rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   7061940ab4d3416b71aba7d14621726963c9f79a
  2.   SOURCES
  3.   0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch
Blob History Raw
706194 
From 3675bd1d7aca443832bb9bb2f521cc4d3a088aec Mon Sep 17 00:00:00 2001
706194 
From: Rob Crittenden <rcritten@redhat.com>
706194 
Date: Wed, 29 Jun 2022 13:25:55 +0000
706194 
Subject: [PATCH] Only calculate LDAP password grace when the password is
706194 
 expired
706194
706194 
The user's pwd expiration was retrieved but inadvertently was never
706194 
compared to current time. So any LDAP bind, including from the
706194 
IPA API, counted against the grace period. There is no need to go
706194 
through the graceperiod code for non-expired passwords.
706194
706194 
https://pagure.io/freeipa/issue/1539
706194
706194 
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
706194 
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
706194 
---
706194 
 .../ipa-graceperiod/ipa_graceperiod.c                | 12 +++++++++---
706194 
 1 file changed, 9 insertions(+), 3 deletions(-)
706194
706194 
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
706194 
index 0860b5c20..a3f57cb4b 100644
706194 
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
706194 
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
706194 
@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
706194 
     Slapi_ValueSet *values = NULL;
706194 
     long grace_limit = 0;
706194 
     int grace_user_time;
706194 
-    char *pwd_expiration = NULL;
706194 
+    char *tmpstr = NULL;
706194 
+    time_t pwd_expiration;
706194 
     int pwresponse_requested = 0;
706194 
     Slapi_PBlock *pbtm = NULL;
706194 
     Slapi_Mods *smods = NULL;
706194 
@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
706194 
     }
706194 
     slapi_value_free(&objectclass);
706194
706194 
-    pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
706194 
-    if (pwd_expiration == NULL) {
706194 
+    tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
706194 
+    if (tmpstr == NULL) {
706194 
         /* No expiration means nothing to do */
706194 
         LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
706194 
         goto done;
706194 
     }
706194 
+    pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
706194 
+    if (pwd_expiration > time(NULL)) {
706194 
+        /* Not expired, nothing to see here */
706194 
+        goto done;
706194 
+    }
706194
706194 
     ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
706194 
                                     &values, &actual_type_name,
706194 
--
706194 
2.36.1
706194

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation