URL: https://github.com/SSSD/sssd/pull/5928 Author: elkoniu Title: #5928: IPA: Add password expire warning Action: opened
PR body: """ When LDAP is used as an access provider it can be configured to show user password expiration warning. This commit enables similar behaviour for IPA access provider. Resolves: https://github.com/SSSD/sssd/issues/5080 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5928/head:pr5928 git checkout pr5928
From 0d51941523f56f3668b0a21e17113c3eccb81ef0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <[email protected]> Date: Wed, 15 Dec 2021 07:08:42 +0100 Subject: [PATCH] IPA: Add password expire warning When LDAP is used as an access provider it can be configured to show user password expiration warning. This commit enables similar behaviour for IPA access provider. Resolves: https://github.com/SSSD/sssd/issues/5080 --- src/providers/ipa/ipa_init.c | 46 +++++++++++++++++++++++++------- src/providers/ldap/sdap_access.c | 38 ++++++++++++++++++++++++++ 2 files changed, 74 insertions(+), 10 deletions(-)
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index afdd6fdd06..10a7558fb4 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -729,13 +729,44 @@ errno_t sssm_ipa_chpass_init(TALLOC_CTX *mem_ctx,
 return sssm_ipa_auth_init(mem_ctx, be_ctx, module_data, dp_methods);
 }
 
+static errno_t ipa_init_sdap_access_ctx(struct ipa_access_ctx *access_ctx)
+{
+ struct dp_option *options = access_ctx->ipa_options;
+ struct sdap_id_ctx *sdap_id_ctx = access_ctx->sdap_ctx;
+ struct sdap_access_ctx *sdap_access_ctx;
+ const char *filter;
+
+ sdap_access_ctx = talloc_zero(access_ctx, struct sdap_access_ctx);
+ if (sdap_access_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ sdap_access_ctx->id_ctx = sdap_id_ctx;
+
+ /* Set up an sdap_access_ctx for checking expired/locked accounts. */
+ access_ctx->sdap_access_ctx = talloc_zero(access_ctx, struct sdap_access_ctx);
+ if (access_ctx->sdap_access_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed\n");
+ return ENOMEM;
+ }
+
+ access_ctx->sdap_access_ctx->id_ctx = access_ctx->sdap_ctx;
+ access_ctx->sdap_access_ctx->access_rule[0] = LDAP_ACCESS_EXPIRE;
+ access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EXPIRE_POLICY_WARN;
+ access_ctx->sdap_access_ctx->access_rule[2] = LDAP_ACCESS_EXPIRE_POLICY_REJECT;
+ access_ctx->sdap_access_ctx->access_rule[3] = LDAP_ACCESS_EXPIRE_POLICY_RENEW;
+ access_ctx->sdap_access_ctx->access_rule[4] = LDAP_ACCESS_EMPTY;
+
+ return EOK;
+}
+
 errno_t sssm_ipa_access_init(TALLOC_CTX *mem_ctx,
 struct be_ctx *be_ctx,
 void *module_data,
 struct dp_method *dp_methods)
 {
- struct ipa_access_ctx *access_ctx;
 struct ipa_init_ctx *init_ctx;
+ struct ipa_access_ctx *access_ctx;
 struct ipa_id_ctx *id_ctx;
 errno_t ret;
 
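Review bot: The first talloc_zero() block in ipa_init_sdap_access_ctx is dead code: the local `sdap_access_ctx` is allocated, given an id_ctx, and never read again, while the real context is allocated a second time into `access_ctx->sdap_access_ctx` further down. Together with the unused `options` and `filter` locals it will also trip -Wunused-variable, so delete those three declarations and the first allocation and keep only the block that fills `access_ctx->sdap_access_ctx`. Note too that the rule table now contains LDAP_ACCESS_EXPIRE_POLICY_REJECT and LDAP_ACCESS_EXPIRE_POLICY_RENEW in addition to the warning rule the title announces, so depending on how the expire-policy rules are configured this may change the access decision for IPA users rather than only add a warning; if that is intended the commit message should say so. Whether five entries fit in access_rule depends on its declared size in sdap_access.h, which is outside this diff.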
@@ -761,18 +792,13 @@ errno_t sssm_ipa_access_init(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
- /* Set up an sdap_access_ctx for checking expired/locked accounts. */
- access_ctx->sdap_access_ctx = talloc_zero(access_ctx, struct sdap_access_ctx);
- if (access_ctx->sdap_access_ctx == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed\n");
- ret = ENOMEM;
+ ret = ipa_init_sdap_access_ctx(access_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize sdap access context "
+ "[%d]: %s\n", ret, sss_strerror(ret));
 goto done;
 }
 
- access_ctx->sdap_access_ctx->id_ctx = access_ctx->sdap_ctx;
- access_ctx->sdap_access_ctx->access_rule[0] = LDAP_ACCESS_EXPIRE;
- access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY;
-
 dp_set_method(dp_methods, DPM_ACCESS_HANDLER, ipa_pam_access_handler_send, ipa_pam_access_handler_recv, access_ctx, struct ipa_access_ctx, struct pam_data, struct pam_data *);
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 1b898d2448..3bf2c68b4d 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -120,6 +120,38 @@ static errno_t sdap_access_check_next_rule(struct sdap_access_req_ctx *state,
 struct tevent_req *req);
 static void sdap_access_done(struct tevent_req *subreq);
 
+static const char *sdap_rule_to_string(enum ldap_access_rule rule)
+{
+ switch(rule) {
+ case LDAP_ACCESS_FILTER:
+ return LDAP_ACCESS_FILTER_NAME;
+ case LDAP_ACCESS_EXPIRE:
+ return LDAP_ACCESS_EXPIRE_NAME;
+ case LDAP_ACCESS_SERVICE:
+ return LDAP_ACCESS_SERVICE_NAME;
+ case LDAP_ACCESS_HOST:
+ return LDAP_ACCESS_HOST_NAME;
+ case LDAP_ACCESS_RHOST:
+ return LDAP_ACCESS_RHOST_NAME;
+ case LDAP_ACCESS_LOCKOUT:
+ return LDAP_ACCESS_LOCK_NAME;
+ case LDAP_ACCESS_EXPIRE_POLICY_REJECT:
+ return LDAP_ACCESS_EXPIRE_POLICY_REJECT_NAME;
+ case LDAP_ACCESS_EXPIRE_POLICY_WARN:
+ return LDAP_ACCESS_EXPIRE_POLICY_WARN_NAME;
+ case LDAP_ACCESS_EXPIRE_POLICY_RENEW:
+ return LDAP_ACCESS_EXPIRE_POLICY_RENEW_NAME;
+ case LDAP_ACCESS_PPOLICY:
+ return LDAP_ACCESS_PPOLICY_NAME;
+ case LDAP_ACCESS_LAST:
+ return "--last--";
+ case LDAP_ACCESS_EMPTY:
+ return "--empty--";
+ default:
+ return "???";
+ }
+}
+
 struct tevent_req *
 sdap_access_send(TALLOC_CTX *mem_ctx,
 struct tevent_context *ev,
@@ -159,6 +191,12 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
+ DEBUG(SSSDBG_TRACE_FUNC, "Processing access rules\n");
+ for (int i = 0; access_ctx->access_rule[i] != LDAP_ACCESS_EMPTY; i++) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Rule [%d] is \"%s\"\n", i,
+ sdap_rule_to_string(access_ctx->access_rule[i]));
+ }
+
 /* Get original user DN, domain already points to the right (sub)domain */
 ret = sysdb_get_user_attr(state, domain, pd->user, attrs, &res);
 if (ret != EOK) {
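Review bot: `switch(rule)` in sdap_rule_to_string omits the space this file otherwise puts before a parenthesis (`if (ret != EOK)` in the next hunk); write `switch (rule) {`. Also, because the switch carries a `default:` returning "???", a future enumerator added to enum ldap_access_rule will silently log "???" instead of producing a -Wswitch warning; consider dropping `default:` and placing `return "???";` after the switch, which keeps the runtime behaviour identical while letting the compiler flag an unhandled rule.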
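Review bot: The new trace loop in sdap_access_send walks `access_ctx->access_rule` until it meets LDAP_ACCESS_EMPTY with no upper bound, so a context whose table was not explicitly terminated would read past the array; the IPA context is talloc_zero()ed and zero is only a terminator if LDAP_ACCESS_EMPTY is the zero enumerator, which the explicit `access_rule[4] = LDAP_ACCESS_EMPTY` in ipa_init.c suggests it is not. If access_rule is an inline array, bound the loop by its element count as well: `for (int i = 0; i < (int)(sizeof(access_ctx->access_rule) / sizeof(access_ctx->access_rule[0])) && access_ctx->access_rule[i] != LDAP_ACCESS_EMPTY; i++) {`. The existing rule walker presumably relies on the same sentinel, so this may be a pre-existing assumption rather than a new one, but a debug-only loop is the cheapest place to be defensive. sdap_access_send starts and ends outside this hunk.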
