From 63672067ea1d5f2bde8533aa243aaf707ded00d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Sat, 30 Jul 2011 12:34:40 -0700
Subject: [PATCH] add nob for [kadmin]allow_self_change_password
---
 kadmin/server.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/kadmin/server.c b/kadmin/server.c
index 7395e9f78..0ac0b83e4 100644
--- a/kadmin/server.c
+++ b/kadmin/server.c
@@ -235,14 +235,17 @@ kadmind_dispatch(void *kadm_handlep, krb5_boolean initial,
  /*
  * The change is allowed if at least one of:
-
- * a) it's for the principal him/herself and this was an
+ *
+ * a) allowed by sysadmin
+ * b) it's for the principal him/herself and this was an
  * initial ticket, but then, check with the password quality
  * function.
- * b) the user is on the CPW ACL.
+ * c) the user is on the CPW ACL.
  */
- if (initial
+ if (krb5_config_get_bool_default(contextp->context, NULL, TRUE,
+ "kadmin", "allow_self_change_password", NULL)
+ && initial
  && krb5_principal_compare (contextp->context, contextp->caller, princ)) {
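Review bot: The rewritten comment lists "a) allowed by sysadmin" as an independent alternative under "at least one of", but the new condition ANDs the `allow_self_change_password` lookup with `initial` and `krb5_principal_compare(...)`, so the knob is a precondition of the self-service case, not a separate way to authorize a change. A reader auditing this authorization decision from the comment alone could conclude that enabling the option (it defaults to TRUE) permits any caller to change any principal's password. I would keep two cases and fold the knob into the first, e.g. `* a) [kadmin] allow_self_change_password is true (the default), it's for the principal him/herself and this was an initial ticket, ...` followed by `* b) the user is on the CPW ACL.`. The `if` body and the ACL branch lie outside this hunk, so the behaviour when the option is false (presumably falling through to the CPW ACL check) should be confirmed there.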