kdb: Don't provide password expiration when using only RADIUS

If the KDC doesn't use the FreeIPA password for authentication, then it is futile to provide this information. Doing so will only confuse the user. It also causes password change dialogues when the password is irrelevant. https://fedorahosted.org/freeipa/ticket/4299 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
author: Nathaniel McCallum <npmccallum@redhat.com> 2014-05-02 14:55:07 -0400
committer: Petr Viktorin <pviktori@redhat.com> 2014-05-22 16:46:01 +0200
commit: 58f8ebf49148172c6f3b1d22bcd7ea0fb3fb21c7 (patch)
tree: 9852cdbefc109f4901a83a2d12d9ed1cdafe03d3
parent: 86f943ca180a72c4cfa3a8a03226f2471a97981b (diff)
download: freeipa-58f8ebf49148172c6f3b1d22bcd7ea0fb3fb21c7.tar.gz
freeipa-58f8ebf49148172c6f3b1d22bcd7ea0fb3fb21c7.tar.xz
freeipa-58f8ebf49148172c6f3b1d22bcd7ea0fb3fb21c7.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index f0be76ea7..d2be98886 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -429,6 +429,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
     switch (ret) {
     case 0:
         entry->pw_expiration = restime;
+
+        /* If we are using only RADIUS, we don't know expiration. */
+        if (ua == IPADB_USER_AUTH_RADIUS)
+            entry->pw_expiration = 0;
     case ENOENT:
         break;
     default:
author	Nathaniel McCallum <npmccallum@redhat.com>	2014-05-02 14:55:07 -0400
committer	Petr Viktorin <pviktori@redhat.com>	2014-05-22 16:46:01 +0200
commit	58f8ebf49148172c6f3b1d22bcd7ea0fb3fb21c7 (patch)
tree	9852cdbefc109f4901a83a2d12d9ed1cdafe03d3
parent	86f943ca180a72c4cfa3a8a03226f2471a97981b (diff)
download	freeipa-58f8ebf49148172c6f3b1d22bcd7ea0fb3fb21c7.tar.gz freeipa-58f8ebf49148172c6f3b1d22bcd7ea0fb3fb21c7.tar.xz freeipa-58f8ebf49148172c6f3b1d22bcd7ea0fb3fb21c7.zip