https://bugzilla.redhat.com/show_bug.cgi?id=826790 (Red Hat Enterprise Linux 6)
Description of problem:
Disabling password expiration (--maxlife=0 and --minlife=0) in the default global_policy in IPA sets user's password expiration (krbPasswordExpiration) to be 90 days

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6

How reproducible:
100% (always)

Steps to Reproduce:
1. Set maxlife and minlife to 0
2. Reset user's password
3. Confirm krbPasswordExpiration attribute is set to 90 days from now

Below is the reproducer.

[root@ipaserver ~]# ipa pwpolicy-find
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600
----------------------------
Number of entries returned 1
----------------------------
[root@ipaserver ~]# ipa pwpolicy-mod --maxlife=0 --minlife=0 global_policy
  Group: global_policy
  Max lifetime (days): 0
  Min lifetime (hours): 0
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600
[root@ipaserver ~]# ldapsearch -x -LLL -D "cn=Directory Manager" -w directory "cn=global_policy"
dn: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
krbMaxPwdLife: 0
krbMinPwdLife: 0
objectClass: top
objectClass: nsContainer
objectClass: krbPwdPolicy
krbPwdMinDiffChars: 0
krbPwdMinLength: 8
krbPwdHistoryLength: 0
krbPwdMaxFailure: 6
krbPwdFailureCountInterval: 60
krbPwdLockoutDuration: 600
cn: global_policy

[root@ipaserver ~]# ipa user-add --first=foo --last=bar --password
User login [fbar]:
Password:
Enter Password again to verify:
-----------------
Added user "fbar"
-----------------
  User login: fbar
  First name: foo
  Last name: bar
  Full name: foo bar
  Display name: foo bar
  Initials: fb
  Home directory: /home/fbar
  GECOS field: foo bar
  Login shell: /bin/sh
  Kerberos principal: fbar@EXAMPLE.COM
  UID: 917000004
  GID: 917000004
  Keytab: True
  Password: True
[root@ipaserver ~]# ldapsearch -x -LLL -D "cn=Directory Manager" -w directory "uid=fbar" krbPasswordExpiration
dn: uid=fbar,cn=users,cn=compat,dc=example,dc=com

dn: uid=fbar,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20120531001210Z

[root@ipaserver ~]# kinit fbar
Password for fbar@EXAMPLE.COM:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@ipaserver ~]# ldapsearch -x -LLL -D "cn=Directory Manager" -w directory "uid=fbar" krbPasswordExpiration
dn: uid=fbar,cn=users,cn=compat,dc=example,dc=com

dn: uid=fbar,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20120829001427Z

Actual results:
Password expires in 90 days.

Expected results:
Password does not expire.

Additional info:
Releasing tickets from distant milestones.
I tracked down the source of this behavior, which I'm posting here to preserve for posterity.
So, in daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c, when you update a password, the expiration time appears to be set in the function ipapwd_CheckPolicy on line 631, which looks like

    data->expireTime = data->timeNow + pol.max_pwd_life;

So the bug has to be in how pol.max_pwd_life gets its value. So I check around, pol is initialized like this:

    struct ipapwd_policy pol = {0};
    ...
    pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE;

And IPAPWD_DEFAULT_PWDLIFE is a constant 90 days.

But then the actual value of max_pwd_life is obtained by passing pol into the function ipapwd_getPolicy on line 577 or 590, depending on the password change type.

Inside of ipapwd_getPolicy, there are a couple of lines starting at line 393:

    tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");
    if (tmpint != 0) {
        policy->max_pwd_life = tmpint;
    }

Which sets the max password life to the returned value, unless this function returns 0. However, the documentation from /usr/include/dirsrv/slapi-plugin.h says that that function, slapi_entry_attr_get_int, returns 0 if the entry does not contain that attribute. So, since the value 0 is returned, an error is assumed to have occurred and that member of the struct is left untouched... which means it's still set to the value it was set to when it was initialized, 90 days.

So, when the expireTime is set at line 631, it's set to 90 days because the value returned by slapi_entry_attr_get_int is 0.
Also, see thread [Freeipa-devel] Password Maxlife 0 causes expiration of 90 days for details.
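The sentinel collision described in the comment above, reproduced as an added, self-contained example that is not the plugin's own code: a stand-in for slapi_entry_attr_get_int() that returns 0 both for "attribute absent" and for "attribute present with value 0", the lookup as written (keeps the 90-day default), and a variant that checks presence first so an explicit krbMaxPwdLife of 0 is honoured (in the real plugin a presence check such as slapi_entry_attr_find() would play that role). The entry structure, the 90-day constant and the sample entries are constructed for the example.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Assumed to match the plugin's default: 90 days expressed in seconds. */
#define IPAPWD_DEFAULT_PWDLIFE (90 * 24 * 60 * 60)

struct policy { int max_pwd_life; };

/* Constructed stand-in for an LDAP entry: a list of attribute name/value pairs. */
struct attr { const char *name; const char *value; };
struct entry { const struct attr *attrs; int n; };

static const struct attr *find_attr(const struct entry *e, const char *name) {
    for (int i = 0; i < e->n; i++)
        if (strcmp(e->attrs[i].name, name) == 0) return &e->attrs[i];
    return NULL;
}

/* Mimics slapi_entry_attr_get_int(): 0 for a missing attribute AND for an
 * attribute whose value is 0, so the two cases are indistinguishable. */
static int entry_attr_get_int(const struct entry *e, const char *name) {
    const struct attr *a = find_attr(e, name);
    return a ? atoi(a->value) : 0;
}

/* Lookup as the comment describes it: 0 is taken as "absent", default survives. */
int max_life_as_written(const struct entry *pe) {
    struct policy pol = {0};
    pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE;
    int tmpint = entry_attr_get_int(pe, "krbMaxPwdLife");
    if (tmpint != 0) pol.max_pwd_life = tmpint;
    return pol.max_pwd_life;
}

/* Presence-checked variant: an explicit 0 overrides the default, a missing
 * attribute still falls back to 90 days. */
int max_life_presence_checked(const struct entry *pe) {
    struct policy pol = {0};
    pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE;
    if (find_attr(pe, "krbMaxPwdLife") != NULL)
        pol.max_pwd_life = entry_attr_get_int(pe, "krbMaxPwdLife");
    return pol.max_pwd_life;
}

/* Constructed sample entries: the modified global_policy from the report,
 * and a policy entry that never had the attribute at all. */
static const struct attr zero_attrs[] = { {"krbMaxPwdLife", "0"}, {"krbMinPwdLife", "0"} };
const struct entry global_policy_zero = { zero_attrs, 2 };
const struct entry policy_without_attr = { NULL, 0 };
```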
AD itself treats "0" as infinity, we may want to choose the same semantics.
Increasing priority. It's required by a higher number of users.
master:
Metadata Update from @dpal:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.4