honour krb5PasswordEnd also if sambaPwdLastSet

Commit 9f696b11c2 changed the
behaviour of key expiry for principals that have an sambaPwdLastSet
attribute in LDAP. The change was twofold:

* if "password_lifetime" is not set in kdc.conf a default lifetime
  of 1 year is enforced

* krb5PasswordEnd is not honoured.

This patch causes pw_end to be modified only if sambaPwdLastSet is present
*and* "password_lifetime" is defined in kdc.conf.

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Arvid Requate
2013-03-04 17:02:38 +01:00
committed by Love Hornquist Astrand
parent 66f4c441e9
commit 3cf3708950


@@ -1239,21 +1239,24 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
if (ret == 0) {
time_t delta;
if (ent->entry.pw_end == NULL) {
ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
if (ent->entry.pw_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
}
delta = krb5_config_get_time_default(context, NULL,
365 * 24 * 60 * 60,
0,
"kadmin",
"password_lifetime",
NULL);
*ent->entry.pw_end = tmp_time + delta;
if (delta) {
if (ent->entry.pw_end == NULL) {
ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
if (ent->entry.pw_end == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
}
*ent->entry.pw_end = tmp_time + delta;
}
}
ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time);
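Review bot: Inside the new `if (delta)` block, `*ent->entry.pw_end = tmp_time + delta;` still overwrites a pw_end that was already populated, so with "password_lifetime" configured an explicit, earlier expiry on the entry would be replaced by the later computed one. The `pw_end == NULL` test suggests the field can be filled before this point, presumably from krb5PasswordEnd, but that code is outside the hunk and should be confirmed. If it is, consider keeping the earlier of the two values, or at least state the precedence in a comment such as `/* password_lifetime, when set, overrides krb5PasswordEnd for entries with sambaPwdLastSet */`. Separately, `if (delta)` would also accept a negative lifetime, if the config parser can return one, which would place pw_end before the last password change; `if (delta > 0)` would ignore such a value. The enclosing function LDAP_message2entry starts and ends outside the hunk.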