Hi, this patch should fix #279 by ignoring the shadow attributes by default.
bye, Sumit
>From 8bcd2646e948a1f05b279196a4e6f4350aa5d5a9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 16 Nov 2009 13:56:57 +0100
Subject: [PATCH] Ignore shadow attributes

---
 server/man/sssd-ldap.5.xml          |   25 +++++++++++++++++++++++++
 server/providers/ldap/ldap_auth.c   |   19 +++++++++++++++++++
 server/providers/ldap/ldap_common.c |    3 ++-
 server/providers/ldap/sdap.h        |    1 +
 4 files changed, 47 insertions(+), 1 deletions(-)

diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml
index a2aa730..c971a2c 100644
--- a/server/man/sssd-ldap.5.xml
+++ b/server/man/sssd-ldap.5.xml
@@ -582,6 +582,31 @@
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>ldap_ignore_shadow_attributes (boolean)</term>
+                    <listitem>
+                        <para>
+                            If set to true ignore the LDAP attributes
+                            corresponding to the values describes in
+                            <citerefentry><refentrytitle>shadow</refentrytitle>
+                            <manvolnum>5</manvolnum></citerefentry> during
+                            authentication, i.e. they are not used to evaluate
+                            if the password is expired.
+                        </para>
+                        <para>
+                            Default: true
+                        </para>
+                        <para>
+                            Please note that you should only set this value to
+                            false if there is a password change mechanism
+                            available which can update the last changed time.
+                            The current version of sssd
+                            <emphasis>does not</emphasis> update the
+                            corresponding attribute.
+                        </para>
+                    </listitem>
+                </varlistentry>
+
             </variablelist>
         </para>
     </refsect1>
diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
index a9f03a7..114fc36 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -572,6 +572,7 @@ struct sdap_pam_chpass_state {
     char *password;
     char *new_password;
     struct sdap_handle *sh;
+    struct sdap_auth_ctx *ctx;
 };
 
 static void sdap_auth4chpass_done(struct tevent_req *req);
@@ -611,6 +612,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
     if (!state) goto done;
 
     state->breq = breq;
+    state->ctx = ctx;
     state->pd = pd;
     state->username = pd->user;
     state->password = talloc_strndup(state,
@@ -661,6 +663,12 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
     if (result == SDAP_AUTH_SUCCESS) {
         switch (pw_expire_type) {
         case PWEXPIRE_SHADOW:
+            if (dp_opt_get_bool(state->ctx->opts->basic,
+                                SDAP_IGNORE_SHADOW_ATTRIBUTES)) {
+                DEBUG(5, ("Ignoring shadow attributes.\n"));
+                pw_expire_type = PWEXPIRE_NONE;
+                break;
+            }
             ret = check_pwexpire_shadow(pw_expire_data, time(NULL),
                                         &result);
             if (ret != EOK) {
@@ -764,6 +772,7 @@ struct sdap_pam_auth_state {
     struct pam_data *pd;
     const char *username;
     struct dp_opt_blob password;
+    struct sdap_auth_ctx *ctx;
 };
 
 static void sdap_pam_auth_done(struct tevent_req *req);
@@ -798,6 +807,7 @@ void sdap_pam_auth_handler(struct be_req *breq)
 
     state->breq = breq;
     state->pd = pd;
+    state->ctx = ctx;
     state->username = pd->user;
     state->password.data = pd->authtok;
     state->password.length = pd->authtok_size;
@@ -846,6 +856,12 @@ static void sdap_pam_auth_done(struct tevent_req *req)
     if (result == SDAP_AUTH_SUCCESS) {
         switch (pw_expire_type) {
         case PWEXPIRE_SHADOW:
+            if (dp_opt_get_bool(state->ctx->opts->basic,
+                                SDAP_IGNORE_SHADOW_ATTRIBUTES)) {
+                DEBUG(5, ("Ignoring shadow attributes.\n"));
+                pw_expire_type = PWEXPIRE_NONE;
+                break;
+            }
             ret = check_pwexpire_shadow(pw_expire_data, time(NULL),
                                         &result);
             if (ret != EOK) {
@@ -883,6 +899,9 @@ static void sdap_pam_auth_done(struct tevent_req *req)
     case SDAP_UNAVAIL:
         state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
         break;
+    case SDAP_ACCT_EXPIRED:
+        state->pd->pam_status = PAM_ACCT_EXPIRED;
+        break;
     case SDAP_AUTH_PW_EXPIRED:
         state->pd->pam_status = PAM_AUTHTOK_EXPIRED;
         break;
diff --git a/server/providers/ldap/ldap_common.c b/server/providers/ldap/ldap_common.c
index deffb4a..bec4099 100644
--- a/server/providers/ldap/ldap_common.c
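Review bot: The six-line bypass inserted under `case PWEXPIRE_SHADOW:` in sdap_auth4chpass_done is repeated byte-for-byte under the same case in sdap_pam_auth_done further down, so the two authentication paths will drift apart the next time the expiry policy is touched. I would move the option lookup into one static helper and have both cases call it, and since this is a deliberate skip of a policy check I would also name the user in the DEBUG message so the log shows which logins bypassed it. Both enclosing functions start and end outside this hunk.

```c
/* True when configuration says shadow(5) attributes must not gate authentication. */
static bool sdap_ignore_shadow_attrs(struct sdap_auth_ctx *ctx)
{
    return dp_opt_get_bool(ctx->opts->basic, SDAP_IGNORE_SHADOW_ATTRIBUTES);
}

/* … unchanged: sdap_auth4chpass_done up to the switch on pw_expire_type … */
        case PWEXPIRE_SHADOW:
            if (sdap_ignore_shadow_attrs(state->ctx)) {
                DEBUG(5, ("Ignoring shadow attributes for user [%s].\n",
                          state->username));
                pw_expire_type = PWEXPIRE_NONE;
                break;
            }
/* … unchanged: check_pwexpire_shadow call and result handling … */
```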
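Review bot: With `ldap_ignore_shadow_attributes` defaulting to true, the new block under `case PWEXPIRE_SHADOW:` in sdap_pam_auth_done skips `check_pwexpire_shadow()` entirely on every login, which presumably drops not only the password-age check (the shadowLastChange problem the man page text describes) but any account-expiry evaluation the helper performs — the `case SDAP_ACCT_EXPIRED:` mapping added in the last hunk suggests it can return that result. If so, an account whose shadow expiry date has passed is accepted by default, a silent weakening for deployments that relied on it. If the helper body (outside this hunk) evaluates both, consider narrowing the bypass to the last-change/max-age part so expiry is still enforced, or at least say in the man page that account expiration is ignored too and log the skip above `DEBUG(5, ...)` so administrators notice it. sdap_pam_auth_done starts and ends outside this hunk.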
+++ b/server/providers/ldap/ldap_common.c
@@ -54,7 +54,8 @@ struct dp_option default_basic_opts[] = {
     { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     /* use the same parm name as the krb5 module so we set it only once */
-    { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+    { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "ldap_ignore_shadow_attributes", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }
 };
 
 struct sdap_attr_map generic_attr_map[] = {
diff --git a/server/providers/ldap/sdap.h b/server/providers/ldap/sdap.h
index 8330bd6..ac25ae7 100644
--- a/server/providers/ldap/sdap.h
+++ b/server/providers/ldap/sdap.h
@@ -117,6 +117,7 @@ enum sdap_basic_opt {
     SDAP_KRB5_KEYTAB,
     SDAP_KRB5_KINIT,
     SDAP_KRB5_REALM,
+    SDAP_IGNORE_SHADOW_ATTRIBUTES,
 
     SDAP_OPTS_BASIC /* opts counter */
 };
-- 
1.6.2.5
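Review bot: The new `default_basic_opts[]` entry appears to be addressed by position through the `SDAP_IGNORE_SHADOW_ATTRIBUTES` enumerator (the auth code calls `dp_opt_get_bool(state->ctx->opts->basic, SDAP_IGNORE_SHADOW_ATTRIBUTES)`), so this array and `enum sdap_basic_opt` in sdap.h must keep the same order and nothing here checks that. A comment on the array, e.g. `/* order must match enum sdap_basic_opt in sdap.h; SDAP_OPTS_BASIC counts the entries */`, would make the coupling visible to whoever appends the next option. The array initializer starts outside this hunk.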