honour krb5PasswordEnd also if sambaPwdLastSet

Commit 9f696b1 changed the behaviour of key expiry for principals that have an sambaPwdLastSet attribute in LDAP. The change was twofold: * if "password_lifetime" is not set in kdc.conf a default lifetime of 1 year is enforced * krb5PasswordEnd is not honoured. This patch causes pw_end to be modified only if sambaPwdLastSet *and* "password_lifetime" is defined in kdc.conf. Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
heimdal · Mar 4, 2013 · 3cf3708 · 3cf3708
1 parent 66f4c44
commit 3cf3708
Showing 1 changed file with 14 additions and 11 deletions.
diff --git a/lib/hdb/hdb-ldap.c b/lib/hdb/hdb-ldap.c
@@ -1239,21 +1239,24 @@ LDAP_message2entry(krb5_context context, HDB * db, LDAPMessage * msg,
     if (ret == 0) {
 	time_t delta;
 
-	if (ent->entry.pw_end == NULL) {
-            ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
-            if (ent->entry.pw_end == NULL) {
-                ret = ENOMEM;
-                krb5_set_error_message(context, ret, "malloc: out of memory");
-                goto out;
-            }
-        }
-
 	delta = krb5_config_get_time_default(context, NULL,
-					     365 * 24 * 60 * 60,
+					     0,
 					     "kadmin",
 					     "password_lifetime",
 					     NULL);
-        *ent->entry.pw_end = tmp_time + delta;
+
+	if (delta) {
+		if (ent->entry.pw_end == NULL) {
+		    ent->entry.pw_end = malloc(sizeof(*ent->entry.pw_end));
+		    if (ent->entry.pw_end == NULL) {
+			ret = ENOMEM;
+			krb5_set_error_message(context, ret, "malloc: out of memory");
+			goto out;
+		    }
+		}
+
+		*ent->entry.pw_end = tmp_time + delta;
+	}
     }
 
     ret = LDAP_get_integer_value(db, msg, "sambaPwdMustChange", &tmp_time);