summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorGreg Hudson <ghudson@mit.edu>2013-01-07 15:22:26 -0500
committerGreg Hudson <ghudson@mit.edu>2013-01-09 15:35:43 -0500
commit090f561c631db7e4970b71cbe1426d636c39c77a (patch)
treeb42d62ba55e427796ff837f39f1117b7b71569dd /src
parent941e26f9eb76471159e0a024aeac63f1b6e6ea45 (diff)
downloadkrb5-090f561c631db7e4970b71cbe1426d636c39c77a.tar.gz
krb5-090f561c631db7e4970b71cbe1426d636c39c77a.tar.xz
krb5-090f561c631db7e4970b71cbe1426d636c39c77a.zip
Stop loading policy for pw_expiration in LDAP
populate_krb5_db_entry() performs a subsidiary LDAP search to load the password policy, which it uses to update the pw_expiration field. This has some minimal value (it causes pw_expiration values in principals to auto-update whenever the pw_max_life field of a policy changes), but it's complicated, expensive, and inconsistent with the DB2 back end. Get rid of it. ticket: 7535 (new)
Diffstat (limited to 'src')
-rw-r--r--src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c24
1 files changed, 0 insertions, 24 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 5252ab428c..aba9e8eb10 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -1817,30 +1817,6 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
goto cleanup;
- /* We already know that the policy is inside the realm container. */
- if (polname) {
- osa_policy_ent_t pwdpol;
- krb5_timestamp last_pw_changed;
- krb5_ui_4 pw_max_life;
-
- memset(&pwdpol, 0, sizeof(pwdpol));
-
- if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol)) != 0)
- goto cleanup;
- pw_max_life = pwdpol->pw_max_life;
- krb5_ldap_free_password_policy(context, pwdpol);
-
- if (pw_max_life > 0) {
- if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
- goto cleanup;
-
- if (mask & KDB_PWD_EXPIRE_TIME_ATTR) {
- if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
- entry->pw_expiration = last_pw_changed + pw_max_life;
- } else
- entry->pw_expiration = last_pw_changed + pw_max_life;
- }
- }
/* XXX so krb5_encode_princ_contents() will be happy */
entry->len = KRB5_KDB_V1_BASE_LENGTH;
generated by cgit (git 2.34.1) at 2024-06-12 20:24:04 +0000