diff options
author | Simo Sorce <ssorce@redhat.com> | 2010-10-05 18:09:12 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2010-10-07 07:53:36 -0400 |
commit | 475c064227620a075079eaf2bbaf846beab1d291 (patch) | |
tree | 990eb2627ac10d397508bea34728d183e11b4ac2 | |
parent | ceb91a3f7175307e4fbae929e98063fba8cc9123 (diff) | |
download | freeipa-475c064227620a075079eaf2bbaf846beab1d291.tar.gz freeipa-475c064227620a075079eaf2bbaf846beab1d291.tar.xz freeipa-475c064227620a075079eaf2bbaf846beab1d291.zip |
When dealing with samba password set also the sambaPwdLastSet
This attribute is required for samba to properly identify a user has changed
it's password and doesn't need to change it again at next login.
At the same time, if we are forcing a pssword reset we also need to let samba
know the user must change its password.
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c | 22 | ||||
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c | 26 |
2 files changed, 47 insertions, 1 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c index a2b11e4ab..4c1092a09 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c @@ -1165,6 +1165,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, int is_smb = 0; Slapi_Value *sambaSamAccount; char *errMesg = NULL; + char *modtime = NULL; slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME, "=> ipapwd_SetPassword\n"); @@ -1224,7 +1225,25 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, slapi_mods_add_string(smods, LDAP_MOD_REPLACE, "sambaNTPassword", nt); } - + if (is_smb) { + /* with samba integration we need to also set sambaPwdLastSet or + * samba will decide the user has to change the password again */ + if (data->changetype == IPA_CHANGETYPE_ADMIN) { + /* if it is an admin change instead we need to let know to + * samba as well that the use rmust change its password */ + modtime = slapi_ch_smprintf("0"); + } else { + modtime = slapi_ch_smprintf("%ld", (long)data->timeNow); + } + if (!modtime) { + slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME, + "failed to smprintf string!\n"); + ret = LDAP_OPERATIONS_ERROR; + goto free_and_return; + } + slapi_mods_add_string(smods, LDAP_MOD_REPLACE, + "sambaPwdLastset", modtime); + } /* let DS encode the password itself, this allows also other plugins to * intercept it to perform operations like synchronization with Active * Directory domains through the replication plugin */ @@ -1252,6 +1271,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, free_and_return: if (lm) slapi_ch_free((void **)&lm); if (nt) slapi_ch_free((void **)&nt); + if (modtime) slapi_ch_free((void **)&modtime); slapi_mods_free(&smods); ipapwd_free_slapi_value_array(&svals); ipapwd_free_slapi_value_array(&pwvals); diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c index 7c95ac814..a4869813b 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c @@ -351,6 +351,19 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt); slapi_ch_free_string(&nt); } + + if (is_smb) { + /* with samba integration we need to also set sambaPwdLastSet or + * samba will decide the user has to change the password again */ + if (pwdop->pwdata.changetype == IPA_CHANGETYPE_ADMIN) { + /* if it is an admin change instead we need to let know to + * samba as well that the use rmust change its password */ + slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L); + } else { + slapi_entry_attr_set_long(e, "sambaPwdLastset", + (long)pwdop->pwdata.timeNow); + } + } } rc = LDAP_SUCCESS; @@ -736,6 +749,19 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) "sambaNTPassword", nt); slapi_ch_free_string(&nt); } + + if (is_smb) { + /* with samba integration we need to also set sambaPwdLastSet or + * samba will decide the user has to change the password again */ + if (pwdop->pwdata.changetype == IPA_CHANGETYPE_ADMIN) { + /* if it is an admin change instead we need to let know to + * samba as well that the use rmust change its password */ + slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L); + } else { + slapi_entry_attr_set_long(e, "sambaPwdLastset", + (long)pwdop->pwdata.timeNow); + } + } } rc = LDAP_SUCCESS; |