author | Martin Kosek <mkosek@redhat.com> | 2014-06-10 08:42:03 +0200 |
committer | Martin Kosek <mkosek@redhat.com> | 2014-06-10 08:42:03 +0200 |
commit | c41b782bc59cd0cb70cbd62d543f9c538109d410 (patch) | |
tree | cde577765ad1d824f43089f0179d74c808df2463 /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | |
parent | 2a8c509567754877ed0188784d7c38250484be48 (diff) | |
Revert "Check for password expiration in pre-bind"
This reverts commit bfdbd3b6ad7c437e7dd293d2488b2d53f4ea7ba6.
Forceful validation of password expiration date in a BIND pre-callback
breaks LDAP password change extended operation as the password change
is only allowed via authenticated (bound) channel. Passwords could be
only changed via kadmin protocol. This change would thus break
LDAP-only clients and Web UI password change hook.
This patch will need to be revisited so that the unauthenticated corner
cases are also covered.
https://fedorahosted.org/freeipa/ticket/1539
Diffstat (limited to 'daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c')
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 33 |
1 files changed, 4 insertions, 29 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 6786c6ddb..23c7cb18c 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1217,35 +1217,13 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
 }
 static int ipapwd_authenticate(const char *dn, Slapi_Entry *entry,
- const struct berval *credentials,
- const char **errmsg)
+ const struct berval *credentials)
 {
 Slapi_Value **pwd_values = NULL; /* values of userPassword attribute */
 Slapi_Value *value = NULL;
 Slapi_Attr *attr = NULL;
- struct tm expire_tm;
- char *expire;
- char *p;
 int ret;
- /* check the if the krbPrincipalKey attribute is present */
- ret = slapi_entry_attr_find(entry, "krbprincipalkey", &attr);
- if (!ret) {
- /* check that the password is not expired */
- expire = slapi_entry_attr_get_charptr(entry, "krbpasswordexpiration");
- if (expire) {
- memset(&expire_tm, 0, sizeof (expire_tm));
- p = strptime(expire, "%Y%m%d%H%M%SZ", &expire_tm);
- if (*p) {
- LOG("Invalid expiration date string format");
- return 1;
- } else if (time(NULL) > mktime(&expire_tm)) {
- *errmsg = "The user password is expired";
- return 1;
- }
- }
- }
-
 /* retrieve userPassword attribute */
 ret = slapi_entry_attr_find(entry, SLAPI_USERPWD_ATTR, &attr);
 if (ret) {
@@ -1403,7 +1381,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 static const char *attrs_list[] = { SLAPI_USERPWD_ATTR, "ipaUserAuthType",
 "krbprincipalkey", "uid", "krbprincipalname",
 "objectclass", "passwordexpirationtime",
- "passwordhistory", "krbprincipalexpiration", "krbpasswordexpiration",
+ "passwordhistory", "krbprincipalexpiration",
 NULL };
 struct berval *credentials = NULL;
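Review bot: With the expiration block removed, ipapwd_authenticate now verifies only the userPassword value, and nothing at the definition says that krbPasswordExpiration is intentionally not enforced here, so the next maintainer may assume Kerberos password expiry is still checked on LDAP simple bind; a short header comment above the signature would close that gap, e.g. `/* Verifies credentials against userPassword only. krbPasswordExpiration is deliberately not enforced in pre-bind: refusing here also blocks the password-change extop, which needs a bound connection (ticket 1539). */`. Since the commit message says this check will be reintroduced later, it is worth recording that the removed version was unsafe as written: `p = strptime(expire, "%Y%m%d%H%M%SZ", &expire_tm); if (*p)` dereferences NULL when strptime does not match the attribute value, so the reintroduced guard should read `if (p == NULL || *p != '\0')`. The body of ipapwd_authenticate continues past the end of this hunk.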
@@ -1416,7 +1394,6 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 time_t expire_time;
 char *principal_expire = NULL;
 struct tm expire_tm;
- const char *errmsg = NULL;
 /* get BIND parameters */
 ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET, &dn);
@@ -1477,12 +1454,10 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
 }
 /* Authenticate the user. */
- ret = ipapwd_authenticate(dn, entry, credentials, &errmsg);
+ ret = ipapwd_authenticate(dn, entry, credentials);
 if (ret) {
 slapi_entry_free(entry);
- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
- NULL, errmsg, 0, NULL);
- return 1;
+ return 0;
 }
 /* Attempt to handle a token synchronization request. */ |
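Review bot: The failure branch after `ipapwd_authenticate` now does `slapi_entry_free(entry); return 0;` without sending any result, whereas the removed lines answered LDAP_INVALID_CREDENTIALS and returned 1; a reader will see `return 0` on the failed-authentication path and read it as success, and nothing says that the rejection is now being delegated. Presumably returning 0 from a pre-bind callback lets the server's own bind processing evaluate the credentials and send the error itself, which is what the plugin relied on before the reverted commit, but that contract is not visible here and should be stated: `/* Plugin check failed: return 0 so the core bind path re-evaluates the credentials and sends the error itself; returning non-zero would oblige us to send the result. */`. Because after this revert the plugin never rejects a simple bind on this path, it is worth confirming that the server's userPassword comparison stays active for these entries rather than being short-circuited by an earlier plugin return. ipapwd_pre_bind starts before and continues after this hunk.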