From 58f8ebf49148172c6f3b1d22bcd7ea0fb3fb21c7 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Fri, 2 May 2014 14:55:07 -0400
Subject: kdb: Don't provide password expiration when using only RADIUS

If the KDC doesn't use the FreeIPA password for authentication, then it is futile to provide this information. Doing so will only confuse the user. It also causes password change dialogues when the password is irrelevant.
https://fedorahosted.org/freeipa/ticket/4299
Reviewed-By: Alexander Bokovoy
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index f0be76ea7..d2be98886 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -429,6 +429,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
 switch (ret) {
 case 0:
 entry->pw_expiration = restime;
+
+ /* If we are using only RADIUS, we don't know expiration. */
+ if (ua == IPADB_USER_AUTH_RADIUS)
+ entry->pw_expiration = 0;
 case ENOENT:
 break;
 default:
-- cgit
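Review bot: In the `case 0:` arm the expiration is assigned and then conditionally overwritten, and the arm now runs four lines further before dropping into `case ENOENT:` with no marker, so the fallthrough is easy to misread as a missing `break`. A single assignment states the intent more directly, `entry->pw_expiration = (ua == IPADB_USER_AUTH_RADIUS) ? 0 : restime;`, followed by an explicit `break;` or a `/* fallthrough */` comment. The equality test matches only when RADIUS is the sole value in `ua`, which agrees with the commit title. Because `ua` is computed outside the hunk, it is worth confirming that it already holds the effective auth types for the principal at this point, since a zero here presumably switches off expiry enforcement for that entry. The switch and the rest of `ipadb_parse_ldap_entry` continue outside the hunk.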