krb5 commit: Stop loading policy for pw_expiration in LDAP

Greg Hudson ghudson at MIT.EDU
Wed Jan 9 15:41:43 EST 2013 

https://github.com/krb5/krb5/commit/090f561c631db7e4970b71cbe1426d636c39c77a
commit 090f561c631db7e4970b71cbe1426d636c39c77a
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Jan 7 15:22:26 2013 -0500

    Stop loading policy for pw_expiration in LDAP
    
    populate_krb5_db_entry() performs a subsidiary LDAP search to load the
    password policy, which it uses to update the pw_expiration field.
    This has some minimal value (it causes pw_expiration values in
    principals to auto-update whenever the pw_max_life field of a policy
    changes), but it's complicated, expensive, and inconsistent with the
    DB2 back end.  Get rid of it.
    
    ticket: 7535 (new)

 src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c |   24 ------------------------
 1 files changed, 0 insertions(+), 24 deletions(-)

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 5252ab4..aba9e8e 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -1817,30 +1817,6 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
     if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
         goto cleanup;
 
-    /* We already know that the policy is inside the realm container. */
-    if (polname) {
-        osa_policy_ent_t   pwdpol;
-        krb5_timestamp     last_pw_changed;
-        krb5_ui_4          pw_max_life;
-
-        memset(&pwdpol, 0, sizeof(pwdpol));
-
-        if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol)) != 0)
-            goto cleanup;
-        pw_max_life = pwdpol->pw_max_life;
-        krb5_ldap_free_password_policy(context, pwdpol);
-
-        if (pw_max_life > 0) {
-            if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
-                goto cleanup;
-
-            if (mask & KDB_PWD_EXPIRE_TIME_ATTR) {
-                if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
-                    entry->pw_expiration = last_pw_changed + pw_max_life;
-            } else
-                entry->pw_expiration = last_pw_changed + pw_max_life;
-        }
-    }
     /* XXX so krb5_encode_princ_contents() will be happy */
     entry->len = KRB5_KDB_V1_BASE_LENGTH;

More information about the cvs-krb5 mailing list