set_bypass) {
-               struct ldb_message_element *el;
+               struct ldb_message_element *el1 = NULL;
+               struct ldb_message_element *el2 = NULL;
 
                if (msg == NULL) {
                        return LDB_ERR_CONSTRAINT_VIOLATION;
                }
 
-               el = ldb_msg_find_element(msg, "pwdLastSet");
-               if (el == NULL) {
+               el1 = dsdb_get_single_valued_attr(msg, "pwdLastSet",
+                                                 io->ac->req->operation);
+               if (el1 == NULL) {
+                       return LDB_ERR_CONSTRAINT_VIOLATION;
+               }
+               el2 = ldb_msg_find_element(msg, "pwdLastSet");
+               if (el2 == NULL) {
+                       return LDB_ERR_CONSTRAINT_VIOLATION;
+               }
+               if (el1 != el2) {
                        return LDB_ERR_CONSTRAINT_VIOLATION;
                }
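Review bot: The `el1 != el2` comparison that follows the two lookups has no comment, and its purpose is not evident from the code. It presumably rejects a request that carries more than one `pwdLastSet` element, since `ldb_msg_find_element()` returns the first match while `dsdb_get_single_valued_attr()` may pick a different one depending on the operation; that should be confirmed against the helper. I would add, above the first lookup, `/* The bypass is only honoured if the message carries exactly one pwdLastSet element. */`. All three rejection branches also return a bare `LDB_ERR_CONSTRAINT_VIOLATION`, so a refused bypass request cannot be told apart in logs; a distinct error string per branch would help when auditing use of this control. The body of setup_last_set_field starts and continues outside the hunk.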