Hi, here are some more patches regarding the handling of the LDAP ppolicy control.
Patch 1: An error code of LDAP_INVALID_CREDENTIALS + a ppolicy control with the error PP_passwordExpired indicates an expired password as well.
Patch 2: When doing LDAP authentication for PAM_PRELIM_CHECK, treat SDAP_AUTH_PW_EXPIRED as a successful authentication to be able to continue the password change.
Patch 3: Display a message to the user when a password change is going to be initiated because of an expired password.

Feedback is of course welcome,
Ralf
From c4978d1f40c3cbaa6f24c0fa1d9f3b8b4c00e616 Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp <rha...@suse.de> Date: Fri, 12 Mar 2010 15:06:44 +0100 Subject: [PATCH 1/3] Fixed check for expired passwords When the user's password is expired it might also be indicated by the bind operation returning "INVALID_CREDENTIALS" with the ppolicy control's errorcode set to "PP_passwordExpired". --- src/providers/ldap/sdap_async_connection.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c index 18e47d3..fe8a501 100644 --- a/src/providers/ldap/sdap_async_connection.c +++ b/src/providers/ldap/sdap_async_connection.c @@ -421,8 +421,10 @@ static void simple_bind_done(struct sdap_op *op, "error [%s].\n", pp_expire, pp_grace, ldap_passwordpolicy_err2txt(pp_error))); - if (state->result == LDAP_SUCCESS && - (pp_error == PP_changeAfterReset || pp_grace > 0)) { + if ((state->result == LDAP_SUCCESS && + (pp_error == PP_changeAfterReset || pp_grace > 0)) || + (state->result == LDAP_INVALID_CREDENTIALS && + pp_error == PP_passwordExpired ) ) { DEBUG(4, ("User must set a new password.\n")); state->result = LDAP_X_SSSD_PASSWORD_EXPIRED; } -- 1.6.4.2
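Review bot: the new `state->result == LDAP_INVALID_CREDENTIALS && pp_error == PP_passwordExpired` branch turns a failed bind into LDAP_X_SSSD_PASSWORD_EXPIRED, which the CHAUTHTOK_PRELIM path then treats as an authenticated user; that is only safe if the server sets PP_passwordExpired exclusively after it has verified the supplied password, so please state that assumption in a comment next to the condition and in the commit message. The `DEBUG(4, ("User must set a new password.\n"))` line now also fires for the invalidCredentials case; a second message that distinguishes "expired, no grace logins left" from "changeAfterReset or grace login" would make the logs easier to read. Minor style: `PP_passwordExpired ) )` has stray spaces before the closing parentheses that the surrounding code does not use.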
From ef8f49bf3ac93402856f37fcbb5828b6e03563ca Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp <rha...@suse.de> Date: Fri, 12 Mar 2010 14:42:09 +0100 Subject: [PATCH 2/3] Fixed authentication check for CHAUTHTOK_PRELIM When changing passwords, treat SDAP_AUTH_PW_EXPIRED as a successful authentication in SSS_PAM_CHAUTHTOK_PRELIM. --- src/providers/ldap/ldap_auth.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index ba1136b..5228703 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -721,7 +721,7 @@ static void sdap_auth4chpass_done(struct tevent_req *req) goto done; } - if (result == SDAP_AUTH_SUCCESS && + if ( (result == SDAP_AUTH_SUCCESS || result == SDAP_AUTH_PW_EXPIRED ) && state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) { DEBUG(9, ("Initial authentication for change password operation " "successful.\n")); -- 1.6.4.2
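Review bot: with `(result == SDAP_AUTH_SUCCESS || result == SDAP_AUTH_PW_EXPIRED)` the "Initial authentication for change password operation successful" DEBUG line is also emitted when the bind actually reported an expired password, so the log no longer tells the two apart; consider a separate DEBUG for the expired case or including `result` in the message. The condition only makes sense together with patch 1's mapping of invalidCredentials + PP_passwordExpired, so a one-line comment here saying why an expired password counts as authenticated for SSS_PAM_CHAUTHTOK_PRELIM would save the next reader a trip through sdap_async_connection.c. Style: the spaces inside `if ( (result ==` and `SDAP_AUTH_PW_EXPIRED )` do not match the surrounding code.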
From d8ca40aab756197c0806b1790387e83761e04321 Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp <rha...@suse.de> Date: Fri, 12 Mar 2010 15:13:59 +0100 Subject: [PATCH 3/3] Warn user about an expired password --- src/sss_client/pam_sss.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index ff3a7f9..2ba6f15 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -1122,7 +1122,12 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, if (ret == PAM_SUCCESS && task == SSS_PAM_ACCT_MGMT && pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data) == PAM_SUCCESS) { - return PAM_NEW_AUTHTOK_REQD; + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, + _("Password expired. Change your password now."), NULL, NULL); + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + } + return PAM_NEW_AUTHTOK_REQD; } overwrite_and_free_authtoks(&pi); -- 1.6.4.2
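Review bot: `ret` is reassigned from do_pam_conversation() but the function returns the constant PAM_NEW_AUTHTOK_REQD regardless, so the `if (ret != PAM_SUCCESS)` check only feeds the D() trace; that is fine, but a comment saying the conversation failure is deliberately non-fatal would make the intent clear. Worth a note in the commit message as well: the PAM_TEXT_INFO is emitted only inside the `task == SSS_PAM_ACCT_MGMT` branch, so a caller that skips account management and goes straight to chauthtok will not see it. The continuation line `_("Password expired. Change your password now."), NULL, NULL);` should be indented to the opening parenthesis of the call.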
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
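The three patches above touch the same decision from three sides: decoding what the server put into the ppolicy response control, mapping (bind result code, control contents) to an SSSD outcome, and letting the password-change prelim step accept the "expired" outcome. The following is an added, self-contained example (not SSSD code and not part of Ralf's patches) that walks that chain end to end. It decodes the control value directly from its BER encoding as given in draft-behera-ldap-password-policy, then applies the post-patch-1 rule from simple_bind_done and the post-patch-2 rule from sdap_auth4chpass_done. The SDAP_AUTH_* numeric values, the helper names (pp_decode, classify_bind, classify_raw, chpass_prelim_ok, pp_expire_of) and the sample control bytes are assumptions constructed for the example; PP_noError = 65535 follows OpenLDAP's ldap.h, and the LDAP result codes are the RFC 4511 values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard LDAP result codes (RFC 4511). */
#define LDAP_SUCCESS             0
#define LDAP_INVALID_CREDENTIALS 49

/* ppolicy error values from draft-behera-ldap-password-policy; PP_noError is
 * the "no error element present" marker OpenLDAP's ldap.h uses. */
enum pp_error { PP_passwordExpired = 0, PP_changeAfterReset = 2, PP_noError = 65535 };

/* Outcome names follow the SSSD enum used in the patches; values are assumed. */
enum sdap_auth_result { SDAP_AUTH_FAILED = 0, SDAP_AUTH_SUCCESS = 1, SDAP_AUTH_PW_EXPIRED = 2 };

struct pp_response {
    int  has_expire; long expire;   /* timeBeforeExpiration, seconds */
    int  has_grace;  long grace;    /* graceAuthNsRemaining */
    int  error;                     /* PP_noError when the element is absent */
};

/* Decode a non-negative BER INTEGER/ENUMERATED of 1..4 content octets. */
static int ber_uint(const uint8_t *p, size_t len, long *out)
{
    unsigned long v = 0;
    if (len == 0 || len > 4) return -1;
    for (size_t i = 0; i < len; i++) v = (v << 8) | p[i];
    *out = (long)v;
    return 0;
}

/* PasswordPolicyResponseValue ::= SEQUENCE {
 *   warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
 *                        graceAuthNsRemaining [1] INTEGER } OPTIONAL,
 *   error   [1] ENUMERATED { passwordExpired (0), ..., passwordInHistory (8) } OPTIONAL }
 * Short-form lengths only (this control never needs more). Returns 0, or -1 if malformed. */
int pp_decode(const uint8_t *buf, size_t len, struct pp_response *r)
{
    size_t i;
    r->has_expire = r->has_grace = 0;
    r->expire = r->grace = 0;
    r->error = PP_noError;
    if (len < 2 || buf[0] != 0x30 || (buf[1] & 0x80) || (size_t)buf[1] + 2 != len)
        return -1;
    for (i = 2; i < len; ) {
        uint8_t tag; size_t l; long v;
        if (i + 2 > len) return -1;
        tag = buf[i]; l = buf[i + 1]; i += 2;
        if ((l & 0x80) || i + l > len) return -1;
        if (tag == 0xA0) {                            /* warning [0], constructed */
            if (l < 3 || (buf[i + 1] & 0x80) || (size_t)buf[i + 1] + 2 != l) return -1;
            if (ber_uint(buf + i + 2, l - 2, &v)) return -1;
            if (buf[i] == 0x80)      { r->has_expire = 1; r->expire = v; }
            else if (buf[i] == 0x81) { r->has_grace = 1;  r->grace = v; }
            else return -1;
        } else if (tag == 0x81) {                     /* error [1], primitive ENUMERATED */
            if (ber_uint(buf + i, l, &v)) return -1;
            r->error = (int)v;
        } else {
            return -1;                                /* unknown element: fail closed */
        }
        i += l;
    }
    return 0;
}

/* The decision in simple_bind_done as it reads after patch 1; pp == NULL means
 * the server returned no ppolicy control at all. */
int classify_bind(int ldap_result, const struct pp_response *pp)
{
    if (ldap_result == LDAP_SUCCESS) {
        if (pp && (pp->error == PP_changeAfterReset || (pp->has_grace && pp->grace > 0)))
            return SDAP_AUTH_PW_EXPIRED;             /* bound, but must change password */
        return SDAP_AUTH_SUCCESS;
    }
    if (ldap_result == LDAP_INVALID_CREDENTIALS && pp && pp->error == PP_passwordExpired)
        return SDAP_AUTH_PW_EXPIRED;                 /* patch 1: expired, no grace logins left */
    return SDAP_AUTH_FAILED;
}

/* Patch 2: in SSS_PAM_CHAUTHTOK_PRELIM an expired password still lets the change proceed. */
int chpass_prelim_ok(int result)
{
    return result == SDAP_AUTH_SUCCESS || result == SDAP_AUTH_PW_EXPIRED;
}

/* Raw control value (NULL if none was returned) -> outcome; -1 on a malformed control. */
int classify_raw(int ldap_result, const uint8_t *ctrl, size_t len)
{
    struct pp_response r;
    if (ctrl == NULL) return classify_bind(ldap_result, NULL);
    if (pp_decode(ctrl, len, &r) != 0) return -1;
    return classify_bind(ldap_result, &r);
}

/* timeBeforeExpiration in seconds, or -1 if absent or malformed. */
long pp_expire_of(const uint8_t *ctrl, size_t len)
{
    struct pp_response r;
    if (pp_decode(ctrl, len, &r) != 0 || !r.has_expire) return -1;
    return r.expire;
}

/* Constructed sample control values (not captured from a real server). */
static const uint8_t CTRL_EXPIRED[] = { 0x30, 0x03, 0x81, 0x01, 0x00 };                   /* error passwordExpired */
static const uint8_t CTRL_RESET[]   = { 0x30, 0x03, 0x81, 0x01, 0x02 };                   /* error changeAfterReset */
static const uint8_t CTRL_GRACE2[]  = { 0x30, 0x05, 0xA0, 0x03, 0x81, 0x01, 0x02 };       /* 2 grace logins left */
static const uint8_t CTRL_TTL[]     = { 0x30, 0x06, 0xA0, 0x04, 0x80, 0x02, 0x0E, 0x10 }; /* expires in 3600 s */
static const uint8_t CTRL_BAD[]     = { 0x30, 0x05, 0xA0, 0x03, 0x81, 0x01 };             /* truncated */

int main(void)
{
    printf("invalidCredentials + passwordExpired -> %d\n",
           classify_raw(LDAP_INVALID_CREDENTIALS, CTRL_EXPIRED, sizeof CTRL_EXPIRED));
    printf("success + 2 grace logins left        -> %d\n",
           classify_raw(LDAP_SUCCESS, CTRL_GRACE2, sizeof CTRL_GRACE2));
    printf("success + expires in %lds            -> %d\n",
           pp_expire_of(CTRL_TTL, sizeof CTRL_TTL),
           classify_raw(LDAP_SUCCESS, CTRL_TTL, sizeof CTRL_TTL));
    return 0;
}
```

The decoder returns -1 on anything it does not recognise rather than ignoring it, so a garbled control cannot silently become "no policy information" and fall through to plain success; classify_raw passes that -1 up so the caller can fail closed. Note that the invalidCredentials + passwordExpired case yields SDAP_AUTH_PW_EXPIRED only when the error element is present; a bare invalidCredentials with a time-before-expiration warning stays SDAP_AUTH_FAILED.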