IPA Allows Password Reuse with History value defined when admin resets the password.

When admin reset a user password, history of user passwords is preserved according to its policy. https://fedorahosted.org/freeipa/ticket/6402 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-10-19 15:04:13 +02:00 · 2016-10-19 15:04:13 +02:00 · c223130d5f
commit c223130d5f
parent a8376a2447
1 changed files with 14 additions and 9 deletions
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@ -548,6 +548,13 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
    pol.min_pwd_length = IPAPWD_DEFAULT_MINLEN;

    switch(data->changetype) {
+        case IPA_CHANGETYPE_NORMAL:
+            /* Find the entry with the password policy */
+            ret = ipapwd_getPolicy(data->dn, data->target, &pol);
+            if (ret) {
+                LOG_TRACE("No password policy, use defaults");
+            }
+            break;
 	case IPA_CHANGETYPE_ADMIN:
            /* The expiration date needs to be older than the current time
             * otherwise the KDC may not immediately register the password
@ -556,14 +563,11 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
             */
            data->timeNow -= 1;
            data->expireTime = data->timeNow;
-            break;
-        case IPA_CHANGETYPE_NORMAL:
-            /* Find the entry with the password policy */
-            ret = ipapwd_getPolicy(data->dn, data->target, &pol);
-            if (ret) {
-                LOG_TRACE("No password policy, use defaults");
-            }
-            break;
+
+            /* let set the entry password property according to its
+             * entry password policy (done with ipapwd_getPolicy)
+             * For this intentional fallthrough here
+             */
        case IPA_CHANGETYPE_DSMGR:
            /* PassSync agents and Directory Manager can administratively
             * change the password without expiring it.
@ -577,6 +581,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
                LOG_TRACE("No password policy, use defaults");
            } else {
                pol.max_pwd_life = tmppol.max_pwd_life;
+                pol.history_length = tmppol.history_length;
            }
            break;
        default: