From 96ad7ec4fa84dd32439e3473c0128612dd5f9d49 Mon Sep 17 00:00:00 2001

From: Noriko Hosoi <nhosoi@redhat.com>

Date: Wed, 11 Jan 2017 15:04:42 -0800

Subject: [PATCH 62/67] Ticket #49082 - Fix password expiration related shadow

 attributes

The original patch was provided by Gordon Messmer (gordon.messmer@gmail.com)

with the description:

  Bug description:

  Shadow attributes (in /etc/shadow and in LDAP) are typically unset when no

  policy is in place. 389-ds will incorrectly return values (possibly set to 0)

  when there is no policy.

  Fix description:

  Only auto-fill shadow attributes when a password policy is available.  These

  are empty when no policy is in place.

  Don't auto-fill expiration related shadow attributes if passwords never expire.

Reviewed by William Brown <wibrown@redhat.com> (Thanks!!).

(cherry picked from commit 5bcd966b73708f6b558f01e6b11a7a11e8d3b126)

(cherry picked from commit faae0fa5a4a6b3d590c1a9e068d9436965cc49c9)

---

 ldap/servers/slapd/pw.c | 74 +++++++++++++++++++++++++------------------------

 1 file changed, 38 insertions(+), 36 deletions(-)

diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c

index ce1ca2a..30a2cb9 100644

--- a/ldap/servers/slapd/pw.c

+++ b/ldap/servers/slapd/pw.c

@@ -2802,7 +2802,7 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e)

 {

     const char *dn = NULL;

     passwdPolicy *pwpolicy = NULL;

-    long long shadowval = 0;

+    long long shadowval = -1;

     Slapi_Mods *smods = NULL;

     LDAPMod **mods;

     long long sval;

@@ -2840,64 +2840,66 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e)

         if (shadowval > _MAX_SHADOW) {

             shadowval = _MAX_SHADOW;

         }

-    } else {

-        shadowval = 0;

     }

-    shmin = slapi_entry_attr_get_charptr(*e, "shadowMin");

-    if (shmin) {

-        sval = strtoll(shmin, NULL, 0);

-        if (sval != shadowval) {

-            slapi_ch_free_string(&shmin);

-            shmin = slapi_ch_smprintf("%lld", shadowval);

+    if (shadowval > 0) {

+        shmin = slapi_entry_attr_get_charptr(*e, "shadowMin");

+        if (shmin) {

+            sval = strtoll(shmin, NULL, 0);

+            if (sval != shadowval) {

+                slapi_ch_free_string(&shmin);

+                shmin = slapi_ch_smprintf("%lld", shadowval);

+                mod_num++;

+            }

+        } else {

             mod_num++;

+            shmin = slapi_ch_smprintf("%lld", shadowval);

         }

-    } else {

-        mod_num++;

-        shmin = slapi_ch_smprintf("%lld", shadowval);

     }

     /* shadowMax - the maximum number of days for which the user password remains valid. */

-    if (pwpolicy->pw_maxage > 0) {

+    shadowval = -1;

+    if (pwpolicy->pw_exp == 1 && pwpolicy->pw_maxage > 0) {

         shadowval = pwpolicy->pw_maxage / _SEC_PER_DAY;

         if (shadowval > _MAX_SHADOW) {

             shadowval = _MAX_SHADOW;

         }

-    } else {

-        shadowval = _MAX_SHADOW;

     }

-    shmax = slapi_entry_attr_get_charptr(*e, "shadowMax");

-    if (shmax) {

-        sval = strtoll(shmax, NULL, 0);

-        if (sval != shadowval) {

-            slapi_ch_free_string(&shmax);

-            shmax = slapi_ch_smprintf("%lld", shadowval);

+    if (shadowval > 0) {

+        shmax = slapi_entry_attr_get_charptr(*e, "shadowMax");

+        if (shmax) {

+            sval = strtoll(shmax, NULL, 0);

+            if (sval != shadowval) {

+                slapi_ch_free_string(&shmax);

+                shmax = slapi_ch_smprintf("%lld", shadowval);

+                mod_num++;

+            }

+        } else {

             mod_num++;

+            shmax = slapi_ch_smprintf("%lld", shadowval);

         }

-    } else {

-        mod_num++;

-        shmax = slapi_ch_smprintf("%lld", shadowval);

     }

     /* shadowWarning - the number of days of advance warning given to the user before the user password expires. */

-    if (pwpolicy->pw_warning > 0) {

+    shadowval = -1;

+    if (pwpolicy->pw_exp == 1 && pwpolicy->pw_warning > 0) {

         shadowval = pwpolicy->pw_warning / _SEC_PER_DAY;

         if (shadowval > _MAX_SHADOW) {

             shadowval = _MAX_SHADOW;

         }

-    } else {

-        shadowval = 0;

     }

-    shwarn = slapi_entry_attr_get_charptr(*e, "shadowWarning");

-    if (shwarn) {

-        sval = strtoll(shwarn, NULL, 0);

-        if (sval != shadowval) {

-            slapi_ch_free_string(&shwarn);

-            shwarn = slapi_ch_smprintf("%lld", shadowval);

+    if (shadowval > 0) {

+        shwarn = slapi_entry_attr_get_charptr(*e, "shadowWarning");

+        if (shwarn) {

+            sval = strtoll(shwarn, NULL, 0);

+            if (sval != shadowval) {

+                slapi_ch_free_string(&shwarn);

+                shwarn = slapi_ch_smprintf("%lld", shadowval);

+                mod_num++;

+            }

+        } else {

             mod_num++;

+            shwarn = slapi_ch_smprintf("%lld", shadowval);

         }

-    } else {

-        mod_num++;

-        shwarn = slapi_ch_smprintf("%lld", shadowval);

     }

     smods = slapi_mods_new();

-- 

2.9.3