ipa-kdb: Properly set password expiration time.
We do the policy check, so we are the only component that can calculate the new password expiration time. Fixes: https://fedorahosted.org/freeipa/ticket/1793
This commit is contained in:
parent
7854d8166e
commit
4167ad01d7
@ -178,3 +178,7 @@ krb5_error_code ipadb_change_pwd(krb5_context context,
|
|||||||
int new_kvno, krb5_boolean keepold,
|
int new_kvno, krb5_boolean keepold,
|
||||||
krb5_db_entry *db_entry);
|
krb5_db_entry *db_entry);
|
||||||
|
|
||||||
|
krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
|
||||||
|
krb5_db_entry *entry,
|
||||||
|
struct ipadb_e_data *ied,
|
||||||
|
time_t *expire_time);
|
||||||
|
@ -269,3 +269,49 @@ krb5_error_code ipadb_change_pwd(krb5_context context,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check who actually changed the password, if it is not 'self' then
|
||||||
|
* we need to expire it if it is a user principal.
|
||||||
|
*/
|
||||||
|
krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
|
||||||
|
krb5_db_entry *entry,
|
||||||
|
struct ipadb_e_data *ied,
|
||||||
|
time_t *expire_time)
|
||||||
|
{
|
||||||
|
krb5_error_code kerr;
|
||||||
|
krb5_timestamp mod_time;
|
||||||
|
krb5_principal mod_princ = NULL;
|
||||||
|
krb5_boolean truexp = true;
|
||||||
|
|
||||||
|
|
||||||
|
/* Assume all principals with just one component as user principals */
|
||||||
|
if (entry->princ->length == 1) {
|
||||||
|
kerr = krb5_dbe_lookup_mod_princ_data(context, entry,
|
||||||
|
&mod_time, &mod_princ);
|
||||||
|
if (kerr) {
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* If the mod principal is kadmind then we have to assume an actual
|
||||||
|
* password change for now. Apparently kadmind does not properly pass
|
||||||
|
* the actual user principal down when said user is performing a
|
||||||
|
* password change */
|
||||||
|
if (mod_princ->length == 1 &&
|
||||||
|
strcmp(mod_princ->data[0].data, "kadmind") != 0) {
|
||||||
|
truexp = krb5_principal_compare(context, mod_princ, entry->princ);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (truexp) {
|
||||||
|
*expire_time = mod_time + ied->pol.max_pwd_life;
|
||||||
|
} else {
|
||||||
|
/* not 'self', so reset */
|
||||||
|
*expire_time = mod_time;
|
||||||
|
}
|
||||||
|
|
||||||
|
kerr = 0;
|
||||||
|
|
||||||
|
done:
|
||||||
|
krb5_free_principal(context, mod_princ);
|
||||||
|
return kerr;
|
||||||
|
}
|
||||||
|
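Review bot: `mod_time` is read uninitialized for any principal with more than one component: the `krb5_dbe_lookup_mod_princ_data` call only runs inside `if (entry->princ->length == 1)`, yet `truexp` stays true and `*expire_time = mod_time + ied->pol.max_pwd_life` executes unconditionally, so a service principal gets an arbitrary krbPasswordExpiration written back. Either initialise it, `krb5_timestamp mod_time = 0;`, or return early for non-user principals with `*expire_time = 0; kerr = 0; goto done;` so the caller stores a defined value; which is right depends on how the caller treats 0, which is outside this hunk. Separately, `strcmp(mod_princ->data[0].data, "kadmind")` relies on the principal component being NUL-terminated, which the krb5_data contract does not promise even if krb5_parse_name happens to provide it; a length-checked compare such as `mod_princ->data[0].length == 7 && memcmp(mod_princ->data[0].data, "kadmind", 7) == 0` does not read past the component. The comment above the function could also state the two cases explicitly, e.g. `/* Self change: expire after pol.max_pwd_life; admin change: expire immediately (mod_time) */`.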
@ -1362,7 +1362,8 @@ done:
|
|||||||
return kerr;
|
return kerr;
|
||||||
}
|
}
|
||||||
|
|
||||||
static krb5_error_code ipadb_entry_to_mods(struct ipadb_mods *imods,
|
static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
|
||||||
|
struct ipadb_mods *imods,
|
||||||
krb5_db_entry *entry,
|
krb5_db_entry *entry,
|
||||||
char *principal,
|
char *principal,
|
||||||
int mod_op)
|
int mod_op)
|
||||||
@ -1561,10 +1562,11 @@ static krb5_error_code ipadb_entry_to_mods(struct ipadb_mods *imods,
|
|||||||
|
|
||||||
/* KADM5_LOAD */
|
/* KADM5_LOAD */
|
||||||
|
|
||||||
/* Store saved password if any and password history */
|
/* Handle password change related operations. */
|
||||||
if (entry->e_data) {
|
if (entry->e_data) {
|
||||||
struct ipadb_e_data *ied;
|
struct ipadb_e_data *ied;
|
||||||
time_t now = time(NULL);
|
time_t now = time(NULL);
|
||||||
|
time_t expire_time;
|
||||||
char **new_history;
|
char **new_history;
|
||||||
int nh_len;
|
int nh_len;
|
||||||
int ret;
|
int ret;
|
||||||
@ -1603,6 +1605,22 @@ static krb5_error_code ipadb_entry_to_mods(struct ipadb_mods *imods,
|
|||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Also set new password expiration time.
|
||||||
|
* Have to do it here because kadmin doesn't know policies and resets
|
||||||
|
* entry->mask after we have gone through the password change code.
|
||||||
|
*/
|
||||||
|
kerr = ipadb_get_pwd_expiration(kcontext, entry, ied, &expire_time);
|
||||||
|
if (kerr) {
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
kerr = ipadb_get_ldap_mod_time(imods,
|
||||||
|
"krbPasswordExpiration",
|
||||||
|
expire_time, mod_op);
|
||||||
|
if (kerr) {
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
kerr = 0;
|
kerr = 0;
|
||||||
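Review bot: The `ipadb_get_pwd_expiration` call, and the resulting `krbPasswordExpiration` modification, run at the end of the `if (entry->e_data)` block with no visible guard that a password was actually changed; if a plain modify (no new key material) reaches this code, the "not self" branch of ipadb_get_pwd_expiration would reset the expiration to the entry's mod time and effectively expire the password. Unless a guard earlier in the block, outside this hunk, already restricts it, gate the call on the same condition that identifies a real password change (the one the history update uses), so that `kerr = ipadb_get_pwd_expiration(kcontext, entry, ied, &expire_time);` is only reached in that case. The comment above the call should also say what happens for service principals, since that depends on how ipadb_get_pwd_expiration handles multi-component principals. ipadb_entry_to_mods begins and ends outside this hunk.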
@ -1689,7 +1707,8 @@ static krb5_error_code ipadb_add_principal(krb5_context kcontext,
|
|||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
kerr = ipadb_entry_to_mods(imods, entry, principal, LDAP_MOD_ADD);
|
kerr = ipadb_entry_to_mods(kcontext, imods,
|
||||||
|
entry, principal, LDAP_MOD_ADD);
|
||||||
if (kerr != 0) {
|
if (kerr != 0) {
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
@ -1752,7 +1771,8 @@ static krb5_error_code ipadb_modify_principal(krb5_context kcontext,
|
|||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
kerr = ipadb_entry_to_mods(imods, entry, principal, LDAP_MOD_REPLACE);
|
kerr = ipadb_entry_to_mods(kcontext, imods,
|
||||||
|
entry, principal, LDAP_MOD_REPLACE);
|
||||||
if (kerr != 0) {
|
if (kerr != 0) {
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|