REVIEW:UF_LOCKOUT dsdb: reset badPwdCount and and remove lockoutTime on password...
authorAndrew Bartlett <abartlet@samba.org>
Mon, 4 Nov 2013 08:37:45 +0000 (21:37 +1300)
committerStefan Metzmacher <metze@samba.org>
Fri, 21 Mar 2014 14:35:58 +0000 (15:35 +0100)
Change-Id: I93dec072012773364d2e60fdf32f50f7775ef577
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
REVIEW: "lockoutTime" NULL vs. 0
REVIEW: ACB_AUTOLOCK|ACB_PW_EXPIRED vs. UF_LOCKOUT|UF_PASSWORD_EXPIRED
REVIEW: should this be implicitly done when verifying the old password?
REVIEW: don't we need everything from authsam_zero_bad_pwd_count()?

source4/dsdb/samdb/ldb_modules/password_hash.c

index 1dee6af8f39f118bd80fa68ff8c173989b074f5b..177d7fd21733a8c7b16eca7f1896a812edf5eb5d 100644 (file)
@@ -3431,6 +3431,17 @@ static int password_hash_mod_do_mod(struct ph_context *ac)
        ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
        ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
 
+       if (!io.ac->pwd_reset) {
+               /*
+                * If it's not a password reset, the client provided the correct
+                * old password, so we reset "lockoutTime".
+                */
+               ret = ldb_msg_add_empty(msg, "lockoutTime", LDB_FLAG_MOD_REPLACE, NULL);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+       }
+
        if (io.g.nt_hash) {
                ret = samdb_msg_add_hash(ldb, ac, msg,
                                         "unicodePwd", io.g.nt_hash);
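Review bot: The added `if (!io.ac->pwd_reset)` block clears `lockoutTime` on the strength of its comment's claim that the client supplied the correct old password, but the condition only establishes that the operation is not a reset. If any non-reset path can reach password_hash_mod_do_mod() without a successful old-password comparison, an account lockout would be lifted without proof of knowledge of the password. I would state the assumption as an invariant next to the check, e.g. `/* Invariant: for !pwd_reset the old password has already been verified; otherwise this would undo an account lockout. */`, and confirm it against the callers. Separately, the two context calls just above assign `ret` from ldb_msg_add_empty() for "supplementalCredentials" and "pwdLastSet" and never test it, unlike the new block; adding `if (ret != LDB_SUCCESS) return ret;` after each would stop a failed replace of a credential attribute from being overwritten silently. The function body starts and ends outside the hunk.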