Univention Bugzilla – Bug 47516
shadowLastChange=0 in shadowbind LDAP overlay is not respected
Last modified: 2020-06-22 13:33:44 CEST
Related to Bug #45957: the shadow LDAP overlay currently only checks "shadowMax + shadowLastChange > now" for "password expired". We should add a check for shadowLastChange == 0; in this case the password is also expired (regardless of shadowMax).
diff --git contrib/slapd-modules/shadowbind/shadowbind.c contrib/slapd-modules/shadowbind/shadowbind.c index b04200e..5a385e1 100644 --- contrib/slapd-modules/shadowbind/shadowbind.c +++ contrib/slapd-modules/shadowbind/shadowbind.c @@ -251,7 +251,7 @@ shadowbind_bind_response ( Operation *op, SlapReply *rs ) if ( lastChange ) { if ( now == 0 ) now = time(NULL) / 3600 / 24; - if ( now - lastChange > max ) { + if ( lastChange == 0l || now - lastChange > max ) { send_ldap_error( op, rs, LDAP_INVALID_CREDENTIALS, "password expired" ); ret = rs->sr_err; goto done;
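Review bot: the added `lastChange == 0l` test is placed inside the enclosing `if ( lastChange ) {` guard shown in the context, so with lastChange equal to 0 the block is never entered and the new condition cannot be true. As written, shadowLastChange=0 still binds without "password expired". The zero case needs to be handled outside that guard, or the guard needs to test whether the attribute was present rather than whether its value is non-zero, so that "attribute missing" and "value 0" are told apart. A smaller style point on the same line: the lowercase suffix in `0l` is easy to misread as `01`; plain `0` or `0L` is clearer.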