ipa/0001-Only-calculate-LDAP-password-grace-when-the-password.patch
Florence Blanc-Renaud f569c41e74 ipa-4.10.0-2
- Resolves: rhbz#2091988
  [RFE] Add code to check password expiration on ldap bind
2022-06-30 16:22:52 +02:00

57 lines
2.2 KiB
Diff

From 22d1392a8a0d2887c389dcd78be06104cff88d30 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Jun 2022 13:25:55 +0000
Subject: [PATCH] Only calculate LDAP password grace when the password is
expired
The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../ipa-graceperiod/ipa_graceperiod.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
index 0860b5c20fc86687f80ee6f2426e23c87123130f..a3f57cb4bd7a2a66d70fae98cca0f62a8f0c017f 100644
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
Slapi_ValueSet *values = NULL;
long grace_limit = 0;
int grace_user_time;
- char *pwd_expiration = NULL;
+ char *tmpstr = NULL;
+ time_t pwd_expiration;
int pwresponse_requested = 0;
Slapi_PBlock *pbtm = NULL;
Slapi_Mods *smods = NULL;
@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
}
slapi_value_free(&objectclass);
- pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
- if (pwd_expiration == NULL) {
+ tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
+ if (tmpstr == NULL) {
/* No expiration means nothing to do */
LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
goto done;
}
+ pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
+ if (pwd_expiration > time(NULL)) {
+ /* Not expired, nothing to see here */
+ goto done;
+ }
ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
&values, &actual_type_name,
--
2.36.1