summaryrefslogtreecommitdiffstats
path: root/daemons
diff options
context:
space:
mode:
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-kdb/ipa_kdb.h4
-rw-r--r--daemons/ipa-kdb/ipa_kdb_passwords.c46
-rw-r--r--daemons/ipa-kdb/ipa_kdb_principals.c28
3 files changed, 74 insertions, 4 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 78746918..cfcaca64 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -178,3 +178,7 @@ krb5_error_code ipadb_change_pwd(krb5_context context,
int new_kvno, krb5_boolean keepold,
krb5_db_entry *db_entry);
+krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
+ krb5_db_entry *entry,
+ struct ipadb_e_data *ied,
+ time_t *expire_time);
diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
index ab58057a..18be9be0 100644
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -269,3 +269,49 @@ krb5_error_code ipadb_change_pwd(krb5_context context,
return 0;
}
+/*
+ * Check who actually changed the password, if it is not 'self' then
+ * we need to expire it if it is a user principal.
+ */
+krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
+ krb5_db_entry *entry,
+ struct ipadb_e_data *ied,
+ time_t *expire_time)
+{
+ krb5_error_code kerr;
+ krb5_timestamp mod_time;
+ krb5_principal mod_princ = NULL;
+ krb5_boolean truexp = true;
+
+
+ /* Assume all principals with just one component as user principals */
+ if (entry->princ->length == 1) {
+ kerr = krb5_dbe_lookup_mod_princ_data(context, entry,
+ &mod_time, &mod_princ);
+ if (kerr) {
+ goto done;
+ }
+
+ /* If the mod principal is kadmind then we have to assume an actual
+ * password change for now. Apparently kadmind does not properly pass
+ * the actual user principal down when said user is performing a
+ * password change */
+ if (mod_princ->length == 1 &&
+ strcmp(mod_princ->data[0].data, "kadmind") != 0) {
+ truexp = krb5_principal_compare(context, mod_princ, entry->princ);
+ }
+ }
+
+ if (truexp) {
+ *expire_time = mod_time + ied->pol.max_pwd_life;
+ } else {
+ /* not 'self', so reset */
+ *expire_time = mod_time;
+ }
+
+ kerr = 0;
+
+done:
+ krb5_free_principal(context, mod_princ);
+ return kerr;
+}
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 8e1d4218..ed5195fb 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1362,7 +1362,8 @@ done:
return kerr;
}
-static krb5_error_code ipadb_entry_to_mods(struct ipadb_mods *imods,
+static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
+ struct ipadb_mods *imods,
krb5_db_entry *entry,
char *principal,
int mod_op)
@@ -1561,10 +1562,11 @@ static krb5_error_code ipadb_entry_to_mods(struct ipadb_mods *imods,
/* KADM5_LOAD */
- /* Store saved password if any and password history */
+ /* Handle password change related operations. */
if (entry->e_data) {
struct ipadb_e_data *ied;
time_t now = time(NULL);
+ time_t expire_time;
char **new_history;
int nh_len;
int ret;
@@ -1603,6 +1605,22 @@ static krb5_error_code ipadb_entry_to_mods(struct ipadb_mods *imods,
goto done;
}
}
+
+ /* Also set new password expiration time.
+ * Have to do it here because kadmin doesn't know policies and resets
+ * entry->mask after we have gone through the password change code.
+ */
+ kerr = ipadb_get_pwd_expiration(kcontext, entry, ied, &expire_time);
+ if (kerr) {
+ goto done;
+ }
+
+ kerr = ipadb_get_ldap_mod_time(imods,
+ "krbPasswordExpiration",
+ expire_time, mod_op);
+ if (kerr) {
+ goto done;
+ }
}
kerr = 0;
@@ -1689,7 +1707,8 @@ static krb5_error_code ipadb_add_principal(krb5_context kcontext,
goto done;
}
- kerr = ipadb_entry_to_mods(imods, entry, principal, LDAP_MOD_ADD);
+ kerr = ipadb_entry_to_mods(kcontext, imods,
+ entry, principal, LDAP_MOD_ADD);
if (kerr != 0) {
goto done;
}
@@ -1752,7 +1771,8 @@ static krb5_error_code ipadb_modify_principal(krb5_context kcontext,
goto done;
}
- kerr = ipadb_entry_to_mods(imods, entry, principal, LDAP_MOD_REPLACE);
+ kerr = ipadb_entry_to_mods(kcontext, imods,
+ entry, principal, LDAP_MOD_REPLACE);
if (kerr != 0) {
goto done;
}