Re: [SSSD] [PATCH] Ignore shadow attributes
On 11/23/2009 09:18 AM, Simo Sorce wrote:
> But the patch looks good.
>
> ACK

Pushed to master

--
Stephen Gallagher
RHCE 804006346421761

___
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] Ignore shadow attributes
On Fri, 2009-11-20 at 21:00 +0100, Sumit Bose wrote:
>
> The attached patch does most of the above. There is no option "auto"
> because I think it might be more confusing than without. Also there is
> no option "ldap_pwd_policy", because if there is a server side policy
> the client cannot ignore it.

I still think that "ldap_pwd_policy" should be added so that you can force the code to use only that and fail if for some reason the ldap server does not support it (admin failed to properly configure one of the servers).

But the patch looks good.

ACK

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [SSSD] [PATCH] Ignore shadow attributes
On Mon, Nov 16, 2009 at 09:23:17AM -0500, Simo Sorce wrote:
> On Mon, 2009-11-16 at 14:06 +0100, Sumit Bose wrote:
> > Hi,
> >
> > this patch should fix #279 by ignoring the shadow attributes by
> > default.
>
> I was thinking about this and I think I don't want to go down this way.
> While automatic discovery of the expiration attributes is nice, I think
> it is an issue.
>
> I would rather see an attribute that overrides
> find_password_expiration_attributes() instead.
>
> This way the admin can force what expiration policy should be used
> regardless of what random attributes may be found.
>
> something like: password_policy_type
> choice of: none, ldap_pwd_policy, mit_kerberos, shadow, auto
>
> so if you don't want anything use
> password_policy_type = none
>
> if you want to use only shadow (even if the server supports
> ldap_pwd_policies) set password_policy_type = shadow
>
> I am unsure if we want to add "auto", that would be the default and use
> the find_password_expiration_attributes() to autodetect what to use.
>
> Thoughts ?
>
> Simo.
>

The attached patch does most of the above. There is no option "auto" because I think it might be more confusing than without. Also there is no option "ldap_pwd_policy", because if there is a server side policy the client cannot ignore it.

bye, Sumit

>From 54edfffe7a41216a2267a57bb68525454dbe85e5 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 16 Nov 2009 13:56:57 +0100 Subject: [PATCH] Add ldap_pwd_policy option --- server/config/SSSDConfig.py |3 + server/config/etc/sssd.api.d/sssd-ldap.conf |1 + server/man/sssd-ldap.5.xml | 33 server/providers/ldap/ldap_auth.c | 114 -- server/providers/ldap/ldap_common.c | 18 - server/providers/ldap/ldap_common.h |4 + server/providers/ldap/sdap.h|1 + 7 files changed, 129 insertions(+), 45 deletions(-) diff --git a/server/config/SSSDConfig.py b/server/config/SSSDConfig.py index 57d39c7..1cbf1a8 100644 --- a/server/config/SSSDConfig.py +++ b/server/config/SSSDConfig.py 
@@ -136,6 +136,9 @@ option_strings = { 'ldap_user_member_of' : _('memberOf attribute'), 'ldap_user_modify_timestamp' : _('Modification time attribute'), +# [provider/ldap/auth] +'ldap_pwd_policy' : _('Policy to evaluate the password expiration'), + # [provider/local/id] 'default_shell' : _('Default shell, /bin/bash'), 'base_directory' : _('Base for home directories'), diff --git a/server/config/etc/sssd.api.d/sssd-ldap.conf b/server/config/etc/sssd.api.d/sssd-ldap.conf index 34aaa65..314f57f 100644 --- a/server/config/etc/sssd.api.d/sssd-ldap.conf +++ b/server/config/etc/sssd.api.d/sssd-ldap.conf @@ -61,6 +61,7 @@ ldap_group_modify_timestamp = str, None ldap_force_upper_case_realm = bool, None [provider/ldap/auth] +ldap_pwd_policy = str, None [provider/ldap/chpass] diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml index a2aa730..d944392 100644 --- a/server/man/sssd-ldap.5.xml +++ b/server/man/sssd-ldap.5.xml @@ -582,6 +582,39 @@ + +ldap_pwd_policy (string) + + +Select the policy to evaluate the password +expiration on the client side. The following values +are allowed: + + +none No evaluation on the +client side. This option cannot disable server side +password policies. + + +shadow use +shadow +5 style +attributes to evaluate if the password is expired. +Please note that the current version of sssd cannot +update this attribute during a password change. + + +mit_kerberos use the attributes +used by MIT Kerberos to evaluate if the password is +expired. Use chpass_provider=krb5 to update these +attributes when the password is changed. + + +Default: none + + + + diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c index a9f03a7..1f86fb0 100644 --- a/server/providers/ldap/ldap_auth.c +++ b/server/providers/ldap/ldap_auth.c @@ -34,6 +34,7 @@ #undef _XOPEN_SOURCE #include #include +#include #include #include @@ -168,16 +169,24 @@ static errno
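Review bot: the sssd-ldap.5.xml hunk documents the values none, shadow and mit_kerberos for ldap_pwd_policy but not what happens when the value is anything else; say whether an unrecognised value is rejected at startup or treated as none. The shadow paragraph should also spell out the consequence of "the current version of sssd cannot update this attribute during a password change": a user whose password is changed through sssd keeps the old last-changed date, so once shadowMax days have passed since that date every login is reported as expired until the attribute is corrected on the server.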
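Review bot: `ldap_pwd_policy = str, None` in the sssd.api.d/sssd-ldap.conf hunk declares a free-form string, so the config schema does not restrict the value to none/shadow/mit_kerberos and the check has to live in the provider's option loading in ldap_common.c, which is not in the visible part of the patch. Please make sure a misspelled value fails the load with an error rather than silently falling back to the default of none, since with none no client-side expiration check is done at all.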
Re: [SSSD] [PATCH] Ignore shadow attributes
On Mon, 2009-11-16 at 18:38 -0500, Brian J. Murrell wrote:
>
> Does this patch do anything about not returning "x" in the password
> field of the passwd map

NM. I just saw the patch for #266. And commented on it.

b.
Re: [SSSD] [PATCH] Ignore shadow attributes
On Mon, 2009-11-16 at 14:06 +0100, Sumit Bose wrote:
> Hi,
>
> this patch should fix #279 by ignoring the shadow attributes by
> default.

Does this patch do anything about not returning "x" in the password field of the passwd map if the shadow object class is not present in the user's LDAP entry? Or is that entirely a different cat needing skinning? Just seems like it might be in the same neighbourhood.

b.
Re: [SSSD] [PATCH] Ignore shadow attributes
On Mon, Nov 16, 2009 at 09:23:17AM -0500, Simo Sorce wrote:
> On Mon, 2009-11-16 at 14:06 +0100, Sumit Bose wrote:
> > Hi,
> >
> > this patch should fix #279 by ignoring the shadow attributes by
> > default.
>
> I was thinking about this and I think I don't want to go down this way.
> While automatic discovery of the expiration attributes is nice, I think
> it is an issue.
>
> I would rather see an attribute that overrides
> find_password_expiration_attributes() instead.
>
> This way the admin can force what expiration policy should be used
> regardless of what random attributes may be found.
>
> something like: password_policy_type
> choice of: none, ldap_pwd_policy, mit_kerberos, shadow, auto
>
> so if you don't want anything use
> password_policy_type = none
>
> if you want to use only shadow (even if the server supports
> ldap_pwd_policies) set password_policy_type = shadow
>
> I am unsure if we want to add "auto", that would be the default and use
> the find_password_expiration_attributes() to autodetect what to use.
>
> Thoughts ?
>
> Simo.
>

I like it. Please wait for a new patch ...

bye, Sumit
Re: [SSSD] [PATCH] Ignore shadow attributes
On Mon, 2009-11-16 at 14:06 +0100, Sumit Bose wrote:
> Hi,
>
> this patch should fix #279 by ignoring the shadow attributes by
> default.

I was thinking about this and I think I don't want to go down this way. While automatic discovery of the expiration attributes is nice, I think it is an issue.

I would rather see an attribute that overrides find_password_expiration_attributes() instead.

This way the admin can force what expiration policy should be used regardless of what random attributes may be found.

something like: password_policy_type
choice of: none, ldap_pwd_policy, mit_kerberos, shadow, auto

so if you don't want anything use
password_policy_type = none

if you want to use only shadow (even if the server supports ldap_pwd_policies) set
password_policy_type = shadow

I am unsure if we want to add "auto", that would be the default and use the find_password_expiration_attributes() to autodetect what to use.

Thoughts ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
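The policy switch Simo sketches above, and the shadow(5) evaluation the later patch exposes as ldap_pwd_policy = shadow, as an added example in C. This is not SSSD code and not part of the thread: the names pw_policy, shadow_attrs, parse_pw_policy, shadow_expire_check and evaluate_password are this example's own, only the values none and shadow are implemented (mit_kerberos is not), shadowInactive is left out, and the sample dates are constructed. The shadow arithmetic follows the documented meaning of shadowLastChange, shadowMax, shadowWarning and shadowExpire (days since 1970-01-01, with -1 standing for an absent attribute); it distinguishes an expired password (PAM_AUTHTOK_EXPIRED) from an expired account (PAM_ACCT_EXPIRED), the two results the patches map separately, and rejects an unknown policy string instead of silently treating it as none.

```c
/* Added example, not SSSD code: a client-side password-expiration check
 * selectable by policy, modelled on the ldap_pwd_policy / password_policy_type
 * idea in this thread.  Only "none" and "shadow" are implemented; the
 * shadow(5) rules follow the documented meaning of shadowLastChange,
 * shadowMax, shadowWarning and shadowExpire (days since 1970-01-01),
 * with shadowInactive left out for brevity.  All names here are this
 * example's own. */
#include <stdio.h>
#include <string.h>
#include <time.h>

enum pw_policy { PWPOLICY_NONE, PWPOLICY_SHADOW, PWPOLICY_INVALID };

enum pw_result {
    PW_OK,           /* password valid */
    PW_WARN,         /* valid, but inside the shadowWarning window */
    PW_EXPIRED,      /* older than shadowMax days: maps to PAM_AUTHTOK_EXPIRED */
    PW_ACCT_EXPIRED  /* shadowExpire has passed: maps to PAM_ACCT_EXPIRED */
};

/* Attribute values as read from the user's LDAP entry; -1 = absent/empty. */
struct shadow_attrs {
    long last_change;  /* shadowLastChange */
    long max_days;     /* shadowMax */
    long warn_days;    /* shadowWarning */
    long expire;       /* shadowExpire */
};

/* Strict parser for the config value: a typo is rejected instead of
 * silently becoming "none" (which would disable the check). */
enum pw_policy parse_pw_policy(const char *s)
{
    if (s == NULL || strcmp(s, "none") == 0)
        return PWPOLICY_NONE;
    if (strcmp(s, "shadow") == 0)
        return PWPOLICY_SHADOW;
    return PWPOLICY_INVALID;
}

/* shadow(5) arithmetic on a successful bind, evaluated on the client. */
enum pw_result shadow_expire_check(const struct shadow_attrs *a, time_t now)
{
    long today = (long)(now / 86400);

    /* Account expiry is independent of password age and checked first. */
    if (a->expire > 0 && today >= a->expire)
        return PW_ACCT_EXPIRED;

    /* shadowLastChange of 0 means "must change at next login". */
    if (a->last_change == 0)
        return PW_EXPIRED;

    /* Without a last-change date or a maximum age there is nothing to age. */
    if (a->last_change < 0 || a->max_days < 0)
        return PW_OK;

    if (today > a->last_change + a->max_days)
        return PW_EXPIRED;

    if (a->warn_days > 0 && today >= a->last_change + a->max_days - a->warn_days)
        return PW_WARN;

    return PW_OK;
}

/* Policy dispatch: "none" never fails a login on the client side, whatever
 * the entry contains; only the server's own policy (if any) applies then. */
enum pw_result evaluate_password(enum pw_policy policy,
                                 const struct shadow_attrs *a, time_t now)
{
    switch (policy) {
    case PWPOLICY_SHADOW:
        return shadow_expire_check(a, now);
    case PWPOLICY_NONE:
    default:
        return PW_OK;
    }
}

int main(void)
{
    /* Constructed sample: 2009-11-23 00:00 UTC (day 14571), password last set
     * 100 days earlier with shadowMax = 90, no account expiry. */
    time_t now = (time_t)1258934400;
    struct shadow_attrs a = { 14571 - 100, 90, 7, -1 };

    printf("policy=shadow -> %d (2 = password expired)\n",
           evaluate_password(PWPOLICY_SHADOW, &a, now));
    printf("policy=none   -> %d (0 = accepted)\n",
           evaluate_password(PWPOLICY_NONE, &a, now));
    printf("unknown value 'shadows' -> %s\n",
           parse_pw_policy("shadows") == PWPOLICY_INVALID ? "rejected" : "accepted");
    return 0;
}
```

The same entry is accepted under none and refused under shadow, which is exactly the trade-off the thread is about: with none the client trusts the server to enforce expiry, with shadow the client enforces it from attributes that sssd itself does not update after a password change.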
[SSSD] [PATCH] Ignore shadow attributes
Hi,

this patch should fix #279 by ignoring the shadow attributes by default.

bye, Sumit

>From 8bcd2646e948a1f05b279196a4e6f4350aa5d5a9 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 16 Nov 2009 13:56:57 +0100 Subject: [PATCH] Ignore shadow attributes --- server/man/sssd-ldap.5.xml | 25 + server/providers/ldap/ldap_auth.c | 19 +++ server/providers/ldap/ldap_common.c |3 ++- server/providers/ldap/sdap.h|1 + 4 files changed, 47 insertions(+), 1 deletions(-) diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml index a2aa730..c971a2c 100644 --- a/server/man/sssd-ldap.5.xml +++ b/server/man/sssd-ldap.5.xml @@ -582,6 +582,31 @@ + +ldap_ignore_shadow_attributes (boolean) + + +If set to true ignore the LDAP attributes +corresponding to the values describes in +shadow +5 during +authentication, i.e. they are not used to evaluate +if the password is expired. + + +Default: true + + +Please note that you should only set this value to +false if there is a password change mechanism +available which can update the last changed time. +The current version of sssd +does not update the +corresponding attribute. + + + + diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c index a9f03a7..114fc36 100644 --- a/server/providers/ldap/ldap_auth.c +++ b/server/providers/ldap/ldap_auth.c @@ -572,6 +572,7 @@ struct sdap_pam_chpass_state { char *password; char *new_password; struct sdap_handle *sh; +struct sdap_auth_ctx *ctx; }; static void sdap_auth4chpass_done(struct tevent_req *req); @@ -611,6 +612,7 @@ void sdap_pam_chpass_handler(struct be_req *breq) if (!state) goto done; state->breq = breq; +state->ctx = ctx; state->pd = pd; state->username = pd->user; state->password = talloc_strndup(state, 
@@ -661,6 +663,12 @@ static void sdap_auth4chpass_done(struct tevent_req *req) if (result == SDAP_AUTH_SUCCESS) { switch (pw_expire_type) { case PWEXPIRE_SHADOW: +if (dp_opt_get_bool(state->ctx->opts->basic, +SDAP_IGNORE_SHADOW_ATTRIBUTES)) { +DEBUG(5, ("Ignoring shadow attributes.\n")); +pw_expire_type = PWEXPIRE_NONE; +break; +} ret = check_pwexpire_shadow(pw_expire_data, time(NULL), &result); if (ret != EOK) { @@ -764,6 +772,7 @@ struct sdap_pam_auth_state { struct pam_data *pd; const char *username; struct dp_opt_blob password; +struct sdap_auth_ctx *ctx; }; static void sdap_pam_auth_done(struct tevent_req *req); @@ -798,6 +807,7 @@ void sdap_pam_auth_handler(struct be_req *breq) state->breq = breq; state->pd = pd; +state->ctx = ctx; state->username = pd->user; state->password.data = pd->authtok; state->password.length = pd->authtok_size; @@ -846,6 +856,12 @@ static void sdap_pam_auth_done(struct tevent_req *req) if (result == SDAP_AUTH_SUCCESS) { switch (pw_expire_type) { case PWEXPIRE_SHADOW: +if (dp_opt_get_bool(state->ctx->opts->basic, +SDAP_IGNORE_SHADOW_ATTRIBUTES)) { +DEBUG(5, ("Ignoring shadow attributes.\n")); +pw_expire_type = PWEXPIRE_NONE; +break; +} ret = check_pwexpire_shadow(pw_expire_data, time(NULL), &result); if (ret != EOK) { @@ -883,6 +899,9 @@ static void sdap_pam_auth_done(struct tevent_req *req) case SDAP_UNAVAIL: state->pd->pam_status = PAM_AUTHINFO_UNAVAIL; break; +case SDAP_ACCT_EXPIRED: +state->pd->pam_status = PAM_ACCT_EXPIRED; +break; case SDAP_AUTH_PW_EXPIRED: state->pd->pam_status = PAM_AUTHTOK_EXPIRED; break; diff --git a/server/providers/ldap/ldap_common.c b/server/providers/ldap/ldap_common.c index deffb4a..bec4099 100644 --- a/server/providers/ldap/ldap_common.c +++ b/server/providers/ldap/ldap_common.c @@ -54,7 +54,8 @@ struct dp_option default_basic_opts[] =
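Review bot: typo in the sssd-ldap.5.xml hunk, "corresponding to the values describes in shadow(5)" should read "described". The "Default: true" line should also state plainly that with the default nothing on the client evaluates password age for a shadow-style entry, so an admin reading the page sees that the only remaining enforcement is whatever the server does.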
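Review bot: the dp_opt_get_bool(state->ctx->opts->basic, SDAP_IGNORE_SHADOW_ATTRIBUTES) check is pasted identically under case PWEXPIRE_SHADOW in both sdap_auth4chpass_done and sdap_pam_auth_done, and a third caller of the expiration switch would have to remember the same lines. Better to honour the option once, where pw_expire_type is determined (find_password_expiration_attributes() is named in this thread), so that PWEXPIRE_SHADOW is never produced when the attributes are to be ignored and the per-caller branches, including the two extra struct sdap_auth_ctx *ctx state members added only to reach the option, go away.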
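Review bot: the new `case SDAP_ACCT_EXPIRED: state->pd->pam_status = PAM_ACCT_EXPIRED;` in sdap_pam_auth_done is not covered by the subject "Ignore shadow attributes" or the commit message; either mention it there or split it into its own patch. Please also check whether the result switch on the chpass path needs the same mapping, since this patch otherwise keeps the two paths in step.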