Set default on group pwpolicy with no grace limit in upgrade

If an existing group policy lacks a password grace limit update it to -1 on upgrade. Fixes: https://pagure.io/freeipa/issue/9212 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-12-23 07:33:27 -06:00 · 2022-08-04 12:04:41 -04:00 · 2022-08-04 12:04:41 -04:00 · 0468cc6085
commit 0468cc6085
parent c8955a4d0a
2 changed files with 67 additions and 0 deletions
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@ -26,6 +26,7 @@ plugin: update_ra_cert_store
 plugin: update_mapping_Guests_to_nobody
 plugin: fix_kra_people_entry
 plugin: update_pwpolicy
+plugin: update_pwpolicy_grace

 # last
 # DNS version 1
--- a/ipaserver/install/plugins/update_pwpolicy.py
+++ b/ipaserver/install/plugins/update_pwpolicy.py
@ -78,3 +78,69 @@ class update_pwpolicy(Updater):
                return False, []

        return False, []
+
+
+@register()
+class update_pwpolicy_grace(Updater):
+    """
+    Ensure all group policies have a grace period set.
+    """
+
+    def execute(self, **options):
+        ldap = self.api.Backend.ldap2
+
+        base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'),
+                     self.api.env.basedn)
+        search_filter = (
+            "(&(objectClass=krbpwdpolicy)(!(passwordgracelimit=*)))"
+        )
+
+        while True:
+            # Run the search in loop to avoid issues when LDAP limits are hit
+            # during update
+
+            try:
+                (entries, truncated) = ldap.find_entries(
+                    search_filter, ['objectclass'], base_dn, time_limit=0,
+                    size_limit=0)
+
+            except errors.EmptyResult:
+                logger.debug("update_pwpolicy: no policies without "
+                             "passwordgracelimit set")
+                return False, []
+
+            except errors.ExecutionError as e:
+                logger.error("update_pwpolicy: cannot retrieve list "
+                             "of policies missing passwordgracelimit: %s", e)
+                return False, []
+
+            logger.debug("update_pwpolicy: found %d "
+                         "policies to update, truncated: %s",
+                         len(entries), truncated)
+
+            error = False
+
+            for entry in entries:
+                # Set unlimited BIND by default
+                entry['passwordgracelimit'] = -1
+                try:
+                    ldap.update_entry(entry)
+                except (errors.EmptyModlist, errors.NotFound):
+                    pass
+                except errors.ExecutionError as e:
+                    logger.debug("update_pwpolicy: cannot "
+                                 "update policy: %s", e)
+                    error = True
+
+            if error:
+                # Exit loop to avoid infinite cycles
+                logger.error("update_pwpolicy: error(s) "
+                             "detected during pwpolicy update")
+                return False, []
+
+            elif not truncated:
+                # All affected entries updated, exit the loop
+                logger.debug("update_pwpolicy: all policies updated")
+                return False, []
+
+        return False, []