author | Martin Kosek <mkosek@redhat.com> | 2013-10-10 18:00:53 +0200 |
committer | Petr Viktorin <pviktori@redhat.com> | 2013-10-17 14:04:03 +0200 |
commit | 5d8c02cfb8ce92fa7d92f3e34bfd7501672cc208 (patch) | |
tree | e0189f8c91b3470fa6d228ef26349f27102575f2 /daemons/ipa-slapi-plugins | |
parent | dd3295ac32c0cae3234723e65175e337761ddf38 (diff) | |
Administrative password change does not respect password policy
When Directory Manager or a PassSync agent is changing a password,
it is not being expired, but standard expiration time should apply.
However, the default expiration time (90 days) was always applied,
even though the administrator may have a custom policy for the user.
https://fedorahosted.org/freeipa/ticket/3968
Diffstat (limited to 'daemons/ipa-slapi-plugins')
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 44 |
1 files changed, 29 insertions, 15 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index a54e91d87..f0339c47c 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c @@ -755,6 +755,7 @@ done: int ipapwd_CheckPolicy(struct ipapwd_data *data) { struct ipapwd_policy pol = {0}; + struct ipapwd_policy tmppol = {0}; time_t acct_expiration; time_t pwd_expiration; time_t last_pwd_change; @@ -765,11 +766,8 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE; pol.min_pwd_length = IPAPWD_DEFAULT_MINLEN; - if (data->changetype != IPA_CHANGETYPE_NORMAL) { - /* We must skip policy checks (Admin change) but - * force a password change on the next login. - * But not if Directory Manager */ - if (data->changetype == IPA_CHANGETYPE_ADMIN) { + switch(data->changetype) { + case IPA_CHANGETYPE_ADMIN: /* The expiration date needs to be older than the current time * otherwise the KDC may not immediately register the password * as expired. The last password change needs to match the 
@@ -777,16 +775,32 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) */ data->timeNow -= 1; data->expireTime = data->timeNow; - } - - /* do not load policies */ - } else { - - /* find the entry with the password policy */ - ret = ipapwd_getPolicy(data->dn, data->target, &pol); - if (ret) { - LOG_TRACE("No password policy, use defaults"); - } + break; + case IPA_CHANGETYPE_NORMAL: + /* Find the entry with the password policy */ + ret = ipapwd_getPolicy(data->dn, data->target, &pol); + if (ret) { + LOG_TRACE("No password policy, use defaults"); + } + break; + case IPA_CHANGETYPE_DSMGR: + /* PassSync agents and Directory Manager can administratively + * change the password without expiring it. + * + * Find password policy for the entry to properly set expiration. + * Do not store it in resulting policy to avoid aplying password + * quality checks on administratively set passwords + */ + ret = ipapwd_getPolicy(data->dn, data->target, &tmppol); + if (ret) { + LOG_TRACE("No password policy, use defaults"); + } else { + pol.max_pwd_life = tmppol.max_pwd_life; + } + break; + default: + LOG_TRACE("Unknown password change type, use defaults"); + break; } tmpstr = slapi_entry_attr_get_charptr(data->target, |
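Review bot: In the IPA_CHANGETYPE_DSMGR case only `max_pwd_life` is copied out of `tmppol`, so if `struct ipapwd_policy` carries any other expiration-related field (its definition is not in this hunk) that field silently keeps its default while the rest of the looked-up policy is discarded; a comment stating that this is deliberate would help, e.g. `/* Only the lifetime is taken from the entry's policy; all other fields keep their defaults so quality checks are not enforced */`. The comment in that same block has a typo, `aplying` should read `applying`. The `switch(data->changetype)` line in the preceding hunk lacks the space before the parenthesis that the surrounding `if (ret)` style uses. ipapwd_CheckPolicy continues past the end of this hunk, so how a non-zero `ret` left by a failed policy lookup is treated afterwards is not visible here.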