From 96ad7ec4fa84dd32439e3473c0128612dd5f9d49 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Wed, 11 Jan 2017 15:04:42 -0800
Subject: [PATCH 62/67] Ticket #49082 - Fix password expiration related shadow
 attributes

The original patch was provided by Gordon Messmer (gordon.messmer@gmail.com)
with the description:
  Bug description:
  Shadow attributes (in /etc/shadow and in LDAP) are typically unset when no
  policy is in place. 389-ds will incorrectly return values (possibly set to 0)
  when there is no policy.

  Fix description:
  Only auto-fill shadow attributes when a password policy is available.  These
  are empty when no policy is in place.

  Don't auto-fill expiration related shadow attributes if passwords never expire.

Reviewed by William Brown <wibrown@redhat.com> (Thanks!!).

(cherry picked from commit 5bcd966b73708f6b558f01e6b11a7a11e8d3b126)
(cherry picked from commit faae0fa5a4a6b3d590c1a9e068d9436965cc49c9)
---
 ldap/servers/slapd/pw.c | 74 +++++++++++++++++++++++++------------------------
 1 file changed, 38 insertions(+), 36 deletions(-)

diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index ce1ca2a..30a2cb9 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -2802,7 +2802,7 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e)
 {
     const char *dn = NULL;
     passwdPolicy *pwpolicy = NULL;
-    long long shadowval = 0;
+    long long shadowval = -1;
     Slapi_Mods *smods = NULL;
     LDAPMod **mods;
     long long sval;
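Review bot: The new `-1` initializer on `shadowval` is an undocumented sentinel. With the `else { shadowval = 0; }` branch removed in the next hunk, the shadowMin block depends on this initial value to mean "the policy supplies nothing, leave the attribute alone". A short comment on the declaration would make that explicit, for example `/* -1: no value derived from the policy; the shadow attribute is not auto-filled */`. The function body continues outside this hunk.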
@@ -2840,64 +2840,66 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e)
         if (shadowval > _MAX_SHADOW) {
             shadowval = _MAX_SHADOW;
         }
-    } else {
-        shadowval = 0;
     }
-    shmin = slapi_entry_attr_get_charptr(*e, "shadowMin");
-    if (shmin) {
-        sval = strtoll(shmin, NULL, 0);
-        if (sval != shadowval) {
-            slapi_ch_free_string(&shmin);
-            shmin = slapi_ch_smprintf("%lld", shadowval);
+    if (shadowval > 0) {
+        shmin = slapi_entry_attr_get_charptr(*e, "shadowMin");
+        if (shmin) {
+            sval = strtoll(shmin, NULL, 0);
+            if (sval != shadowval) {
+                slapi_ch_free_string(&shmin);
+                shmin = slapi_ch_smprintf("%lld", shadowval);
+                mod_num++;
+            }
+        } else {
             mod_num++;
+            shmin = slapi_ch_smprintf("%lld", shadowval);
         }
-    } else {
-        mod_num++;
-        shmin = slapi_ch_smprintf("%lld", shadowval);
     }
 
     /* shadowMax - the maximum number of days for which the user password remains valid. */
-    if (pwpolicy->pw_maxage > 0) {
+    shadowval = -1;
+    if (pwpolicy->pw_exp == 1 && pwpolicy->pw_maxage > 0) {
         shadowval = pwpolicy->pw_maxage / _SEC_PER_DAY;
         if (shadowval > _MAX_SHADOW) {
             shadowval = _MAX_SHADOW;
         }
-    } else {
-        shadowval = _MAX_SHADOW;
     }
-    shmax = slapi_entry_attr_get_charptr(*e, "shadowMax");
-    if (shmax) {
-        sval = strtoll(shmax, NULL, 0);
-        if (sval != shadowval) {
-            slapi_ch_free_string(&shmax);
-            shmax = slapi_ch_smprintf("%lld", shadowval);
+    if (shadowval > 0) {
+        shmax = slapi_entry_attr_get_charptr(*e, "shadowMax");
+        if (shmax) {
+            sval = strtoll(shmax, NULL, 0);
+            if (sval != shadowval) {
+                slapi_ch_free_string(&shmax);
+                shmax = slapi_ch_smprintf("%lld", shadowval);
+                mod_num++;
+            }
+        } else {
             mod_num++;
+            shmax = slapi_ch_smprintf("%lld", shadowval);
         }
-    } else {
-        mod_num++;
-        shmax = slapi_ch_smprintf("%lld", shadowval);
     }
 
     /* shadowWarning - the number of days of advance warning given to the user before the user password expires. */
-    if (pwpolicy->pw_warning > 0) {
+    shadowval = -1;
+    if (pwpolicy->pw_exp == 1 && pwpolicy->pw_warning > 0) {
         shadowval = pwpolicy->pw_warning / _SEC_PER_DAY;
         if (shadowval > _MAX_SHADOW) {
             shadowval = _MAX_SHADOW;
         }
-    } else {
-        shadowval = 0;
     }
-    shwarn = slapi_entry_attr_get_charptr(*e, "shadowWarning");
-    if (shwarn) {
-        sval = strtoll(shwarn, NULL, 0);
-        if (sval != shadowval) {
-            slapi_ch_free_string(&shwarn);
-            shwarn = slapi_ch_smprintf("%lld", shadowval);
+    if (shadowval > 0) {
+        shwarn = slapi_entry_attr_get_charptr(*e, "shadowWarning");
+        if (shwarn) {
+            sval = strtoll(shwarn, NULL, 0);
+            if (sval != shadowval) {
+                slapi_ch_free_string(&shwarn);
+                shwarn = slapi_ch_smprintf("%lld", shadowval);
+                mod_num++;
+            }
+        } else {
             mod_num++;
+            shwarn = slapi_ch_smprintf("%lld", shadowval);
         }
-    } else {
-        mod_num++;
-        shwarn = slapi_ch_smprintf("%lld", shadowval);
     }
 
     smods = slapi_mods_new();
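Review bot: A policy value shorter than one day is silently dropped by the new `if (shadowval > 0)` guards. In the shadowMax block, `pwpolicy->pw_maxage / _SEC_PER_DAY` truncates to 0 (assuming `_SEC_PER_DAY` is the number of seconds in a day), and the guard then treats that 0 like the `-1` "no policy" marker. A client that takes expiry from the shadow attributes would then see no shadowMax, or a stale one already stored in the entry, while the server still expires the password; the shadowMin and shadowWarning guards behave the same way. If sub-day values are supported, test the marker itself with `if (shadowval >= 0)`, and decide whether shadowMax should round up with `(pwpolicy->pw_maxage + _SEC_PER_DAY - 1) / _SEC_PER_DAY` rather than report 0. The function starts before and continues after this hunk, so how `shmin`, `shmax` and `shwarn` are consumed is not visible here.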
-- 
2.9.3