path: root/ipalib
author: Nathaniel McCallum <npmccallum@redhat.com> 2014-07-14 14:39:00 -0400
committer: Petr Vobornik <pvoborni@redhat.com> 2014-07-21 16:36:28 +0200
commit: e4771302812388cc7f9773ce48d0bc3b34855248 (patch)
tree: 4f82eb0042e21addc4d6fd570d3406ee93eb17ef /ipalib
parent: ad593a5c06d447006f14446cbdfbf5b437a0d111 (diff)
Fix login password expiration detection with OTP
The preexisting code would execute two steps. First, it would perform a kinit. If the kinit failed, it would attempt to bind using the same credentials to determine if the password were expired. While this method is fairly ugly, it mostly worked in the past.

However, with OTP this breaks. This is because the OTP code is consumed by the kinit step. But because the password is expired, the kinit step fails. When the bind is executed, the OTP token is already consumed, so bind fails. This causes all password expirations to be reported as invalid credentials.

After discussion with MIT, the best way to handle this case with the standard tools is to set LC_ALL=C and check the output from the command. This eliminates the bind step altogether. The end result is that OTP works and all password failures are more performant.

https://fedorahosted.org/freeipa/ticket/4412

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
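The single-step approach the commit message describes, as an added example that is not FreeIPA's own code: run `kinit` once with `LC_ALL=C` so its messages are stable, then classify the failure from stderr instead of retrying the same credentials in an LDAP bind (which, with OTP, would always fail because the token value was already consumed). The message substrings are an assumption based on what MIT `kinit` prints in the C locale and should be checked against the krb5 build actually deployed; the `kinit_path` default and the sample stderr lines are constructed for illustration.

```python
"""Classify a failed kinit without a follow-up LDAP bind.

Added example, not FreeIPA's code. Assumes MIT Kerberos kinit and the
English messages it prints under LC_ALL=C (verify against your krb5).
"""
import os
import subprocess
from enum import Enum


class KinitResult(Enum):
    OK = "ok"
    PASSWORD_EXPIRED = "password_expired"      # maps to an error like PasswordExpired (1202)
    INVALID_CREDENTIALS = "invalid_credentials"  # maps to InvalidSessionPassword (1201)
    OTHER_ERROR = "other_error"                  # KDC unreachable, clock skew, ...


# Substrings of MIT kinit's C-locale stderr (assumption; check your krb5 version).
# The expiry markers are tested first: an expired password must never be
# reported as bad credentials, which is exactly the bug the two-step
# kinit-then-bind approach produced once OTP tokens were in play.
_EXPIRED_MARKERS = ("Password has expired",)
_BAD_CREDENTIAL_MARKERS = (
    "Password incorrect",
    "Preauthentication failed",
    "Client not found in Kerberos database",
)


def classify_kinit_output(returncode, stderr):
    """Map kinit's exit status and stderr text (str or bytes) to a KinitResult."""
    if returncode == 0:
        return KinitResult.OK
    text = stderr.decode("utf-8", "replace") if isinstance(stderr, bytes) else stderr
    if any(marker in text for marker in _EXPIRED_MARKERS):
        return KinitResult.PASSWORD_EXPIRED
    if any(marker in text for marker in _BAD_CREDENTIAL_MARKERS):
        return KinitResult.INVALID_CREDENTIALS
    return KinitResult.OTHER_ERROR


def kinit(principal, password, ccache, kinit_path="/usr/bin/kinit"):
    """Run kinit exactly once and classify the outcome.

    LC_ALL=C forces untranslated messages so the substring checks above are
    meaningful. The password (with any OTP value appended by the caller) is
    written to stdin, never placed on the command line where `ps` could show it.
    """
    env = dict(os.environ, LC_ALL="C", KRB5CCNAME=ccache)
    proc = subprocess.run(
        [kinit_path, principal],
        input=(password + "\n").encode(),
        env=env,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        check=False,
    )
    return classify_kinit_output(proc.returncode, proc.stderr)


if __name__ == "__main__":
    # Constructed stderr samples in the shape of MIT kinit's C-locale output.
    samples = [
        (1, "kinit: Password has expired while getting initial credentials\n"),
        (1, b"kinit: Password incorrect while getting initial credentials\n"),
        (1, "kinit: Cannot contact any KDC for realm 'EXAMPLE.TEST' while getting initial credentials\n"),
        (0, ""),
    ]
    for rc, err in samples:
        print(rc, classify_kinit_output(rc, err).value)
```

Because the decision is made from one `kinit` invocation, an OTP value is consumed exactly once whether the outcome is success, expiry or bad credentials, and the expired case can be surfaced to the user as a password-change prompt rather than a generic authentication failure.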
Diffstat (limited to 'ipalib')
-rw-r--r-- ipalib/errors.py | 6
1 files changed, 6 insertions, 0 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py
index d69e33062..09b7779e9 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -584,6 +584,12 @@ class InvalidSessionPassword(SessionError):
errno = 1201
format= _('Principal %(principal)s cannot be authenticated: %(message)s')
+class PasswordExpired(InvalidSessionPassword):
+ """
+ **1202** Raised when we cannot obtain a TGT for a principal because the password is expired.
+ """
+ errno = 1202
+
##############################################################################
# 2000 - 2999: Authorization errors
class AuthorizationError(PublicError):
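Review bot: PasswordExpired inherits `format` from InvalidSessionPassword unchanged, so code raising it must still supply both `principal` and `message`, and every existing `except InvalidSessionPassword:` handler will now also catch the expired-password case; neither consequence is visible from the class body, so the docstring should state them and note that callers wanting to tell expiry apart from bad credentials must catch PasswordExpired before its base class. The `**1202**` docstring convention and the 1201/1202 numbering within the session-error range match the surrounding entries.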