Ticket History #8882: kdb5_util load ignores password expiration with LDAP KDB module

# Thu Mar 05 13:51:57 2020 "Machin, Glenn D" <GMachin@sandia.gov> - Ticket created

From:	"Machin, Glenn D" <GMachin@sandia.gov>
Subject:	When doing a kdb5_util load with ldap backend the password expiration date is not loading
Date:	Thu, 5 Mar 2020 18:51:32 +0000
To:	"krb5-bugs@mit.edu" <krb5-bugs@mit.edu>

Download (untitled) / with headers
text/plain 707B

Download (untitled) / with headers
text/html 3.6KiB

Identified the problem to be not setting KADM5_PW_EXPIRATION in the db entry mask.

krb5-1.17/src/kadmin/dbutil/dump.c

process_k5beta7_princ()

Add KADM5_PW_EXPIRATION to mask:

Change:

dbentry->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |

KADM5_MAX_LIFE | KADM5_MAX_RLIFE |

KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS |

KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT;

To:

dbentry->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |

KADM5_MAX_LIFE | KADM5_MAX_RLIFE |

KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS |

KADM5_LAST_FAILED | KADM5_FAIL_AUTH_COUNT | KADM5_PW_EXPIRATION;

# Mon Jun 08 11:37:16 2020 ghudson@mit.edu (Greg Hudson) - Target_Version 1.18-next added

# Mon Jun 08 11:37:16 2020 ghudson@mit.edu (Greg Hudson) - Target_Version 1.17-next added

# Mon Jun 08 11:37:16 2020 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Mon Jun 08 11:37:16 2020 ghudson@mit.edu (Greg Hudson) - Taken

# Mon Jun 08 11:37:16 2020 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'resolved'

# Mon Jun 08 11:37:16 2020 ghudson@mit.edu (Greg Hudson) - Correspondence added

Subject:	git commit
From:	ghudson@mit.edu

Download (untitled) / with headers
text/plain 571B

Set pw_expiration during LDAP load

When loading a principal entry in process_k5beta7_princ(), set the
KADM5_PW_EXPIRATION mask bit so that the password expiration time is
set on the principal entry. Add a regression test.

Reported (with fix) by Glenn Machin.

https://github.com/krb5/krb5/commit/778d3fd9de50ab0c87cf0031e1dd24a8ec4bd552
Author: Greg Hudson <ghudson@mit.edu>
Commit: 778d3fd9de50ab0c87cf0031e1dd24a8ec4bd552
Branch: master
src/kadmin/dbutil/dump.c | 2 +-
src/tests/t_kdb.py | 8 +++++++-
2 files changed, 8 insertions(+), 2 deletions(-)

# Tue Nov 03 13:14:26 2020 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.18.3 added

# Tue Nov 03 13:14:26 2020 ghudson@mit.edu (Greg Hudson) - Correspondence added

Subject:	git commit
From:	ghudson@mit.edu

Download (untitled) / with headers
text/plain 644B

Set pw_expiration during LDAP load

When loading a principal entry in process_k5beta7_princ(), set the
KADM5_PW_EXPIRATION mask bit so that the password expiration time is
set on the principal entry. Add a regression test.

Reported (with fix) by Glenn Machin.

(cherry picked from commit 778d3fd9de50ab0c87cf0031e1dd24a8ec4bd552)

https://github.com/krb5/krb5/commit/c5721b89d76c8484f774357d3ff62296cd6df548
Author: Greg Hudson <ghudson@mit.edu>
Commit: c5721b89d76c8484f774357d3ff62296cd6df548
Branch: krb5-1.18
src/kadmin/dbutil/dump.c | 2 +-
src/tests/t_kdb.py | 8 +++++++-
2 files changed, 8 insertions(+), 2 deletions(-)

# Tue Nov 03 13:14:26 2020 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.17.2 added

# Tue Nov 03 13:14:26 2020 ghudson@mit.edu (Greg Hudson) - Correspondence added

Subject:	git commit
From:	ghudson@mit.edu

Download (untitled) / with headers
text/plain 644B

Set pw_expiration during LDAP load

When loading a principal entry in process_k5beta7_princ(), set the
KADM5_PW_EXPIRATION mask bit so that the password expiration time is
set on the principal entry. Add a regression test.

Reported (with fix) by Glenn Machin.

(cherry picked from commit 778d3fd9de50ab0c87cf0031e1dd24a8ec4bd552)

https://github.com/krb5/krb5/commit/3c4075b01375c04070f991920028ce9117f2a512
Author: Greg Hudson <ghudson@mit.edu>
Commit: 3c4075b01375c04070f991920028ce9117f2a512
Branch: krb5-1.17
src/kadmin/dbutil/dump.c | 2 +-
src/tests/t_kdb.py | 8 +++++++-
2 files changed, 8 insertions(+), 2 deletions(-)

# Tue Nov 03 14:24:07 2020 ghudson@mit.edu (Greg Hudson) - Tags pullup deleted

# Mon Nov 16 22:52:51 2020 ghudson@mit.edu (Greg Hudson) - Subject changed from 'When doing a kdb5_util load with ldap backend the password expiration date is not loading' to 'kdb5_util load ignores password expiration with LDAP KDB module'