From 1fb3e149b5b5892d69fc41a7786f3b619640a472 Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Wed, 11 Jan 2017 15:04:42 -0800 Subject: [PATCH 2/3] Ticket #49082 - Fix password expiration related shadow attributes The original patch was provided by Gordon Messmer (gordon.messmer@gmail.com) with the description: Bug description: Shadow attributes (in /etc/shadow and in LDAP) are typically unset when no policy is in place. 389-ds will incorrectly return values (possibly set to 0) when there is no policy. Fix description: Only auto-fill shadow attributes when a password policy is available. These are empty when no policy is in place. Don't auto-fill expiration related shadow attributes if passwords never expire. --- ldap/servers/slapd/pw.c | 74 +++++++++++++++++++++++++------------------------ 1 file changed, 38 insertions(+), 36 deletions(-) diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c index 650c1bc..215c9eb 100644 --- a/ldap/servers/slapd/pw.c +++ b/ldap/servers/slapd/pw.c @@ -2823,7 +2823,7 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e) { const char *dn = NULL; passwdPolicy *pwpolicy = NULL; - long long shadowval = 0; + long long shadowval = -1; Slapi_Mods *smods = NULL; LDAPMod **mods; long long sval; 
@@ -2861,64 +2861,66 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e) if (shadowval > _MAX_SHADOW) { shadowval = _MAX_SHADOW; } - } else { - shadowval = 0; } - shmin = slapi_entry_attr_get_charptr(*e, "shadowMin"); - if (shmin) { - sval = strtoll(shmin, NULL, 0); - if (sval != shadowval) { - slapi_ch_free_string(&shmin); - shmin = slapi_ch_smprintf("%lld", shadowval); + if (shadowval > 0) { + shmin = slapi_entry_attr_get_charptr(*e, "shadowMin"); + if (shmin) { + sval = strtoll(shmin, NULL, 0); + if (sval != shadowval) { + slapi_ch_free_string(&shmin); + shmin = slapi_ch_smprintf("%lld", shadowval); + mod_num++; + } + } else { mod_num++; + shmin = slapi_ch_smprintf("%lld", shadowval); } - } else { - mod_num++; - shmin = slapi_ch_smprintf("%lld", shadowval); } /* shadowMax - the maximum number of days for which the user password remains valid. */ - if (pwpolicy->pw_maxage > 0) { + shadowval = -1; + if (pwpolicy->pw_exp == 1 && pwpolicy->pw_maxage > 0) { shadowval = pwpolicy->pw_maxage / _SEC_PER_DAY; if (shadowval > _MAX_SHADOW) { shadowval = _MAX_SHADOW; } - } else { - shadowval = _MAX_SHADOW; } - shmax = slapi_entry_attr_get_charptr(*e, "shadowMax"); - if (shmax) { - sval = strtoll(shmax, NULL, 0); - if (sval != shadowval) { - slapi_ch_free_string(&shmax); - shmax = slapi_ch_smprintf("%lld", shadowval); + if (shadowval > 0) { + shmax = slapi_entry_attr_get_charptr(*e, "shadowMax"); + if (shmax) { + sval = strtoll(shmax, NULL, 0); + if (sval != shadowval) { + slapi_ch_free_string(&shmax); + shmax = slapi_ch_smprintf("%lld", shadowval); + mod_num++; + } + } else { mod_num++; + shmax = slapi_ch_smprintf("%lld", shadowval); } - } else { - mod_num++; - shmax = slapi_ch_smprintf("%lld", shadowval); } /* shadowWarning - the number of days of advance warning given to the user before the user password expires. 
*/ - if (pwpolicy->pw_warning > 0) { + shadowval = -1; + if (pwpolicy->pw_exp == 1 && pwpolicy->pw_warning > 0) { shadowval = pwpolicy->pw_warning / _SEC_PER_DAY; if (shadowval > _MAX_SHADOW) { shadowval = _MAX_SHADOW; } - } else { - shadowval = 0; } - shwarn = slapi_entry_attr_get_charptr(*e, "shadowWarning"); - if (shwarn) { - sval = strtoll(shwarn, NULL, 0); - if (sval != shadowval) { - slapi_ch_free_string(&shwarn); - shwarn = slapi_ch_smprintf("%lld", shadowval); + if (shadowval > 0) { + shwarn = slapi_entry_attr_get_charptr(*e, "shadowWarning"); + if (shwarn) { + sval = strtoll(shwarn, NULL, 0); + if (sval != shadowval) { + slapi_ch_free_string(&shwarn); + shwarn = slapi_ch_smprintf("%lld", shadowval); + mod_num++; + } + } else { mod_num++; + shwarn = slapi_ch_smprintf("%lld", shadowval); } - } else { - mod_num++; - shwarn = slapi_ch_smprintf("%lld", shadowval); } smods = slapi_mods_new(); -- 2.9.3
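Review bot: A policy value shorter than one day is silently dropped in all three blocks of this hunk: `shadowval = pwpolicy->pw_maxage / _SEC_PER_DAY;` truncates to 0, and the new `if (shadowval > 0)` guard then skips the attribute exactly as it does for the no-policy value -1. For shadowMax this leaves an entry whose policy has expiration enabled but which carries no maximum age for anything that reads the shadow attributes. Either round up inside the `pw_maxage > 0` branch with `if (shadowval == 0) { shadowval = 1; }`, or, if the skip is intended, say so with a comment such as `/* sub-day policy values truncate to 0 and are intentionally left unset */`. Because the read of the existing value now sits inside the same guard, an entry that already has shadowMax or shadowWarning appears to keep its old value once pw_exp is switched off; whether the code after `slapi_mods_new()` deals with that cannot be seen here. add_shadow_ext_password_attrs starts before and continues past this hunk.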