author | Greg Hudson <ghudson@mit.edu> | 2013-01-07 15:22:26 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-01-09 15:35:43 -0500 |
commit | 090f561c631db7e4970b71cbe1426d636c39c77a (patch) | |
tree | b42d62ba55e427796ff837f39f1117b7b71569dd /src | |
parent | 941e26f9eb76471159e0a024aeac63f1b6e6ea45 (diff) | |
Stop loading policy for pw_expiration in LDAP
populate_krb5_db_entry() performs a subsidiary LDAP search to load the
password policy, which it uses to update the pw_expiration field.
This has some minimal value (it causes pw_expiration values in
principals to auto-update whenever the pw_max_life field of a policy
changes), but it's complicated, expensive, and inconsistent with the
DB2 back end. Get rid of it.
ticket: 7535 (new)
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 24 |
1 files changed, 0 insertions, 24 deletions
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 5252ab428c..aba9e8eb10 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -1817,30 +1817,6 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
 if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
 goto cleanup;
- /* We already know that the policy is inside the realm container. */
- if (polname) {
- osa_policy_ent_t pwdpol;
- krb5_timestamp last_pw_changed;
- krb5_ui_4 pw_max_life;
-
- memset(&pwdpol, 0, sizeof(pwdpol));
-
- if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol)) != 0)
- goto cleanup;
- pw_max_life = pwdpol->pw_max_life;
- krb5_ldap_free_password_policy(context, pwdpol);
-
- if (pw_max_life > 0) {
- if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
- goto cleanup;
-
- if (mask & KDB_PWD_EXPIRE_TIME_ATTR) {
- if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
- entry->pw_expiration = last_pw_changed + pw_max_life;
- } else
- entry->pw_expiration = last_pw_changed + pw_max_life;
- }
- }
 /* XXX so krb5_encode_princ_contents() will be happy */
 entry->len = KRB5_KDB_V1_BASE_LENGTH; |