summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSimo Sorce <ssorce@redhat.com>2010-10-05 18:09:12 -0400
committerSimo Sorce <ssorce@redhat.com>2010-10-07 07:53:36 -0400
commit475c064227620a075079eaf2bbaf846beab1d291 (patch)
tree990eb2627ac10d397508bea34728d183e11b4ac2
parentceb91a3f7175307e4fbae929e98063fba8cc9123 (diff)
downloadfreeipa-475c064227620a075079eaf2bbaf846beab1d291.tar.gz
freeipa-475c064227620a075079eaf2bbaf846beab1d291.tar.xz
freeipa-475c064227620a075079eaf2bbaf846beab1d291.zip
When dealing with samba password set also the sambaPwdLastSet
This attribute is required for samba to properly identify a user has changed it's password and doesn't need to change it again at next login. At the same time, if we are forcing a pssword reset we also need to let samba know the user must change its password.
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c22
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c26
2 files changed, 47 insertions, 1 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index a2b11e4ab..4c1092a09 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -1165,6 +1165,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
int is_smb = 0;
Slapi_Value *sambaSamAccount;
char *errMesg = NULL;
+ char *modtime = NULL;
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"=> ipapwd_SetPassword\n");
@@ -1224,7 +1225,25 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"sambaNTPassword", nt);
}
-
+ if (is_smb) {
+ /* with samba integration we need to also set sambaPwdLastSet or
+ * samba will decide the user has to change the password again */
+ if (data->changetype == IPA_CHANGETYPE_ADMIN) {
+ /* if it is an admin change instead we need to let know to
+ * samba as well that the use rmust change its password */
+ modtime = slapi_ch_smprintf("0");
+ } else {
+ modtime = slapi_ch_smprintf("%ld", (long)data->timeNow);
+ }
+ if (!modtime) {
+ slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
+ "failed to smprintf string!\n");
+ ret = LDAP_OPERATIONS_ERROR;
+ goto free_and_return;
+ }
+ slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
+ "sambaPwdLastset", modtime);
+ }
/* let DS encode the password itself, this allows also other plugins to
* intercept it to perform operations like synchronization with Active
* Directory domains through the replication plugin */
@@ -1252,6 +1271,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
free_and_return:
if (lm) slapi_ch_free((void **)&lm);
if (nt) slapi_ch_free((void **)&nt);
+ if (modtime) slapi_ch_free((void **)&modtime);
slapi_mods_free(&smods);
ipapwd_free_slapi_value_array(&svals);
ipapwd_free_slapi_value_array(&pwvals);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 7c95ac814..a4869813b 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -351,6 +351,19 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt);
slapi_ch_free_string(&nt);
}
+
+ if (is_smb) {
+ /* with samba integration we need to also set sambaPwdLastSet or
+ * samba will decide the user has to change the password again */
+ if (pwdop->pwdata.changetype == IPA_CHANGETYPE_ADMIN) {
+ /* if it is an admin change instead we need to let know to
+ * samba as well that the use rmust change its password */
+ slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L);
+ } else {
+ slapi_entry_attr_set_long(e, "sambaPwdLastset",
+ (long)pwdop->pwdata.timeNow);
+ }
+ }
}
rc = LDAP_SUCCESS;
@@ -736,6 +749,19 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
"sambaNTPassword", nt);
slapi_ch_free_string(&nt);
}
+
+ if (is_smb) {
+ /* with samba integration we need to also set sambaPwdLastSet or
+ * samba will decide the user has to change the password again */
+ if (pwdop->pwdata.changetype == IPA_CHANGETYPE_ADMIN) {
+ /* if it is an admin change instead we need to let know to
+ * samba as well that the use rmust change its password */
+ slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L);
+ } else {
+ slapi_entry_attr_set_long(e, "sambaPwdLastset",
+ (long)pwdop->pwdata.timeNow);
+ }
+ }
}
rc = LDAP_SUCCESS;