https://fedorahosted.org/freeipa/ticket/2795
--
David Kupka
From 1f1d64210246cb2a968a7484d1ffcbaf48baa4ff Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Mon, 2 May 2016 13:56:39 +0200
Subject: [PATCH] pwpolicy: Do not expire passwords when maxlife is set to 0
 (infinity).

Currently passwords that should expire after IPAPWD_END_OF_TIME (Jan 1st 2038) are
set to expire at that time. We need to change MIT Kerberos to use 64bit time
stamps to allow real never-expiring passwords.

https://fedorahosted.org/freeipa/ticket/2795
---
 daemons/ipa-kdb/ipa_kdb_passwords.c | 6 +++++-
 ipalib/plugins/pwpolicy.py          | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
index ad57181d5049f36c69044bb2c9cfe183d7e4ea25..2dbdf6f29fce4cbc627ce888afc6f15f6f4e91b2 100644
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -253,7 +253,11 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
 
     if (truexp) {
         if (ied->pol) {
-            *expire_time = mod_time + ied->pol->max_pwd_life;
+            if (ied->pol->max_pwd_life == 0) {
+                *expire_time = IPAPWD_END_OF_TIME; // 1 Jan 2038, 00:00 GMT
+            } else {
+                *expire_time = mod_time + ied->pol->max_pwd_life;
+            }
         } else {
             *expire_time = mod_time + IPAPWD_DEFAULT_PWDLIFE;
         }
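Review bot: The sum `mod_time + ied->pol->max_pwd_life` in the new else branch can still land past IPAPWD_END_OF_TIME, because only the value 0 is special-cased. If the timestamp is 32-bit, as the commit message implies, a very large max life could wrap and yield an expiry in the past. Clamping would cover both cases: `if (ied->pol->max_pwd_life == 0 || ied->pol->max_pwd_life > IPAPWD_END_OF_TIME - mod_time)`. The field types are not visible in this hunk, so confirm signedness before relying on the subtraction. ipadb_get_pwd_expiration starts and ends outside the hunk.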
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index 86c559b7dfeb7dffaa6c777876c6e65caab02075..0271854456b9ca2968ef58438c7925dfb21930c7 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -412,7 +412,7 @@ class pwpolicy(LDAPObject):
                 maxlife = int(existing_entry['krbmaxpwdlife'][0]) * 86400
 
         if maxlife is not None and minlife is not None:
-            if minlife > maxlife:
+            if maxlife > 0 and minlife > maxlife:  # maxlife = 0 => infinity
                 raise errors.ValidationError(
                     name='maxlife',
                     error=_('Maximum password life must be greater than minimum.'),
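Review bot: Accepting `maxlife == 0` as "infinity" changes the meaning of any existing policy that already stores krbmaxpwdlife 0. Before this commit the KDB side computed `mod_time + 0`, so such passwords presumably expired at once; now they last until 2038. That is a security-relevant flip in policy semantics, and an administrator cannot see it from the validation error or from the short inline comment. The option's help text is outside this hunk, so check that it says 0 disables expiration. A fuller comment would also help here, e.g. `# maxlife == 0 means passwords never expire, so any minlife is acceptable`. The enclosing method begins and ends outside the hunk.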
-- 
2.5.5
