authorSimo Sorce <simo@redhat.com>2013-05-09 14:25:14 -0400
committerMartin Kosek <mkosek@redhat.com>2014-06-09 08:18:16 +0200
commitbfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6 (patch)
treef19e8e8519a2613030139f54600abb34b838517f
parentf802845a7abfca0b414ad6801968d33e6788916b (diff)
Check for password expiration in pre-bind
If the password is expired, fail a password bind. Resolves: https://fedorahosted.org/freeipa/ticket/1539 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c33
1 files changed, 29 insertions, 4 deletions
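--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1217,13 +1217,35 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
 }
 static int ipapwd_authenticate(const char *dn, Slapi_Entry *entry,
- const struct berval *credentials)
+ const struct berval *credentials,
+ const char **errmsg)
 {
 Slapi_Value **pwd_values = NULL; /* values of userPassword attribute */
 Slapi_Value *value = NULL;
 Slapi_Attr *attr = NULL;
+ struct tm expire_tm;
+ char *expire;
+ char *p;
 int ret;
+ /* check the if the krbPrincipalKey attribute is present */
+ ret = slapi_entry_attr_find(entry, "krbprincipalkey", &attr);
+ if (!ret) {
+ /* check that the password is not expired */
+ expire = slapi_entry_attr_get_charptr(entry, "krbpasswordexpiration");
+ if (expire) {
+ memset(&expire_tm, 0, sizeof (expire_tm));
+ p = strptime(expire, "%Y%m%d%H%M%SZ", &expire_tm);
+ if (*p) {
+ LOG("Invalid expiration date string format");
+ return 1;
+ } else if (time(NULL) > mktime(&expire_tm)) {
+ *errmsg = "The user password is expired";
+ return 1;
+ }
+ }
+ }
+
 /* retrieve userPassword attribute */
 ret = slapi_entry_attr_find(entry, SLAPI_USERPWD_ATTR, &attr);
 if (ret) {
@@ -1381,7 +1403,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 static const char *attrs_list[] = {
 SLAPI_USERPWD_ATTR, "ipaUserAuthType", "krbprincipalkey", "uid",
 "krbprincipalname", "objectclass", "passwordexpirationtime",
- "passwordhistory", "krbprincipalexpiration",
+ "passwordhistory", "krbprincipalexpiration", "krbpasswordexpiration",
 NULL
 };
 struct berval *credentials = NULL;
@@ -1394,6 +1416,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 time_t expire_time;
 char *principal_expire = NULL;
 struct tm expire_tm;
+ const char *errmsg = NULL;
 /* get BIND parameters */
 ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET, &dn);
@@ -1454,10 +1477,12 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 }
 /* Authenticate the user. */
- ret = ipapwd_authenticate(dn, entry, credentials);
+ ret = ipapwd_authenticate(dn, entry, credentials, &errmsg);
 if (ret) {
 slapi_entry_free(entry);
- return 0;
+ slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
+ NULL, errmsg, 0, NULL);
+ return 1;
 }
 /* Attempt to handle a token synchronization request. */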
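Review bot: In the first hunk (the new expiry block at the top of ipapwd_authenticate), `if (*p)` dereferences the return value of strptime() with no NULL check, so a krbPasswordExpiration value that does not match the format at all crashes the bind path instead of being rejected; the guard should be `if (p == NULL || *p != '\0')`. The same block never releases the string returned by slapi_entry_attr_get_charptr(), which leaks on both early returns and on the fall-through path, and it converts a timestamp whose trailing `Z` denotes UTC with mktime(), which reads the struct as local time, so on a server not running in UTC the expiry takes effect hours early or late; timegm() gives the intended comparison, and it is worth confirming this against the krbprincipalexpiration parse in ipapwd_pre_bind, whose locals appear in the third hunk but whose code lies outside it. Because this check runs before the userPassword values are retrieved and compared, the "The user password is expired" text that the last hunk sends with LDAP_INVALID_CREDENTIALS reaches any client that names the DN regardless of the credential it supplied, which discloses account state to unauthenticated callers; verifying the password first, or keeping the client-visible text uniform and logging the reason server-side, avoids that. slapi_send_ldap_result() takes its text argument as `char *`, so passing the `const char *` errmsg will at least draw a discarded-qualifier warning — confirm against the header. ipapwd_authenticate's body continues past the end of the first hunk.

```c
    /* check that the password is not expired */
    expire = slapi_entry_attr_get_charptr(entry, "krbpasswordexpiration");
    if (expire) {
        memset(&expire_tm, 0, sizeof (expire_tm));
        p = strptime(expire, "%Y%m%d%H%M%SZ", &expire_tm);
        /* strptime() returns NULL when nothing matched; NULL or trailing
         * garbage both mean the stored value is malformed */
        if (p == NULL || *p != '\0') {
            LOG("Invalid expiration date string format");
            slapi_ch_free_string(&expire);
            return 1;
        }
        slapi_ch_free_string(&expire);
        /* the trailing 'Z' in the format means UTC, so compare in UTC */
        if (time(NULL) > timegm(&expire_tm)) {
            *errmsg = "The user password is expired";
            return 1;
        }
    }
    /* … unchanged: userPassword retrieval and comparison … */
```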