authorDavid Kupka <dkupka@redhat.com>2016-06-30 08:52:33 +0200
committerPetr Vobornik <pvoborni@redhat.com>2016-07-01 11:22:02 +0200
commitd2cb9ed327ee4003598d5e45d80ab7918b89eeed (patch)
tree759a8dbeb8cec1226cefdb097354e78756bcf639 /daemons/ipa-kdb
parent3691e39a62da5134f911f6a798f79a3a2ae0c025 (diff)
Allow unexpiring passwords
Treat maxlife=0 in password policy as "never expire". Delete krbPasswordExpiration in user entry when password should never expire. https://fedorahosted.org/freeipa/ticket/2795 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Diffstat (limited to 'daemons/ipa-kdb')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_passwords.c6
-rw-r--r--daemons/ipa-kdb/ipa_kdb_principals.c11
2 files changed, 16 insertions, 1 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
index ad57181d5..a3d4fe243 100644
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -253,7 +253,11 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
if (truexp) {
if (ied->pol) {
- *expire_time = mod_time + ied->pol->max_pwd_life;
+ if (ied->pol->max_pwd_life) {
+ *expire_time = mod_time + ied->pol->max_pwd_life;
+ } else {
+ *expire_time = 0;
+ }
} else {
*expire_time = mod_time + IPAPWD_DEFAULT_PWDLIFE;
}
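Review bot: The new `else` branch that sets `*expire_time = 0;` relies on an undocumented sentinel, and the hunk has no comment saying that a policy `max_pwd_life` of 0 now means "never expire". Before this change the same policy value produced an expiry equal to `mod_time`, so the meaning moves from immediate expiry to none, which is a security-relevant change for any existing policy that already stores 0. I would add a comment above the inner `if`, for example `/* max_pwd_life == 0: policy disables expiration; 0 is returned as "no expiration" */`. It is also worth stating that the no-policy branch still applies `IPAPWD_DEFAULT_PWDLIFE`, so only an explicit policy value of 0 turns expiry off. The body of ipadb_get_pwd_expiration starts and ends outside the hunk.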
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index f1d3e9e89..6cdfa9094 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1850,6 +1850,11 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
"krbPasswordExpiration",
entry->pw_expiration,
mod_op);
+ if (entry->pw_expiration == 0) {
+ kerr = ipadb_get_ldap_mod_time(imods,
+ "krbPasswordExpiration",
+ entry->pw_expiration, LDAP_MOD_DELETE);
+ }
if (kerr) {
goto done;
}
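Review bot: The added `if (entry->pw_expiration == 0)` block overwrites `kerr` from the preceding `ipadb_get_ldap_mod_time(..., mod_op)` call, so a failure of that first call is lost whenever the expiration is 0. Guarding the second call keeps the error visible: `if (kerr == 0 && entry->pw_expiration == 0) {`. As written, the zero case also queues two modifications for `krbPasswordExpiration`, one with `mod_op` and one with `LDAP_MOD_DELETE`. Whether the helper skips a zero value, and whether the delete is valid when `mod_op` is an add for a new entry, is not visible here, so an `if`/`else` that issues only the delete may be the safer shape. The same pattern appears in the next hunk at `if (expire_time == 0)`, and ipadb_entry_to_mods extends outside both hunks.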
@@ -2105,6 +2110,12 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
kerr = ipadb_get_ldap_mod_time(imods,
"krbPasswordExpiration",
expire_time, mod_op);
+ if (expire_time == 0) {
+ kerr = ipadb_get_ldap_mod_time(imods,
+ "krbPasswordExpiration",
+ expire_time, LDAP_MOD_DELETE);
+ }
+
if (kerr) {
goto done;
}