The patch to fix password expiration for users broke password expiration
for most other principals, as it was forcing an arbitrary date onto
all principals unconditionally.

Moved the code as is to the right spot (we override expiration based on
password policies only if the principal is an ipa user and only if there
is a password change).

Also fixes an uninitialized variable that was causing random dates.

Fixes: https://fedorahosted.org/freeipa/ticket/1839

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 544c8ba1d641cc86b938ea50c0cd3fa4613b20ea Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Fri, 23 Sep 2011 18:37:42 -0400
Subject: [PATCH] ipa-kdb: Fix expiration time calculation

Expiration time should be enforced as per policy only for users and only when a
password change occurs; in all other cases we should just let kadmin decide
whether it is going to set a password expiration time or just leave it empty.

In general service tickets have strong random passwords so they do not need a
password policy or expiration at all.
---
 daemons/ipa-kdb/ipa_kdb_passwords.c  |    2 +-
 daemons/ipa-kdb/ipa_kdb_principals.c |   33 +++++++++++++++++----------------
 2 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
index 748ee9e7b52a95f82ddcca1899cf35dfc626679b..93e9e206081af412a472ab0c7624611a628a15b7 100644
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -279,7 +279,7 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
                                          time_t *expire_time)
 {
     krb5_error_code kerr;
-    krb5_timestamp mod_time;
+    krb5_timestamp mod_time = 0;
     krb5_principal mod_princ = NULL;
     krb5_boolean truexp = true;
 
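Review bot: initializing `mod_time = 0` removes the uninitialized read behind the "random dates" symptom, but the hunk shows only the declaration, so it is worth confirming that the code which later fills `mod_time` either sets it on every path or returns an error when it cannot; a `mod_time` that stays 0 would make the expiration be computed relative to the epoch, i.e. an already-expired password, which is a quieter failure than a random date but still wrong.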
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index c9259c6f14a3d681a83c3c6078f0ea1d978b6ccc..fdd834f355fd9e056058fa205b217e9e1f142e51 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1588,6 +1588,23 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
             if (kerr) {
                 goto done;
             }
+
+            /* Also set new password expiration time.
+             * Have to do it here because kadmin doesn't know policies and
+             * resets entry->mask after we have gone through the password
+             * change code.  */
+            kerr = ipadb_get_pwd_expiration(kcontext, entry,
+                                            ied, &expire_time);
+            if (kerr) {
+                goto done;
+            }
+
+            kerr = ipadb_get_ldap_mod_time(imods,
+                                           "krbPasswordExpiration",
+                                           expire_time, mod_op);
+            if (kerr) {
+                goto done;
+            }
         }
 
         if (ied->ipa_user && ied->passwd && ied->pol.history_length) {
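Review bot: the enclosing `if` that gates this new block is outside the hunk context, so please confirm it is the `ied->ipa_user && ied->passwd` password-change branch the commit message describes, and that `expire_time` is still declared (and initialized) in this function now that its only use has moved into that branch. Minor style point: the closing `code.  */` has a double space, and the comment would read better in the same multi-line form the removed block used.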
@@ -1606,22 +1623,6 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
                 goto done;
             }
         }
-
-        /* Also set new password expiration time.
-         * Have to do it here because kadmin doesn't know policies and resets
-         * entry->mask after we have gone through the password change code.
-         */
-        kerr = ipadb_get_pwd_expiration(kcontext, entry, ied, &expire_time);
-        if (kerr) {
-            goto done;
-        }
-
-        kerr = ipadb_get_ldap_mod_time(imods,
-                                       "krbPasswordExpiration",
-                                       expire_time, mod_op);
-        if (kerr) {
-            goto done;
-        }
     }
 
     kerr = 0;
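Review bot: with this unconditional block gone, `krbPasswordExpiration` is only written from inside the password-change branch, which is the intended fix; the removed comment notes that kadmin resets `entry->mask` after the password change code has run, so it would be good to confirm that the condition now guarding the write is evaluated before that reset, otherwise user password changes would silently skip setting the expiration, which is exactly the case ticket 1839 is about.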
-- 
1.7.6.2

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
