107 lines
3.8 KiB
Diff
107 lines
3.8 KiB
Diff
From de6f074538f6641fd9d84bed204a3d4d50eccbe5 Mon Sep 17 00:00:00 2001
|
|
From: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Thu, 4 Aug 2022 12:04:41 -0400
|
|
Subject: [PATCH] Set default on group pwpolicy with no grace limit in upgrade
|
|
|
|
If an existing group policy lacks a password grace limit
|
|
update it to -1 on upgrade.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9212
|
|
|
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
---
|
|
.../updates/90-post_upgrade_plugins.update | 1 +
|
|
ipaserver/install/plugins/update_pwpolicy.py | 66 +++++++++++++++++++
|
|
2 files changed, 67 insertions(+)
|
|
|
|
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
|
|
index c7ec71d492b0ac0e7641d586b7e7fa7501743bc2..6fe91aa6c6310a69a7f0feb1ad62243945db67f9 100644
|
|
--- a/install/updates/90-post_upgrade_plugins.update
|
|
+++ b/install/updates/90-post_upgrade_plugins.update
|
|
@@ -26,6 +26,7 @@ plugin: update_ra_cert_store
|
|
plugin: update_mapping_Guests_to_nobody
|
|
plugin: fix_kra_people_entry
|
|
plugin: update_pwpolicy
|
|
+plugin: update_pwpolicy_grace
|
|
|
|
# last
|
|
# DNS version 1
|
|
diff --git a/ipaserver/install/plugins/update_pwpolicy.py b/ipaserver/install/plugins/update_pwpolicy.py
|
|
index dca44ce4369dfc11f83a412a1249bb045d46713f..4185f034313bd49ca68e86c620043af6ead5f6d6 100644
|
|
--- a/ipaserver/install/plugins/update_pwpolicy.py
|
|
+++ b/ipaserver/install/plugins/update_pwpolicy.py
|
|
@@ -78,3 +78,69 @@ class update_pwpolicy(Updater):
|
|
return False, []
|
|
|
|
return False, []
|
|
+
|
|
+
|
|
+@register()
|
|
+class update_pwpolicy_grace(Updater):
|
|
+ """
|
|
+ Ensure all group policies have a grace period set.
|
|
+ """
|
|
+
|
|
+ def execute(self, **options):
|
|
+ ldap = self.api.Backend.ldap2
|
|
+
|
|
+ base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'),
|
|
+ self.api.env.basedn)
|
|
+ search_filter = (
|
|
+ "(&(objectClass=krbpwdpolicy)(!(passwordgracelimit=*)))"
|
|
+ )
|
|
+
|
|
+ while True:
|
|
+ # Run the search in loop to avoid issues when LDAP limits are hit
|
|
+ # during update
|
|
+
|
|
+ try:
|
|
+ (entries, truncated) = ldap.find_entries(
|
|
+ search_filter, ['objectclass'], base_dn, time_limit=0,
|
|
+ size_limit=0)
|
|
+
|
|
+ except errors.EmptyResult:
|
|
+ logger.debug("update_pwpolicy: no policies without "
|
|
+ "passwordgracelimit set")
|
|
+ return False, []
|
|
+
|
|
+ except errors.ExecutionError as e:
|
|
+ logger.error("update_pwpolicy: cannot retrieve list "
|
|
+ "of policies missing passwordgracelimit: %s", e)
|
|
+ return False, []
|
|
+
|
|
+ logger.debug("update_pwpolicy: found %d "
|
|
+ "policies to update, truncated: %s",
|
|
+ len(entries), truncated)
|
|
+
|
|
+ error = False
|
|
+
|
|
+ for entry in entries:
|
|
+ # Set unlimited BIND by default
|
|
+ entry['passwordgracelimit'] = -1
|
|
+ try:
|
|
+ ldap.update_entry(entry)
|
|
+ except (errors.EmptyModlist, errors.NotFound):
|
|
+ pass
|
|
+ except errors.ExecutionError as e:
|
|
+ logger.debug("update_pwpolicy: cannot "
|
|
+ "update policy: %s", e)
|
|
+ error = True
|
|
+
|
|
+ if error:
|
|
+ # Exit loop to avoid infinite cycles
|
|
+ logger.error("update_pwpolicy: error(s) "
|
|
+ "detected during pwpolicy update")
|
|
+ return False, []
|
|
+
|
|
+ elif not truncated:
|
|
+ # All affected entries updated, exit the loop
|
|
+ logger.debug("update_pwpolicy: all policies updated")
|
|
+ return False, []
|
|
+
|
|
+ return False, []
|
|
--
|
|
2.37.2
|
|
|