Add require-pwchange flag to HDB and honour it if present in mit-db:.

2012-02-27 10:19:54 +00:00
parent 91f2de8d1a
commit 0da84c0c3a
5 changed files with 11 additions and 0 deletions
--- a/lib/hdb/hdb-mitdb.c
+++ b/lib/hdb/hdb-mitdb.c
@@ -445,6 +445,7 @@ mdb_value2entry(krb5_context context, krb5_data *data, krb5_kvno target_kvno,
    entry->flags.invalid =	!!(u32 & KRB5_KDB_DISALLOW_ALL_TIX);
    entry->flags.require_preauth =!!(u32 & KRB5_KDB_REQUIRES_PRE_AUTH);
    entry->flags.require_hwauth =!!(u32 & KRB5_KDB_REQUIRES_HW_AUTH);
+    entry->flags.require_pwchange =!!(u32 & KRB5_KDB_REQUIRES_PWCHANGE);
    entry->flags.server =	 !(u32 & KRB5_KDB_DISALLOW_SVR);
    entry->flags.change_pw = 	!!(u32 & KRB5_KDB_PWCHANGE_SERVICE);
    entry->flags.client =	   1; /* XXX */
--- a/lib/hdb/hdb.asn1
+++ b/lib/hdb/hdb.asn1
@@ -48,6 +48,7 @@ HDBFlags ::= BIT STRING {
 	allow-digest(16),		-- Allow digest requests
 	locked-out(17),			-- Account is locked out,
 					-- authentication will be denied
+	require-pwchange(18),		-- require a passwd change
 	do-not-store(31)		-- Not to be modified and stored in HDB
 }