If the KDC doesn't use the FreeIPA password for authentication, then it
is futile to provide this information. Doing so will only confuse the
user. It also causes password change dialogues when the password is
irrelevant.

https://fedorahosted.org/freeipa/ticket/4299
From de3160c0ae01364c4eaddb83c297faa07b4b4d26 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Fri, 2 May 2014 14:55:07 -0400
Subject: [PATCH] kdb: Don't provide password expiration when using only RADIUS

If the KDC doesn't use the FreeIPA password for authentication, then it is
futile to provide this information. Doing so will only confuse the user. It
also causes password change dialogues when the password is irrelevant.

https://fedorahosted.org/freeipa/ticket/4299
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index f0be76ea7b36efe3540429f7e31ffbc582edd060..b5fc679c5bc07e5b4c37ab5f46776532c1bbb4fd 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -428,7 +428,13 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
                                            "krbPasswordExpiration", &restime);
     switch (ret) {
     case 0:
-        entry->pw_expiration = restime;
+        /* If any method is set other than RADIUS, provide expiration. */
+        if (ua & ~IPADB_USER_AUTH_RADIUS)
+            entry->pw_expiration = restime;
+
+        /* However, if we are only using RADIUS, we don't know expiration. */
+        else
+            entry->pw_expiration = 0;
     case ENOENT:
         break;
     default:
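
Review bot: the new test `if (ua & ~IPADB_USER_AUTH_RADIUS)` is false not only when RADIUS is the sole method but also when `ua` has no bits set at all, so an entry with no explicit auth type would get `pw_expiration = 0` and lose its password expiry. If `ua` can reach this point as zero, compare explicitly instead, for example `if (ua != IPADB_USER_AUTH_RADIUS)`, or state in the comment that `ua` is always non-zero here. Separately, the unbraced `if`/`else` with a blank line and a comment between the two branches is easy to break in a later edit; braces on both branches would make it safer, and since `case 0:` still falls through to `case ENOENT:`, a short fall-through comment after the `else` branch would show that this is intended.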
-- 
1.9.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel