URL: https://github.com/freeipa/freeipa/pull/211 Author: tbordaz Title: #211: IPA Allows Password Reuse with History value defined when admin reset… Action: opened
PR body: """ …s the password. When admin reset a user password, history of user passwords is preserved according to its policy. https://fedorahosted.org/freeipa/ticket/6402 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/211/head:pr211 git checkout pr211
From 95aea810c8b19104a5b71dbd2cb55bf04031b652 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz <tbor...@redhat.com> Date: Wed, 19 Oct 2016 15:04:13 +0200 Subject: [PATCH] IPA Allows Password Reuse with History value defined when admin resets the password. When admin reset a user password, history of user passwords is preserved according to its policy. https://fedorahosted.org/freeipa/ticket/6402 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index cab7b7c..8ee0417 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c @@ -548,15 +548,6 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) pol.min_pwd_length = IPAPWD_DEFAULT_MINLEN; switch(data->changetype) { - case IPA_CHANGETYPE_ADMIN: - /* The expiration date needs to be older than the current time - * otherwise the KDC may not immediately register the password - * as expired. The last password change needs to match the - * password expiration otherwise minlife issues will arise. - */ - data->timeNow -= 1; - data->expireTime = data->timeNow; - break; case IPA_CHANGETYPE_NORMAL: /* Find the entry with the password policy */ ret = ipapwd_getPolicy(data->dn, data->target, &pol); @@ -564,6 +555,18 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) LOG_TRACE("No password policy, use defaults"); } break; + case IPA_CHANGETYPE_ADMIN: + /* The expiration date needs to be older than the current time + * otherwise the KDC may not immediately register the password + * as expired. The last password change needs to match the + * password expiration otherwise minlife issues will arise. + */ + data->timeNow -= 1; + data->expireTime = data->timeNow; + + /* let set the entry password property according to its + * entry password policy + */ case IPA_CHANGETYPE_DSMGR: /* PassSync agents and Directory Manager can administratively * change the password without expiring it. @@ -577,6 +580,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) LOG_TRACE("No password policy, use defaults"); } else { pol.max_pwd_life = tmppol.max_pwd_life; + pol.history_length = tmppol.history_length; } break; default:
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code