Changing passwords would not properly set expiration date with the new ipa-kdb code.
Patches fixes this. Simo. -- Simo Sorce * Red Hat, Inc * New York
>From 35d94f9f9f354b8c47f4ba48c0a8b37e72b58a81 Mon Sep 17 00:00:00 2001 From: Simo Sorce <[email protected]> Date: Sat, 17 Sep 2011 15:08:06 -0400 Subject: [PATCH] ipa-kdb: Properly set password expiration time. We do the policy check so we are the only one that can calculate the new pwd espiration time. Fixes: https://fedorahosted.org/freeipa/ticket/1793 --- daemons/ipa-kdb/ipa_kdb.h | 4 +++ daemons/ipa-kdb/ipa_kdb_passwords.c | 46 ++++++++++++++++++++++++++++++++++ daemons/ipa-kdb/ipa_kdb_principals.c | 28 +++++++++++++++++--- 3 files changed, 74 insertions(+), 4 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 78746918ad287775d05677e0f6d00bec088fafe2..cfcaca6493fd3f4657fd9f1839b6f3ac9f22546d 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -178,3 +178,7 @@ krb5_error_code ipadb_change_pwd(krb5_context context, int new_kvno, krb5_boolean keepold, krb5_db_entry *db_entry); +krb5_error_code ipadb_get_pwd_expiration(krb5_context context, + krb5_db_entry *entry, + struct ipadb_e_data *ied, + time_t *expire_time); diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c index ab58057a159992c1e9d94eb66b61d46ea302744d..18be9be017454ca10f52d622a66e7749b828ae67 100644 --- a/daemons/ipa-kdb/ipa_kdb_passwords.c +++ b/daemons/ipa-kdb/ipa_kdb_passwords.c @@ -269,3 +269,49 @@ krb5_error_code ipadb_change_pwd(krb5_context context, return 0; } +/* + * Check who actually changed the password, if it is not 'self' then + * we need to expire it if it is a user principal. + */ +krb5_error_code ipadb_get_pwd_expiration(krb5_context context, + krb5_db_entry *entry, + struct ipadb_e_data *ied, + time_t *expire_time) +{ + krb5_error_code kerr; + krb5_timestamp mod_time; + krb5_principal mod_princ = NULL; + krb5_boolean truexp = true; + + + /* Assume all principals with just one component as user principals */ + if (entry->princ->length == 1) { + kerr = krb5_dbe_lookup_mod_princ_data(context, entry, + &mod_time, &mod_princ); + if (kerr) { + goto done; + } + + /* If the mod principal is kadmind then we have to assume an actual + * password change for now. Apparently kadmind does not properly pass + * the actual user principal down when said user is performing a + * password change */ + if (mod_princ->length == 1 && + strcmp(mod_princ->data[0].data, "kadmind") != 0) { + truexp = krb5_principal_compare(context, mod_princ, entry->princ); + } + } + + if (truexp) { + *expire_time = mod_time + ied->pol.max_pwd_life; + } else { + /* not 'self', so reset */ + *expire_time = mod_time; + } + + kerr = 0; + +done: + krb5_free_principal(context, mod_princ); + return kerr; +} diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index 8e1d421854296c2a17ef165a910645dfee891183..ed5195fb9ee0489c888e118d746e6797867bde03 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c @@ -1362,7 +1362,8 @@ done: return kerr; } -static krb5_error_code ipadb_entry_to_mods(struct ipadb_mods *imods, +static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext, + struct ipadb_mods *imods, krb5_db_entry *entry, char *principal, int mod_op) @@ -1561,10 +1562,11 @@ static krb5_error_code ipadb_entry_to_mods(struct ipadb_mods *imods, /* KADM5_LOAD */ - /* Store saved password if any and password history */ + /* Handle password change related operations. */ if (entry->e_data) { struct ipadb_e_data *ied; time_t now = time(NULL); + time_t expire_time; char **new_history; int nh_len; int ret; @@ -1603,6 +1605,22 @@ static krb5_error_code ipadb_entry_to_mods(struct ipadb_mods *imods, goto done; } } + + /* Also set new password expiration time. + * Have to do it here because kadmin doesn't know policies and resets + * entry->mask after we have gone through the password change code. + */ + kerr = ipadb_get_pwd_expiration(kcontext, entry, ied, &expire_time); + if (kerr) { + goto done; + } + + kerr = ipadb_get_ldap_mod_time(imods, + "krbPasswordExpiration", + expire_time, mod_op); + if (kerr) { + goto done; + } } kerr = 0; @@ -1689,7 +1707,8 @@ static krb5_error_code ipadb_add_principal(krb5_context kcontext, goto done; } - kerr = ipadb_entry_to_mods(imods, entry, principal, LDAP_MOD_ADD); + kerr = ipadb_entry_to_mods(kcontext, imods, + entry, principal, LDAP_MOD_ADD); if (kerr != 0) { goto done; } @@ -1752,7 +1771,8 @@ static krb5_error_code ipadb_modify_principal(krb5_context kcontext, goto done; } - kerr = ipadb_entry_to_mods(imods, entry, principal, LDAP_MOD_REPLACE); + kerr = ipadb_entry_to_mods(kcontext, imods, + entry, principal, LDAP_MOD_REPLACE); if (kerr != 0) { goto done; } -- 1.7.6.2
_______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
