Bug 47516 - shadowLastChange=0 in shadowbind LDAP overlay is not respected
Summary: shadowLastChange=0 in shadowbind LDAP overlay is not respected
Status: NEW
Alias: None
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 5.0
Hardware: Other Linux
: P5 normal
Target Milestone: ---
Assignee: UCS maintainers
QA Contact: UCS maintainers
URL:
Keywords:
Depends on: 45957
Blocks: 47518
  Show dependency treegraph
 
Reported: 2018-08-09 09:55 CEST by Felix Botner
Modified: 2020-06-22 13:33 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:
best: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2018-08-09 09:55:28 CEST 
related to Bug #45957

the shadow ldap overlay currently only checks "shadowMax + shadowLastChange > now for "password expired".

We should at a check for shadowLastChange == 0, in this case the password also expired (regardless of shadowMax).
Comment 1 Florian Best univentionstaff 2020-06-22 13:32:34 CEST 
diff --git contrib/slapd-modules/shadowbind/shadowbind.c contrib/slapd-modules/shadowbind/shadowbind.c
index b04200e..5a385e1 100644
--- contrib/slapd-modules/shadowbind/shadowbind.c
+++ contrib/slapd-modules/shadowbind/shadowbind.c
@@ -251,7 +251,7 @@ shadowbind_bind_response ( Operation *op, SlapReply *rs )
                                if ( lastChange ) {
                                        if ( now == 0 )
                                                now = time(NULL) / 3600 / 24;
-                                       if ( now - lastChange > max ) {
+                                       if ( lastChange == 0l || now - lastChange > max ) {
                                                send_ldap_error( op, rs, LDAP_INVALID_CREDENTIALS, "password expired" );
                                                ret = rs->sr_err;
                                                goto done;