diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index c7ec71d49..6fe91aa6c 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -26,6 +26,7 @@ plugin: update_ra_cert_store
 plugin: update_mapping_Guests_to_nobody
 plugin: fix_kra_people_entry
 plugin: update_pwpolicy
+plugin: update_pwpolicy_grace
 # last
 # DNS version 1
diff --git a/ipaserver/install/plugins/update_pwpolicy.py b/ipaserver/install/plugins/update_pwpolicy.py
index dca44ce43..4185f0343 100644
--- a/ipaserver/install/plugins/update_pwpolicy.py
+++ b/ipaserver/install/plugins/update_pwpolicy.py
@@ -78,3 +78,69 @@ class update_pwpolicy(Updater):
             return False, []
 
         return False, []
+
+
+@register()
+class update_pwpolicy_grace(Updater):
+    """
+    Ensure all group policies have a grace period set.
+    """
+
+    def execute(self, **options):
+        ldap = self.api.Backend.ldap2
+
+        base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'),
+                     self.api.env.basedn)
+        search_filter = (
+            "(&(objectClass=krbpwdpolicy)(!(passwordgracelimit=*)))"
+        )
+
+        while True:
+            # Run the search in loop to avoid issues when LDAP limits are hit
+            # during update
+
+            try:
+                (entries, truncated) = ldap.find_entries(
+                    search_filter, ['objectclass'], base_dn, time_limit=0,
+                    size_limit=0)
+
+            except errors.EmptyResult:
+                logger.debug("update_pwpolicy: no policies without "
+                             "passwordgracelimit set")
+                return False, []
+
+            except errors.ExecutionError as e:
+                logger.error("update_pwpolicy: cannot retrieve list "
+                             "of policies missing passwordgracelimit: %s", e)
+                return False, []
+
+            logger.debug("update_pwpolicy: found %d "
+                         "policies to update, truncated: %s",
+                         len(entries), truncated)
+
+            error = False
+
+            for entry in entries:
+                # Set unlimited BIND by default
+                entry['passwordgracelimit'] = -1
+                try:
+                    ldap.update_entry(entry)
+                except (errors.EmptyModlist, errors.NotFound):
+                    pass
+                except errors.ExecutionError as e:
+                    logger.debug("update_pwpolicy: cannot "
+                                 "update policy: %s", e)
+                    error = True
+
+            if error:
+                # Exit loop to avoid infinite cycles
+                logger.error("update_pwpolicy: error(s) "
+                             "detected during pwpolicy update")
+                return False, []
+
+            elif not truncated:
+                # All affected entries updated, exit the loop
+                logger.debug("update_pwpolicy: all policies updated")
+                return False, []
+
+        return False, []
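Review bot: Every log message in update_pwpolicy_grace.execute carries the `update_pwpolicy:` prefix, so in the upgrade log its output cannot be told apart from the existing update_pwpolicy plugin that runs immediately before it; the prefix should read `update_pwpolicy_grace:` in all eight calls. The per-entry failure inside the for loop is logged only at debug level before the loop exits with a generic error, so the failing policy and the exception are lost at the default level — `logger.error("update_pwpolicy_grace: cannot update policy %s: %s", entry.dn, e)` would keep them. The docstring says "group policies" but the filter matches any krbpwdpolicy entry under cn=kerberos that lacks passwordgracelimit, presumably including the global policy, so the docstring should say so. The `# Set unlimited BIND by default` comment would serve operators better if it stated that -1 (unlimited binds after password expiry) is chosen to keep the behaviour from before the attribute existed rather than as a hardened default — I infer that intent from the code, so confirm it. The trailing `return False, []` after the `while True` loop is unreachable and can be dropped.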