krb5 commit: Allow principals to refer to nonexistent policies

Greg Hudson ghudson at MIT.EDU
Wed Jan 9 15:41:47 EST 2013


https://github.com/krb5/krb5/commit/0780e46fc13dbafa177525164997cd204cc50b51
commit 0780e46fc13dbafa177525164997cd204cc50b51
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue Jan 8 15:20:45 2013 -0500

    Allow principals to refer to nonexistent policies
    
    Stop using and maintaining the policy_refcnt field, and do not try to
    prevent deletion of a policy which is still referenced by principals.
    Instead, allow principals to refer to policy names which do not exist
    as policy objects; treat those principals as having no associated
    policy.
    
    In the kadmin client, warn if addprinc or modprinc tries to reference
    a policy which doesn't exist, since the server will no longer error
    out in this case.
    
    ticket: 7385

 src/include/kdb.h                                  |    2 +-
 src/kadmin/cli/kadmin.c                            |   49 ++-
 src/kadmin/dbutil/dump.c                           |   29 +-
 src/lib/kadm5/admin.h                              |    2 +-
 src/lib/kadm5/srv/svr_policy.c                     |   11 -
 src/lib/kadm5/srv/svr_principal.c                  |  229 ++++---------
 .../kadm5/unit-test/api.current/crte-principal.exp |    4 +-
 .../kadm5/unit-test/api.current/dlte-policy.exp    |    5 +-
 .../kadm5/unit-test/api.current/dlte-principal.exp |   76 ----
 .../kadm5/unit-test/api.current/mod-principal.exp  |  369 +-------------------
 src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c |    7 -
 src/tests/dejagnu/krb-standalone/kadmin.exp        |    3 +-
 src/tests/kdbtest.c                                |    3 +-
 13 files changed, 125 insertions(+), 664 deletions(-)

diff --git a/src/include/kdb.h b/src/include/kdb.h
index 1bfb5d0..78d78c5 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -215,7 +215,7 @@ typedef struct _osa_policy_ent_t {
     krb5_ui_4       pw_min_length;
     krb5_ui_4       pw_min_classes;
     krb5_ui_4       pw_history_num;
-    krb5_ui_4       policy_refcnt;
+    krb5_ui_4       policy_refcnt;              /* no longer used */
     /* Only valid if version > 1 */
     krb5_ui_4       pw_max_fail;                /* pwdMaxFailure */
     krb5_ui_4       pw_failcnt_interval;        /* pwdFailureCountInterval */
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index 649bbc1..151f316 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -232,6 +232,17 @@ randkey_princ(krb5_principal princ, krb5_boolean keepold, int n_ks,
         return kadm5_randkey_principal(handle, princ, NULL, NULL);
 }
 
+static krb5_boolean
+policy_exists(const char *name)
+{
+    kadm5_policy_ent_rec pol;
+
+    if (kadm5_get_policy(handle, (char *)name, &pol) != 0)
+        return FALSE;
+    kadm5_free_policy_ent(handle, &pol);
+    return TRUE;
+}
+
 char *
 kadmin_startup(int argc, char *argv[])
 {
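Review bot: policy_exists() reports any nonzero return from kadm5_get_policy as "does not exist", so a failure unrelated to existence (for instance the server denying the get-policy privilege to a kadmin user who may still add or modify principals, or an RPC error) makes addprinc and modprinc print a misleading `WARNING: policy "X" does not exist` and getprinc append `[does not exist]` for a policy that is present. The server-side helper this commit adds in svr_principal.c treats only KADM5_UNK_POLICY as nonexistence; the client should use the same test and stay silent when it cannot tell. The rewrite below does that; the addprinc, modprinc and getprinc hunks that call it need no change.
```c
static krb5_boolean
policy_exists(const char *name)
{
    kadm5_policy_ent_rec pol;
    kadm5_ret_t ret;

    ret = kadm5_get_policy(handle, (char *)name, &pol);
    if (ret == KADM5_UNK_POLICY)
        return FALSE;
    if (ret != 0)
        return TRUE;    /* Can't tell; don't emit a misleading warning. */
    kadm5_free_policy_ent(handle, &pol);
    return TRUE;
}
```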
@@ -1158,7 +1169,6 @@ void
 kadmin_addprinc(int argc, char *argv[])
 {
     kadm5_principal_ent_rec princ;
-    kadm5_policy_ent_rec defpol;
     long mask;
     krb5_boolean randkey = FALSE, old_style_randkey = FALSE;
     int n_ks_tuple;
@@ -1184,23 +1194,24 @@ kadmin_addprinc(int argc, char *argv[])
         goto cleanup;
     }
 
-    /*
-     * If -policy was not specified, and -clearpolicy was not
-     * specified, and the policy "default" exists, assign it.  If
-     * -clearpolicy was specified, then KADM5_POLICY_CLR should be
-     * unset, since it is never valid for kadm5_create_principal.
-     */
-    if (!(mask & KADM5_POLICY) && !(mask & KADM5_POLICY_CLR)) {
-        if (!kadm5_get_policy(handle, "default", &defpol)) {
+    if (mask & KADM5_POLICY) {
+        /* Warn if the specified policy does not exist. */
+        if (!policy_exists(princ.policy)) {
+            fprintf(stderr, _("WARNING: policy \"%s\" does not exist\n"),
+                    princ.policy);
+        }
+    } else if (!(mask & KADM5_POLICY_CLR)) {
+        /* If the policy "default" exists, assign it. */
+        if (policy_exists("default")) {
             fprintf(stderr, _("NOTICE: no policy specified for %s; "
                               "assigning \"default\"\n"), canon);
             princ.policy = "default";
             mask |= KADM5_POLICY;
-            kadm5_free_policy_ent(handle, &defpol);
         } else
             fprintf(stderr, _("WARNING: no policy specified for %s; "
                               "defaulting to no policy\n"), canon);
     }
+    /* Don't send KADM5_POLICY_CLR to the server. */
     mask &= ~KADM5_POLICY_CLR;
 
     if (randkey) {
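Review bot: The warning block under `if (mask & KADM5_POLICY)` is repeated verbatim in the kadmin_modprinc hunk below (same condition, same call, same translated message); a small helper such as `warn_if_policy_missing(princ.policy)` wrapping the policy_exists() call and the fprintf would keep the message and its translation in one place and shrink both call sites to one line. The warning is advisory only, since the request is still sent either way, which matches the commit description.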
@@ -1312,6 +1323,13 @@ kadmin_modprinc(int argc, char *argv[])
         kadmin_modprinc_usage();
         goto cleanup;
     }
+    if (mask & KADM5_POLICY) {
+        /* Warn if the specified policy does not exist. */
+        if (!policy_exists(princ.policy)) {
+            fprintf(stderr, _("WARNING: policy \"%s\" does not exist\n"),
+                    princ.policy);
+        }
+    }
     if (mask) {
         /* Skip this if all we're doing is setting certhash. */
         retval = kadm5_modify_principal(handle, &princ, mask);
@@ -1336,6 +1354,7 @@ kadmin_getprinc(int argc, char *argv[])
     kadm5_principal_ent_rec dprinc;
     krb5_principal princ = NULL;
     krb5_error_code retval;
+    const char *polname, *noexist;
     char *canon = NULL, *princstr = NULL, *modprincstr = NULL;
     int i;
     size_t j;
@@ -1422,7 +1441,10 @@ kadmin_getprinc(int argc, char *argv[])
                 printf(" %s", prflags[j]);
         }
         printf("\n");
-        printf(_("Policy: %s\n"), dprinc.policy ? dprinc.policy : _("[none]"));
+        polname = (dprinc.policy != NULL) ? dprinc.policy : _("[none]");
+        noexist = (dprinc.policy != NULL && !policy_exists(dprinc.policy)) ?
+            _(" [does not exist]") : "";
+        printf(_("Policy: %s%s\n"), polname, noexist);
     } else {
         printf("\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"\t%d\t%d\t%d\t%d\t\"%s\""
                "\t%d\t%d\t%d\t%d\t%d",
@@ -1699,7 +1721,6 @@ kadmin_getpol(int argc, char *argv[])
         printf(_("Minimum number of password character classes: %ld\n"),
                policy.pw_min_classes);
         printf(_("Number of old keys kept: %ld\n"), policy.pw_history_num);
-        printf(_("Reference count: %ld\n"), policy.policy_refcnt);
         printf(_("Maximum password failures before lockout: %lu\n"),
                (unsigned long)policy.pw_max_fail);
         printf(_("Password failure count reset interval: %s\n"),
@@ -1709,11 +1730,11 @@ kadmin_getpol(int argc, char *argv[])
         if (policy.allowed_keysalts != NULL)
             printf(_("Allowed key/salt types: %s\n"), policy.allowed_keysalts);
     } else {
+        /* Output 0 where we used to output policy_refcnt. */
         printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\t%lu\t%ld\t%ld\t%s\n",
                policy.policy, policy.pw_max_life, policy.pw_min_life,
                policy.pw_min_length, policy.pw_min_classes,
-               policy.pw_history_num, policy.policy_refcnt,
-               (unsigned long)policy.pw_max_fail,
+               policy.pw_history_num, 0, (unsigned long)policy.pw_max_fail,
                (long)policy.pw_failcnt_interval,
                (long)policy.pw_lockout_duration,
                (policy.allowed_keysalts == NULL) ? "-" :
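Review bot: The `0` substituted for policy_refcnt is an int, but the conversion it lands on in the format string above is `%ld` (the sixth `%ld` after the `%s`), which is a type mismatch in a variadic call and undefined behavior that -Wformat will flag; the neighbouring arguments are all passed as long or unsigned long. Pass a value of the matching type: `policy.pw_history_num, 0L, (unsigned long)policy.pw_max_fail,`. The three dump.c hunks use `%d` for that column, so their bare `0` is fine.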
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 7b515bd..af10c9c 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -1112,8 +1112,7 @@ void dump_k5beta7_policy(void *data, osa_policy_ent_t entry)
     arg = (struct dump_args *) data;
     fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\n", entry->name,
             entry->pw_min_life, entry->pw_max_life, entry->pw_min_length,
-            entry->pw_min_classes, entry->pw_history_num,
-            entry->policy_refcnt);
+            entry->pw_min_classes, entry->pw_history_num, 0);
 }
 
 void dump_r1_8_policy(void *data, osa_policy_ent_t entry)
@@ -1124,9 +1123,9 @@ void dump_r1_8_policy(void *data, osa_policy_ent_t entry)
     fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\n",
             entry->name,
             entry->pw_min_life, entry->pw_max_life, entry->pw_min_length,
-            entry->pw_min_classes, entry->pw_history_num,
-            entry->policy_refcnt, entry->pw_max_fail,
-            entry->pw_failcnt_interval, entry->pw_lockout_duration);
+            entry->pw_min_classes, entry->pw_history_num, 0,
+            entry->pw_max_fail, entry->pw_failcnt_interval,
+            entry->pw_lockout_duration);
 }
 
 void
@@ -1140,10 +1139,10 @@ dump_r1_11_policy(void *data, osa_policy_ent_t entry)
             "%d\t%d\t%d\t%s\t%d",
             entry->name,
             entry->pw_min_life, entry->pw_max_life, entry->pw_min_length,
-            entry->pw_min_classes, entry->pw_history_num,
-            entry->policy_refcnt, entry->pw_max_fail,
-            entry->pw_failcnt_interval, entry->pw_lockout_duration,
-            entry->attributes, entry->max_life, entry->max_renewable_life,
+            entry->pw_min_classes, entry->pw_history_num, 0,
+            entry->pw_max_fail, entry->pw_failcnt_interval,
+            entry->pw_lockout_duration, entry->attributes, entry->max_life,
+            entry->max_renewable_life,
             entry->allowed_keysalts ? entry->allowed_keysalts : "-",
             entry->n_tl_data);
 
@@ -2301,7 +2300,7 @@ process_k5beta7_policy(fname, kcontext, filep, flags, linenop)
 {
     osa_policy_ent_rec rec;
     char namebuf[1024];
-    int nread, ret;
+    int nread, refcnt, ret;
 
     memset(&rec, 0, sizeof(rec));
 
@@ -2311,7 +2310,7 @@ process_k5beta7_policy(fname, kcontext, filep, flags, linenop)
     nread = fscanf(filep, "%1023s\t%d\t%d\t%d\t%d\t%d\t%d", rec.name,
                    &rec.pw_min_life, &rec.pw_max_life,
                    &rec.pw_min_length, &rec.pw_min_classes,
-                   &rec.pw_history_num, &rec.policy_refcnt);
+                   &rec.pw_history_num, &refcnt);
     if (nread == EOF)
         return -1;
     else if (nread != 7) {
@@ -2344,7 +2343,7 @@ process_r1_8_policy(fname, kcontext, filep, flags, linenop)
 {
     osa_policy_ent_rec rec;
     char namebuf[1024];
-    int nread, ret;
+    int nread, refcnt, ret;
 
     memset(&rec, 0, sizeof(rec));
 
@@ -2355,7 +2354,7 @@ process_r1_8_policy(fname, kcontext, filep, flags, linenop)
                    rec.name,
                    &rec.pw_min_life, &rec.pw_max_life,
                    &rec.pw_min_length, &rec.pw_min_classes,
-                   &rec.pw_history_num, &rec.policy_refcnt,
+                   &rec.pw_history_num, &refcnt,
                    &rec.pw_max_fail, &rec.pw_failcnt_interval,
                    &rec.pw_lockout_duration);
     if (nread == EOF)
@@ -2388,7 +2387,7 @@ process_r1_11_policy(char *fname, krb5_context kcontext, FILE *filep,
     krb5_tl_data         *tl, *tl_next;
     char                  namebuf[1024];
     char                  keysaltbuf[KRB5_KDB_MAX_ALLOWED_KS_LEN + 1];
-    int                   nread;
+    int                   nread, refcnt;
     int                   ret = 0;
     const char           *try2read = NULL;
 
@@ -2406,7 +2405,7 @@ process_r1_11_policy(char *fname, krb5_context kcontext, FILE *filep,
                    rec.name,
                    &rec.pw_min_life, &rec.pw_max_life,
                    &rec.pw_min_length, &rec.pw_min_classes,
-                   &rec.pw_history_num, &rec.policy_refcnt,
+                   &rec.pw_history_num, &refcnt,
                    &rec.pw_max_fail, &rec.pw_failcnt_interval,
                    &rec.pw_lockout_duration,
                    &rec.attributes, &rec.max_life, &rec.max_renewable_life,
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
index 9260cb5..6c2efbc 100644
--- a/src/lib/kadm5/admin.h
+++ b/src/lib/kadm5/admin.h
@@ -219,7 +219,7 @@ typedef struct _kadm5_policy_ent_t {
     long            pw_min_length;
     long            pw_min_classes;
     long            pw_history_num;
-    long            policy_refcnt;
+    long            policy_refcnt;  /* no longer used */
 
     /* version 3 fields */
     krb5_kvno       pw_max_fail;
diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c
index 0d79f86..69d2fea 100644
--- a/src/lib/kadm5/srv/svr_policy.c
+++ b/src/lib/kadm5/srv/svr_policy.c
@@ -158,10 +158,6 @@ kadm5_create_policy_internal(void *server_handle,
         else
             pent.pw_history_num = entry->pw_history_num;
     }
-    if (!(mask & KADM5_REF_COUNT))
-        pent.policy_refcnt = 0;
-    else
-        pent.policy_refcnt = entry->policy_refcnt;
 
     if (handle->api_version >= KADM5_API_VERSION_4) {
         if (!(mask & KADM5_POLICY_ATTRIBUTES))
@@ -230,10 +226,6 @@ kadm5_delete_policy(void *server_handle, kadm5_policy_t name)
     else if (ret)
         return ret;
 
-    if(entry->policy_refcnt != 0) {
-        krb5_db_free_policy(handle->context, entry);
-        return KADM5_POLICY_REF;
-    }
     krb5_db_free_policy(handle->context, entry);
     ret = krb5_db_delete_policy(handle->context, name);
     if (ret == KRB5_KDB_POLICY_REF)
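Review bot: With the refcount check gone, kadm5_delete_policy removes a policy that principals still name, and those principals thereafter get no password policy at all, including no pw_max_fail lockout and no history enforcement, with nothing recorded at deletion time; that consequence belongs in the delete_policy documentation, e.g. `Principals that still reference the deleted policy are treated as having no policy until they are modified.` The surviving `if (ret == KRB5_KDB_POLICY_REF)` mapping on the last line suggests a backend can still refuse; if the ldap_pwd_policy.c change listed in the diffstat removes that backend's check, this mapping is presumably dead now and could go with it. The fetch of `entry` above the hunk now serves only to confirm the policy exists before the delete.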
@@ -368,8 +360,6 @@ kadm5_modify_policy_internal(void *server_handle,
         }
         p->pw_history_num = entry->pw_history_num;
     }
-    if ((mask & KADM5_REF_COUNT))
-        p->policy_refcnt = entry->policy_refcnt;
     if (handle->api_version >= KADM5_API_VERSION_3) {
         if ((mask & KADM5_PW_MAX_FAILURE))
             p->pw_max_fail = entry->pw_max_fail;
@@ -448,7 +438,6 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name,
     entry->pw_min_length = t->pw_min_length;
     entry->pw_min_classes = t->pw_min_classes;
     entry->pw_history_num = t->pw_history_num;
-    entry->policy_refcnt = t->policy_refcnt;
     if (handle->api_version >= KADM5_API_VERSION_3) {
         entry->pw_max_fail = t->pw_max_fail;
         entry->pw_failcnt_interval = t->pw_failcnt_interval;
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index ae36841..2000fe4 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -188,6 +188,23 @@ ks_tuple_present(int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
     return FALSE;
 }
 
+/* Fetch a policy if it exists; set *have_pol_out appropriately.  Return
+ * success whether or not the policy exists. */
+static kadm5_ret_t
+get_policy(kadm5_server_handle_t handle, const char *name,
+           kadm5_policy_ent_t policy_out, krb5_boolean *have_pol_out)
+{
+    kadm5_ret_t ret;
+
+    *have_pol_out = FALSE;
+    if (name == NULL)
+        return 0;
+    ret = kadm5_get_policy(handle->lhandle, (char *)name, policy_out);
+    if (ret == 0)
+        *have_pol_out = TRUE;
+    return (ret == KADM5_UNK_POLICY) ? 0 : ret;
+}
+
 /*
  * Apply the -allowedkeysalts policy (see kadmin(1)'s addpol/modpol
  * commands).  We use the allowed key/salt tuple list as a default if
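Review bot: get_policy() passes through every error except KADM5_UNK_POLICY, whereas the code it replaces in the apply_keysalt_policy and kadm5_create_principal_3 hunks mapped EINVAL to KADM5_BAD_POLICY (and kadm5_modify_principal additionally folded KADM5_BAD_POLICY into KADM5_UNK_POLICY), so if kadm5_get_policy still returns EINVAL for a malformed policy name, API callers now receive raw EINVAL, an error-contract change the commit message does not mention. Keeping the mapping in this one place is a single line before the return: `if (ret == EINVAL) ret = KADM5_BAD_POLICY;`. The header comment should also state what `policy_out` holds when the policy does not exist, since nothing is written to it here and apply_keysalt_policy relies on its own memset for that.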
@@ -202,6 +219,7 @@ apply_keysalt_policy(kadm5_server_handle_t handle, const char *policy,
 {
     kadm5_ret_t ret;
     kadm5_policy_ent_rec polent;
+    krb5_boolean have_polent;
     int ak_n_ks_tuple = 0;
     int new_n_ks_tuple = 0;
     krb5_key_salt_tuple *ak_ks_tuple = NULL;
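Review bot: `have_polent` is declared without an initializer, unlike every other flag this commit introduces (kadm5_modify_principal, kadm5_chpass_principal_3, kadm5_randkey_principal_3, kadm5_setv4key_principal and kadm5_setkey_principal_3 all write `= FALSE`), and it is read at `cleanup:` in a later hunk of this function; if any path reaches cleanup before the get_policy() call, that is a read of an uninitialized variable. `krb5_boolean have_polent = FALSE;` makes the function consistent with the others and safe regardless of control flow. The rest of apply_keysalt_policy lies outside this hunk.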
@@ -215,14 +233,9 @@ apply_keysalt_policy(kadm5_server_handle_t handle, const char *policy,
     }
 
     memset(&polent, 0, sizeof(polent));
-    if (policy != NULL &&
-        (ret = kadm5_get_policy(handle->lhandle, (char *)policy,
-                                &polent)) != KADM5_OK) {
-        if (ret == EINVAL)
-            ret = KADM5_BAD_POLICY;
-        if (ret)
-            goto cleanup;
-    }
+    ret = get_policy(handle, policy, &polent, &have_polent);
+    if (ret)
+        goto cleanup;
 
     if (polent.allowed_keysalts == NULL) {
         /* Requested keysalts allowed or default to supported_enctypes. */
@@ -292,7 +305,8 @@ apply_keysalt_policy(kadm5_server_handle_t handle, const char *policy,
     ret = 0;
 
 cleanup:
-    kadm5_free_policy_ent(handle->lhandle, &polent);
+    if (have_polent)
+        kadm5_free_policy_ent(handle->lhandle, &polent);
     free(ak_ks_tuple);
 
     if (new_n_kstp != NULL) {
@@ -407,14 +421,9 @@ kadm5_create_principal_3(void *server_handle,
      * If we can not find the one specified return an error
      */
     if ((mask & KADM5_POLICY)) {
-        if ((ret = kadm5_get_policy(handle->lhandle, entry->policy,
-                                    &polent)) != KADM5_OK) {
-            if (ret == EINVAL)
-                ret = KADM5_BAD_POLICY;
-            if (ret)
-                goto cleanup;
-        }
-        have_polent = TRUE;
+        ret = get_policy(handle, entry->policy, &polent, &have_polent);
+        if (ret)
+            goto cleanup;
     }
     if (password) {
         ret = passwd_check(handle, password, have_polent ? &polent : NULL,
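Review bot: The context comment directly above the new code, "If we can not find the one specified return an error", no longer describes what happens: get_policy() returns success with `have_polent` false when the policy is missing, and the create proceeds with passwd_check given a NULL policy. Replace it with something like `/* If a policy was specified, fetch it if it exists.  A nonexistent policy is allowed and is treated as no policy (see get_policy). */`. The first line of that comment sits just above the hunk.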
@@ -538,7 +547,7 @@ kadm5_create_principal_3(void *server_handle,
        single tl_data record, */
 
     adb.admin_history_kvno = INITIAL_HIST_KVNO;
-    if (have_polent) {
+    if (mask & KADM5_POLICY) {
         adb.aux_attributes = KADM5_POLICY;
 
         /* this does *not* need to be strdup'ed, because adb is xdr */
@@ -547,37 +556,12 @@ kadm5_create_principal_3(void *server_handle,
         adb.policy = entry->policy;
     }
 
-    /* increment the policy ref count, if any */
-
-    if (have_polent) {
-        polent.policy_refcnt++;
-        if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent,
-                                                KADM5_REF_COUNT))
-            != KADM5_OK)
-            goto cleanup;
-    }
-
     /* In all cases key and the principal data is set, let the database provider know */
     kdb->mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL ;
 
     /* store the new db entry */
     ret = kdb_put_entry(handle, kdb, &adb);
 
-
-    if (ret) {
-        if (have_polent) {
-            /* decrement the policy ref count */
-
-            polent.policy_refcnt--;
-            /*
-             * if this fails, there's nothing we can do anyway.  the
-             * policy refcount wil be too high.
-             */
-            (void) kadm5_modify_policy_internal(handle->lhandle, &polent,
-                                                KADM5_REF_COUNT);
-        }
-    }
-
     (void) k5_kadm5_hook_create(handle->context, handle->hook_handles,
                                 KADM5_HOOK_STAGE_POSTCOMMIT, entry, mask,
                                 new_n_ks_tuple, new_ks_tuple, password);
@@ -595,7 +579,6 @@ kadm5_ret_t
 kadm5_delete_principal(void *server_handle, krb5_principal principal)
 {
     unsigned int                ret;
-    kadm5_policy_ent_rec        polent;
     krb5_db_entry               *kdb;
     osa_princ_ent_rec           adb;
     kadm5_server_handle_t handle = server_handle;
@@ -616,25 +599,6 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal)
         return ret;
     }
 
-    if ((adb.aux_attributes & KADM5_POLICY)) {
-        if ((ret = kadm5_get_policy(handle->lhandle,
-                                    adb.policy, &polent))
-            == KADM5_OK) {
-            polent.policy_refcnt--;
-            if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent,
-                                                    KADM5_REF_COUNT))
-                != KADM5_OK) {
-                (void) kadm5_free_policy_ent(handle->lhandle, &polent);
-                kdb_free_entry(handle, kdb, &adb);
-                return(ret);
-            }
-        }
-        if ((ret = kadm5_free_policy_ent(handle->lhandle, &polent))) {
-            kdb_free_entry(handle, kdb, &adb);
-            return ret;
-        }
-    }
-
     ret = kdb_delete_entry(handle, principal);
 
     kdb_free_entry(handle, kdb, &adb);
@@ -652,8 +616,8 @@ kadm5_modify_principal(void *server_handle,
                        kadm5_principal_ent_t entry, long mask)
 {
     int                     ret, ret2, i;
-    kadm5_policy_ent_rec    npol, opol;
-    int                     have_npol = 0, have_opol = 0;
+    kadm5_policy_ent_rec    pol;
+    krb5_boolean            have_pol = FALSE;
     krb5_db_entry           *kdb;
     krb5_tl_data            *tl_data_orig;
     osa_princ_ent_rec       adb;
@@ -693,99 +657,36 @@ kadm5_modify_principal(void *server_handle,
      */
 
     if ((mask & KADM5_POLICY)) {
-        /* get the new policy */
-        ret = kadm5_get_policy(handle->lhandle, entry->policy, &npol);
-        if (ret) {
-            switch (ret) {
-            case EINVAL:
-                ret = KADM5_BAD_POLICY;
-                break;
-            case KADM5_UNK_POLICY:
-            case KADM5_BAD_POLICY:
-                ret =  KADM5_UNK_POLICY;
-                break;
-            }
+        ret = get_policy(handle, entry->policy, &pol, &have_pol);
+        if (ret)
             goto done;
-        }
-        have_npol = 1;
-
-        /* if we already have a policy, get it to decrement the refcnt */
-        if(adb.aux_attributes & KADM5_POLICY) {
-            /* ... but not if the old and new are the same */
-            if(strcmp(adb.policy, entry->policy)) {
-                ret = kadm5_get_policy(handle->lhandle,
-                                       adb.policy, &opol);
-                switch(ret) {
-                case EINVAL:
-                case KADM5_BAD_POLICY:
-                case KADM5_UNK_POLICY:
-                    break;
-                case KADM5_OK:
-                    have_opol = 1;
-                    opol.policy_refcnt--;
-                    break;
-                default:
-                    goto done;
-                    break;
-                }
-                npol.policy_refcnt++;
-            }
-        } else npol.policy_refcnt++;
 
         /* set us up to use the new policy */
         adb.aux_attributes |= KADM5_POLICY;
         if (adb.policy)
             free(adb.policy);
         adb.policy = strdup(entry->policy);
-
+    }
+    if (have_pol) {
         /* set pw_max_life based on new policy */
-        if (npol.pw_max_life) {
+        if (pol.pw_max_life) {
             ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb,
                                                   &(kdb->pw_expiration));
             if (ret)
                 goto done;
-            kdb->pw_expiration += npol.pw_max_life;
+            kdb->pw_expiration += pol.pw_max_life;
         } else {
             kdb->pw_expiration = 0;
         }
     }
 
-    if ((mask & KADM5_POLICY_CLR) &&
-        (adb.aux_attributes & KADM5_POLICY)) {
-        ret = kadm5_get_policy(handle->lhandle, adb.policy, &opol);
-        switch(ret) {
-        case EINVAL:
-        case KADM5_BAD_POLICY:
-        case KADM5_UNK_POLICY:
-            ret = KADM5_BAD_DB;
-            goto done;
-            break;
-        case KADM5_OK:
-            have_opol = 1;
-            if (adb.policy)
-                free(adb.policy);
-            adb.policy = NULL;
-            adb.aux_attributes &= ~KADM5_POLICY;
-            kdb->pw_expiration = 0;
-            opol.policy_refcnt--;
-            break;
-        default:
-            goto done;
-            break;
-        }
+    if ((mask & KADM5_POLICY_CLR) && (adb.aux_attributes & KADM5_POLICY)) {
+        free(adb.policy);
+        adb.policy = NULL;
+        adb.aux_attributes &= ~KADM5_POLICY;
+        kdb->pw_expiration = 0;
     }
 
-    if (((mask & KADM5_POLICY) || (mask & KADM5_POLICY_CLR)) &&
-        (((have_opol) &&
-          (ret =
-           kadm5_modify_policy_internal(handle->lhandle, &opol,
-                                        KADM5_REF_COUNT))) ||
-         ((have_npol) &&
-          (ret =
-           kadm5_modify_policy_internal(handle->lhandle, &npol,
-                                        KADM5_REF_COUNT)))))
-        goto done;
-
     if ((mask & KADM5_ATTRIBUTES))
         kdb->attributes = entry->attributes;
     if ((mask & KADM5_MAX_LIFE))
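Review bot: When KADM5_POLICY names a policy that does not exist, `have_pol` stays false and the `pw_expiration` block is skipped, so the entry keeps whatever expiration its previous policy produced even though it is now treated as having no policy; the KADM5_POLICY_CLR branch below, by contrast, resets `kdb->pw_expiration = 0`. If "treated as having no policy" is meant to cover expiration too, an `else if (mask & KADM5_POLICY) kdb->pw_expiration = 0;` after the `if (have_pol)` block would make the two paths agree; if keeping the old expiration is intentional, a one-line comment there saying so would save the next reader the same question. The unchecked `strdup(entry->policy)` on the context line is pre-existing and not part of this change.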
@@ -847,12 +748,8 @@ kadm5_modify_principal(void *server_handle,
 
     ret = KADM5_OK;
 done:
-    if (have_opol) {
-        ret2 = kadm5_free_policy_ent(handle->lhandle, &opol);
-        ret = ret ? ret : ret2;
-    }
-    if (have_npol) {
-        ret2 = kadm5_free_policy_ent(handle->lhandle, &npol);
+    if (have_pol) {
+        ret2 = kadm5_free_policy_ent(handle->lhandle, &pol);
         ret = ret ? ret : ret2;
     }
     kdb_free_entry(handle, kdb, &adb);
@@ -1480,7 +1377,7 @@ kadm5_chpass_principal_3(void *server_handle,
     osa_princ_ent_rec           adb;
     krb5_db_entry               *kdb;
     int                         ret, ret2, last_pwd, hist_added;
-    int                         have_pol = 0;
+    krb5_boolean                have_pol = FALSE;
     kadm5_server_handle_t       handle = server_handle;
     osa_pw_hist_ent             hist;
     krb5_keyblock               *act_mkey, *hist_keyblocks = NULL;
@@ -1510,10 +1407,11 @@ kadm5_chpass_principal_3(void *server_handle,
         goto done;
 
     if ((adb.aux_attributes & KADM5_POLICY)) {
-        if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, &pol)))
+        ret = get_policy(handle, adb.policy, &pol, &have_pol);
+        if (ret)
             goto done;
-        have_pol = 1;
-
+    }
+    if (have_pol) {
         /* Create a password history entry before we change kdb's key_data. */
         ret = kdb_get_hist_key(handle, &hist_keyblocks, &hist_kvno);
         if (ret)
@@ -1693,7 +1591,8 @@ kadm5_randkey_principal_3(void *server_handle,
     osa_princ_ent_rec           adb;
     krb5_int32                  now;
     kadm5_policy_ent_rec        pol;
-    int                         ret, last_pwd, have_pol = 0;
+    int                         ret, last_pwd;
+    krb5_boolean                have_pol = FALSE;
     kadm5_server_handle_t       handle = server_handle;
     krb5_keyblock               *act_mkey;
     int                         new_n_ks_tuple = 0;
@@ -1742,11 +1641,11 @@ kadm5_randkey_principal_3(void *server_handle,
         goto done;
 
     if ((adb.aux_attributes & KADM5_POLICY)) {
-        if ((ret = kadm5_get_policy(handle->lhandle, adb.policy,
-                                    &pol)) != KADM5_OK)
+        ret = get_policy(handle, adb.policy, &pol, &have_pol);
+        if (ret)
             goto done;
-        have_pol = 1;
-
+    }
+    if (have_pol) {
         ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
         if (ret)
             goto done;
@@ -1830,7 +1729,8 @@ kadm5_setv4key_principal(void *server_handle,
     krb5_int32                  now;
     kadm5_policy_ent_rec        pol;
     krb5_keysalt                keysalt;
-    int                         i, k, kvno, ret, have_pol = 0;
+    int                         i, k, kvno, ret;
+    krb5_boolean                have_pol = FALSE;
 #if 0
     int                         last_pwd;
 #endif
@@ -1915,11 +1815,11 @@ kadm5_setv4key_principal(void *server_handle,
         goto done;
 
     if ((adb.aux_attributes & KADM5_POLICY)) {
-        if ((ret = kadm5_get_policy(handle->lhandle, adb.policy,
-                                    &pol)) != KADM5_OK)
+        ret = get_policy(handle, adb.policy, &pol, &have_pol);
+        if (ret)
             goto done;
-        have_pol = 1;
-
+    }
+    if (have_pol) {
 #if 0
         /*
          * The spec says this check is overridden if the caller has
@@ -2015,7 +1915,8 @@ kadm5_setkey_principal_3(void *server_handle,
     kadm5_policy_ent_rec        pol;
     krb5_key_data               *old_key_data;
     int                         n_old_keys;
-    int                         i, j, k, kvno, ret, have_pol = 0;
+    int                         i, j, k, kvno, ret;
+    krb5_boolean                have_pol = FALSE;
 #if 0
     int                         last_pwd;
 #endif
@@ -2178,11 +2079,11 @@ kadm5_setkey_principal_3(void *server_handle,
         goto done;
 
     if ((adb.aux_attributes & KADM5_POLICY)) {
-        if ((ret = kadm5_get_policy(handle->lhandle, adb.policy,
-                                    &pol)) != KADM5_OK)
+        ret = get_policy(handle, adb.policy, &pol, &have_pol);
+        if (ret)
             goto done;
-        have_pol = 1;
-
+    }
+    if (have_pol) {
 #if 0
         /*
          * The spec says this check is overridden if the caller has
diff --git a/src/lib/kadm5/unit-test/api.current/crte-principal.exp b/src/lib/kadm5/unit-test/api.current/crte-principal.exp
index 774e204..52dda78 100644
--- a/src/lib/kadm5/unit-test/api.current/crte-principal.exp
+++ b/src/lib/kadm5/unit-test/api.current/crte-principal.exp
@@ -536,11 +536,11 @@ proc test21 {} {
 	perror "$test: unexpected failure in init"
 	return
     }
-    one_line_fail_test [format {
+    one_line_succeed_test [format {
 	kadm5_create_principal $server_handle \
 		[princ_w_pol "%s/a" non-existant-pol] \
 		{KADM5_PRINCIPAL KADM5_POLICY} NotinTheDictionary
-    } $test] "UNK_POLICY"
+    } $test]
     if { ! [cmd {kadm5_destroy $server_handle}]} {
 	perror "$test: unexpected failure in destroy"
 	return
diff --git a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp b/src/lib/kadm5/unit-test/api.current/dlte-policy.exp
index cecb5c3..4ba40fd 100644
--- a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp
+++ b/src/lib/kadm5/unit-test/api.current/dlte-policy.exp
@@ -181,8 +181,9 @@ proc test12 {} {
 	perror "$test: unexpected failure in init"
 	return
     }
-    one_line_fail_test \
-	    {kadm5_delete_policy $server_handle test-pol} "POLICY_REF"
+    one_line_succeed_test [format {
+	kadm5_delete_policy $server_handle "%s/a"
+    } $test]
     if { ! [cmd {kadm5_destroy $server_handle}]} {
 	perror "$test: unexpected failure in destroy"
 	return
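Review bot: The rewritten test12 asserts only that kadm5_delete_policy succeeds; it does not exercise the behaviour the commit introduces for a principal that still references the deleted policy, namely that a later kadm5_get_principal on it succeeds and that a modify or chpass on it succeeds without a policy. A follow-up `kadm5_get_principal` on the referencing principal, with the policy field checked, would pin that down. The test's setup is above the hunk, so whether such a referencing principal is created there cannot be seen from here.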
diff --git a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp b/src/lib/kadm5/unit-test/api.current/dlte-principal.exp
index f6d267f..6604685 100644
--- a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp
+++ b/src/lib/kadm5/unit-test/api.current/dlte-principal.exp
@@ -236,82 +236,6 @@ proc test11 {} {
 }
 test11
 
-test "delete-principal 12"
-proc test12 {} {
-    global test
-    global prompt
-    
-    if {! ((  [principal_exists "$test/a"]) ||
-	   [create_principal_pol "$test/a" test-pol])} {
-	    error_and_restart "$test: couldn't delete principal \"$test/a\""
-	    return
-    }
-    if {! [cmd {
-	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
-		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
-		server_handle
-    }]} {
-	perror "$test: unexpected failure in init"
-	return
-    }
-    if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]}  {
-	perror "$test: unexpected failure on get policy"
-	return
-    }
-    if { ! [cmd [format {
-	kadm5_delete_principal $server_handle "%s/a"
-    } $test]]} {
-	fail "$test: delete failed"
-	return
-    }
-    if { [cmd [format {
-	kadm5_get_principal $server_handle "%s/a" p KADM5_PRINCIPAL_NORMAL_MASK
-    } $test]]} {
-	fail "$test: principal still exists"
-	return
-    }
-    if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} {
-	perror "$test: unexpected failure on get policy"
-	return
-    }
-    send "lindex \$p1 6\n"
-    expect {
-	-re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) }
-	timeout {
-	    error_and_restart "$test: timeout getting principal kvno (second time)"
-	    return
-	}
-	eof {
-	    error_and_restart "$test: eof getting principal kvno (second time)"
-	    return
-	}
-    }
-    
-    send "lindex \$p2 6\n"
-    expect {
-	-re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) }
-	timeout {
-	    error_and_restart "$test: timeout getting principal kvno (second time)"
-	    return
-	}
-	eof {
-	    error_and_restart "$test: eof getting principal kvno (second time)"
-	    return
-	}
-    }
-    if { [expr "$oldref - 1"] != $newref } {
-	fail "$test: policy reference count is wrong"
-	return;
-    }
-    pass "$test"
-    if { ! [cmd {kadm5_destroy $server_handle}]} {
-	perror "$test: unexpected failure in destroy"
-	return
-    }
-}
-
-test12
-
 test "delete-principal 13"
 proc test13 {} {
 	global test
diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal.exp b/src/lib/kadm5/unit-test/api.current/mod-principal.exp
index 25fb272..44f8548 100644
--- a/src/lib/kadm5/unit-test/api.current/mod-principal.exp
+++ b/src/lib/kadm5/unit-test/api.current/mod-principal.exp
@@ -380,10 +380,10 @@ proc test17 {} {
 	perror "$test: unexpected failure in init"
 	return
     }
-    one_line_fail_test [format {
+    one_line_succeed_test [format {
 	kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
 		no-policy] {KADM5_POLICY}
-    } $test] "UNK_POLICY"
+    } $test]
     if { ! [cmd {kadm5_destroy $server_handle}]} {
 	perror "$test: unexpected failure in destroy"
 	return
@@ -391,371 +391,6 @@ proc test17 {} {
 }
 test17
 
-test "modify-principal 18"
-proc test18 {} {
-    global test
-    global prompt
-    if {! (( ! [principal_exists "$test/a"]) ||
-	   [delete_principal "$test/a"])} {
-	    error_and_restart "$test: couldn't delete principal \"$test/a\""
-	    return
-    }
-    if { !( [create_principal "$test/a"])} {
-	error_and_restart "$test: could not create principal \"$test/a\""
-	return
-    }
-    if {! [cmd {
-	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
-		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
-		server_handle
-    }]} {
-	perror "$test: unexpected failure in init"
-	return
-    }
-    if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]}  {
-	perror "$test: unexpected failure on get policy"
-	return
-    }
-    if {! [cmd [format {
-	kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
-		test-pol] {KADM5_POLICY}
-    } $test]]} {
-	fail "$test: modify failed"
-	return
-    }
-    if {! [cmd [format {
-	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
-    } $test]]} {
-	error_and_restart "$test: could not retrieve principal"
-	return
-    }
-    send "lindex \$principal 10\n"
-    expect {
-	-re "test-pol\n$prompt$"	{ pass "$test" }
-	timeout				{ fail "$test" }
-    }
-    send "lindex \$p1 6\n"
-    expect {
-	-re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) }
-	timeout {
-	    error_and_restart "$test: timeout getting principal kvno (second time)"
-	    return
-	}
-	eof {
-	    error_and_restart "$test: eof getting principal kvno (second time)"
-	    return
-	}
-    }
-    if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} {
-	perror "$test: unexpected failure on get policy"
-	return
-    }
-    
-    send "lindex \$p2 6\n"
-    expect {
-	-re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) }
-	timeout {
-	    error_and_restart "$test: timeout getting principal kvno (second time)"
-	    return
-	}
-	eof {
-	    error_and_restart "$test: eof getting principal kvno (second time)"
-	    return
-	}
-    }
-    if { [expr "$oldref + 1"] != $newref } {
-	fail "$test: policy reference count is wrong"
-	return;
-    }
-    if { ! [cmd {kadm5_destroy $server_handle}]} {
-	perror "$test: unexpected failure in destroy"
-	return
-    }
-}
-test18
-
-test "modify-principal 19"
-proc test19 {} {
-    global test
-    global prompt
-    if {! (( ! [principal_exists "$test/a"]) ||
-	   [delete_principal "$test/a"])} {
-	    error_and_restart "$test: couldn't delete principal \"$test/a\""
-	    return
-    }
-    if { !( [create_principal "$test/a"])} {
-	error_and_restart "$test: could not create principal \"$test/a\""
-	return
-    }
-    if {! [cmd {
-	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
-		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
-		server_handle
-    }]} {
-	perror "$test: unexpected failure in init"
-	return
-    }
-    if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]}  {
-	perror "$test: unexpected failure on get policy"
-	return
-    }
-    if {! [cmd [format {
-	kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
-		test-pol] {KADM5_POLICY}
-    } $test]]} {
-	fail "$test: modify failed"
-	return
-    }
-    if {! [cmd [format {
-	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
-    } $test]]} {
-	error_and_restart "$test: could not retrieve principal"
-	return
-    }
-    send "lindex \$principal 10\n"
-    expect {
-	-re "test-pol\n$prompt$"	{ pass "$test" }
-	timeout				{ fail "$test" }
-    }
-    send "lindex \$p1 6\n"
-    expect {
-	-re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) }
-	timeout {
-	    error_and_restart "$test: timeout getting principal kvno (second time)"
-	    return
-	}
-	eof {
-	    error_and_restart "$test: eof getting principal kvno (second time)"
-	    return
-	}
-    }
-    if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} {
-	perror "$test: unexpected failure on get policy"
-	return
-    }
-    
-    send "lindex \$p2 6\n"
-    expect {
-	-re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) }
-	timeout {
-	    error_and_restart "$test: timeout getting principal kvno (second time)"
-	    return
-	}
-	eof {
-	    error_and_restart "$test: eof getting principal kvno (second time)"
-	    return
-	}
-    }
-    if { [expr "$oldref + 1"] != $newref } {
-	fail "$test: policy reference count is wrong"
-	return;
-    }
-    if { ! [cmd {kadm5_destroy $server_handle}]} {
-	perror "$test: unexpected failure in destroy"
-	return
-    }
-}
-test19
-
-test "modify-principal 20"
-proc test20 {} {
-    global test
-    global prompt
-    if {! (( ! [principal_exists "$test/a"]) ||
-	   [delete_principal "$test/a"])} {
-	    error_and_restart "$test: couldn't delete principal \"$test/a\""
-	    return
-    }
-    if { !( [create_principal_pol "$test/a" "test-pol"])} {
-	error_and_restart "$test: could not create principal \"$test/a\""
-	return
-    }
-    if {! [cmd {
-	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
-		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
-		server_handle
-    }]} {
-	perror "$test: unexpected failure in init"
-	return
-    }
-    if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]}  {
-	perror "$test: unexpected failure on get policy"
-	return
-    }
-    if {! [cmd [format {
-	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
-		{KADM5_POLICY_CLR}
-    } $test]]} {
-	perror "$test: modify failed"
-	return
-    }
-    if {! [cmd [format {
-	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
-    } $test]]} {
-	error_and_restart "$test: could not retrieve principal"
-	return
-    }
-    send "lindex \$principal 10\n"
-    expect {
-	-re "test-pol\n$prompt$"	{ fail "$test" }
-	-re "null\n$prompt$"		{ pass "$test" }
-	timeout				{ pass "$test" }
-    }
-    send "lindex \$p1 6\n"
-    expect {
-	-re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) }
-	timeout {
-	    error_and_restart "$test: timeout getting principal kvno (second time)"
-	    return
-	}
-	eof {
-	    error_and_restart "$test: eof getting principal kvno (second time)"
-	    return
-	}
-    }
-    if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} {
-	perror "$test: unexpected failure on get policy"
-	return
-    }
-    
-    send "lindex \$p2 6\n"
-    expect {
-	-re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) }
-	timeout {
-	    error_and_restart "$test: timeout getting principal kvno (second time)"
-	    return
-	}
-	eof {
-	    error_and_restart "$test: eof getting principal kvno (second time)"
-	    return
-	}
-    }
-    if { [expr "$oldref - 1"] != $newref } {
-	fail "$test: policy reference count is wrong"
-	return;
-    }
-    if { ! [cmd {kadm5_destroy $server_handle}]} {
-	perror "$test: unexpected failure in destroy"
-	return
-    }
-}
-test20
-
-test "modify-principal 21"
-proc test21 {} {
-    global test
-    global prompt
-    if {! (( ! [principal_exists "$test/a"]) ||
-	   [delete_principal "$test/a"])} {
-	    error_and_restart "$test: couldn't delete principal \"$test/a\""
-	    return
-    }
-    if { !( [create_principal_pol "$test/a" "test-pol"])} {
-	error_and_restart "$test: could not create principal \"$test/a\""
-	return
-    }
-    if {! [cmd {
-	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
-		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \
-		server_handle
-    }]} {
-	perror "$test: unexpected failure in init"
-	return
-    }
-    if { ! [cmd {kadm5_get_policy $server_handle test-pol old_p1}]}  {
-	perror "$test: unexpected failure on get policy"
-	return
-    }
-    if { ! [cmd {kadm5_get_policy $server_handle test-pol-nopw old_p2}]} {
-	perror "$test: unexpected failure on get policy"
-	return
-    }
-    if {! [cmd [format {
-	kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
-		test-pol-nopw] {KADM5_POLICY}
-    } $test]]} {
-	fail "$test: modify failed"
-	return
-    }
-    if {! [cmd [format {
-	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
-    } $test]]} {
-	error_and_restart "$test: could not retrieve principal"
-	return
-    }
-    send "lindex \$old_p1 6\n"
-    expect {
-	-re "(\[0-9\]+)\n$prompt$" {set old_p1_ref $expect_out(1,string) }
-	timeout {
-	    error_and_restart "$test: timeout getting principal kvno (second time)"
-	    return
-	}
-	eof {
-	    error_and_restart "$test: eof getting principal kvno (second time)"
-	    return
-	}
-    }
-    send "lindex \$old_p2 6\n"
-    expect {
-	-re "(\[0-9\]+)\n$prompt$" {set old_p2_ref $expect_out(1,string) }
-	timeout {
-	    error_and_restart "$test: timeout getting principal kvno (second time)"
-	    return
-	}
-	eof {
-	    error_and_restart "$test: eof getting principal kvno (second time)"
-	    return
-	}
-    }
-    
-    if { ! [cmd {kadm5_get_policy $server_handle test-pol new_p1}]} {
-	perror "$test: unexpected failure on get policy"
-	return
-    }
-    if { ! [cmd {kadm5_get_policy $server_handle test-pol-nopw new_p2}]} {
-	perror "$test: unexpected failure on get policy"
-	return
-    }
-    
-    send "lindex \$new_p1 6\n"
-    expect {
-	-re "(\[0-9\]+)\n$prompt$" {set new_p1_ref $expect_out(1,string) }
-	timeout {
-	    error_and_restart "$test: timeout getting principal kvno (second time)"
-	    return
-	}
-	eof {
-	    error_and_restart "$test: eof getting principal kvno (second time)"
-	    return
-	}
-    }
-    send "lindex \$new_p2 6\n"
-    expect {
-	-re "(\[0-9\]+)\n$prompt$" {set new_p2_ref $expect_out(1,string) }
-	timeout {
-	    error_and_restart "$test: timeout getting principal kvno (second time)"
-	    return
-	}
-	eof {
-	    error_and_restart "$test: eof getting principal kvno (second time)"
-	    return
-	}
-    }
-    if { [expr "$old_p1_ref - 1"] != $new_p1_ref } {
-	fail "$test: policy reference count is wrong"
-	return;
-    }
-    if { [expr "$old_p2_ref + 1"] != $new_p2_ref } {
-	fail "$test: policy reference count is wrong"
-	return;
-    }
-    if { ! [cmd {kadm5_destroy $server_handle}]} {
-	perror "$test: unexpected failure in destroy"
-	return
-    }
-}
-test21
-
 test "modify-principal 21.5"
 proc test21.5 {} {
     global test
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
index e955f8e..011b2a0 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
@@ -384,13 +384,6 @@ krb5_ldap_delete_password_policy(krb5_context context, char *policy)
     if (st != 0)
         goto cleanup;
 
-    st = krb5_ldap_get_reference_count(context, policy_dn,
-                                       "krbPwdPolicyReference", &refcount, ld);
-    if (st == 0 && refcount != 0)
-        st = KRB5_KDB_POLICY_REF;
-    if (st != 0)
-        goto cleanup;
-
     /* Ensure that the object is a password policy */
     if ((st=checkattributevalue(ld, policy_dn, "objectclass", class, &mask)) != 0)
         goto cleanup;
diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp
index 1822bc3..c62e183 100644
--- a/src/tests/dejagnu/krb-standalone/kadmin.exp
+++ b/src/tests/dejagnu/krb-standalone/kadmin.exp
@@ -711,7 +711,6 @@ proc kadmin_addpol { pname } {
     expect "Minimum number of password character classes:" {
         verbose "got min pw character classes" }
     expect "Number of old keys kept:" { verbose "got num old keys kept" }
-    expect "Reference count:" { verbose "got refcount" }
     expect "kadmin.local: " { send "q\r" }
 
     expect_after
@@ -924,7 +923,7 @@ proc kadmin_showpol { pname } {
     }
     expect -re "assword\[^\r\n\]*: *"
     send "adminpass$KEY\r"
-    expect -re "\r.*Policy: $pname.*Number of old keys kept: .*Reference count: .*\r"
+    expect -re "\r.*Policy: $pname.*Number of old keys kept: .*\r"
     expect_after
     expect eof
     set k_stat [wait -i $spawn_id]
diff --git a/src/tests/kdbtest.c b/src/tests/kdbtest.c
index b569b56..93de07b 100644
--- a/src/tests/kdbtest.c
+++ b/src/tests/kdbtest.c
@@ -167,7 +167,7 @@ static osa_policy_ent_rec sample_policy = {
     6,                          /* pw_min_length */
     2,                          /* pw_min_classes */
     3,                          /* pw_history_num */
-    1,                          /* policy_refcnt */
+    0,                          /* policy_refcnt */
     2,                          /* pw_max_fail */
     60,                         /* pw_failcnt_interval */
     120,                        /* pw_lockout_duration */
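Review bot: The `sample_policy` initializer is positional, so it must keep a slot for `policy_refcnt` even though this commit stops using and maintaining that field; if the field is ever dropped from `osa_policy_ent_rec` every value after it silently shifts into the wrong member. Converting the initializer to designated form, e.g. `.pw_min_length = 6, .pw_min_classes = 2, .pw_history_num = 3,` and so on for the remaining members, removes that coupling and makes the unused field disappear from the test without a comment. The enclosing initializer starts outside the hunk.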
@@ -377,7 +377,6 @@ main()
     CHECK(krb5_dbe_update_tl_data(ctx, ent, &tl_no_policy));
     ent->mask = KADM5_POLICY_CLR | KADM5_KEY_DATA;
     CHECK(krb5_db_put_principal(ctx, ent));
-    /* Deleting polname should work now that the reference is gone. */
     CHECK(krb5_db_delete_policy(ctx, polname));
 
     /* Put the modified entry again (with KDB_TL_USER_INFO tl-data for LDAP) as
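Review bot: With the explanatory comment removed, the test still clears the principal's policy before calling `krb5_db_delete_policy`, so it exercises only the case that already worked; the behaviour this commit introduces — deleting a policy that a principal still references, then fetching that principal and seeing it treated as having no policy — has no coverage here. A short comment such as `/* Deleting the policy no longer requires the reference to be gone. */` would at least record the intent, and a second sequence that deletes `polname` while `ent` still references it, then reloads `ent` with `krb5_db_get_principal`, would pin it. `main` continues outside the hunk.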

