Ticket #49082 - Fix password expiration related shadow attributes

The original patch was provided by Gordon Messmer (gordon.messmer@gmail.com) with the description: Bug description: Shadow attributes (in /etc/shadow and in LDAP) are typically unset when no policy is in place. 389-ds will incorrectly return values (possibly set to 0) when there is no policy. Fix description: Only auto-fill shadow attributes when a password policy is available. These are empty when no policy is in place. Don't auto-fill expiration related shadow attributes if passwords never expire. Reviewed by William Brown <wibrown@redhat.com> (Thanks!!). (cherry picked from commit 5bcd966)
389ds · Jan 12, 2017 · faae0fa · faae0fa
1 parent 2ca12fc
commit faae0fa
Showing 1 changed file with 38 additions and 36 deletions.
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
@@ -2802,7 +2802,7 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e)
 {
     const char *dn = NULL;
     passwdPolicy *pwpolicy = NULL;
-    long long shadowval = 0;
+    long long shadowval = -1;
     Slapi_Mods *smods = NULL;
     LDAPMod **mods;
     long long sval;
@@ -2840,64 +2840,66 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e)
         if (shadowval > _MAX_SHADOW) {
             shadowval = _MAX_SHADOW;
         }
-    } else {
-        shadowval = 0;
     }
-    shmin = slapi_entry_attr_get_charptr(*e, "shadowMin");
-    if (shmin) {
-        sval = strtoll(shmin, NULL, 0);
-        if (sval != shadowval) {
-            slapi_ch_free_string(&shmin);
-            shmin = slapi_ch_smprintf("%lld", shadowval);
+    if (shadowval > 0) {
+        shmin = slapi_entry_attr_get_charptr(*e, "shadowMin");
+        if (shmin) {
+            sval = strtoll(shmin, NULL, 0);
+            if (sval != shadowval) {
+                slapi_ch_free_string(&shmin);
+                shmin = slapi_ch_smprintf("%lld", shadowval);
+                mod_num++;
+            }
+        } else {
             mod_num++;
+            shmin = slapi_ch_smprintf("%lld", shadowval);
         }
-    } else {
-        mod_num++;
-        shmin = slapi_ch_smprintf("%lld", shadowval);
     }
 
     /* shadowMax - the maximum number of days for which the user password remains valid. */
-    if (pwpolicy->pw_maxage > 0) {
+    shadowval = -1;
+    if (pwpolicy->pw_exp == 1 && pwpolicy->pw_maxage > 0) {
         shadowval = pwpolicy->pw_maxage / _SEC_PER_DAY;
         if (shadowval > _MAX_SHADOW) {
             shadowval = _MAX_SHADOW;
         }
-    } else {
-        shadowval = _MAX_SHADOW;
     }
-    shmax = slapi_entry_attr_get_charptr(*e, "shadowMax");
-    if (shmax) {
-        sval = strtoll(shmax, NULL, 0);
-        if (sval != shadowval) {
-            slapi_ch_free_string(&shmax);
-            shmax = slapi_ch_smprintf("%lld", shadowval);
+    if (shadowval > 0) {
+        shmax = slapi_entry_attr_get_charptr(*e, "shadowMax");
+        if (shmax) {
+            sval = strtoll(shmax, NULL, 0);
+            if (sval != shadowval) {
+                slapi_ch_free_string(&shmax);
+                shmax = slapi_ch_smprintf("%lld", shadowval);
+                mod_num++;
+            }
+        } else {
             mod_num++;
+            shmax = slapi_ch_smprintf("%lld", shadowval);
         }
-    } else {
-        mod_num++;
-        shmax = slapi_ch_smprintf("%lld", shadowval);
     }
 
     /* shadowWarning - the number of days of advance warning given to the user before the user password expires. */
-    if (pwpolicy->pw_warning > 0) {
+    shadowval = -1;
+    if (pwpolicy->pw_exp == 1 && pwpolicy->pw_warning > 0) {
         shadowval = pwpolicy->pw_warning / _SEC_PER_DAY;
         if (shadowval > _MAX_SHADOW) {
             shadowval = _MAX_SHADOW;
         }
-    } else {
-        shadowval = 0;
     }
-    shwarn = slapi_entry_attr_get_charptr(*e, "shadowWarning");
-    if (shwarn) {
-        sval = strtoll(shwarn, NULL, 0);
-        if (sval != shadowval) {
-            slapi_ch_free_string(&shwarn);
-            shwarn = slapi_ch_smprintf("%lld", shadowval);
+    if (shadowval > 0) {
+        shwarn = slapi_entry_attr_get_charptr(*e, "shadowWarning");
+        if (shwarn) {
+            sval = strtoll(shwarn, NULL, 0);
+            if (sval != shadowval) {
+                slapi_ch_free_string(&shwarn);
+                shwarn = slapi_ch_smprintf("%lld", shadowval);
+                mod_num++;
+            }
+        } else {
             mod_num++;
+            shwarn = slapi_ch_smprintf("%lld", shadowval);
         }
-    } else {
-        mod_num++;
-        shwarn = slapi_ch_smprintf("%lld", shadowval);
     }
 
     smods = slapi_mods_new();