Administrative password change does not respect password policy

When Directory Manager or a PassSync agent is changing a password,
it is not being expired, but standard expiration time should apply.
However, the default expiration time (90 days) was always applied,
even though the administrator may have a custom policy for the user.

https://fedorahosted.org/freeipa/ticket/3968
Martin Kosek
2013-10-10 18:00:53 +02:00
committed by Petr Viktorin
parent dd3295ac32
commit 5d8c02cfb8


@@ -755,6 +755,7 @@ done:
int ipapwd_CheckPolicy(struct ipapwd_data *data) int ipapwd_CheckPolicy(struct ipapwd_data *data)
{ {
struct ipapwd_policy pol = {0}; struct ipapwd_policy pol = {0};
struct ipapwd_policy tmppol = {0};
time_t acct_expiration; time_t acct_expiration;
time_t pwd_expiration; time_t pwd_expiration;
time_t last_pwd_change; time_t last_pwd_change;
@@ -765,11 +766,8 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE; pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE;
pol.min_pwd_length = IPAPWD_DEFAULT_MINLEN; pol.min_pwd_length = IPAPWD_DEFAULT_MINLEN;
if (data->changetype != IPA_CHANGETYPE_NORMAL) { switch(data->changetype) {
/* We must skip policy checks (Admin change) but case IPA_CHANGETYPE_ADMIN:
* force a password change on the next login.
* But not if Directory Manager */
if (data->changetype == IPA_CHANGETYPE_ADMIN) {
/* The expiration date needs to be older than the current time /* The expiration date needs to be older than the current time
* otherwise the KDC may not immediately register the password * otherwise the KDC may not immediately register the password
* as expired. The last password change needs to match the * as expired. The last password change needs to match the
@@ -777,16 +775,32 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
*/ */
data->timeNow -= 1; data->timeNow -= 1;
data->expireTime = data->timeNow; data->expireTime = data->timeNow;
} break;
case IPA_CHANGETYPE_NORMAL:
/* do not load policies */ /* Find the entry with the password policy */
} else { ret = ipapwd_getPolicy(data->dn, data->target, &pol);
if (ret) {
/* find the entry with the password policy */ LOG_TRACE("No password policy, use defaults");
ret = ipapwd_getPolicy(data->dn, data->target, &pol); }
if (ret) { break;
LOG_TRACE("No password policy, use defaults"); case IPA_CHANGETYPE_DSMGR:
} /* PassSync agents and Directory Manager can administratively
* change the password without expiring it.
*
* Find password policy for the entry to properly set expiration.
* Do not store it in resulting policy to avoid aplying password
* quality checks on administratively set passwords
*/
ret = ipapwd_getPolicy(data->dn, data->target, &tmppol);
if (ret) {
LOG_TRACE("No password policy, use defaults");
} else {
pol.max_pwd_life = tmppol.max_pwd_life;
}
break;
default:
LOG_TRACE("Unknown password change type, use defaults");
break;
} }
tmpstr = slapi_entry_attr_get_charptr(data->target, tmpstr = slapi_entry_attr_get_charptr(data->target,