authorDavid Kupka <dkupka@redhat.com>2016-06-30 08:52:33 +0200
committerPetr Vobornik <pvoborni@redhat.com>2016-07-01 11:22:02 +0200
commitd2cb9ed327ee4003598d5e45d80ab7918b89eeed (patch)
tree759a8dbeb8cec1226cefdb097354e78756bcf639
parent3691e39a62da5134f911f6a798f79a3a2ae0c025 (diff)
downloadfreeipa-d2cb9ed327ee4003598d5e45d80ab7918b89eeed.tar.gz
freeipa-d2cb9ed327ee4003598d5e45d80ab7918b89eeed.tar.xz
freeipa-d2cb9ed327ee4003598d5e45d80ab7918b89eeed.zip
Allow unexpiring passwords
Treat maxlife=0 in password policy as "never expire". Delete krbPasswordExpiration in user entry when password should never expire. https://fedorahosted.org/freeipa/ticket/2795 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
-rw-r--r--daemons/ipa-kdb/ipa_kdb_passwords.c6
-rw-r--r--daemons/ipa-kdb/ipa_kdb_principals.c11
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c22
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c4
-rw-r--r--ipaserver/plugins/pwpolicy.py2
5 files changed, 33 insertions, 12 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
index ad57181d5..a3d4fe243 100644
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -253,7 +253,11 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
if (truexp) {
if (ied->pol) {
- *expire_time = mod_time + ied->pol->max_pwd_life;
+ if (ied->pol->max_pwd_life) {
+ *expire_time = mod_time + ied->pol->max_pwd_life;
+ } else {
+ *expire_time = 0;
+ }
} else {
*expire_time = mod_time + IPAPWD_DEFAULT_PWDLIFE;
}
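Review bot: The guard `if (ied->pol->max_pwd_life)` added on L30 treats any non-zero value, including a negative one, as a real lifetime, while the ipa-pwd-extop hunk in common.c tests the same policy field with `pol.max_pwd_life > 0`; a negative max_pwd_life read from the policy entry would give an already-past expiration here but "never expires" in the plugin. Aligning on `if (ied->pol->max_pwd_life > 0) {` keeps the two code paths consistent. The new `*expire_time = 0;` on L33 also deserves a line saying what zero means to the caller, e.g. `/* max_pwd_life == 0: policy says the password never expires; 0 is the KDB's "no expiration" value */`. ipadb_get_pwd_expiration begins before the hunk.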
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index f1d3e9e89..6cdfa9094 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1850,6 +1850,11 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
"krbPasswordExpiration",
entry->pw_expiration,
mod_op);
+ if (entry->pw_expiration == 0) {
+ kerr = ipadb_get_ldap_mod_time(imods,
+ "krbPasswordExpiration",
+ entry->pw_expiration, LDAP_MOD_DELETE);
+ }
if (kerr) {
goto done;
}
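Review bot: The return value of the ipadb_get_ldap_mod_time call on L43-L45 is never examined before the new block on L46-L50 reassigns `kerr` with the LDAP_MOD_DELETE call, so when pw_expiration is 0 a failure of the first mod is masked by a successful second one and the mod list can silently lack its REPLACE entry. Insert `if (kerr) { goto done; }` between the two calls; the second hunk of this file (L58-L62) has the same shape and needs the same guard. The pairing itself (REPLACE of the formatted epoch-0 value followed by DELETE of that same value) only clears the attribute because the first mod makes the value present for the second to remove, which is worth a comment such as `/* REPLACE then DELETE of the same value: net effect is removing krbPasswordExpiration (never expires) */` where it is first used. ipadb_entry_to_mods starts and ends outside the hunk.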
@@ -2105,6 +2110,12 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
kerr = ipadb_get_ldap_mod_time(imods,
"krbPasswordExpiration",
expire_time, mod_op);
+ if (expire_time == 0) {
+ kerr = ipadb_get_ldap_mod_time(imods,
+ "krbPasswordExpiration",
+ expire_time, LDAP_MOD_DELETE);
+ }
+
if (kerr) {
goto done;
}
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 5dc606d22..0bb50fc31 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -317,7 +317,6 @@ int ipapwd_getPolicy(const char *dn,
int buffer_flags=0;
Slapi_ValueSet* results = NULL;
char *actual_type_name = NULL;
- int tmpint;
LOG_TRACE("Searching policy for [%s]\n", dn);
@@ -382,15 +381,9 @@ int ipapwd_getPolicy(const char *dn,
/* read data out of policy object */
policy->min_pwd_life = slapi_entry_attr_get_int(pe, "krbMinPwdLife");
- tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");
- if (tmpint != 0) {
- policy->max_pwd_life = tmpint;
- }
+ policy->max_pwd_life = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");
- tmpint = slapi_entry_attr_get_int(pe, "krbPwdMinLength");
- if (tmpint != 0) {
- policy->min_pwd_length = tmpint;
- }
+ policy->min_pwd_length = slapi_entry_attr_get_int(pe, "krbPwdMinLength");
policy->history_length = slapi_entry_attr_get_int(pe,
"krbPwdHistoryLength");
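Review bot: Dropping the `tmpint != 0` guard for krbPwdMinLength on L85-L89 is outside the ticket's scope (it concerns krbMaxPwdLife only) and changes behaviour: slapi_entry_attr_get_int returns 0 for an absent attribute, so a policy entry without krbPwdMinLength now yields `policy->min_pwd_length = 0` and any default assigned earlier in ipapwd_getPolicy (outside the hunk, if one exists) is overwritten, whereas before the default survived. For the max-life field the unconditional assignment is the intended "0 means never expire" semantics, but for min length a missing attribute turning into "no minimum" weakens enforcement. Keep the original three lines for that attribute, `tmpint = slapi_entry_attr_get_int(pe, "krbPwdMinLength"); if (tmpint != 0) { policy->min_pwd_length = tmpint; }`, or state in a comment that 0/absent is deliberately accepted as "no minimum". ipapwd_getPolicy begins and ends outside the hunk.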
@@ -620,7 +613,11 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
slapi_ch_array_free(pwd_history);
if (data->expireTime == 0) {
- data->expireTime = data->timeNow + pol.max_pwd_life;
+ if (pol.max_pwd_life > 0) {
+ /* max_pwd_life = 0 => never expire
+ * set expire time only when max_pwd_life > 0 */
+ data->expireTime = data->timeNow + pol.max_pwd_life;
+ }
}
data->policy = pol;
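Review bot: After this hunk `data->expireTime == 0` has two meanings inside ipapwd_CheckPolicy: "not yet computed" at the guard on L94, and "never expires" once the new `pol.max_pwd_life > 0` test on L96 declines to set it; the `data->expireTime == 0` checks the commit adds in ipapwd_SetPassword and prepost.c rely on the second reading. The comment on L97-L98 explains the branch but not the resulting overload, so a reader of L94 cannot tell the two apart. Extend it to something like `/* expireTime == 0 on entry means "not set"; on return it means "never expires" (max_pwd_life == 0), which SetPassword turns into a delete of krbPasswordExpiration */`. ipapwd_CheckPolicy begins and ends outside the hunk.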
@@ -788,6 +785,11 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
"%Y%m%d%H%M%SZ", &utctime);
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"krbPasswordExpiration", timestr);
+ if (data->expireTime == 0) {
+ slapi_mods_add_string(smods, LDAP_MOD_DELETE,
+ "krbPasswordExpiration", timestr);
+ }
+
}
}
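Review bot: The LDAP_MOD_DELETE added on L108-L109 reuses `timestr`, so it removes exactly the value the LDAP_MOD_REPLACE on L105-L106 just wrote (presumably the epoch-0 timestamp formatted from data->expireTime above the hunk); the pair does clear krbPasswordExpiration, but only because the server applies the mods of one modify in order, and to a reader the two consecutive mods look contradictory. When expireTime is 0 a single value-less delete in place of the REPLACE, `slapi_mods_add_modbvps(smods, LDAP_MOD_DELETE, "krbPasswordExpiration", NULL);`, states the intent directly, if that helper is usable in this plugin; otherwise add `/* REPLACE then DELETE of the same value: clears the attribute because the password never expires */` next to the new block. The prepost.c hunk (L122-L125) has the same pattern and the same fix applies there. ipapwd_SetPassword continues outside the hunk.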
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 5c700211b..9d923d6fb 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1123,6 +1123,10 @@ static int ipapwd_post_modadd(Slapi_PBlock *pb)
"%Y%m%d%H%M%SZ", &utctime);
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"krbPasswordExpiration", timestr);
+ if (pwdop->pwdata.expireTime == 0) {
+ slapi_mods_add_string(smods, LDAP_MOD_DELETE,
+ "krbPasswordExpiration", timestr);
+ }
/* change Last Password Change field with the current date */
if (!gmtime_r(&(pwdop->pwdata.timeNow), &utctime)) {
diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
index 5a2202aa0..e5e68fb58 100644
--- a/ipaserver/plugins/pwpolicy.py
+++ b/ipaserver/plugins/pwpolicy.py
@@ -411,7 +411,7 @@ class pwpolicy(LDAPObject):
if maxlife is None and 'krbmaxpwdlife' in existing_entry:
maxlife = int(existing_entry['krbmaxpwdlife'][0]) * 86400
- if maxlife is not None and minlife is not None:
+ if maxlife not in (None, 0) and minlife is not None:
if minlife > maxlife:
raise errors.ValidationError(
name='maxlife',