author | Thierry Bordaz <tbordaz@redhat.com> | 2016-10-19 15:04:13 +0200 |
---|---|---|
committer | Martin Babinsky <mbabinsk@redhat.com> | 2016-11-24 17:01:02 +0100 |
commit | c223130d5f429278202aaf8bf87af53911a3b448 (patch) | |
tree | b882ca0745b14eb9bfbe30616c7668b1c04bf107 | |
parent | a8376a244758494db31341442bc2163e1807b7ac (diff) | |
IPA Allows Password Reuse with History value defined when admin resets the password.
When an administrator resets a user's password, the user's password history is
now preserved and enforced according to the password policy that applies to that user.
https://fedorahosted.org/freeipa/ticket/6402
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index cab7b7c7b..761f7a8e3 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -548,15 +548,6 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
 pol.min_pwd_length = IPAPWD_DEFAULT_MINLEN;
 switch(data->changetype) {
- case IPA_CHANGETYPE_ADMIN:
- /* The expiration date needs to be older than the current time
- * otherwise the KDC may not immediately register the password
- * as expired. The last password change needs to match the
- * password expiration otherwise minlife issues will arise.
- */
- data->timeNow -= 1;
- data->expireTime = data->timeNow;
- break;
 case IPA_CHANGETYPE_NORMAL:
 /* Find the entry with the password policy */
 ret = ipapwd_getPolicy(data->dn, data->target, &pol);
@@ -564,6 +555,19 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
 LOG_TRACE("No password policy, use defaults");
 }
 break;
+ case IPA_CHANGETYPE_ADMIN:
+ /* The expiration date needs to be older than the current time
+ * otherwise the KDC may not immediately register the password
+ * as expired. The last password change needs to match the
+ * password expiration otherwise minlife issues will arise.
+ */
+ data->timeNow -= 1;
+ data->expireTime = data->timeNow;
+
+ /* let set the entry password property according to its
+ * entry password policy (done with ipapwd_getPolicy)
+ * For this intentional fallthrough here
+ */
 case IPA_CHANGETYPE_DSMGR:
 /* PassSync agents and Directory Manager can administratively
 * change the password without expiring it.
@@ -577,6 +581,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
 LOG_TRACE("No password policy, use defaults");
 } else {
 pol.max_pwd_life = tmppol.max_pwd_life;
+ pol.history_length = tmppol.history_length;
 }
 break;
 default: |
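Review bot: The fall-through from `case IPA_CHANGETYPE_ADMIN:` into `case IPA_CHANGETYPE_DSMGR:` is signalled only inside a three-line prose comment ("For this intentional fallthrough here"), which compiler fall-through diagnostics such as `-Wimplicit-fallthrough` may not recognise and which reads awkwardly. I would reword the prose to `/* Apply the entry's own password policy (looked up via ipapwd_getPolicy in the DSMGR branch below). */` and end the case with a dedicated `/* fallthrough */` line immediately before `case IPA_CHANGETYPE_DSMGR:`. The ADMIN case also forces `data->expireTime` into the past and then enters a branch whose comment says the password is changed "without expiring it"; if code after the switch (outside this hunk) derives `data->expireTime` from `pol.max_pwd_life`, the forced expiry set here would be overwritten, so that is worth confirming. `ipapwd_CheckPolicy` begins before and continues past this hunk.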
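Review bot: `pol.history_length = tmppol.history_length;` is added to the branch shared by `IPA_CHANGETYPE_DSMGR` and, via the new fall-through, `IPA_CHANGETYPE_ADMIN`, so PassSync agents and Directory Manager now also inherit the policy's history length even though the commit message scopes the fix to admin resets. Unless the history check later in `ipapwd_CheckPolicy` (outside this hunk) is itself gated on `data->changetype`, this silently changes DSMGR/PassSync behaviour; if that is not intended, guard it as `if (data->changetype == IPA_CHANGETYPE_ADMIN) pol.history_length = tmppol.history_length;`. Either way the `else` branch copies only `max_pwd_life` and `history_length` and leaves the rest of `pol` at defaults — presumably deliberate so administrative changes skip quality checks — and a one-line comment stating which fields are intentionally inherited, and by which change types, would make that explicit.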