@edvalley edvalley commented Apr 5, 2022

As the title says...
Thanks for your time and your great project

Contributor

jrivard commented Apr 6, 2022

In what case and LDAP vendor does this need to be configurable? Is the chai readPasswordExpirationTime not working? If so we should fix chai, not make an override in PWM... Can you give more background on this issue?

Author

edvalley commented Apr 6, 2022

> In what case and LDAP vendor does this need to be configurable? Is the chai readPasswordExpirationTime not working? If so we should fix chai, not make an override in PWM... Can you give more background on this issue?

FreeIPA uses the attribute krbPasswordExpiration, while chai's readPasswordExpirationTime() uses passwordExpirationTime. It's a generic and simple solution without adding full FreeIPA support to Chai.

Author

edvalley commented Apr 7, 2022

@jrivard: To make this PR really complete, I'll also need to change the code calling chai's isPasswordExpired(). I think you're right, we should fix chai's implementation. FreeIPA uses 389 DS as its LDAP backend, which chai already supports, but some attribute names are specific to FreeIPA. I'll close this PR and open an issue in ldapchai to discuss adding FreeIPA support. Do you think it's the right way to go?

Contributor

jrivard commented Apr 8, 2022

Yes, I think that's a better approach. Each directory varies in more than just the attribute name for this logic: the time syntax can be different, as can other logic.

In this case, the krbPasswordExpiration seems to be a "secondary" attribute, possibly present on all FreeIPA instances, but I don't think it's part of the standard DS389 schema. So my guess would be you probably want both attributes read, and if either is present use it; if both are present, prioritize one or take the largest value... I'm not sure, but from the reading and trials I've done against the FreeIPA demo server that seems like it might work.

Also, I just added a DIRECTORY_SERVER_389 setting template to PwmSetting.xml so we can have appropriate default setting values for DS389 in PWM, and I have fixed the readGUID method in chai to read the nsUniqueId attribute.
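
The "read both attributes, use whichever is present, take the largest value if both are" idea from the comment above, as an added example that is not part of the thread and is not chai or PWM code. The class name, the map-based entry, the plain UTC GeneralizedTime syntax and the sample values are assumptions made for illustration.

```java
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Stream;

public class ExpirationLookup {
    // Attribute names taken from the discussion above.
    static final String[] ATTRS = {"passwordExpirationTime", "krbPasswordExpiration"};
    // Assumption: values use the plain UTC GeneralizedTime form, e.g. 20220708120000Z.
    static final DateTimeFormatter GENERALIZED_TIME =
            DateTimeFormatter.ofPattern("yyyyMMddHHmmss'Z'");

    static Optional<Instant> parse(String raw) {
        if (raw == null || raw.isBlank()) return Optional.empty();
        try {
            return Optional.of(
                    LocalDateTime.parse(raw.trim(), GENERALIZED_TIME).toInstant(ZoneOffset.UTC));
        } catch (DateTimeParseException e) {
            return Optional.empty(); // unreadable value: treat as absent rather than guess
        }
    }

    // If either attribute is present use it; if both are, take the later time.
    static Optional<Instant> expiration(Map<String, String> entry) {
        return Stream.of(ATTRS)
                .map(entry::get)                 // null when the attribute is missing
                .map(ExpirationLookup::parse)
                .flatMap(Optional::stream)
                .max(Instant::compareTo);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2022-04-08T00:00:00Z"); // fixed clock for the demo
        // Constructed sample entries, not data from a real directory.
        List<Map<String, String>> entries = List.of(
                Map.of("krbPasswordExpiration", "20220401000000Z"),
                Map.of("passwordExpirationTime", "20220401000000Z",
                       "krbPasswordExpiration", "20220708120000Z"),
                Map.of("uid", "demo"));
        for (Map<String, String> e : entries) {
            System.out.println(expiration(e)
                    .map(t -> t + " expired=" + t.isBefore(now))
                    .orElse("no expiration attribute"));
        }
    }
}
```

Taking the later of the two values means a stale attribute with a later date masks an expired password, so the choice between "largest value" and "prioritize one" decides whether the check fails open or closed.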

jrivard closed this Apr 8, 2022