int pwdMinLength; /* minimum number of chars in password */
int pwdExpireWarning; /* number of seconds that warning controls are
sent before a password expires */
+ int pwdGraceExpiry; /* number of seconds after expiry grace logins are
+ valid */
int pwdGraceAuthNLimit; /* number of times you can log in with an
expired password */
int pwdLockout; /* 0 = do not lockout passwords, 1 = lock them out */
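Review bot: The comment on the new `pwdGraceExpiry` field does not say what a value of 0 means, although the grace-login check added later in this patch skips the time limit entirely when the field is zero. Stating that in the declaration saves the next reader from working it out from the bind path: `/* number of seconds after expiry grace logins are valid, 0 = no time limit */`.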
if ( ( a = attr_find( pe->e_attrs, ad_pwdMaxRecordedFailure ) )
&& lutil_atoi( &pp->pwdMaxRecordedFailure, a->a_vals[0].bv_val ) != 0 )
goto defaultpol;
+ if ( ( a = attr_find( pe->e_attrs, ad_pwdGraceExpiry ) )
+ && lutil_atoi( &pp->pwdGraceExpiry, a->a_vals[0].bv_val ) != 0 )
+ goto defaultpol;
if ( ( a = attr_find( pe->e_attrs, ad_pwdGraceAuthNLimit ) )
&& lutil_atoi( &pp->pwdGraceAuthNLimit, a->a_vals[0].bv_val ) != 0 )
goto defaultpol;
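Review bot: The parsed `pwdGraceExpiry` is stored with no range check, so a negative value in the policy entry would be accepted if `lutil_atoi` allows a sign and the attribute syntax does not already forbid it (neither is visible here). Such a value passes the `ppb->pp.pwdGraceExpiry &&` test in the grace block and moves the cutoff to before the password's own expiry, which silently disables grace logins. Treating it like a parse failure keeps the policy well-defined: `&& ( lutil_atoi( &pp->pwdGraceExpiry, a->a_vals[0].bv_val ) != 0 || pp->pwdGraceExpiry < 0 ) )`. The neighbouring attributes are parsed the same way, so it is worth confirming whether schema validation is meant to cover this instead.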
grace:
if (!pwExpired) goto check_expiring_password;
- if ((a = attr_find( e->e_attrs, ad_pwdGraceUseTime )) == NULL)
+ if ( ppb->pp.pwdGraceExpiry &&
+ now - pwtime > ppb->pp.pwdMaxAge + ppb->pp.pwdGraceExpiry ) {
+ /* Grace logins have expired now */
+ ngut = 0;
+ } else if ((a = attr_find( e->e_attrs, ad_pwdGraceUseTime )) == NULL) {
ngut = ppb->pp.pwdGraceAuthNLimit;
- else {
+ } else {
for(ngut=0; a->a_nvals[ngut].bv_val; ngut++);
ngut = ppb->pp.pwdGraceAuthNLimit - ngut;
}
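Review bot: The new cutoff test `now - pwtime > ppb->pp.pwdMaxAge + ppb->pp.pwdGraceExpiry` sums two policy-supplied values before comparing. `pwdGraceExpiry` is declared `int` in this patch; if `pwdMaxAge` is also an `int` (its declaration is not shown), large configured values overflow the addition, which is undefined behaviour for signed integers and makes the grace window depend on how the compiler treats it. Rearranging the comparison so that no two policy values are added avoids this: `now - pwtime - ppb->pp.pwdMaxAge > ppb->pp.pwdGraceExpiry`. The `grace:` block continues past this hunk, so how `ngut = 0` is turned into a bind result is not visible here. Please confirm that path rejects the bind rather than falling through as a normal expiry warning.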