authorSimo Sorce <ssorce@redhat.com>2011-09-23 18:37:42 -0400
committerMartin Kosek <mkosek@redhat.com>2011-09-26 10:07:11 +0200
commitdfc704de25bbf60062361c4a7d41971a77e5c9a4 (patch)
tree8cefcb5772ac5127f4abe00145a2a08b9173c81f
parentf323d818b9a47a4658d6178e5bedb3c2f862db98 (diff)
ipa-kdb: Fix expiration time calculation
Expiration time should be enforced as per policy only for users and only when a password change occurs; in all other cases we should just let kadmin decide whether it is going to set a password expiration time or just leave it empty. In general service tickets have strong random passwords so they do not need a password policy or expiration at all. https://fedorahosted.org/freeipa/ticket/1839
-rw-r--r--daemons/ipa-kdb/ipa_kdb_passwords.c2
-rw-r--r--daemons/ipa-kdb/ipa_kdb_principals.c33
2 files changed, 18 insertions, 17 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
index 18be9be0..28ec382d 100644
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -279,7 +279,7 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
time_t *expire_time)
{
krb5_error_code kerr;
- krb5_timestamp mod_time;
+ krb5_timestamp mod_time = 0;
krb5_principal mod_princ = NULL;
krb5_boolean truexp = true;
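Review bot: The new `mod_time = 0` default in `ipadb_get_pwd_expiration` is undocumented, and the lines that read `mod_time` are outside this hunk, so it is not visible which path used to reach it uninitialized or what a zero value produces. If 0 can flow into `*expire_time`, it is worth confirming that the LDAP write of `krbPasswordExpiration` treats it as "no expiration set" and not as an epoch timestamp, since the latter would make the password look already expired. A comment at the declaration would record the intent, for example `/* stays 0 when no last-modification time is looked up */`.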
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index ed5195fb..249aed2f 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1587,6 +1587,23 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
if (kerr) {
goto done;
}
+
+ /* Also set new password expiration time.
+ * Have to do it here because kadmin doesn't know policies and
+ * resets entry->mask after we have gone through the password
+ * change code. */
+ kerr = ipadb_get_pwd_expiration(kcontext, entry,
+ ied, &expire_time);
+ if (kerr) {
+ goto done;
+ }
+
+ kerr = ipadb_get_ldap_mod_time(imods,
+ "krbPasswordExpiration",
+ expire_time, mod_op);
+ if (kerr) {
+ goto done;
+ }
}
if (ied->ipa_user && ied->passwd && ied->pol.history_length) {
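Review bot: The moved comment in `ipadb_entry_to_mods` still only explains the kadmin mask reset and does not state the new rule from the commit message, that policy expiration is applied only to users and only on a password change. The condition guarding this block starts above the hunk, so it cannot be checked here that it tests both `ied->ipa_user` and `ied->passwd` the way the history check on the following `if` does. I would extend the comment with something like `/* Only for IPA users on a password change; in all other cases kadmin decides. */`. When the block is skipped, this code no longer adds a `krbPasswordExpiration` mod, so any previously stored value presumably stays unless kadmin supplies one. A test covering a user password reset performed by an administrator would confirm that path still ends up with an expiration.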
@@ -1605,22 +1622,6 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
goto done;
}
}
-
- /* Also set new password expiration time.
- * Have to do it here because kadmin doesn't know policies and resets
- * entry->mask after we have gone through the password change code.
- */
- kerr = ipadb_get_pwd_expiration(kcontext, entry, ied, &expire_time);
- if (kerr) {
- goto done;
- }
-
- kerr = ipadb_get_ldap_mod_time(imods,
- "krbPasswordExpiration",
- expire_time, mod_op);
- if (kerr) {
- goto done;
- }
}
kerr = 0;