From 3675bd1d7aca443832bb9bb2f521cc4d3a088aec Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Jun 2022 13:25:55 +0000
Subject: [PATCH] Only calculate LDAP password grace when the password is
expired
The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.
|
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../ipa-graceperiod/ipa_graceperiod.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
index 0860b5c20..a3f57cb4b 100644
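--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
 Slapi_ValueSet *values = NULL;
 long grace_limit = 0;
 int grace_user_time;
-char *pwd_expiration = NULL;
+char *tmpstr = NULL;
+time_t pwd_expiration;
 int pwresponse_requested = 0;
 Slapi_PBlock *pbtm = NULL;
 Slapi_Mods *smods = NULL;
@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
 }
 slapi_value_free(&objectclass);
 
-pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
-if (pwd_expiration == NULL) {
+tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
+if (tmpstr == NULL) {
 /* No expiration means nothing to do */
 LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
 goto done;
 }
+pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
+if (pwd_expiration > time(NULL)) {
+/* Not expired, nothing to see here */
+goto done;
+}
 
 ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
 &values, &actual_type_name,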
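Review bot: `tmpstr` is never released in the second hunk: no line the patch adds frees it, and because the name is new no existing cleanup under `done:` can refer to it. As far as I know `slapi_entry_attr_get_charptr()` returns a copy the caller owns, so each bind against an entry carrying `krbPasswordExpiration` would leak that string, and this pre-operation path runs for any client that attempts a bind. Freeing it straight after the conversion, `slapi_ch_free_string(&tmpstr);` placed before the `if (pwd_expiration > time(NULL))` test, covers both the early exit and the fall-through. It is also worth confirming what `ipapwd_gentime_to_time_t()` returns for a malformed value, since a zero or negative result would be treated as expired by this comparison. The body of `ipagraceperiod_preop` starts and ends outside both hunks.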
--
2.36.1