From 22d1392a8a0d2887c389dcd78be06104cff88d30 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Jun 2022 13:25:55 +0000
Subject: [PATCH] Only calculate LDAP password grace when the password is
 expired
The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 .../ipa-graceperiod/ipa_graceperiod.c                | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
8e1ca3
index 0860b5c20fc86687f80ee6f2426e23c87123130f..a3f57cb4bd7a2a66d70fae98cca0f62a8f0c017f 100644
8e1ca3
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
8e1ca3
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
8e1ca3
@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
8e1ca3
     Slapi_ValueSet *values = NULL;
8e1ca3
     long grace_limit = 0;
8e1ca3
     int grace_user_time;
8e1ca3
-    char *pwd_expiration = NULL;
8e1ca3
+    char *tmpstr = NULL;
8e1ca3
+    time_t pwd_expiration;
8e1ca3
     int pwresponse_requested = 0;
8e1ca3
     Slapi_PBlock *pbtm = NULL;
8e1ca3
     Slapi_Mods *smods = NULL;
8e1ca3
@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
8e1ca3
     }
8e1ca3
     slapi_value_free(&objectclass);
8e1ca3
 
8e1ca3
-    pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
8e1ca3
-    if (pwd_expiration == NULL) {
8e1ca3
+    tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
8e1ca3
+    if (tmpstr == NULL) {
8e1ca3
         /* No expiration means nothing to do */
8e1ca3
         LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
8e1ca3
         goto done;
8e1ca3
     }
8e1ca3
+    pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
8e1ca3
+    if (pwd_expiration > time(NULL)) {
8e1ca3
+        /* Not expired, nothing to see here */
8e1ca3
+        goto done;
8e1ca3
+    }
8e1ca3
 
8e1ca3
     ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
8e1ca3
                                     &values, &actual_type_name,
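Review bot: The copy that `slapi_entry_attr_get_charptr()` returns into `tmpstr` is only needed for the conversion, yet nothing in this hunk releases it, and the new not-expired `goto done` is now the path most binds take. Unless the `done:` cleanup outside the hunk frees it, every bind by a user with `krbPasswordExpiration` leaks that string in a long-running directory server; adding `slapi_ch_free_string(&tmpstr);` directly after the `ipapwd_gentime_to_time_t(tmpstr)` line keeps ownership local to these lines. The conversion result is also used unchecked: what the helper returns for a malformed value is not visible here, so confirm that a parse failure falls on the intended side of `pwd_expiration > time(NULL)` and is logged, rather than silently deciding whether grace logins are counted. The not-expired branch could carry a `LOG_TRACE` like its sibling above, so skipped binds are distinguishable when debugging. `ipagraceperiod_preop` begins and ends outside the hunk.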
-- 
2.36.1