[krbdev.mit.edu #8861] git commit
Greg Hudson via RT
rt at KRBDEV-PROD-APP-1.mit.edu
Mon Jan 27 10:32:52 EST 2020
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8861 >
Fix LDAP policy enforcement of pw_expiration
In the LDAP backend, the change mask is used to determine what LDAP
attributes to update. As a result, password expiration was not set
from policy when running during addprinc, among other issues.
However, when the mask did not contain KADM5_PRINCIPAL, pw_expiration
would be applied regardless, which meant that (for instance) changing
the password would cause the password application to be applied.
Remove the check for KADM5_PRINCIPAL, and fix the mask to contain
KADM5_PW_EXPIRATION where appropriate. Add a regression test to
t_kdb.py.
[ghudson at mit.edu: also set KADM5_ATTRIBUTES for randkey and setkey
since they both unset KRB5_KDB_REQUIRES_PWCHANGE; edited comments and
commit message]
(cherry picked from commit 6b004dd5739bded71be4290c11e7ac3a816c7e09)
https://github.com/krb5/krb5/commit/90a13e6d9763c510339c7a40fbc4ecb30041f421
Author: Robbie Harwood <rharwood at redhat.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: 90a13e6d9763c510339c7a40fbc4ecb30041f421
Branch: krb5-1.17
src/lib/kadm5/srv/svr_principal.c | 92 +++++++++-----------
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 13 ---
src/tests/t_kdb.py | 17 ++++
3 files changed, 60 insertions(+), 62 deletions(-)
More information about the krb5-bugs
mailing list