ITS#9156 Implement pwdGraceExpiry

Ondřej Kuzník 2019-10-24 13:43:34 +01:00
parent 79728709e9
commit f60e41bc14


@ -78,6 +78,8 @@ typedef struct pass_policy {
int pwdMinLength; /* minimum number of chars in password */
int pwdExpireWarning; /* number of seconds that warning controls are
sent before a password expires */
int pwdGraceExpiry; /* number of seconds after expiry grace logins are
valid */
int pwdGraceAuthNLimit; /* number of times you can log in with an
expired password */
int pwdLockout; /* 0 = do not lockout passwords, 1 = lock them out */
@ -719,6 +721,9 @@ ppolicy_get( Operation *op, Entry *e, PassPolicy *pp )
if ( ( a = attr_find( pe->e_attrs, ad_pwdMaxRecordedFailure ) )
&& lutil_atoi( &pp->pwdMaxRecordedFailure, a->a_vals[0].bv_val ) != 0 )
goto defaultpol;
if ( ( a = attr_find( pe->e_attrs, ad_pwdGraceExpiry ) )
&& lutil_atoi( &pp->pwdGraceExpiry, a->a_vals[0].bv_val ) != 0 )
goto defaultpol;
if ( ( a = attr_find( pe->e_attrs, ad_pwdGraceAuthNLimit ) )
&& lutil_atoi( &pp->pwdGraceAuthNLimit, a->a_vals[0].bv_val ) != 0 )
goto defaultpol;
@ -1332,9 +1337,13 @@ ppolicy_bind_response( Operation *op, SlapReply *rs )
grace:
if (!pwExpired) goto check_expiring_password;
if ((a = attr_find( e->e_attrs, ad_pwdGraceUseTime )) == NULL)
if ( ppb->pp.pwdGraceExpiry &&
now - pwtime > ppb->pp.pwdMaxAge + ppb->pp.pwdGraceExpiry ) {
/* Grace logins have expired now */
ngut = 0;
} else if ((a = attr_find( e->e_attrs, ad_pwdGraceUseTime )) == NULL) {
ngut = ppb->pp.pwdGraceAuthNLimit;
else {
} else {
for(ngut=0; a->a_nvals[ngut].bv_val; ngut++);
ngut = ppb->pp.pwdGraceAuthNLimit - ngut;
}
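Review bot: In the `grace:` block of ppolicy_bind_response, `ppb->pp.pwdMaxAge + ppb->pp.pwdGraceExpiry` adds two policy-supplied values; if pwdMaxAge is an `int` like the pwdGraceExpiry field added in the first hunk, a large pair overflows before the comparison, which is undefined behaviour in the check that decides whether an expired password may still bind. Keeping the arithmetic on the time side avoids the sum: `now - pwtime - ppb->pp.pwdMaxAge > ppb->pp.pwdGraceExpiry` (this assumes `now` and `pwtime` are time_t; their declarations are outside the hunk). The ppolicy_get hunk also stores whatever lutil_atoi parses, so a negative pwdGraceExpiry passes the non-zero test here and, presumably, turns grace logins off without any diagnostic. A comment on the struct field saying that 0 means grace logins have no time limit, and that negative values are not expected, would make that contract explicit. The function bodies start and end outside the hunks shown.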