mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-11 00:31:56 -06:00
Set default on group pwpolicy with no grace limit in upgrade
If an existing group policy lacks a password grace limit update it to -1 on upgrade. Fixes: https://pagure.io/freeipa/issue/9212 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
parent
c8955a4d0a
commit
0468cc6085
@ -26,6 +26,7 @@ plugin: update_ra_cert_store
|
||||
plugin: update_mapping_Guests_to_nobody
|
||||
plugin: fix_kra_people_entry
|
||||
plugin: update_pwpolicy
|
||||
plugin: update_pwpolicy_grace
|
||||
|
||||
# last
|
||||
# DNS version 1
|
||||
|
@ -78,3 +78,69 @@ class update_pwpolicy(Updater):
|
||||
return False, []
|
||||
|
||||
return False, []
|
||||
|
||||
|
||||
@register()
|
||||
class update_pwpolicy_grace(Updater):
|
||||
"""
|
||||
Ensure all group policies have a grace period set.
|
||||
"""
|
||||
|
||||
def execute(self, **options):
|
||||
ldap = self.api.Backend.ldap2
|
||||
|
||||
base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'),
|
||||
self.api.env.basedn)
|
||||
search_filter = (
|
||||
"(&(objectClass=krbpwdpolicy)(!(passwordgracelimit=*)))"
|
||||
)
|
||||
|
||||
while True:
|
||||
# Run the search in loop to avoid issues when LDAP limits are hit
|
||||
# during update
|
||||
|
||||
try:
|
||||
(entries, truncated) = ldap.find_entries(
|
||||
search_filter, ['objectclass'], base_dn, time_limit=0,
|
||||
size_limit=0)
|
||||
|
||||
except errors.EmptyResult:
|
||||
logger.debug("update_pwpolicy: no policies without "
|
||||
"passwordgracelimit set")
|
||||
return False, []
|
||||
|
||||
except errors.ExecutionError as e:
|
||||
logger.error("update_pwpolicy: cannot retrieve list "
|
||||
"of policies missing passwordgracelimit: %s", e)
|
||||
return False, []
|
||||
|
||||
logger.debug("update_pwpolicy: found %d "
|
||||
"policies to update, truncated: %s",
|
||||
len(entries), truncated)
|
||||
|
||||
error = False
|
||||
|
||||
for entry in entries:
|
||||
# Set unlimited BIND by default
|
||||
entry['passwordgracelimit'] = -1
|
||||
try:
|
||||
ldap.update_entry(entry)
|
||||
except (errors.EmptyModlist, errors.NotFound):
|
||||
pass
|
||||
except errors.ExecutionError as e:
|
||||
logger.debug("update_pwpolicy: cannot "
|
||||
"update policy: %s", e)
|
||||
error = True
|
||||
|
||||
if error:
|
||||
# Exit loop to avoid infinite cycles
|
||||
logger.error("update_pwpolicy: error(s) "
|
||||
"detected during pwpolicy update")
|
||||
return False, []
|
||||
|
||||
elif not truncated:
|
||||
# All affected entries updated, exit the loop
|
||||
logger.debug("update_pwpolicy: all policies updated")
|
||||
return False, []
|
||||
|
||||
return False, []
|
||||
|
Loading…
Reference in New Issue
Block a user