diff options
author | Rob Crittenden <rcritten@redhat.com> | 2011-06-28 13:09:18 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-07-18 19:34:19 -0400 |
commit | a00b03831b6a7ccb87d58c92c1072c586889508e (patch) | |
tree | 8f473bf5de7a0a2dc56c3a93d3aeea4a35502bf5 /daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | |
parent | e5a5c781f9c1152ff61cd21d649df99f465722c4 (diff) | |
download | freeipa-a00b03831b6a7ccb87d58c92c1072c586889508e.tar.gz freeipa-a00b03831b6a7ccb87d58c92c1072c586889508e.tar.xz freeipa-a00b03831b6a7ccb87d58c92c1072c586889508e.zip |
Don't set krbLastPwdChange when setting a host OTP password.
We have no visibility into whether an entry has a keytab or not so
krbLastPwdChange is used as a rough guide.
If this value exists during enrollment then it fails because the host
is considered already joined. This was getting set when a OTP was
added to a host that had already been enrolled (e.g. you enroll a host,
unenroll it, set a OTP, then try to re-enroll). The second enrollment
was failing because the enrollment plugin thought it was still
enrolled becaused krbLastPwdChange was set.
https://fedorahosted.org/freeipa/ticket/1357
Diffstat (limited to 'daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c')
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index f1da29321..cb9af98e4 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -141,6 +141,7 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) struct berval *extop_value = NULL; BerElement *ber = NULL; Slapi_Entry *targetEntry=NULL; + Slapi_Value *objectclass=NULL; char *attrlist[] = {"*", "passwordHistory", NULL }; struct ipapwd_data pwdata; int is_krb, is_smb; @@ -288,6 +289,14 @@ parse_req_done: goto free_and_return; } + /* When setting the password for host principals do not set kerberos + * keys */ + objectclass = slapi_value_new_string("ipaHost"); + if ((slapi_entry_attr_has_syntax_value(targetEntry, SLAPI_ATTR_OBJECTCLASS, objectclass)) == 1) { + is_krb = 0; + } + slapi_value_free(&objectclass); + /* First thing to do is to ask access control if the bound identity has * rights to modify the userpassword attribute on this entry. If not, * then we fail immediately with insufficient access. This means that |