ITS#5766

diff --git a/CHANGES b/CHANGES
index 0f62b69917e7dfbc9a46163a5c4a2905e42590be..acbc00d086bc25829219a04fa80fa733e27f93c5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -41,6 +41,7 @@ OpenLDAP 2.4.13 Engineering
        Added slapo-translucent support for PasswordModify exop (ITS#5656)
        Fixed tools simple bind without SASL (ITS#5753)
        Fixed tools unaligned BerElement (ITS#5770)
+       Added contrib smbk5pwd honor principal expiration (ITS#5766)
        Build Environment
                Added ldapurl command
                Added slapd GSSAPI refactoring (ITS#5369)

diff --git a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
index 32f2733f98669e9e7e61d68531af17f153fc5ab3..4690c46705a568fdfa476aaa853a5c9809c4ab02 100644 (file)
--- a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
+++ b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
@@ -59,6 +59,7 @@ static HDB *db;
 static AttributeDescription *ad_krb5Key;
 static AttributeDescription *ad_krb5KeyVersionNumber;
 static AttributeDescription *ad_krb5PrincipalName;
+static AttributeDescription *ad_krb5ValidEnd;
 static ObjectClass *oc_krb5KDCEntry;
 #endif
 
@@ -273,9 +274,9 @@ static int k5key_chk(
        int rc;
        Entry *e;
        Attribute *a;
-    krb5_error_code ret;
-    krb5_keyblock key;
-    krb5_salt salt;
+       krb5_error_code ret;
+       krb5_keyblock key;
+       krb5_salt salt;
        hdb_entry ent;
 
        /* Find our thread context, find our Operation */
@@ -300,6 +301,19 @@ static int k5key_chk(
                memset( &ent, 0, sizeof(ent) );
                ret = krb5_parse_name(context, a->a_vals[0].bv_val, &ent.principal);
                if ( ret ) break;
+
+               a = attr_find( e->e_attrs, ad_krb5ValidEnd );
+               if (a) {
+                       struct lutil_tm tm;
+                       struct lutil_timet tt;
+                       if ( lutil_parsetime( a->a_vals[0].bv_val, &tm ) == 0 &&
+                               lutil_tm2time( &tm, &tt ) == 0 && tt.tt_usec < op->o_time ) {
+                               /* Account is expired */
+                               rc = LUTIL_PASSWD_ERR;
+                               break;
+                       }
+               }
+
                krb5_get_pw_salt( context, ent.principal, &salt );
                krb5_free_principal( context, ent.principal );
 
@@ -840,6 +854,7 @@ smbk5pwd_modules_init( smbk5pwd_t *pi )
                { "krb5Key",                    &ad_krb5Key },
                { "krb5KeyVersionNumber",       &ad_krb5KeyVersionNumber },
                { "krb5PrincipalName",          &ad_krb5PrincipalName },
+               { "krb5ValidEnd",               &ad_krb5ValidEnd },
                { NULL }
        },
 #endif /* DO_KRB5 */
@@ -908,7 +923,7 @@ smbk5pwd_modules_init( smbk5pwd_t *pi )
                        char *err_str, *err_msg = "<unknown error>";
                        err_str = krb5_get_error_string( context );
                        if (!err_str)
-                               err_msg = krb5_get_err_text( context, ret );
+                               err_msg = (char *)krb5_get_err_text( context, ret );
                        Debug( LDAP_DEBUG_ANY, "smbk5pwd: "
                                "unable to initialize krb5 admin context: %s (%d).\n",
                                err_str ? err_str : err_msg, ret, 0 );