Treat Jan 1 1970 in krbPrincipalExpiration as a special date that means

the account Never Expires

1 files changed, 5 insertions, 4 deletions

diff --git a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 3b3b6b245..419e3e259 100644
--- a/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/ipa-server/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -1218,10 +1218,11 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data)
 	int tmp, ret;
 	const char *old_pw;
 
-	/* check account is not expired */
+	/* check account is not expired. Ignore unixtime = 0 (Jan 1 1970) */
 	krbPrincipalExpiration = slapi_entry_attr_get_charptr(data->target, "krbPrincipalExpiration");
-	if (krbPrincipalExpiration) {
-		/* if expiration date set check it */
+	if (krbPrincipalExpiration &&
+	    (strcasecmp("19700101000000Z", krbPrincipalExpiration) != 0)) {
+		/* if expiration date is set check it */
 		memset(&tm, 0, sizeof(struct tm));
 		ret = sscanf(krbPrincipalExpiration,
 			     "%04u%02u%02u%02u%02u%02u",
@@ -1238,8 +1239,8 @@ static int ipapwd_CheckPolicy(struct ipapwd_data *data)
 			}
 		}
 		/* FIXME: else error out ? */
-		slapi_ch_free_string(&krbPrincipalExpiration);
 	}
+	slapi_ch_free_string(&krbPrincipalExpiration);
 
 	/* find the entry with the password policy */
 	ret = ipapwd_getPolicy(data->dn, data->target, &policy);