Bug 489379 - passwordExpirationTime in entry being added
collides with passwordMustChange policy
https://bugzilla.redhat.com/show_bug.cgi?id=489379
Description:
If we have passwordMustChange policy enabled and try to add an entry
that already contains a passwordExpirationTime attribute, then the
passwordMustChange code will insert another passwordExpirationTime
attribute with the magic 19700101000000Z value. This won't work
because passwordExpirationTime is single-valued:
ldap_add: Object class violation
ldap_add: additional info: single-valued attribute "passwordExpirationTime"
has multiple values
We need to pick one passwordExpirationTime value to "win". I think
it makes sense for the value that exists in the entry being added
to win, but I'm open to discussion if it's felt that would violate
the password policy.
To make the existing passwordExpirationTime value win, in
add_password_attrs() in pw.c I think the logic can be changed so
the scan for passwordExpirationTime happens unconditionally and
then leaves it untouched even if pwpolicy->pw_must_change is set.
This patch has been submitted by Ulf Weltman (ulf.weltman@hp.com).
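The collision and the proposed fix, as an added illustration that is not the 389 Directory Server's own pw.c code: the entry type, add_value(), count_values() and the two add_password_attrs_*() variants are constructed stand-ins for the real Slapi_Entry API, and the "before" variant models only the behaviour the report describes (the magic value is appended whenever pw_must_change is set).

```c
#include <string.h>

/* Constructed stand-in for a directory entry: a flat list of
 * attribute/value pairs, not the server's Slapi_Entry. */
#define MAX_ATTRS 16
typedef struct { const char *type; const char *value; } attr_t;
typedef struct { attr_t attrs[MAX_ATTRS]; int count; } entry_t;

static const char *PW_EXP = "passwordExpirationTime";
/* Magic "must change at next bind" value quoted in the bug report. */
static const char *MUST_CHANGE_MAGIC = "19700101000000Z";

/* Number of values the entry carries for one attribute type. */
int count_values(const entry_t *e, const char *type) {
    int n = 0;
    for (int i = 0; i < e->count; i++)
        if (strcmp(e->attrs[i].type, type) == 0) n++;
    return n;
}

/* Append a value; returns 0 when the fixed-size entry is full. */
int add_value(entry_t *e, const char *type, const char *value) {
    if (e->count >= MAX_ATTRS) return 0;
    e->attrs[e->count].type = type;
    e->attrs[e->count].value = value;
    e->count++;
    return 1;
}

/* Behaviour described in the bug: with pw_must_change set the magic
 * value is appended without checking what the entry already holds, so
 * an entry that arrived with passwordExpirationTime ends up with two
 * values and fails the single-valued schema check on the way in. */
void add_password_attrs_before(entry_t *e, int pw_must_change) {
    if (pw_must_change) add_value(e, PW_EXP, MUST_CHANGE_MAGIC);
}

/* Proposed logic: scan for the attribute unconditionally and leave an
 * existing value alone; the magic value is added only when absent. */
void add_password_attrs_after(entry_t *e, int pw_must_change) {
    if (count_values(e, PW_EXP) > 0) return; /* existing value wins */
    if (pw_must_change) add_value(e, PW_EXP, MUST_CHANGE_MAGIC);
}

/* The single-valued check the server applies to the incoming entry;
 * a nonzero result corresponds to the "Object class violation" above. */
int violates_single_valued(const entry_t *e) {
    return count_values(e, PW_EXP) > 1;
}
```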