Hi,

in trac ticket #751 it was requested to add syslog messages telling the
admin why access was denied for a specific user with the LDAP access
provider.

The following two patches add this for the shadow expire attribute check
and for the authorized service check.

bye,
Sumit
From 31d15a60582cbd49e08533f594b9da23c2f66627 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 4 Jan 2011 17:54:19 +0100
Subject: [PATCH 1/2] Add syslog message to shadow access check

---
 src/providers/ldap/sdap_access.c |   20 ++++++++++++++------
 1 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 4767812..f031032 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -70,7 +70,7 @@ static struct tevent_req 
*sdap_account_expired_send(TALLOC_CTX *mem_ctx,
                                              struct tevent_context *ev,
                                              struct be_ctx *be_ctx,
                                              struct sdap_access_ctx 
*access_ctx,
-                                             const char *username,
+                                             struct pam_data *pd,
                                              struct ldb_message *user_entry);
 static errno_t sdap_access_service_recv(struct tevent_req *req,
                                         int *pam_status);
@@ -237,7 +237,7 @@ static errno_t select_next_rule(struct tevent_req *req)
         case LDAP_ACCESS_EXPIRE:
             subreq = sdap_account_expired_send(state, state->ev, state->be_ctx,
                                                state->access_ctx,
-                                               state->pd->user,
+                                               state->pd,
                                                state->user_entry);
             if (subreq == NULL) {
                 DEBUG(1, ("sdap_account_expired_send failed.\n"));
@@ -297,8 +297,9 @@ static void next_access_rule(struct tevent_req *req)
     return;
 }
 
+#define SHADOW_EXPIRE_MSG "Account expired according to shadow attributes"
 
-static errno_t sdap_account_expired_shadow(const char *username,
+static errno_t sdap_account_expired_shadow(struct pam_data *pd,
                                            struct ldb_message *user_entry,
                                            int *pam_status)
 {
@@ -307,7 +308,7 @@ static errno_t sdap_account_expired_shadow(const char 
*username,
     long sp_expire;
     long today;
 
-    DEBUG(6, ("Performing access shadow check for user [%s]\n", username));
+    DEBUG(6, ("Performing access shadow check for user [%s]\n", pd->user));
 
     val = ldb_msg_find_attr_as_string(user_entry, SYSDB_SHADOWPW_EXPIRE, NULL);
     if (val == NULL) {
@@ -325,6 +326,13 @@ static errno_t sdap_account_expired_shadow(const char 
*username,
     today = (long) (time(NULL) / (60 * 60 * 24));
     if (sp_expire > 0 && today > sp_expire) {
         *pam_status = PAM_ACCT_EXPIRED;
+
+        ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+                               sizeof(SHADOW_EXPIRE_MSG),
+                               (const uint8_t *) SHADOW_EXPIRE_MSG);
+        if (ret != EOK) {
+            DEBUG(1, ("pam_add_response failed.\n"));
+        }
     } else {
         *pam_status = PAM_SUCCESS;
     }
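Review bot: The `if (ret != EOK)` branch after the new `pam_add_response` call only logs, leaving `ret` holding the error while `*pam_status` was already set to PAM_ACCT_EXPIRED on the line above; what the function finally returns is decided by its tail, which lies outside this hunk. If that tail returns `ret`, a failure to attach the message would turn a plain expiry denial into the `sdap_account_expired_shadow failed` error path visible in the @@ -365 hunk; if it returns EOK unconditionally, say so next to the call with `/* Informational only: the expiry decision in *pam_status stands even if the message cannot be attached. */`. The commit subject speaks of a syslog message, but the code attaches an SSS_PAM_SYSTEM_INFO response that is presumably logged by the PAM client; a short comment on SHADOW_EXPIRE_MSG stating where the text ends up would tie the two together. sdap_account_expired_shadow begins and ends outside this hunk.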
@@ -340,7 +348,7 @@ static struct tevent_req 
*sdap_account_expired_send(TALLOC_CTX *mem_ctx,
                                              struct tevent_context *ev,
                                              struct be_ctx *be_ctx,
                                              struct sdap_access_ctx 
*access_ctx,
-                                             const char *username,
+                                             struct pam_data *pd,
                                              struct ldb_message *user_entry)
 {
     struct tevent_req *req;
@@ -365,7 +373,7 @@ static struct tevent_req 
*sdap_account_expired_send(TALLOC_CTX *mem_ctx,
         goto done;
     } else {
         if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_SHADOW) == 0) {
-            ret = sdap_account_expired_shadow(username, user_entry,
+            ret = sdap_account_expired_shadow(pd, user_entry,
                                               &state->pam_status);
             if (ret != EOK) {
                 DEBUG(1, ("sdap_account_expired_shadow failed.\n"));
-- 
1.7.3.3

From 10fb3a4a6c4566d3d707c616c3ffc54172f20928 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 4 Jan 2011 18:26:44 +0100
Subject: [PATCH 2/2] Add syslog messages to authorized service access check

---
 src/providers/ldap/sdap_access.c |   32 +++++++++++++++++++++++++++++++-
 1 files changed, 31 insertions(+), 1 deletions(-)

diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index f031032..ce2d535 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -796,6 +796,12 @@ struct sdap_access_service_ctx {
     int pam_status;
 };
 
+#define AUTHR_SRV_MISSING_MSG "Authorized service attribute missing, " \
+                              "access denied"
+#define AUTHR_SRV_DENY_MSG "Access denied by authorized service attribute"
+#define AUTHR_SRV_NO_MATCH_MSG "Authorized service attribute has " \
+                               "no matching rule, access denied"
+
 static struct tevent_req *sdap_access_service_send(
         TALLOC_CTX *mem_ctx,
         struct tevent_context *ev,
@@ -820,6 +826,14 @@ static struct tevent_req *sdap_access_service_send(
     el = ldb_msg_find_element(user_entry, SYSDB_AUTHORIZED_SERVICE);
     if (!el || el->num_values == 0) {
         DEBUG(1, ("Missing authorized services. Access denied\n"));
+
+        ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+                               sizeof(AUTHR_SRV_MISSING_MSG),
+                               (const uint8_t *) AUTHR_SRV_MISSING_MSG);
+        if (ret != EOK) {
+            DEBUG(1, ("pam_add_response failed.\n"));
+        }
+
         ret = EOK;
         goto done;
     }
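Review bot: The `ret = EOK;` on the line after the new block overwrites the result of `pam_add_response`, so a failed informational message cannot change the outcome here — but that outcome is a denial only if `state->pam_status` was initialised to a denying value before this point, which is outside the hunk; a comment such as `/* pam_status already holds the denial; the message is best-effort */` would make that dependency visible. The same six-line `pam_add_response` / `if (ret != EOK) DEBUG(...)` sequence is repeated in the @@ -831 and @@ -855 hunks of this patch and once in the first patch, differing only in the message macro; a small `static` helper taking `pd` and the message would keep the best-effort logging in one place. Note that `sizeof(AUTHR_SRV_MISSING_MSG)` counts the terminating NUL, so the response carries strlen + 1 bytes; that is fine if the receiver expects a NUL-terminated string, and the helper would be the place to document it. sdap_access_service_send continues outside the hunk.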
@@ -831,8 +845,17 @@ static struct tevent_req *sdap_access_service_send(
             /* This service is explicitly denied */
             state->pam_status = PAM_PERM_DENIED;
             DEBUG(4, ("Access denied by [%s]\n", service));
+
+            ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+                                   sizeof(AUTHR_SRV_DENY_MSG),
+                                   (const uint8_t *) AUTHR_SRV_DENY_MSG);
+            if (ret != EOK) {
+                DEBUG(1, ("pam_add_response failed.\n"));
+            }
+
             /* A denial trumps all. Break here */
-            break;
+            ret = EOK;
+            goto done;
 
         } else if (strcasecmp(pd->service, service) == 0) {
             /* This service is explicitly allowed */
@@ -855,6 +878,13 @@ static struct tevent_req *sdap_access_service_send(
         DEBUG(4, ("No matching service rule found\n"));
     }
 
+    ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+                           sizeof(AUTHR_SRV_NO_MATCH_MSG),
+                           (const uint8_t *) AUTHR_SRV_NO_MATCH_MSG);
+    if (ret != EOK) {
+        DEBUG(1, ("pam_add_response failed.\n"));
+    }
+
     ret = EOK;
 
 done:
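Review bot: The new `pam_add_response` with AUTHR_SRV_NO_MATCH_MSG sits at function scope, after the closing brace of the block that holds the `No matching service rule found` DEBUG, so it runs on every path that reaches `ret = EOK` — including, if the `explicitly allowed` branch shown in the @@ -831 hunk falls through to this point rather than jumping to `done` (its body is outside that hunk), a successful authorization, which would then carry an "access denied" message. Only the explicit-deny branch now bypasses this code via its new `goto done`. Moving the call inside the conditional block alongside the DEBUG keeps the message on the no-match denial path only; the condition of that block is above the hunk and is left as is. sdap_access_service_send ends past the hunk at `done:`.
```c
    /* … unchanged: conditional header (outside the hunk) … */
        DEBUG(4, ("No matching service rule found\n"));

        ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
                               sizeof(AUTHR_SRV_NO_MATCH_MSG),
                               (const uint8_t *) AUTHR_SRV_NO_MATCH_MSG);
        if (ret != EOK) {
            DEBUG(1, ("pam_add_response failed.\n"));
        }
    }

    ret = EOK;
```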
-- 
1.7.3.3
