From 3675bd1d7aca443832bb9bb2f521cc4d3a088aec Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 29 Jun 2022 13:25:55 +0000
Subject: [PATCH] Only calculate LDAP password grace when the password is
 expired

The user's password expiration was retrieved but inadvertently never
compared to the current time, so every LDAP bind, including those from
the IPA API, counted against the grace period. There is no need to go
through the graceperiod code for passwords that have not expired.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 .../ipa-graceperiod/ipa_graceperiod.c                | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
index 0860b5c20..a3f57cb4b 100644
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
     Slapi_ValueSet *values = NULL;
     long grace_limit = 0;
     int grace_user_time;
-    char *pwd_expiration = NULL;
+    char *tmpstr = NULL;
+    time_t pwd_expiration;
     int pwresponse_requested = 0;
     Slapi_PBlock *pbtm = NULL;
     Slapi_Mods *smods = NULL;
@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
     }
     slapi_value_free(&objectclass);
 
-    pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
-    if (pwd_expiration == NULL) {
+    tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
+    if (tmpstr == NULL) {
         /* No expiration means nothing to do */
         LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
         goto done;
     }
+    pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
+    if (pwd_expiration > time(NULL)) {
+        /* Not expired, nothing to see here */
+        goto done;
+    }
 
     ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
                                     &values, &actual_type_name,
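Review bot: The string returned by `slapi_entry_attr_get_charptr` at the `tmpstr` assignment is a heap copy owned by the caller, and nothing in the hunk releases it; the new early `goto done` for non-expired passwords now takes that path on every successful bind, so unless the `done:` cleanup (outside this hunk) already frees it, each bind leaks one allocation. Since `tmpstr` is only needed for the conversion, freeing it immediately is simplest: `pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);` followed by `slapi_ch_free_string(&tmpstr);`. Also worth a comment on the comparison: if `ipapwd_gentime_to_time_t` reports an unparseable timestamp with a sentinel such as 0 (I cannot see the helper from here), such an entry is treated as already expired and falls through to the grace handling, which fails closed but should be stated, e.g. `/* unparseable or past timestamp is treated as expired */`. The enclosing `ipagraceperiod_preop` body continues past this hunk.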
-- 
2.36.1