Blame SOURCES/0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch

From 3675bd1d7aca443832bb9bb2f521cc4d3a088aec Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Jun 2022 13:25:55 +0000
Subject: [PATCH] Only calculate LDAP password grace when the password is
 expired
The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 .../ipa-graceperiod/ipa_graceperiod.c                | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
706194
index 0860b5c20..a3f57cb4b 100644
706194
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
706194
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
706194
@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
706194
     Slapi_ValueSet *values = NULL;
706194
     long grace_limit = 0;
706194
     int grace_user_time;
706194
-    char *pwd_expiration = NULL;
706194
+    char *tmpstr = NULL;
706194
+    time_t pwd_expiration;
706194
     int pwresponse_requested = 0;
706194
     Slapi_PBlock *pbtm = NULL;
706194
     Slapi_Mods *smods = NULL;
706194
@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
706194
     }
706194
     slapi_value_free(&objectclass);
706194
 
706194
-    pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
706194
-    if (pwd_expiration == NULL) {
706194
+    tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
706194
+    if (tmpstr == NULL) {
706194
         /* No expiration means nothing to do */
706194
         LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
706194
         goto done;
706194
     }
706194
+    pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
706194
+    if (pwd_expiration > time(NULL)) {
706194
+        /* Not expired, nothing to see here */
706194
+        goto done;
706194
+    }
706194
 
706194
     ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
706194
                                     &values, &actual_type_name,
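Review bot: The result of `ipapwd_gentime_to_time_t(tmpstr)` is compared with `time(NULL)` without any check that the conversion succeeded, so the handling of a malformed `krbPasswordExpiration` value depends entirely on what that helper returns on failure, which is not visible in this hunk. If it yields 0 or a negative value, the entry is treated as expired and every bind is charged against the grace limit; the intended outcome for an unparsable value should be decided explicitly and stated in a comment next to the comparison. Separately, `slapi_entry_attr_get_charptr` returns an allocated copy, and the new `goto done` adds another exit path; unless the `done:` label (outside this hunk) already frees it, adding `slapi_ch_free_string(&tmpstr);` directly after the conversion would avoid a per-bind leak. The not-expired branch could also carry a `LOG_TRACE` like the no-expiration branch above it, so a skipped grace calculation is visible when tracing. `ipagraceperiod_preop` starts and ends outside the hunk.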
-- 
2.36.1