summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2010-04-22 15:28:50 +0200
committerStephen Gallagher <sgallagh@redhat.com>2010-05-07 17:14:32 -0400
commit96a6aa73a6ea0982b349ac10b82aaf86d03ec5f5 (patch)
tree887910bc2e599f3297990210ac6dc1a066b0b46c
parent3f70f0c29b85f2c3f660f5cb99f2854cc8c62c21 (diff)
downloadsssd-96a6aa73a6ea0982b349ac10b82aaf86d03ec5f5.tar.gz
sssd-96a6aa73a6ea0982b349ac10b82aaf86d03ec5f5.tar.bz2
sssd-96a6aa73a6ea0982b349ac10b82aaf86d03ec5f5.zip
Add more warnings about nearly expired passwords
For the shadow and mit_kerberos password policy warnings are sent to the client if the password is about to expire.
-rw-r--r--src/providers/ldap/ldap_auth.c71
1 files changed, 66 insertions, 5 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 231ae2e9..533db8e2 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -46,6 +46,12 @@
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_async.h"
+/* MIT Kerberos has the same hardcoded warning interval of 7 days. Due to the
+ * fact that using the expiration time of a Kerberos password with LDAP
+ * authentication is presumably a rare case a separate config option is not
+ * necessary. */
+#define KERBEROS_PWEXPIRE_WARNING_TIME (7 * 24 * 60 * 60)
+
enum pwexpire {
PWEXPIRE_NONE = 0,
PWEXPIRE_LDAP_PASSWORD_POLICY,
@@ -53,12 +59,42 @@ enum pwexpire {
PWEXPIRE_SHADOW
};
+static errno_t add_expired_warning(struct pam_data *pd, long exp_time)
+{
+ int ret;
+ uint32_t *data;
+
+ if (exp_time < 0 || exp_time > UINT32_MAX) {
+ DEBUG(1, ("Time to expire out of range.\n"));
+ return EINVAL;
+ }
+
+ data = talloc_array(pd, uint32_t, 2);
+ if (data == NULL) {
+ DEBUG(1, ("talloc_size failed.\n"));
+ return ENOMEM;
+ }
+
+ data[0] = SSS_PAM_USER_INFO_EXPIRE_WARN;
+ data[1] = (uint32_t) exp_time;
+
+ ret = pam_add_response(pd, SSS_PAM_USER_INFO, 2 * sizeof(uint32_t),
+ (uint8_t *) data);
+ if (ret != EOK) {
+ DEBUG(1, ("pam_add_response failed.\n"));
+ }
+
+ return EOK;
+}
+
static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
+ struct pam_data *pd,
enum sdap_result *result)
{
char *end;
struct tm tm;
time_t expire_time;
+ int ret;
memset(&tm, 0, sizeof(tm));
@@ -92,16 +128,27 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
*result = SDAP_AUTH_PW_EXPIRED;
} else {
*result = SDAP_AUTH_SUCCESS;
+
+ if (pd != NULL &&
+ difftime(now + KERBEROS_PWEXPIRE_WARNING_TIME, expire_time) > 0.0) {
+ ret = add_expired_warning(pd, (long) difftime(expire_time, now));
+ if (ret != EOK) {
+ DEBUG(1, ("add_expired_warning failed.\n"));
+ }
+ }
}
return EOK;
}
static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,
+ struct pam_data *pd,
enum sdap_result *result)
{
long today;
long password_age;
+ long exp;
+ int ret;
if (spwd->sp_lstchg <= 0) {
DEBUG(4, ("Last change day is not set, new password needed.\n"));
@@ -132,7 +179,21 @@ static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,
return EOK;
}
-/* TODO: evaluate spwd->min and spwd->warn */
+ if (pd != NULL && spwd->sp_max != -1 && spwd->sp_warn != -1 &&
+ password_age > spwd->sp_max - spwd->sp_warn ) {
+
+ /* add_expired_warning() expects time in seconds */
+ exp = (spwd->sp_max - password_age) * (60 * 60 * 24);
+ if (exp == 0) {
+ /* Seconds until next midnight */
+ exp = ((today + 1) * (60 * 60 * 24)) - now;
+ }
+
+ ret = add_expired_warning(pd, exp);
+ if (ret != EOK) {
+ DEBUG(1, ("add_expired_warning failed.\n"));
+ }
+ }
*result = SDAP_AUTH_SUCCESS;
return EOK;
@@ -745,7 +806,7 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
if (result == SDAP_AUTH_SUCCESS) {
switch (pw_expire_type) {
case PWEXPIRE_SHADOW:
- ret = check_pwexpire_shadow(pw_expire_data, time(NULL),
+ ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL,
&result);
if (ret != EOK) {
DEBUG(1, ("check_pwexpire_shadow failed.\n"));
@@ -754,7 +815,7 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
}
break;
case PWEXPIRE_KERBEROS:
- ret = check_pwexpire_kerberos(pw_expire_data, time(NULL),
+ ret = check_pwexpire_kerberos(pw_expire_data, time(NULL), NULL,
&result);
if (ret != EOK) {
DEBUG(1, ("check_pwexpire_kerberos failed.\n"));
@@ -954,7 +1015,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
switch (pw_expire_type) {
case PWEXPIRE_SHADOW:
ret = check_pwexpire_shadow(pw_expire_data, time(NULL),
- &result);
+ state->pd, &result);
if (ret != EOK) {
DEBUG(1, ("check_pwexpire_shadow failed.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;
@@ -963,7 +1024,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
break;
case PWEXPIRE_KERBEROS:
ret = check_pwexpire_kerberos(pw_expire_data, time(NULL),
- &result);
+ state->pd, &result);
if (ret != EOK) {
DEBUG(1, ("check_pwexpire_kerberos failed.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;