Revert "Check for password expiration in pre-bind"

This reverts commit bfdbd3b6ad. Forceful validation of password expiration date in a BIND pre-callback breaks LDAP password change extended operation as the password change is only allowed via authenticated (bound) channel. Passwords could be only changed via kadmin protocol. This change would thus break LDAP-only clients and Web UI password change hook. This patch will need to be revisited so that unauthenicated corner cases are also revisited. https://fedorahosted.org/freeipa/ticket/1539
2025-02-25 18:55:28 -06:00 · 2014-06-10 08:42:03 +02:00
parent 2a8c509567
commit c41b782bc5
1 changed files with 4 additions and 29 deletions
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1217,35 +1217,13 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
 }

 static int ipapwd_authenticate(const char *dn, Slapi_Entry *entry,
-                               const struct berval *credentials,
-                               const char **errmsg)
+                               const struct berval *credentials)
 {
    Slapi_Value **pwd_values = NULL; /* values of userPassword attribute */
    Slapi_Value *value = NULL;
    Slapi_Attr *attr = NULL;
-    struct tm expire_tm;
-    char *expire;
-    char *p;
    int ret;

-    /* check the if the krbPrincipalKey attribute is present */
-    ret = slapi_entry_attr_find(entry, "krbprincipalkey", &attr);
-    if (!ret) {
-        /* check that the password is not expired */
-        expire = slapi_entry_attr_get_charptr(entry, "krbpasswordexpiration");
-        if (expire) {
-            memset(&expire_tm, 0, sizeof (expire_tm));
-            p = strptime(expire, "%Y%m%d%H%M%SZ", &expire_tm);
-            if (*p) {
-                LOG("Invalid expiration date string format");
-                return 1;
-            } else if (time(NULL) > mktime(&expire_tm)) {
-                *errmsg = "The user password is expired";
-                return 1;
-            }
-        }
-    }
-
    /* retrieve userPassword attribute */
    ret = slapi_entry_attr_find(entry, SLAPI_USERPWD_ATTR, &attr);
    if (ret) {
@@ -1403,7 +1381,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
    static const char *attrs_list[] = {
        SLAPI_USERPWD_ATTR, "ipaUserAuthType", "krbprincipalkey", "uid",
        "krbprincipalname", "objectclass", "passwordexpirationtime",
-        "passwordhistory", "krbprincipalexpiration", "krbpasswordexpiration",
+        "passwordhistory", "krbprincipalexpiration",
        NULL
    };
    struct berval *credentials = NULL;
@@ -1416,7 +1394,6 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
    time_t expire_time;
    char *principal_expire = NULL;
    struct tm expire_tm;
-    const char *errmsg = NULL;

    /* get BIND parameters */
    ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET, &dn);
@@ -1477,12 +1454,10 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
    }

    /* Authenticate the user. */
-    ret = ipapwd_authenticate(dn, entry, credentials, &errmsg);
+    ret = ipapwd_authenticate(dn, entry, credentials);
    if (ret) {
        slapi_entry_free(entry);
-        slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
-                               NULL, errmsg, 0, NULL);
-        return 1;
+        return 0;
    }

    /* Attempt to handle a token synchronization request. */