From 22d1392a8a0d2887c389dcd78be06104cff88d30 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 29 Jun 2022 13:25:55 +0000
Subject: [PATCH] Only calculate LDAP password grace when the password is expired

The user's pwd expiration was retrieved but inadvertently was never compared to current time. So any LDAP bind, including from the IPA API, counted against the grace period. There is no need to go through the graceperiod code for non-expired passwords.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 .../ipa-graceperiod/ipa_graceperiod.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
index 0860b5c20fc86687f80ee6f2426e23c87123130f..a3f57cb4bd7a2a66d70fae98cca0f62a8f0c017f 100644
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
 Slapi_ValueSet *values = NULL;
 long grace_limit = 0;
 int grace_user_time;
- char *pwd_expiration = NULL;
+ char *tmpstr = NULL;
+ time_t pwd_expiration;
 int pwresponse_requested = 0;
 Slapi_PBlock *pbtm = NULL;
 Slapi_Mods *smods = NULL;
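Review bot: Nothing visible in this patch releases `tmpstr`, which the second hunk fills from `slapi_entry_attr_get_charptr()`; that call returns an allocated copy the caller has to free. Because the declaration here initializes it to NULL, the cleanup path can release it unconditionally with `slapi_ch_free_string(&tmpstr);`. The `done:` label lies outside both hunks, so please confirm it does this. Going by the commit message this pre-op runs on LDAP binds, so a leak here would grow with authentication traffic.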
@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb) } slapi_value_free(&objectclass); - pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration"); - if (pwd_expiration == NULL) { + tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration"); + if (tmpstr == NULL) { /* No expiration means nothing to do */ LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn); goto done; } + pwd_expiration = ipapwd_gentime_to_time_t(tmpstr); + if (pwd_expiration > time(NULL)) { + /* Not expired, nothing to see here */ + goto done; + } ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry, &values, &actual_type_name, -- 2.36.1
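Review bot: The value returned by `ipapwd_gentime_to_time_t(tmpstr)` is compared with `time(NULL)` without any check that the conversion succeeded, in the added lines just before the `ipagraceperiod_getpolicy()` call. How the helper reports a malformed `krbPasswordExpiration` is not visible here; if it yields 0 or `(time_t)-1`, such an entry falls through to the grace-period code as if it were expired. That is the conservative direction, but it deserves a comment such as `/* An unparsable value compares as expired, so a bad attribute cannot skip grace accounting */`. The not-expired branch also exits silently, unlike the `LOG_TRACE` in the branch above it; adding `LOG_TRACE("Password for %s not expired, nothing to do\n", dn);` would keep bind handling traceable. The body of `ipagraceperiod_preop` continues outside the hunk.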