Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.507 (Entity 5.507) From: ghudson@mit.edu Subject: git commit Content-Length: 1233 Fix LDAP policy enforcement of pw_expiration In the LDAP backend, the change mask is used to determine what LDAP attributes to update. As a result, password expiration was not set from policy when running during addprinc, among other issues. However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration would be applied regardless, which meant that (for instance) changing the password would cause the password application to be applied. Remove the check for KADM5_PRINCIPAL, and fix the mask to contain KADM5_PW_EXPIRATION where appropriate. Add a regression test to t_kdb.py. [ghudson@mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and commit message] https://github.com/krb5/krb5/commit/6b004dd5739bded71be4290c11e7ac3a816c7e09 Author: Robbie Harwood Committer: Greg Hudson Commit: 6b004dd5739bded71be4290c11e7ac3a816c7e09 Branch: master src/lib/kadm5/srv/svr_principal.c | 92 +++++++++----------- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 13 --- src/tests/t_kdb.py | 17 ++++ 3 files changed, 60 insertions(+), 62 deletions(-)