231 lines
8.3 KiB
Diff
231 lines
8.3 KiB
Diff
From 434620ee342ac4767beccec647a318bfa7743dfa Mon Sep 17 00:00:00 2001
|
|
From: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Thu, 18 Aug 2022 08:21:58 -0400
|
|
Subject: [PATCH] doc: Update LDAP grace period design with default values
|
|
|
|
New group password policies will get -1 (unlimited) on creation
|
|
by default.
|
|
|
|
Existing group password policies will remain untouched and
|
|
those created prior will be treated as no BIND allowed.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9212
|
|
|
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
---
|
|
doc/designs/ldap_grace_period.md | 17 ++++++++++++++++-
|
|
1 file changed, 16 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/doc/designs/ldap_grace_period.md b/doc/designs/ldap_grace_period.md
|
|
index 4b9db3424..e26aedda9 100644
|
|
--- a/doc/designs/ldap_grace_period.md
|
|
+++ b/doc/designs/ldap_grace_period.md
|
|
@@ -51,7 +51,22 @@ The basic flow is:
|
|
|
|
On successful password reset (by anyone) reset the user's passwordGraceUserTime to 0.
|
|
|
|
-The default value on install/upgrade will be -1 to retail existing behavior.
|
|
+Range values for passwordgracelimit are:
|
|
+
|
|
+-1 : password grace checking is disabled
|
|
+ 0 : no grace BIND are allowed at all post-expiration
|
|
+ 1..MAXINT: the number of BIND allowed post-expiration
|
|
+
|
|
+The default value for the global policy on install/upgrade will be -1 to
|
|
+retain existing behavior.
|
|
+
|
|
+New group password policies will default to -1 to retain previous
|
|
+behavior.
|
|
+
|
|
+Existing group policies with no grace limit set are updated to use
|
|
+the default unlimited value, -1. This is done because lack of value in
|
|
+LDAP is treated as 0 so any existing group policies would not allow
|
|
+post-expiration BIND so this will avoid confusion.
|
|
|
|
The per-user attempts will not be replicated.
|
|
|
|
--
|
|
2.37.2
|
|
|
|
From 497a57e7a6872fa30d1855a1d91a455bfdbf9300 Mon Sep 17 00:00:00 2001
|
|
From: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Thu, 4 Aug 2022 12:04:22 -0400
|
|
Subject: [PATCH] Set default gracelimit on group password policies to -1
|
|
|
|
This will retain previous behavior of unlimited LDAP BIND
|
|
post-expiration.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9212
|
|
|
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
---
|
|
API.txt | 2 +-
|
|
ipaserver/plugins/pwpolicy.py | 2 ++
|
|
ipatests/test_xmlrpc/test_pwpolicy_plugin.py | 2 ++
|
|
3 files changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/API.txt b/API.txt
|
|
index 5ba9add13..d7ea74f08 100644
|
|
--- a/API.txt
|
|
+++ b/API.txt
|
|
@@ -4075,7 +4075,7 @@ option: Int('krbpwdlockoutduration?', cli_name='lockouttime')
|
|
option: Int('krbpwdmaxfailure?', cli_name='maxfail')
|
|
option: Int('krbpwdmindiffchars?', cli_name='minclasses')
|
|
option: Int('krbpwdminlength?', cli_name='minlength')
|
|
-option: Int('passwordgracelimit?', cli_name='gracelimit', default=-1)
|
|
+option: Int('passwordgracelimit?', autofill=True, cli_name='gracelimit', default=-1)
|
|
option: Flag('raw', autofill=True, cli_name='raw', default=False)
|
|
option: Str('setattr*', cli_name='setattr')
|
|
option: Str('version?')
