On Thu, 22 May 2014, Nathaniel McCallum wrote:
> On Fri, 2014-05-02 at 17:49 -0400, Nathaniel McCallum wrote:
>> If the KDC doesn't use the FreeIPA password for authentication, then it
>> is futile to provide this information. Doing so will only confuse the
>> user. It also causes password change dialogues when the password is
>> irrelevant.
>>
>> https://fedorahosted.org/freeipa/ticket/4299
>
> This new version fixes a small logic bug. This should be an easy review.

ACK.

> Nathaniel
From 9764b91aa976ca1ed48885d5ace555b6b263080a Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Fri, 2 May 2014 14:55:07 -0400
Subject: [PATCH] kdb: Don't provide password expiration when using only RADIUS
If the KDC doesn't use the FreeIPA password for authentication, then it is
futile to provide this information. Doing so will only confuse the user. It
also causes password change dialogues when the password is irrelevant.
https://fedorahosted.org/freeipa/ticket/4299
---
daemons/ipa-kdb/ipa_kdb_principals.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c
b/daemons/ipa-kdb/ipa_kdb_principals.c
index
f0be76ea7b36efe3540429f7e31ffbc582edd060..d2be98886ef865eaabf7d5935994281ec262a2c8
100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -429,6 +429,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context
kcontext,
switch (ret) {
case 0:
entry->pw_expiration = restime;
+
+ /* If we are using only RADIUS, we don't know expiration. */
+ if (ua == IPADB_USER_AUTH_RADIUS)
+ entry->pw_expiration = 0;
case ENOENT:
break;
default:
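Review bot: under `case 0:` the new lines assign `entry->pw_expiration = restime;` and then immediately overwrite it with 0 when `ua == IPADB_USER_AUTH_RADIUS`; a single if/else that assigns the field once would make the RADIUS-only path easier to audit. The comment should also say what a value of 0 means to whatever consumes `pw_expiration`, since the stated goal is to suppress expiration information and password change dialogues, and it should say that the comparison is deliberately an equality on `ua` (the commit message says "only RADIUS") so a later reader does not change it to a flag test. Note that `case 0:` still runs into `case ENOENT:` without a `break`; that is harmless while the next label only breaks, but an explicit `break;` or a fall-through comment after the new block would keep a future change to the `ENOENT` branch from silently affecting this path.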
--
1.9.3
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
--
/ Alexander Bokovoy