git.ipfire.org Git - thirdparty/krb5.git/commit
Fix LDAP policy enforcement of pw_expiration 1016/head
author Robbie Harwood <rharwood@redhat.com>
Tue, 17 Dec 2019 22:37:41 +0000 (17:37 -0500)
committer Greg Hudson <ghudson@mit.edu>
Tue, 7 Jan 2020 23:21:18 +0000 (18:21 -0500)
commit 6b004dd5739bded71be4290c11e7ac3a816c7e09
tree 60852c40409f7e69a18b3e2cb0cc121a2c4bb2a9
parent 775e496aac2650343ec20826b1ba7f6306a12f3c
Fix LDAP policy enforcement of pw_expiration

In the LDAP backend, the change mask is used to determine what LDAP
attributes to update.  As a result, password expiration was not set
from policy when running during addprinc, among other issues.
However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration
would be applied regardless, which meant that (for instance) changing
the password would cause the password application to be applied.

Remove the check for KADM5_PRINCIPAL, and fix the mask to contain
KADM5_PW_EXPIRATION where appropriate.  Add a regression test to
t_kdb.py.

[ghudson@mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey
since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and
commit message]

ticket: 8861 (new)
tags: pullup
target_version: 1.17-next
src/lib/kadm5/srv/svr_principal.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
src/tests/t_kdb.py