authorSimo Sorce <ssorce@redhat.com>2011-09-17 15:08:06 -0400
committerSimo Sorce <ssorce@redhat.com>2011-09-19 12:28:35 -0400
commit4167ad01d73b0c7c0912bf537730da5c9b46b2c3 (patch)
treee567c696b3b439c32accf71407b5c11716fcbb53 /daemons/ipa-kdb/ipa_kdb_principals.c
parent7854d8166e54e0d39c51750a421ebc9b5a347233 (diff)
ipa-kdb: Properly set password expiration time.
We do the policy check so we are the only one that can calculate the new pwd expiration time. Fixes: https://fedorahosted.org/freeipa/ticket/1793
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_principals.c')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_principals.c28
1 files changed, 24 insertions, 4 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 8e1d42185..ed5195fb9 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1362,7 +1362,8 @@ done:
return kerr;
}
-static krb5_error_code ipadb_entry_to_mods(struct ipadb_mods *imods,
+static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
+ struct ipadb_mods *imods,
krb5_db_entry *entry,
char *principal,
int mod_op)
@@ -1561,10 +1562,11 @@ static krb5_error_code ipadb_entry_to_mods(struct ipadb_mods *imods,
/* KADM5_LOAD */
- /* Store saved password if any and password history */
+ /* Handle password change related operations. */
if (entry->e_data) {
struct ipadb_e_data *ied;
time_t now = time(NULL);
+ time_t expire_time;
char **new_history;
int nh_len;
int ret;
@@ -1603,6 +1605,22 @@ static krb5_error_code ipadb_entry_to_mods(struct ipadb_mods *imods,
goto done;
}
}
+
+ /* Also set new password expiration time.
+ * Have to do it here because kadmin doesn't know policies and resets
+ * entry->mask after we have gone through the password change code.
+ */
+ kerr = ipadb_get_pwd_expiration(kcontext, entry, ied, &expire_time);
+ if (kerr) {
+ goto done;
+ }
+
+ kerr = ipadb_get_ldap_mod_time(imods,
+ "krbPasswordExpiration",
+ expire_time, mod_op);
+ if (kerr) {
+ goto done;
+ }
}
kerr = 0;
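Review bot: The added `ipadb_get_pwd_expiration()` / `ipadb_get_ldap_mod_time(..., "krbPasswordExpiration", ...)` pair at the end of the `if (entry->e_data)` block has no visible guard tying it to an actual password change, so it looks as though it runs for every add or modify whose entry carries e_data. If that reading is right, a principal modification that does not touch the password would recompute the expiry from policy and replace the stored `krbPasswordExpiration`, which could extend a password's lifetime or overwrite a value an administrator set deliberately. The block's opening, including where `ied` is assigned and validated, lies outside this hunk, so please confirm whether an earlier condition already restricts this path. If none does, gate both calls on the same "password was changed" condition the history code above uses, and state it in the comment, e.g. `/* Only recompute expiration when a new password was actually set. */`.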
@@ -1689,7 +1707,8 @@ static krb5_error_code ipadb_add_principal(krb5_context kcontext,
goto done;
}
- kerr = ipadb_entry_to_mods(imods, entry, principal, LDAP_MOD_ADD);
+ kerr = ipadb_entry_to_mods(kcontext, imods,
+ entry, principal, LDAP_MOD_ADD);
if (kerr != 0) {
goto done;
}
@@ -1752,7 +1771,8 @@ static krb5_error_code ipadb_modify_principal(krb5_context kcontext,
goto done;
}
- kerr = ipadb_entry_to_mods(imods, entry, principal, LDAP_MOD_REPLACE);
+ kerr = ipadb_entry_to_mods(kcontext, imods,
+ entry, principal, LDAP_MOD_REPLACE);
if (kerr != 0) {
goto done;
}