Content-Transfer-Encoding: binary X-Mailer: MIME-tools 5.507 (Entity 5.507) Content-Disposition: inline MIME-Version: 1.0 Subject: git commit From: ghudson@mit.edu X-RT-Interface: API Content-Type: text/plain; charset="utf-8" X-RT-Original-Encoding: ascii RT-Message-ID: Content-Length: 1306 Fix LDAP policy enforcement of pw_expiration In the LDAP backend, the change mask is used to determine what LDAP attributes to update. As a result, password expiration was not set from policy when running during addprinc, among other issues. However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration would be applied regardless, which meant that (for instance) changing the password would cause the password application to be applied. Remove the check for KADM5_PRINCIPAL, and fix the mask to contain KADM5_PW_EXPIRATION where appropriate. Add a regression test to t_kdb.py. [ghudson@mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and commit message] (cherry picked from commit 6b004dd5739bded71be4290c11e7ac3a816c7e09) https://github.com/krb5/krb5/commit/90a13e6d9763c510339c7a40fbc4ecb30041f421 Author: Robbie Harwood Committer: Greg Hudson Commit: 90a13e6d9763c510339c7a40fbc4ecb30041f421 Branch: krb5-1.17 src/lib/kadm5/srv/svr_principal.c | 92 +++++++++----------- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 13 --- src/tests/t_kdb.py | 17 ++++ 3 files changed, 60 insertions(+), 62 deletions(-)