kdb: Don't provide password expiration when using only RADIUS

If the KDC doesn't use the FreeIPA password for authentication, then it is
futile to provide this information. Doing so will only confuse the user. It
also causes password change dialogues when the password is irrelevant.

https://fedorahosted.org/freeipa/ticket/4299

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

daemons/ipa-kdb/ipa_kdb_principals.c

@@ -429,6 +429,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
     switch (ret) {
     case 0:
         entry->pw_expiration = restime;
+
+        /* If we are using only RADIUS, we don't know expiration. */
+        if (ua == IPADB_USER_AUTH_RADIUS)
+            entry->pw_expiration = 0;
     case ENOENT:
         break;
     default: