
Fix LDAP policy enforcement of pw_expiration #1016

Merged: 1 commit, Jan 7, 2020

Conversation

frozencemetery (Contributor):

In only the LDAP backend, the change mask is used to determine what to
update. As a result, password expiration was not set from policy when
running during addprinc, among other issues. However, when the mask did
not contain KADM5_PRINCIPAL, pw_expiration would be applied regardless,
which meant that (for instance) changing the password would cause the
password application to be applied.

Remove this check, and fix the mask to contain KADM5_PW_EXPIRATION where
appropriate. Add a regression test to the LDAP suite.

Review comments (outdated, resolved): src/lib/kadm5/srv/svr_principal.c (2)
@frozencemetery force-pushed the ldap_pw_expiration branch 4 times, most recently from 7c83052 to a48b0d1, December 19, 2019 16:12
Review comments (outdated, resolved): src/lib/kadm5/srv/svr_principal.c (3), src/tests/t_kdb.py (1)
@frozencemetery force-pushed the ldap_pw_expiration branch 2 times, most recently from bb4845e to f087c2f, January 7, 2020 20:46
@frozencemetery (Contributor, Author):

Rebased and addressed comments.

In the LDAP backend, the change mask is used to determine what LDAP
attributes to update.  As a result, password expiration was not set
from policy when running during addprinc, among other issues.
However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration
would be applied regardless, which meant that (for instance) changing
the password would cause the password application to be applied.

Remove the check for KADM5_PRINCIPAL, and fix the mask to contain
KADM5_PW_EXPIRATION where appropriate.  Add a regression test to
t_kdb.py.

[ghudson@mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey
since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and
commit message]

ticket: 8861 (new)
tags: pullup
target_version: 1.17-next
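As an added illustration (not krb5's own code), a small C model of the mask-driven write the commit message describes: one backend write routine with the pre-fix and post-fix behaviour side by side, an addprinc caller that derives pw_expiration from policy, and a randkey caller that clears KRB5_KDB_REQUIRES_PWCHANGE. The mask bit values, the entry struct and the function names are constructed stand-ins, not the kadm5 definitions.

```c
/* Stand-in mask bits and attribute flag (constructed values, not kadm5's). */
#define KADM5_PRINCIPAL            0x01
#define KADM5_PW_EXPIRATION        0x02
#define KADM5_ATTRIBUTES           0x04
#define KADM5_KEY_DATA             0x08
#define KRB5_KDB_REQUIRES_PWCHANGE 0x01

typedef struct {
    long pw_expiration;   /* absolute time, 0 = never expires */
    unsigned attributes;  /* KRB5_KDB_* flag bits */
} entry;

/* Backend write. Before the fix, pw_expiration was written if the mask had
 * KADM5_PW_EXPIRATION, or unconditionally when KADM5_PRINCIPAL was absent
 * (i.e. on any modify); after the fix only the mask bit decides. */
static void put_principal(entry *stored, const entry *in, unsigned mask, int fixed)
{
    int write_exp = fixed ? (mask & KADM5_PW_EXPIRATION) != 0
                          : !(mask & KADM5_PRINCIPAL) || (mask & KADM5_PW_EXPIRATION);
    if (write_exp)
        stored->pw_expiration = in->pw_expiration;
    if (mask & KADM5_ATTRIBUTES)
        stored->attributes = in->attributes;
}

/* addprinc with a policy-derived expiration: before the fix the caller did
 * not set KADM5_PW_EXPIRATION, so the value never reached the LDAP entry. */
long addprinc(entry *stored, long policy_expiration, int fixed)
{
    entry in = { policy_expiration, KRB5_KDB_REQUIRES_PWCHANGE };
    unsigned mask = KADM5_PRINCIPAL | KADM5_ATTRIBUTES;
    if (fixed) mask |= KADM5_PW_EXPIRATION;   /* caller-side half of the fix */
    put_principal(stored, &in, mask, fixed);
    return stored->pw_expiration;
}

/* randkey clears REQUIRES_PWCHANGE; without KADM5_ATTRIBUTES in the mask the
 * cleared flag is never written, so the forced password change remains. */
unsigned randkey(entry *stored, int fixed)
{
    entry in = *stored;
    unsigned mask = KADM5_KEY_DATA;
    in.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
    if (fixed) mask |= KADM5_ATTRIBUTES;       /* the randkey/setkey addition */
    put_principal(stored, &in, mask, fixed);
    return stored->attributes;
}
```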
@greghudson greghudson merged commit 6b004dd into krb5:master Jan 7, 2020