IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

IPA Allows Password Reuse with History value defined when admin resets the password.

Browse Source 
When admin reset a user password, history of user passwords is
preserved according to its policy.

https://fedorahosted.org/freeipa/ticket/6402

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
Thierry Bordaz 2016-10-19 15:04:13 +02:00 committed by Martin Babinsky
parent a8376a2447
commit c223130d5f
1 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
View File

@ -548,15 +548,6 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
pol.min_pwd_length = IPAPWD_DEFAULT_MINLEN; pol.min_pwd_length = IPAPWD_DEFAULT_MINLEN;
switch(data->changetype) { switch(data->changetype) {
case IPA_CHANGETYPE_ADMIN:
/* The expiration date needs to be older than the current time
* otherwise the KDC may not immediately register the password
* as expired. The last password change needs to match the
* password expiration otherwise minlife issues will arise.
*/
data->timeNow -= 1;
data->expireTime = data->timeNow;
break;
case IPA_CHANGETYPE_NORMAL: case IPA_CHANGETYPE_NORMAL:
/* Find the entry with the password policy */ /* Find the entry with the password policy */
ret = ipapwd_getPolicy(data->dn, data->target, &pol); ret = ipapwd_getPolicy(data->dn, data->target, &pol);
@ -564,6 +555,19 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
LOG_TRACE("No password policy, use defaults"); LOG_TRACE("No password policy, use defaults");
} }
break; break;
case IPA_CHANGETYPE_ADMIN:
/* The expiration date needs to be older than the current time
* otherwise the KDC may not immediately register the password
* as expired. The last password change needs to match the
* password expiration otherwise minlife issues will arise.
*/
data->timeNow -= 1;
data->expireTime = data->timeNow;
/* let set the entry password property according to its
* entry password policy (done with ipapwd_getPolicy)
* For this intentional fallthrough here
*/
case IPA_CHANGETYPE_DSMGR: case IPA_CHANGETYPE_DSMGR:
/* PassSync agents and Directory Manager can administratively /* PassSync agents and Directory Manager can administratively
* change the password without expiring it. * change the password without expiring it.
@ -577,6 +581,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
LOG_TRACE("No password policy, use defaults"); LOG_TRACE("No password policy, use defaults");
} else { } else {
pol.max_pwd_life = tmppol.max_pwd_life; pol.max_pwd_life = tmppol.max_pwd_life;
pol.history_length = tmppol.history_length;
} }
break; break;
default: default: