ipa-kdb: Fix expiration time calculation

Expiration time should be enforced as per policy only for users and only when a password change occurs, ina ll other cases we should just let kadmin decide whther it is going to set a password expiration time or just leave it empty. In general service tickts have strong random passwords so they do not need a password policy or expiration at all. https://fedorahosted.org/freeipa/ticket/1839
2025-02-25 18:55:28 -06:00 · 2011-09-23 18:37:42 -04:00
parent f323d818b9
commit dfc704de25
2 changed files with 18 additions and 17 deletions
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -279,7 +279,7 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
                                         time_t *expire_time)
 {
    krb5_error_code kerr;
-    krb5_timestamp mod_time;
+    krb5_timestamp mod_time = 0;
    krb5_principal mod_princ = NULL;
    krb5_boolean truexp = true;

--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1587,6 +1587,23 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
            if (kerr) {
                goto done;
            }
+
+            /* Also set new password expiration time.
+             * Have to do it here because kadmin doesn't know policies and
+             * resets entry->mask after we have gone through the password
+             * change code.  */
+            kerr = ipadb_get_pwd_expiration(kcontext, entry,
+                                            ied, &expire_time);
+            if (kerr) {
+                goto done;
+            }
+
+            kerr = ipadb_get_ldap_mod_time(imods,
+                                           "krbPasswordExpiration",
+                                           expire_time, mod_op);
+            if (kerr) {
+                goto done;
+            }
        }

        if (ied->ipa_user && ied->passwd && ied->pol.history_length) {
@@ -1605,22 +1622,6 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
                goto done;
            }
        }
-
-        /* Also set new password expiration time.
-         * Have to do it here because kadmin doesn't know policies and resets
-         * entry->mask after we have gone through the password change code.
-         */
-        kerr = ipadb_get_pwd_expiration(kcontext, entry, ied, &expire_time);
-        if (kerr) {
-            goto done;
-        }
-
-        kerr = ipadb_get_ldap_mod_time(imods,
-                                       "krbPasswordExpiration",
-                                       expire_time, mod_op);
-        if (kerr) {
-            goto done;
-        }
    }

    kerr = 0;