[krbdev.mit.edu #8861] git commit
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Tue Jan 7 18:44:05 EST 2020
Tue Jan 07 18:44:05 2020: Request 8861 was acted upon.
Transaction: Ticket created by ghudson at mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson at mit.edu
Requestors:
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8861 >
Fix LDAP policy enforcement of pw_expiration
In the LDAP backend, the change mask is used to determine what LDAP
attributes to update. As a result, password expiration was not set
from policy when running during addprinc, among other issues.
However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration
would be applied regardless, which meant that (for instance) changing
the password would cause the password application to be applied.
Remove the check for KADM5_PRINCIPAL, and fix the mask to contain
KADM5_PW_EXPIRATION where appropriate. Add a regression test to
t_kdb.py.
[ghudson at mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey
since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and
commit message]
https://github.com/krb5/krb5/commit/6b004dd5739bded71be4290c11e7ac3a816c7e09
Author: Robbie Harwood <rharwood at redhat.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: 6b004dd5739bded71be4290c11e7ac3a816c7e09
Branch: master
src/lib/kadm5/srv/svr_principal.c | 92 +++++++++-----------
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 13 ---
src/tests/t_kdb.py | 17 ++++
3 files changed, 60 insertions(+), 62 deletions(-)
More information about the krb5-bugs
mailing list