author | David Kupka <dkupka@redhat.com> | 2016-06-30 08:52:33 +0200 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2016-07-01 11:22:02 +0200 |
commit | d2cb9ed327ee4003598d5e45d80ab7918b89eeed (patch) | |
tree | 759a8dbeb8cec1226cefdb097354e78756bcf639 /daemons/ipa-kdb | |
parent | 3691e39a62da5134f911f6a798f79a3a2ae0c025 (diff) | |
Allow unexpiring passwords
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.
https://fedorahosted.org/freeipa/ticket/2795
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Diffstat (limited to 'daemons/ipa-kdb')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_passwords.c | 6 | ||||
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_principals.c | 11 |
2 files changed, 16 insertions, 1 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
index ad57181d5..a3d4fe243 100644
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -253,7 +253,11 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
 if (truexp) {
 if (ied->pol) {
- *expire_time = mod_time + ied->pol->max_pwd_life;
+ if (ied->pol->max_pwd_life) {
+ *expire_time = mod_time + ied->pol->max_pwd_life;
+ } else {
+ *expire_time = 0;
+ }
 } else {
 *expire_time = mod_time + IPAPWD_DEFAULT_PWDLIFE;
 }
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index f1d3e9e89..6cdfa9094 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1850,6 +1850,11 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
 "krbPasswordExpiration",
 entry->pw_expiration,
 mod_op);
+ if (entry->pw_expiration == 0) {
+ kerr = ipadb_get_ldap_mod_time(imods,
+ "krbPasswordExpiration",
+ entry->pw_expiration, LDAP_MOD_DELETE);
+ }
 if (kerr) {
 goto done;
 }
@@ -2105,6 +2110,12 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
 kerr = ipadb_get_ldap_mod_time(imods,
 "krbPasswordExpiration",
 expire_time, mod_op);
+ if (expire_time == 0) {
+ kerr = ipadb_get_ldap_mod_time(imods,
+ "krbPasswordExpiration",
+ expire_time, LDAP_MOD_DELETE);
+ }
+
 if (kerr) {
 goto done;
 } |
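Review bot: The new `else` branch in ipadb_get_pwd_expiration turns `max_pwd_life == 0` into "never expire" by storing 0 in `*expire_time`, but nothing at that line documents the sentinel. Before this change the same policy value yielded `mod_time + 0`, i.e. a password that was already expired at the moment it was set. A policy that already carries maxlife=0 therefore flips from the strictest outcome to the most permissive one on upgrade, so the branch deserves a comment such as `/* max_pwd_life == 0: password never expires; 0 means "no expiration" */` and the change a mention in the upgrade notes. Whether a policy with no maximum lifetime at all ends up with `max_pwd_life` set to 0 cannot be seen from this hunk and should be confirmed, since it would then be treated as never-expiring too. The function body starts and ends outside the hunk.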
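Review bot: In the first ipa_kdb_principals.c hunk, the added block assigns `kerr` again before the existing `if (kerr)` check runs, so the result of the preceding `ipadb_get_ldap_mod_time(..., mod_op)` call is overwritten whenever `entry->pw_expiration == 0`. A failure of the first call is then masked by a successful second call and the function carries on with an incomplete mod list. Guarding the block with `if (kerr == 0 && entry->pw_expiration == 0) {` preserves the first error. The later hunk at `expire_time == 0` has the same pattern and needs the same guard. ipadb_entry_to_mods starts and ends outside both hunks.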
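Review bot: Nothing at the added `if (expire_time == 0)` block explains why krbPasswordExpiration is first queued with `mod_op` and then queued again with `LDAP_MOD_DELETE` in the same mod list. A short comment would save the next reader from treating the pair as a mistake, for example `/* expire_time == 0: never expires, so remove krbPasswordExpiration instead of leaving epoch 0 stored */`. Whether the directory server accepts the delete when `mod_op` is an add for a newly created principal is not visible from this hunk; a test that creates a principal under a maxlife=0 policy would settle it. The earlier hunk at `entry->pw_expiration == 0` would benefit from the same comment.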