IPA Allows Password Reuse with History value defined when admin resets the password.

When admin reset a user password, history of user passwords is preserved according to its policy. https://fedorahosted.org/freeipa/ticket/6402 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-10-19 15:04:13 +02:00 · 2016-10-19 15:04:13 +02:00 · c223130d5f
commit c223130d5f
parent a8376a2447
1 changed files with 14 additions and 9 deletions
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@ -548,15 +548,6 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
    pol.min_pwd_length = IPAPWD_DEFAULT_MINLEN;

    switch(data->changetype) {
-        case IPA_CHANGETYPE_ADMIN:
-            /* The expiration date needs to be older than the current time
-             * otherwise the KDC may not immediately register the password
-             * as expired. The last password change needs to match the
-             * password expiration otherwise minlife issues will arise.
-             */
-            data->timeNow -= 1;
-            data->expireTime = data->timeNow;
-            break;
        case IPA_CHANGETYPE_NORMAL:
            /* Find the entry with the password policy */
            ret = ipapwd_getPolicy(data->dn, data->target, &pol);
@ -564,6 +555,19 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
                LOG_TRACE("No password policy, use defaults");
            }
            break;
+	case IPA_CHANGETYPE_ADMIN:
+            /* The expiration date needs to be older than the current time
+             * otherwise the KDC may not immediately register the password
+             * as expired. The last password change needs to match the
+             * password expiration otherwise minlife issues will arise.
+             */
+            data->timeNow -= 1;
+            data->expireTime = data->timeNow;
+
+            /* let set the entry password property according to its
+             * entry password policy (done with ipapwd_getPolicy)
+             * For this intentional fallthrough here
+             */
        case IPA_CHANGETYPE_DSMGR:
            /* PassSync agents and Directory Manager can administratively
             * change the password without expiring it.
@ -577,6 +581,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
                LOG_TRACE("No password policy, use defaults");
            } else {
                pol.max_pwd_life = tmppol.max_pwd_life;
+                pol.history_length = tmppol.history_length;
            }
            break;
        default: