freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#2795 Disabling password expiration (--maxlife=0 and --minlife=0) in the default global_policy in IPA sets user's password expiration (krbPasswordExpiration) to be 90 days

Created 5 years ago by dpal
Modified 8 months ago

https://bugzilla.redhat.com/show_bug.cgi?id=826790 (Red Hat Enterprise Linux 6)

Description of problem:

Disabling password expiration (--maxlife=0 and --minlife=0) in the default
global_policy in IPA sets user's password expiration (krbPasswordExpiration) to
be 90 days

Version-Release number of selected component (if applicable):

ipa-server-2.1.3-9.el6

How reproducible:

100% (always)

Steps to Reproduce:
1. Set maxlife and minlife to 0
2. Reset user's password
3. Confirm krbPasswordExpiration attibute is set to 90 days from now

Below is the reproducer.

[root@ipaserver ~]# ipa pwpolicy-find
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600
----------------------------
Number of entries returned 1
----------------------------
[root@ipaserver ~]# ipa pwpolicy-mod --maxlife=0 --minlife=0 global_policy
  Group: global_policy
  Max lifetime (days): 0
  Min lifetime (hours): 0
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

[root@ipaserver ~]# ldapsearch -x -LLL -D "cn=Directory Manager" -w directory
"cn=global_policy"
dn: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
krbMaxPwdLife: 0
krbMinPwdLife: 0
objectClass: top
objectClass: nsContainer
objectClass: krbPwdPolicy
krbPwdMinDiffChars: 0
krbPwdMinLength: 8
krbPwdHistoryLength: 0
krbPwdMaxFailure: 6
krbPwdFailureCountInterval: 60
krbPwdLockoutDuration: 600
cn: global_policy

[root@ipaserver ~]# ipa user-add --first=foo --last=bar --password
User login [fbar]:
Password:
Enter Password again to verify:
-----------------
Added user "fbar"
-----------------
  User login: fbar
  First name: foo
  Last name: bar
  Full name: foo bar
  Display name: foo bar
  Initials: fb
  Home directory: /home/fbar
  GECOS field: foo bar
  Login shell: /bin/sh
  Kerberos principal: fbar@EXAMPLE.COM
  UID: 917000004
  GID: 917000004
  Keytab: True
  Password: True

[root@ipaserver ~]# ldapsearch -x -LLL -D "cn=Directory Manager" -w directory
"uid=fbar" krbPasswordExpiration
dn: uid=fbar,cn=users,cn=compat,dc=example,dc=com

dn: uid=fbar,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20120531001210Z

[root@ipaserver ~]# kinit fbar
Password for fbar@EXAMPLE.COM:
Password expired.  You must change it now.
Enter new password:
Enter it again:
[root@ipaserver ~]# ldapsearch -x -LLL -D "cn=Directory Manager" -w directory
"uid=fbar" krbPasswordExpiration
dn: uid=fbar,cn=users,cn=compat,dc=example,dc=com

dn: uid=fbar,cn=users,cn=accounts,dc=example,dc=com
krbPasswordExpiration: 20120829001427Z



Actual results:

Password expires in 90 days.

Expected results:

Password does not expire.

Additional info:

Releasing tickets from distant milestones.

I tracked down the source of this behavior, which I'm posting here to preserve for posterity.

So, in daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c, when you update password, the expiration time appears to be set in the function ipapwd_CheckPolicy on line 631, which looks like

    data->expireTime = data->timeNow + pol.max_pwd_life;

So the bug has to be in how pol.max_pwd_life gets is value. So I check around, pol is initialized like this:

    struct ipapwd_policy pol = {0};
    ...
    pol.max_pwd_life = IPAPWD_DEFAULT_PWDLIFE;

And IPAPWD_DEFAULT_PWDLIFE is a constant 90 days.

But then the actual value of max_pwd_life is obtained by passing pol into the function ipapwd_getPolicy on line 577 or 590, depending on the password change type.

Inside of ipapwd_getPolicy, there's a couple of lines starting at line 393

    tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");
    if (tmpint != 0) {
        policy->max_pwd_life = tmpint;
    }:

Which sets the max password life to the returned value, unless this function returns 0. However, the documentation from /usr/include/dirsrv/slapi-plugin.h says that that function, slapi_entry_attr_get_int, returns 0 if the entry does not contain that attribute. So, since the value 0 is returned, an error is assumed to have occurred that member of the struct is left untouched... which means it's still set to the value it was set to when it was initialized, 90 days.

So, when the expireTime is set at line 631, it's set to 90 days because the value returned by slapi_entry_attr_get_int is 0.

Also, see thread [Freeipa-devel] Password Maxlife 0 causes expiration of 90 days for details.

AD itself treats "0" as infinity, we may want to choose the same semantics.

Increasing priority. It's required by higher number of users.

master:

  • d2cb9ed Allow unexpiring passwords
8 months ago

Metadata Update from @dpal:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.4

Login to comment on this ticket.

defect

IPA

1

wanted

https://bugzilla.redhat.com/show_bug.cgi?id=826790

mkubik

cancel