Allow unexpiring passwords

Treat maxlife=0 in password policy as "never expire". Delete krbPasswordExpiration in user entry when password should never expire. https://fedorahosted.org/freeipa/ticket/2795 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-06-30 08:52:33 +02:00 · 2016-06-30 08:52:33 +02:00 · d2cb9ed327
commit d2cb9ed327
parent 3691e39a62
5 changed files with 33 additions and 12 deletions
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@ -253,7 +253,11 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,

    if (truexp) {
        if (ied->pol) {
-            *expire_time = mod_time + ied->pol->max_pwd_life;
+            if (ied->pol->max_pwd_life) {
+                *expire_time = mod_time + ied->pol->max_pwd_life;
+            } else {
+                *expire_time = 0;
+            }
        } else {
            *expire_time = mod_time + IPAPWD_DEFAULT_PWDLIFE;
        }
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@ -1850,6 +1850,11 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
                                       "krbPasswordExpiration",
                                       entry->pw_expiration,
                                       mod_op);
+        if (entry->pw_expiration == 0) {
+            kerr = ipadb_get_ldap_mod_time(imods,
+                                           "krbPasswordExpiration",
+                                           entry->pw_expiration, LDAP_MOD_DELETE);
+        }
        if (kerr) {
            goto done;
        }
@ -2105,6 +2110,12 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
            kerr = ipadb_get_ldap_mod_time(imods,
                                           "krbPasswordExpiration",
                                           expire_time, mod_op);
+            if (expire_time == 0) {
+                kerr = ipadb_get_ldap_mod_time(imods,
+                                               "krbPasswordExpiration",
+                                               expire_time, LDAP_MOD_DELETE);
+            }
+
            if (kerr) {
                goto done;
            }
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@ -317,7 +317,6 @@ int ipapwd_getPolicy(const char *dn,
    int buffer_flags=0;
    Slapi_ValueSet* results = NULL;
    char *actual_type_name = NULL;
-    int tmpint;

    LOG_TRACE("Searching policy for [%s]\n", dn);

@ -382,15 +381,9 @@ int ipapwd_getPolicy(const char *dn,
    /* read data out of policy object */
    policy->min_pwd_life = slapi_entry_attr_get_int(pe, "krbMinPwdLife");

-    tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");
-    if (tmpint != 0) {
-        policy->max_pwd_life = tmpint;
-    }
+    policy->max_pwd_life = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");

-    tmpint = slapi_entry_attr_get_int(pe, "krbPwdMinLength");
-    if (tmpint != 0) {
-        policy->min_pwd_length = tmpint;
-    }
+    policy->min_pwd_length = slapi_entry_attr_get_int(pe, "krbPwdMinLength");

    policy->history_length = slapi_entry_attr_get_int(pe,
                                                      "krbPwdHistoryLength");
@ -620,7 +613,11 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
    slapi_ch_array_free(pwd_history);

    if (data->expireTime == 0) {
-        data->expireTime = data->timeNow + pol.max_pwd_life;
+        if (pol.max_pwd_life > 0) {
+            /* max_pwd_life = 0 => never expire
+             * set expire time only when max_pwd_life > 0 */
+            data->expireTime = data->timeNow + pol.max_pwd_life;
+        }
    }

    data->policy = pol;
@ -788,6 +785,11 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
                 "%Y%m%d%H%M%SZ", &utctime);
 			slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                              "krbPasswordExpiration", timestr);
+			if (data->expireTime == 0) {
+			    slapi_mods_add_string(smods, LDAP_MOD_DELETE,
+			                          "krbPasswordExpiration", timestr);
+			}
+
 		}
 	}

--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@ -1123,6 +1123,10 @@ static int ipapwd_post_modadd(Slapi_PBlock *pb)
                     "%Y%m%d%H%M%SZ", &utctime);
            slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                                  "krbPasswordExpiration", timestr);
+			if (pwdop->pwdata.expireTime == 0) {
+			    slapi_mods_add_string(smods, LDAP_MOD_DELETE,
+			                          "krbPasswordExpiration", timestr);
+			}

            /* change Last Password Change field with the current date */
            if (!gmtime_r(&(pwdop->pwdata.timeNow), &utctime)) {
--- a/ipaserver/plugins/pwpolicy.py
+++ b/ipaserver/plugins/pwpolicy.py
@ -411,7 +411,7 @@ class pwpolicy(LDAPObject):
            if maxlife is None and 'krbmaxpwdlife' in existing_entry:
                maxlife = int(existing_entry['krbmaxpwdlife'][0]) * 86400

-        if maxlife is not None and minlife is not None:
+        if maxlife not in (None, 0) and minlife is not None:
            if minlife > maxlife:
                raise errors.ValidationError(
                    name='maxlife',