From de6f074538f6641fd9d84bed204a3d4d50eccbe5 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 4 Aug 2022 12:04:41 -0400 Subject: [PATCH] Set default on group pwpolicy with no grace limit in upgrade If an existing group policy lacks a password grace limit update it to -1 on upgrade. Fixes: https://pagure.io/freeipa/issue/9212 Signed-off-by: Rob Crittenden Reviewed-By: Florence Blanc-Renaud --- .../updates/90-post_upgrade_plugins.update | 1 + ipaserver/install/plugins/update_pwpolicy.py | 66 +++++++++++++++++++ 2 files changed, 67 insertions(+) diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update index c7ec71d492b0ac0e7641d586b7e7fa7501743bc2..6fe91aa6c6310a69a7f0feb1ad62243945db67f9 100644 --- a/install/updates/90-post_upgrade_plugins.update +++ b/install/updates/90-post_upgrade_plugins.update @@ -26,6 +26,7 @@ plugin: update_ra_cert_store plugin: update_mapping_Guests_to_nobody plugin: fix_kra_people_entry plugin: update_pwpolicy +plugin: update_pwpolicy_grace # last # DNS version 1 diff --git a/ipaserver/install/plugins/update_pwpolicy.py b/ipaserver/install/plugins/update_pwpolicy.py index dca44ce4369dfc11f83a412a1249bb045d46713f..4185f034313bd49ca68e86c620043af6ead5f6d6 100644 --- a/ipaserver/install/plugins/update_pwpolicy.py +++ b/ipaserver/install/plugins/update_pwpolicy.py @@ -78,3 +78,69 @@ class update_pwpolicy(Updater): return False, [] return False, [] + + +@register() +class update_pwpolicy_grace(Updater): + """ + Ensure all group policies have a grace period set. + """ + + def execute(self, **options): + ldap = self.api.Backend.ldap2 + + base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'), + self.api.env.basedn) + search_filter = ( + "(&(objectClass=krbpwdpolicy)(!(passwordgracelimit=*)))" + ) + + while True: + # Run the search in loop to avoid issues when LDAP limits are hit + # during update + + try: + (entries, truncated) = ldap.find_entries( + search_filter, ['objectclass'], base_dn, time_limit=0, + size_limit=0) + + except errors.EmptyResult: + logger.debug("update_pwpolicy: no policies without " + "passwordgracelimit set") + return False, [] + + except errors.ExecutionError as e: + logger.error("update_pwpolicy: cannot retrieve list " + "of policies missing passwordgracelimit: %s", e) + return False, [] + + logger.debug("update_pwpolicy: found %d " + "policies to update, truncated: %s", + len(entries), truncated) + + error = False + + for entry in entries: + # Set unlimited BIND by default + entry['passwordgracelimit'] = -1 + try: + ldap.update_entry(entry) + except (errors.EmptyModlist, errors.NotFound): + pass + except errors.ExecutionError as e: + logger.debug("update_pwpolicy: cannot " + "update policy: %s", e) + error = True + + if error: + # Exit loop to avoid infinite cycles + logger.error("update_pwpolicy: error(s) " + "detected during pwpolicy update") + return False, [] + + elif not truncated: + # All affected entries updated, exit the loop + logger.debug("update_pwpolicy: all policies updated") + return False, [] + + return False, [] -- 2.37.2