[Freeipa-devel] [PATCH 0026] Prevent integer overflow when setting krbPasswordExpiration
Simo Sorce
simo at redhat.com
Tue Jan 15 13:48:22 UTC 2013
On Mon, 2013-01-14 at 16:46 +0100, Tomas Babej wrote:
> Hi,
>
> Since Kerberos V5 uses 32-bit unix timestamps, setting
> maxlife in pwpolicy to values such as 9999 days would cause
> an integer overflow in the krbPasswordExpiration attribute.
>
> This would result in unpredictable behaviour such as users
> not being able to log in after password expiration if password
> policy was changed (#3114) or new users not being able to log
> in at all (#3312).
>
> https://fedorahosted.org/freeipa/ticket/3312
> https://fedorahosted.org/freeipa/ticket/3114
Given that we control the KDC LDAP driver I think we should not limit
the time in LDAP but rather 'fix-it-up' for the KDC in the DAL driver.
So I would like to Nack this one, sorry.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
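
The overflow described in the quoted message, next to the saturate-on-read kind of fix-up the reply proposes, as an added example. It is not FreeIPA code: the function names, the clamping bounds and the sample date are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400LL

/* Constructed sample "now": 2013-01-14 00:00:00 UTC. */
#define SAMPLE_NOW 1358121600LL

/* Expiration computed without loss: 64-bit seconds since the epoch. */
int64_t expiry64(int64_t now, uint32_t maxlife_days)
{
    return now + (int64_t)maxlife_days * SECS_PER_DAY;
}

/* What a 32-bit signed timestamp holds if the value is simply truncated.
 * Written with explicit arithmetic so the wrap is well defined in C. */
int32_t truncate32(int64_t t)
{
    uint32_t low = (uint32_t)t; /* keep the low 32 bits */
    if (low > (uint32_t)INT32_MAX)
        return (int32_t)((int64_t)low - 4294967296LL);
    return (int32_t)low;
}

/* Hypothetical consumer-side fix-up: saturate instead of wrapping, so a
 * far-future expiration stays in the future for a 32-bit reader. */
int32_t clamp32(int64_t t)
{
    if (t > INT32_MAX)
        return INT32_MAX;
    if (t < 0)
        return 0;
    return (int32_t)t;
}

int main(void)
{
    uint32_t days[] = { 90, 9999 };
    for (size_t i = 0; i < sizeof days / sizeof days[0]; i++) {
        int64_t e = expiry64(SAMPLE_NOW, days[i]);
        printf("maxlife=%u days: full=%lld truncated=%d clamped=%d\n",
               (unsigned)days[i], (long long)e,
               (int)truncate32(e), (int)clamp32(e));
    }
    return 0;
}
```

With a 9999-day maxlife the truncated value is negative, which a 32-bit reader interprets as a date before 1970, so the password looks long expired; the clamped value stays at the largest representable future time.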