_UF_TRUST_ACCOUNTS \
)
+
+/*
+ * Returns the Effective-MaximumPasswordAge for a user
+ */
+static int64_t get_user_max_pwd_age(struct ldb_module *module,
+ struct ldb_message *user_msg,
+ struct ldb_request *parent,
+ struct ldb_dn *nc_root)
+{
+ int ret;
+ struct ldb_message *pso = NULL;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+
+ /* if a PSO applies to the user, use its maxPwdAge */
+ ret = get_pso_for_user(module, user_msg, parent, &pso);
+ if (ret != LDB_SUCCESS) {
+
+ /* log the error, but fallback to the domain default */
+ DBG_ERR("Error retrieving PSO for %s\n",
+ ldb_dn_get_linearized(user_msg->dn));
+ }
+
+ if (pso != NULL) {
+ return ldb_msg_find_attr_as_int64(pso,
+ "msDS-MaximumPasswordAge", 0);
+ }
+
+ /* otherwise return the default domain value */
+ return samdb_search_int64(ldb, user_msg, 0, nc_root, "maxPwdAge", NULL);
+}
+
/*
calculate msDS-UserPasswordExpiryTimeComputed
*/
static NTTIME get_msds_user_password_expiry_time_computed(struct ldb_module *module,
struct ldb_message *msg,
+ struct ldb_request *parent,
struct ldb_dn *domain_dn)
{
int64_t pwdLastSet, maxPwdAge;
* maxPwdAge: -9223372036854775808 (-0x8000000000000000ULL)
*
*/
- maxPwdAge = samdb_search_int64(ldb_module_get_ctx(module), msg, 0,
- domain_dn, "maxPwdAge", NULL);
+ maxPwdAge = get_user_max_pwd_age(module, msg, parent, domain_dn);
if (maxPwdAge >= -864000000000) {
/*
* This is not really possible...
if (!(userAccountControl & _UF_NO_EXPIRY_ACCOUNTS)) {
NTTIME must_change_time
= get_msds_user_password_expiry_time_computed(module,
- msg, nc_root);
+ msg,
+ parent,
+ nc_root);
/* check for expired password */
if (must_change_time < now) {
msDS_User_Account_Control_Computed |= UF_PASSWORD_EXPIRED;
password_expiry_time
= get_msds_user_password_expiry_time_computed(module, msg,
- nc_root);
+ parent, nc_root);
return samdb_msg_add_int64(ldb,
msg->elements, msg,
"msDS-PasswordSettingsPrecedence",
"objectGUID",
"msDS-LockoutDuration",
+ "msDS-MaximumPasswordAge",
NULL
};
static const char *user_password_expiry_time_computed_attrs[] =
{
"pwdLastSet",
+ PSO_ATTR_DEPENDENCIES,
NULL
};