From: | ghudson@mit.edu |
Subject: | git commit |
Fix LDAP policy enforcement of pw_expiration
In the LDAP backend, the change mask is used to determine what LDAP
attributes to update. As a result, password expiration was not set
from policy when running during addprinc, among other issues.
However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration
would be applied regardless, which meant that (for instance) changing
the password would cause the password application to be applied.
Remove the check for KADM5_PRINCIPAL, and fix the mask to contain
KADM5_PW_EXPIRATION where appropriate. Add a regression test to
t_kdb.py.
[ghudson@mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey
since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and
commit message]
https://github.com/krb5/krb5/commit/6b004dd5739bded71be4290c11e7ac3a816c7e09
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 6b004dd5739bded71be4290c11e7ac3a816c7e09
Branch: master
src/lib/kadm5/srv/svr_principal.c | 92 +++++++++-----------
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 13 ---
src/tests/t_kdb.py | 17 ++++
3 files changed, 60 insertions(+), 62 deletions(-)