From bea0a93afc0934af873b7f8094fe2281b2b8a21c Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Fri, 23 Sep 2011 18:37:42 -0400
Subject: ipa-kdb: Fix expiration time calculation

Expiration time should be enforced as per policy only for users and only when a password change occurs, ina ll other cases we should just let kadmin decide whther it is going to set a password expiration time or just leave it empty. In general service tickts have strong random passwords so they do not need a password policy or expiration at all.

https://fedorahosted.org/freeipa/ticket/1839
---
 daemons/ipa-kdb/ipa_kdb_passwords.c | 2 +-
 daemons/ipa-kdb/ipa_kdb_principals.c | 33 +++++++++++++++++----------------
 2 files changed, 18 insertions(+), 17 deletions(-)
(limited to 'daemons')

diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
index 18be9be0..28ec382d 100644
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -279,7 +279,7 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
 time_t *expire_time)
 {
 krb5_error_code kerr;
- krb5_timestamp mod_time;
+ krb5_timestamp mod_time = 0;
 krb5_principal mod_princ = NULL;
 krb5_boolean truexp = true;
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index ed5195fb..249aed2f 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
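Review bot: Initialising `mod_time` to 0 removes the indeterminate read, but it also makes "no last-change time was looked up" indistinguishable from a genuine timestamp of 0, and the code that consumes `mod_time` lies outside the hunk (the body of ipadb_get_pwd_expiration continues past it). It is worth confirming that every consumer treats 0 as "unknown" before adding a policy lifetime to it; otherwise an entry with no recorded change would, presumably, compute an expiration in 1970 and appear already expired rather than unset. A one-line comment on the changed declaration would record that contract: `krb5_timestamp mod_time = 0; /* 0 == no password change time recorded */`.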
@@ -1587,6 +1587,23 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
 if (kerr) {
 goto done;
 }
+
+ /* Also set new password expiration time.
+ * Have to do it here because kadmin doesn't know policies and
+ * resets entry->mask after we have gone through the password
+ * change code. */
+ kerr = ipadb_get_pwd_expiration(kcontext, entry,
+ ied, &expire_time);
+ if (kerr) {
+ goto done;
+ }
+
+ kerr = ipadb_get_ldap_mod_time(imods,
+ "krbPasswordExpiration",
+ expire_time, mod_op);
+ if (kerr) {
+ goto done;
+ }
 }
 if (ied->ipa_user && ied->passwd && ied->pol.history_length) {
@@ -1605,22 +1622,6 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
 goto done;
 }
 }
-
- /* Also set new password expiration time.
- * Have to do it here because kadmin doesn't know policies and resets
- * entry->mask after we have gone through the password change code.
- */
- kerr = ipadb_get_pwd_expiration(kcontext, entry, ied, &expire_time);
- if (kerr) {
- goto done;
- }
-
- kerr = ipadb_get_ldap_mod_time(imods,
- "krbPasswordExpiration",
- expire_time, mod_op);
- if (kerr) {
- goto done;
- }
 kerr = 0;
-- cgit
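Review bot: The `krbPasswordExpiration` modification is now issued unconditionally whenever the enclosing block runs, regardless of what `ipadb_get_pwd_expiration` stored in `expire_time`; the hunk shows neither that variable's initialisation nor the enclosing `if` (ipadb_entry_to_mods opens before the hunk), so if the helper can express "no expiration" by leaving the value at 0, the write would store an epoch-zero timestamp instead of leaving the attribute empty, and anything comparing it against the current time would treat the principal as long expired. Unless ipadb_get_ldap_mod_time already maps 0 to a delete, which the hunk cannot show, guarding the call keeps the stored attribute consistent with the commit message's intent of leaving it empty: `if (expire_time != 0) {` / `kerr = ipadb_get_ldap_mod_time(imods, "krbPasswordExpiration", expire_time, mod_op);` / `}`. The second hunk is the matching removal of the same block at function scope and needs no separate change.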