summaryrefslogtreecommitdiffstats
path: root/daemons
diff options
context:
space:
mode:
authorSimo Sorce <simo@redhat.com>2013-05-09 14:25:14 -0400
committerMartin Kosek <mkosek@redhat.com>2014-06-09 08:18:16 +0200
commitbfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6 (patch)
treef19e8e8519a2613030139f54600abb34b838517f /daemons
parentf802845a7abfca0b414ad6801968d33e6788916b (diff)
downloadfreeipa-bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6.tar.gz
freeipa-bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6.tar.xz
freeipa-bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6.zip
Check for password expiration in pre-bind
If the password is expired fail a password bind. Resolves: https://fedorahosted.org/freeipa/ticket/1539 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c33
1 files changed, 29 insertions, 4 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 23c7cb18c..6786c6ddb 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1217,13 +1217,35 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
}
static int ipapwd_authenticate(const char *dn, Slapi_Entry *entry,
- const struct berval *credentials)
+ const struct berval *credentials,
+ const char **errmsg)
{
Slapi_Value **pwd_values = NULL; /* values of userPassword attribute */
Slapi_Value *value = NULL;
Slapi_Attr *attr = NULL;
+ struct tm expire_tm;
+ char *expire;
+ char *p;
int ret;
+ /* check the if the krbPrincipalKey attribute is present */
+ ret = slapi_entry_attr_find(entry, "krbprincipalkey", &attr);
+ if (!ret) {
+ /* check that the password is not expired */
+ expire = slapi_entry_attr_get_charptr(entry, "krbpasswordexpiration");
+ if (expire) {
+ memset(&expire_tm, 0, sizeof (expire_tm));
+ p = strptime(expire, "%Y%m%d%H%M%SZ", &expire_tm);
+ if (*p) {
+ LOG("Invalid expiration date string format");
+ return 1;
+ } else if (time(NULL) > mktime(&expire_tm)) {
+ *errmsg = "The user password is expired";
+ return 1;
+ }
+ }
+ }
+
/* retrieve userPassword attribute */
ret = slapi_entry_attr_find(entry, SLAPI_USERPWD_ATTR, &attr);
if (ret) {
@@ -1381,7 +1403,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
static const char *attrs_list[] = {
SLAPI_USERPWD_ATTR, "ipaUserAuthType", "krbprincipalkey", "uid",
"krbprincipalname", "objectclass", "passwordexpirationtime",
- "passwordhistory", "krbprincipalexpiration",
+ "passwordhistory", "krbprincipalexpiration", "krbpasswordexpiration",
NULL
};
struct berval *credentials = NULL;
@@ -1394,6 +1416,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
time_t expire_time;
char *principal_expire = NULL;
struct tm expire_tm;
+ const char *errmsg = NULL;
/* get BIND parameters */
ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET, &dn);
@@ -1454,10 +1477,12 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
}
/* Authenticate the user. */
- ret = ipapwd_authenticate(dn, entry, credentials);
+ ret = ipapwd_authenticate(dn, entry, credentials, &errmsg);
if (ret) {
slapi_entry_free(entry);
- return 0;
+ slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
+ NULL, errmsg, 0, NULL);
+ return 1;
}
/* Attempt to handle a token synchronization request. */