|
 |
ee765b |
From 3675bd1d7aca443832bb9bb2f521cc4d3a088aec Mon Sep 17 00:00:00 2001
|
|
|
ee765b |
From: Rob Crittenden <rcritten@redhat.com>
|
|
|
ee765b |
Date: Wed, 29 Jun 2022 13:25:55 +0000
|
|
|
ee765b |
Subject: [PATCH] Only calculate LDAP password grace when the password is
|
|
|
ee765b |
expired
|
|
|
ee765b |
|
|
|
ee765b |
The user's pwd expiration was retrieved but inadvertently was never
|
|
|
ee765b |
compared to current time. So any LDAP bind, including from the
|
|
|
ee765b |
IPA API, counted against the grace period. There is no need to go
|
|
|
ee765b |
through the graceperiod code for non-expired passwords.
|
|
|
ee765b |
|
|
|
ee765b |
https://pagure.io/freeipa/issue/1539
|
|
|
ee765b |
|
|
|
ee765b |
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
ee765b |
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
|
ee765b |
---
|
|
|
ee765b |
.../ipa-graceperiod/ipa_graceperiod.c | 12 +++++++++---
|
|
|
ee765b |
1 file changed, 9 insertions(+), 3 deletions(-)
|
|
|
ee765b |
|
|
|
ee765b |
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
|
|
|
ee765b |
index 0860b5c20..a3f57cb4b 100644
|
|
|
ee765b |
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
|
|
|
ee765b |
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
|
|
|
ee765b |
@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
|
|
|
ee765b |
Slapi_ValueSet *values = NULL;
|
|
|
ee765b |
long grace_limit = 0;
|
|
|
ee765b |
int grace_user_time;
|
|
|
ee765b |
- char *pwd_expiration = NULL;
|
|
|
ee765b |
+ char *tmpstr = NULL;
|
|
|
ee765b |
+ time_t pwd_expiration;
|
|
|
ee765b |
int pwresponse_requested = 0;
|
|
|
ee765b |
Slapi_PBlock *pbtm = NULL;
|
|
|
ee765b |
Slapi_Mods *smods = NULL;
|
|
|
ee765b |
@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
|
|
|
ee765b |
}
|
|
|
ee765b |
slapi_value_free(&objectclass);
|
|
|
ee765b |
|
|
|
ee765b |
- pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
|
|
|
ee765b |
- if (pwd_expiration == NULL) {
|
|
|
ee765b |
+ tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
|
|
|
ee765b |
+ if (tmpstr == NULL) {
|
|
|
ee765b |
/* No expiration means nothing to do */
|
|
|
ee765b |
LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
|
|
|
ee765b |
goto done;
|
|
|
ee765b |
}
|
|
|
ee765b |
+ pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
|
|
|
ee765b |
+ if (pwd_expiration > time(NULL)) {
|
|
|
ee765b |
+ /* Not expired, nothing to see here */
|
|
|
ee765b |
+ goto done;
|
|
|
ee765b |
+ }
|
|
|
ee765b |
|
|
|
ee765b |
ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
|
|
|
ee765b |
&values, &actual_type_name,
|
|
|
ee765b |
--
|
|
|
ee765b |
2.36.1
|
|
|
ee765b |
|