From 22d1392a8a0d2887c389dcd78be06104cff88d30 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jun 30 2022 12:34:28 +0000
Subject: Only calculate LDAP password grace when the password is expired


The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

---

diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
index 0860b5c..a3f57cb 100644
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
     Slapi_ValueSet *values = NULL;
     long grace_limit = 0;
     int grace_user_time;
-    char *pwd_expiration = NULL;
+    char *tmpstr = NULL;
+    time_t pwd_expiration;
     int pwresponse_requested = 0;
     Slapi_PBlock *pbtm = NULL;
     Slapi_Mods *smods = NULL;
@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
     }
     slapi_value_free(&objectclass);
 
-    pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
-    if (pwd_expiration == NULL) {
+    tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
+    if (tmpstr == NULL) {
         /* No expiration means nothing to do */
         LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
         goto done;
     }
+    pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
+    if (pwd_expiration > time(NULL)) {
+        /* Not expired, nothing to see here */
+        goto done;
+    }
 
     ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
                                     &values, &actual_type_name,