On 04/05/16 17:22, Pavel Vomacka wrote:


On 05/04/2016 04:36 PM, Simo Sorce wrote:
On Wed, 2016-05-04 at 15:39 +0200, Martin Kosek wrote:
On 05/02/2016 02:28 PM, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/2795
That patch looks suspiciously short given the struggles I saw in
http://www.redhat.com/archives/freeipa-devel/2015-June/msg00198.html
:-)

Instead of setting to IPAPWD_END_OF_TIME, should we instead avoid
filling
"krbPasswordExpiration" attribute at all, i.e. have password *without*
expiration? Or is krbPasswordExpiration mandatory?
So I looked at the MIT code, and it seem like they are coping just fine
with a missing (ie value = 0 internally) pw_expiration attribute.

So if we make our code cope with omitting any expiration if the
attribute is missing then yes, we can mark no expiration with simply
removing (or not setting) the krbPasswordExpiration attribute.
The attribute itself is optional and can be omitted.

I think this is a good idea, and is definitely better than inventing a a
magic value.

Simo.

Just a note: I tested David's patch and it actually doesn't work when
the new password policy for ipausers group is created (priority = 0,
which should be the highest priority). The maxlife and minlife values
are empty. Even if I set the new password policy maxlife and minlife to
0 the result was that password will expire in 90 days. The patch worked
correctly when I changed value of maxlife and minlife to 0 in
'global_policy'. Then the password expiration was set to 2038-01-01.


Hello!

I hope I've finally find all the places in ipa-kdb and ipa-pwd-extop plugins to tickle in order to have password that don't expire. Updated patch attached.

https://fedorahosted.org/freeipa/ticket/2795
--
David Kupka
From dc2250869ca4f527b9b353913ed5a750a6f0f6e5 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 30 Jun 2016 08:52:33 +0200
Subject: [PATCH] Allow unexpiring passwords

Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.

https://fedorahosted.org/freeipa/ticket/2795
---
 daemons/ipa-kdb/ipa_kdb_passwords.c               |  6 +++++-
 daemons/ipa-kdb/ipa_kdb_principals.c              | 11 +++++++++++
 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c  | 11 ++++++++++-
 daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c |  4 ++++
 ipaserver/plugins/pwpolicy.py                     |  2 +-
 5 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
index ad57181d5049f36c69044bb2c9cfe183d7e4ea25..a3d4fe2436da60d081040754780d3e815acb1473 100644
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -253,7 +253,11 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
 
     if (truexp) {
         if (ied->pol) {
-            *expire_time = mod_time + ied->pol->max_pwd_life;
+            if (ied->pol->max_pwd_life) {
+                *expire_time = mod_time + ied->pol->max_pwd_life;
+            } else {
+                *expire_time = 0;
+            }
         } else {
             *expire_time = mod_time + IPAPWD_DEFAULT_PWDLIFE;
         }
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index f1d3e9e89c2016b8a9ebad9c0c6fd46487a33a4b..6cdfa909452a4b55912b2a5a74648abd2053482a 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1850,6 +1850,11 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
                                        "krbPasswordExpiration",
                                        entry->pw_expiration,
                                        mod_op);
+        if (entry->pw_expiration == 0) {
+            kerr = ipadb_get_ldap_mod_time(imods,
+                                           "krbPasswordExpiration",
+                                           entry->pw_expiration, LDAP_MOD_DELETE);
+        }
         if (kerr) {
             goto done;
         }
@@ -2105,6 +2110,12 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
             kerr = ipadb_get_ldap_mod_time(imods,
                                            "krbPasswordExpiration",
                                            expire_time, mod_op);
+            if (expire_time == 0) {
+                kerr = ipadb_get_ldap_mod_time(imods,
+                                               "krbPasswordExpiration",
+                                               expire_time, LDAP_MOD_DELETE);
+            }
+
             if (kerr) {
                 goto done;
             }
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 5dc606d22305cf63a16feca30aab2728bb20b80d..de295e0b4cbd8eeff556d96be3db68705114b994 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -620,7 +620,11 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data)
     slapi_ch_array_free(pwd_history);
 
     if (data->expireTime == 0) {
-        data->expireTime = data->timeNow + pol.max_pwd_life;
+        if (pol.max_pwd_life > 0) {
+            /* max_pwd_life = 0 => never expire
+             * set expire time only when max_pwd_life > 0 */
+            data->expireTime = data->timeNow + pol.max_pwd_life;
+        }
     }
 
     data->policy = pol;
@@ -788,6 +792,11 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
                  "%Y%m%d%H%M%SZ", &utctime);
 			slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                               "krbPasswordExpiration", timestr);
+			if (data->expireTime == 0) {
+			    slapi_mods_add_string(smods, LDAP_MOD_DELETE,
+			                          "krbPasswordExpiration", timestr);
+			}
+
 		}
 	}
 
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index 5c700211b59e8707fa2d1d27347c73708dbbde61..9d923d6fb133ef9c743c1f0c5362343e588e1b20 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1123,6 +1123,10 @@ static int ipapwd_post_modadd(Slapi_PBlock *pb)
                      "%Y%m%d%H%M%SZ", &utctime);
             slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                                   "krbPasswordExpiration", timestr);
+			if (pwdop->pwdata.expireTime == 0) {
+			    slapi_mods_add_string(smods, LDAP_MOD_DELETE,
+			                          "krbPasswordExpiration", timestr);
+			}
 
             /* change Last Password Change field with the current date */
             if (!gmtime_r(&(pwdop->pwdata.timeNow), &utctime)) {
diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
index 5a2202aa004cd6f306530aa8b68760d53cf60537..e5e68fb58a09d24a374a16c7916a4796812766d2 100644
--- a/ipaserver/plugins/pwpolicy.py
+++ b/ipaserver/plugins/pwpolicy.py
@@ -411,7 +411,7 @@ class pwpolicy(LDAPObject):
             if maxlife is None and 'krbmaxpwdlife' in existing_entry:
                 maxlife = int(existing_entry['krbmaxpwdlife'][0]) * 86400
 
-        if maxlife is not None and minlife is not None:
+        if maxlife not in (None, 0) and minlife is not None:
             if minlife > maxlife:
                 raise errors.ValidationError(
                     name='maxlife',
-- 
2.7.4

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to