f569c41e74
- Resolves: rhbz#2091988 [RFE] Add code to check password expiration on ldap bind
From 22d1392a8a0d2887c389dcd78be06104cff88d30 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Jun 2022 13:25:55 +0000
Subject: [PATCH] Only calculate LDAP password grace when the password is
expired
The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../ipa-graceperiod/ipa_graceperiod.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
index 0860b5c20fc86687f80ee6f2426e23c87123130f..a3f57cb4bd7a2a66d70fae98cca0f62a8f0c017f 100644
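--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
 Slapi_ValueSet *values = NULL;
 long grace_limit = 0;
 int grace_user_time;
- char *pwd_expiration = NULL;
+ char *tmpstr = NULL;
+ time_t pwd_expiration;
 int pwresponse_requested = 0;
 Slapi_PBlock *pbtm = NULL;
 Slapi_Mods *smods = NULL;
@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
 }
 slapi_value_free(&objectclass);
 
- pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
- if (pwd_expiration == NULL) {
+ tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
+ if (tmpstr == NULL) {
 /* No expiration means nothing to do */
 LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
 goto done;
 }
+ pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
+ if (pwd_expiration > time(NULL)) {
+ /* Not expired, nothing to see here */
+ goto done;
+ }
 
 ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
 &values, &actual_type_name,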
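Review bot: In the second hunk `tmpstr` is never released: `slapi_entry_attr_get_charptr()` hands back an allocated copy, and neither hunk of this patch adds a free, so each bind against an entry carrying `krbPasswordExpiration` appears to leak the string inside the directory server process. Freeing it right after the conversion, with `slapi_ch_free_string(&tmpstr);` placed before the `if (pwd_expiration > time(NULL))` test, covers both the early `goto done` and the fall-through path. The result of `ipapwd_gentime_to_time_t()` is also used unchecked; if that helper reports a parse failure as 0 or -1 (its body is not visible here), a malformed attribute value is silently treated as an expired password, so a `LOG_TRACE` on that case would help anyone investigating unexpected grace-login consumption. The `done:` label and the rest of `ipagraceperiod_preop` lie outside the hunks.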
--
2.36.1