IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-26 16:16:31 -06:00
Code Issues Packages Projects Releases Wiki Activity

When dealing with samba password set also the sambaPwdLastSet

Browse Source 
This attribute is required for samba to properly identify a user has changed
it's password and doesn't need to change it again at next login.

At the same time, if we are forcing a pssword reset we also need to let samba
know the user must change its password.
This commit is contained in:
Simo Sorce 2010-10-05 18:09:12 -04:00
parent ceb91a3f71
commit 475c064227
2 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
View File

@ -1165,6 +1165,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
int is_smb = 0;
Slapi_Value *sambaSamAccount;
char *errMesg = NULL;
char *modtime = NULL;
slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
"=> ipapwd_SetPassword\n");
@ -1224,7 +1225,25 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"sambaNTPassword", nt);
}
if (is_smb) {
/* with samba integration we need to also set sambaPwdLastSet or
* samba will decide the user has to change the password again */
if (data->changetype == IPA_CHANGETYPE_ADMIN) {
/* if it is an admin change instead we need to let know to
* samba as well that the use rmust change its password */
modtime = slapi_ch_smprintf("0");
} else {
modtime = slapi_ch_smprintf("%ld", (long)data->timeNow);
}
if (!modtime) {
slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
"failed to smprintf string!\n");
ret = LDAP_OPERATIONS_ERROR;
goto free_and_return;
}
slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
"sambaPwdLastset", modtime);
}
/* let DS encode the password itself, this allows also other plugins to
* intercept it to perform operations like synchronization with Active
* Directory domains through the replication plugin */
@ -1252,6 +1271,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
free_and_return:
if (lm) slapi_ch_free((void **)&lm);
if (nt) slapi_ch_free((void **)&nt);
if (modtime) slapi_ch_free((void **)&modtime);
slapi_mods_free(&smods);
ipapwd_free_slapi_value_array(&svals);
ipapwd_free_slapi_value_array(&pwvals);

26
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
View File

@ -351,6 +351,19 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt);
slapi_ch_free_string(&nt);
}
if (is_smb) {
/* with samba integration we need to also set sambaPwdLastSet or
* samba will decide the user has to change the password again */
if (pwdop->pwdata.changetype == IPA_CHANGETYPE_ADMIN) {
/* if it is an admin change instead we need to let know to
* samba as well that the use rmust change its password */
slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L);
} else {
slapi_entry_attr_set_long(e, "sambaPwdLastset",
(long)pwdop->pwdata.timeNow);
}
}
}
rc = LDAP_SUCCESS;
@ -736,6 +749,19 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
"sambaNTPassword", nt);
slapi_ch_free_string(&nt);
}
if (is_smb) {
/* with samba integration we need to also set sambaPwdLastSet or
* samba will decide the user has to change the password again */
if (pwdop->pwdata.changetype == IPA_CHANGETYPE_ADMIN) {
/* if it is an admin change instead we need to let know to
* samba as well that the use rmust change its password */
slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L);
} else {
slapi_entry_attr_set_long(e, "sambaPwdLastset",
(long)pwdop->pwdata.timeNow);
}
}
}
rc = LDAP_SUCCESS;