When Directory Manager or a PassSync agent is changing a password, it is not being expired, but standard expiration time should apply. However, default expiration time was always applied (90 days) even though administrator may have a custom policy for the user.
https://fedorahosted.org/freeipa/ticket/3968 -- Martin Kosek <mko...@redhat.com> Supervisor, Software Engineering - Identity Management Team Red Hat Inc.
From 312ae4d97e24965ed0928291f41e0b59973923a3 Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Thu, 10 Oct 2013 18:00:53 +0200 Subject: [PATCH] Administrative password change does not respect password policy When Directory Manager or a PassSync agent is changing a password, it is not being expired, but standard expiration time should apply. However, default expiration time was always applied (90 days) even though administrator may have a custom policy for the user. https://fedorahosted.org/freeipa/ticket/3968 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 44 ++++++++++++++++-------- 1 file changed, 29 insertions(+), 15 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index a54e91d87b5e700775b05dd2859c95abd739b626..f0339c47c5b242b436d77c4845c5914eae79814f 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c @@ -755,6 +755,7 @@ done: int ipapwd_CheckPolicy(struct ipapwd_data *data) { struct ipapwd_policy pol = {0}; + struct ipapwd_policy tmppol = {0}; time_t acct_expiration; time_t pwd_expiration; time_t last_pwd_change; @@ -765,11 +766,8 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE; pol.min_pwd_length = IPAPWD_DEFAULT_MINLEN; - if (data->changetype != IPA_CHANGETYPE_NORMAL) { - /* We must skip policy checks (Admin change) but - * force a password change on the next login. - * But not if Directory Manager */ - if (data->changetype == IPA_CHANGETYPE_ADMIN) { + switch(data->changetype) { + case IPA_CHANGETYPE_ADMIN: /* The expiration date needs to be older than the current time * otherwise the KDC may not immediately register the password * as expired. The last password change needs to match the @@ -777,16 +775,32 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) */ data->timeNow -= 1; data->expireTime = data->timeNow; - } - - /* do not load policies */ - } else { - - /* find the entry with the password policy */ - ret = ipapwd_getPolicy(data->dn, data->target, &pol); - if (ret) { - LOG_TRACE("No password policy, use defaults"); - } + break; + case IPA_CHANGETYPE_NORMAL: + /* Find the entry with the password policy */ + ret = ipapwd_getPolicy(data->dn, data->target, &pol); + if (ret) { + LOG_TRACE("No password policy, use defaults"); + } + break; + case IPA_CHANGETYPE_DSMGR: + /* PassSync agents and Directory Manager can administratively + * change the password without expiring it. + * + * Find password policy for the entry to properly set expiration. + * Do not store it in resulting policy to avoid aplying password + * quality checks on administratively set passwords + */ + ret = ipapwd_getPolicy(data->dn, data->target, &tmppol); + if (ret) { + LOG_TRACE("No password policy, use defaults"); + } else { + pol.max_pwd_life = tmppol.max_pwd_life; + } + break; + default: + LOG_TRACE("Unknown password change type, use defaults"); + break; } tmpstr = slapi_entry_attr_get_charptr(data->target, -- 1.8.3.1
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