|
|
diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
|
|
index 4428aede2..f4ebffd5c 100644
|
|
--- a/ipaserver/plugins/pwpolicy.py
|
|
+++ b/ipaserver/plugins/pwpolicy.py
|
|
@@ -408,6 +408,7 @@ class pwpolicy(LDAPObject):
|
|
minvalue=-1,
|
|
maxvalue=Int.MAX_UINT32,
|
|
default=-1,
|
|
+ autofill=True,
|
|
),
|
|
)
|
|
|
|
@@ -539,6 +540,7 @@ class pwpolicy_add(LDAPCreate):
|
|
keys[-1], krbpwdpolicyreference=dn,
|
|
cospriority=options.get('cospriority')
|
|
)
|
|
+
|
|
return dn
|
|
|
|
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
|
diff --git a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
|
|
index 8eee69c18..fc785223b 100644
|
|
--- a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
|
|
+++ b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
|
|
@@ -387,6 +387,7 @@ class test_pwpolicy_mod_cospriority(Declarative):
|
|
krbpwdhistorylength=[u'10'],
|
|
krbpwdmindiffchars=[u'3'],
|
|
krbpwdminlength=[u'8'],
|
|
+ passwordgracelimit=[u'-1'],
|
|
objectclass=objectclasses.pwpolicy,
|
|
),
|
|
summary=None,
|
|
@@ -417,6 +418,7 @@ class test_pwpolicy_mod_cospriority(Declarative):
|
|
krbpwdhistorylength=[u'10'],
|
|
krbpwdmindiffchars=[u'3'],
|
|
krbpwdminlength=[u'8'],
|
|
+ passwordgracelimit=[u'-1'],
|
|
),
|
|
summary=None,
|
|
value=u'ipausers',
|
|
--
|
|
2.37.2
|
|
|
|
From a4ddaaf3048c4e8d78a1807af7266ee40ab3a30b Mon Sep 17 00:00:00 2001
|
|
From: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Thu, 4 Aug 2022 12:04:41 -0400
|
|
Subject: [PATCH] Set default on group pwpolicy with no grace limit in upgrade
|
|
|
|
If an existing group policy lacks a password grace limit
|
|
update it to -1 on upgrade.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9212
|
|
|
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
---
|
|
.../updates/90-post_upgrade_plugins.update | 1 +
|
|
ipaserver/install/plugins/update_pwpolicy.py | 66 +++++++++++++++++++
|
|
2 files changed, 67 insertions(+)
|
|
|
|
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
|
|
index c7ec71d49..6fe91aa6c 100644
|
|
--- a/install/updates/90-post_upgrade_plugins.update
|
|
+++ b/install/updates/90-post_upgrade_plugins.update
|
|
@@ -26,6 +26,7 @@ plugin: update_ra_cert_store
|
|
plugin: update_mapping_Guests_to_nobody
|
|
plugin: fix_kra_people_entry
|
|
plugin: update_pwpolicy
|
|
+plugin: update_pwpolicy_grace
|
|
|
|
# last
|
|
# DNS version 1
|
|
diff --git a/ipaserver/install/plugins/update_pwpolicy.py b/ipaserver/install/plugins/update_pwpolicy.py
|
|
index dca44ce43..4185f0343 100644
|
|
--- a/ipaserver/install/plugins/update_pwpolicy.py
|
|
+++ b/ipaserver/install/plugins/update_pwpolicy.py
|
|
@@ -78,3 +78,69 @@ class update_pwpolicy(Updater):
|
|
return False, []
|
|
|
|
return False, []
|
|
+
|
|
+
|
|
+@register()
|
|
+class update_pwpolicy_grace(Updater):
|
|
+ """
|
|
+ Ensure all group policies have a grace period set.
|
|
+ """
|
|
+
|
|
+ def execute(self, **options):
|
|
+ ldap = self.api.Backend.ldap2
|
|
+
|
|
+ base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'),
|
|
+ self.api.env.basedn)
|
|
+ search_filter = (
|
|
+ "(&(objectClass=krbpwdpolicy)(!(passwordgracelimit=*)))"
|
|
+ )
|
|
+
|
|
+ while True:
|
|
+ # Run the search in loop to avoid issues when LDAP limits are hit
|
|
+ # during update
|
|
+
|
|
+ try:
|
|
+ (entries, truncated) = ldap.find_entries(
|
|
+ search_filter, ['objectclass'], base_dn, time_limit=0,
|
|
+ size_limit=0)
|
|
+
|
|
+ except errors.EmptyResult:
|
|
+ logger.debug("update_pwpolicy: no policies without "
|
|
+ "passwordgracelimit set")
|
|
+ return False, []
|
|
+
|
|
+ except errors.ExecutionError as e:
|
|
+ logger.error("update_pwpolicy: cannot retrieve list "
|
|
+ "of policies missing passwordgracelimit: %s", e)
|
|
+ return False, []
|
|
+
|
|
+ logger.debug("update_pwpolicy: found %d "
|
|
+ "policies to update, truncated: %s",
|
|
+ len(entries), truncated)
|
|
+
|
|
+ error = False
|
|
+
|
|
+ for entry in entries:
|
|
+ # Set unlimited BIND by default
|
|
+ entry['passwordgracelimit'] = -1
|
|
+ try:
|
|
+ ldap.update_entry(entry)
|
|
+ except (errors.EmptyModlist, errors.NotFound):
|
|
+ pass
|
|
+ except errors.ExecutionError as e:
|
|
+ logger.debug("update_pwpolicy: cannot "
|
|
+ "update policy: %s", e)
|
|
+ error = True
|
|
+
|
|
+ if error:
|
|
+ # Exit loop to avoid infinite cycles
|
|
+ logger.error("update_pwpolicy: error(s) "
|
|
+ "detected during pwpolicy update")
|
|
+ return False, []
|
|
+
|
|
+ elif not truncated:
|
|
+ # All affected entries updated, exit the loop
|
|
+ logger.debug("update_pwpolicy: all policies updated")
|
|
+ return False, []
|
|
+
|
|
+ return False, []
|
|
--
|
|
2.37.2
|
|
|