Set default on group pwpolicy with no grace limit in upgrade

If an existing group policy lacks a password grace limit update it to -1 on upgrade. Fixes: https://pagure.io/freeipa/issue/9212 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-01-11 00:31:56 -06:00 · 2022-08-04 12:04:41 -04:00 · 2022-08-04 12:04:41 -04:00 · 0468cc6085
commit 0468cc6085
parent c8955a4d0a
2 changed files with 67 additions and 0 deletions
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@ -26,6 +26,7 @@ plugin: update_ra_cert_store
 plugin: update_mapping_Guests_to_nobody
 plugin: fix_kra_people_entry
 plugin: update_pwpolicy
 plugin: update_pwpolicy_grace
 # last
 # DNS version 1
--- a/ipaserver/install/plugins/update_pwpolicy.py
+++ b/ipaserver/install/plugins/update_pwpolicy.py
@ -78,3 +78,69 @@ class update_pwpolicy(Updater):
                return False, []
        return False, []
@register()
 class update_pwpolicy_grace(Updater):
    """
    Ensure all group policies have a grace period set.
    """
    def execute(self, **options):
        ldap = self.api.Backend.ldap2
        base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'),
                     self.api.env.basedn)
        search_filter = (
            "(&(objectClass=krbpwdpolicy)(!(passwordgracelimit=*)))"
        )
        while True:
            # Run the search in loop to avoid issues when LDAP limits are hit
            # during update
            try:
                (entries, truncated) = ldap.find_entries(
                    search_filter, ['objectclass'], base_dn, time_limit=0,
                    size_limit=0)
            except errors.EmptyResult:
                logger.debug("update_pwpolicy: no policies without "
                             "passwordgracelimit set")
                return False, []
            except errors.ExecutionError as e:
                logger.error("update_pwpolicy: cannot retrieve list "
                             "of policies missing passwordgracelimit: %s", e)
                return False, []
            logger.debug("update_pwpolicy: found %d "
                         "policies to update, truncated: %s",
                         len(entries), truncated)
            error = False
            for entry in entries:
                # Set unlimited BIND by default
                entry['passwordgracelimit'] = -1
                try:
                    ldap.update_entry(entry)
                except (errors.EmptyModlist, errors.NotFound):
                    pass
                except errors.ExecutionError as e:
                    logger.debug("update_pwpolicy: cannot "
                                 "update policy: %s", e)
                    error = True
            if error:
                # Exit loop to avoid infinite cycles
                logger.error("update_pwpolicy: error(s) "
                             "detected during pwpolicy update")
                return False, []
            elif not truncated:
                # All affected entries updated, exit the loop
                logger.debug("update_pwpolicy: all policies updated")
                return False, []
        return False, []