author | Pavel Březina <pbrezina@redhat.com> | 2012-11-19 16:52:36 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-12-02 22:06:46 +0100 |
commit | 6230ee6822dd61f3591c3c502047b338f09b3292 (patch) | |
tree | 41456c42bff9d48183cd144b190fc103b4859365 | |
parent | ff5934cbe9c02ca3e3d2a851460339f3126202b7 (diff) | |
warn user if password is about to expire
https://fedorahosted.org/sssd/ticket/1638
If pwd_exp_warning == 0, expiry warning should be printed if it is
returned by server.
If pwd_exp_warning > 0, expiry warning should be printed only if
the password will expire in time <= pwd_exp_warning.
ppolicy->expire contains the period in seconds after which the password
expires, not the exact timestamp. Thus we should not add 'now' to
pwd_exp_warning.
-rw-r--r-- | src/providers/ldap/ldap_auth.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 32a2e04e..b78fdb8e 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -212,7 +212,6 @@ static errno_t check_pwexpire_ldap(struct pam_data *pd,
 if (ppolicy->grace > 0 || ppolicy->expire > 0) {
 uint32_t *data;
 uint32_t *ptr;
- time_t now = time(NULL);
 int ret;

 if (pwd_exp_warning < 0) {
@@ -231,10 +230,12 @@ static errno_t check_pwexpire_ldap(struct pam_data *pd,
 ptr++;
 *ptr = ppolicy->grace;
 } else if (ppolicy->expire > 0) {
- if (pwd_exp_warning == 0 ||
- difftime(now + pwd_exp_warning, ppolicy->expire) > 0.0) {
+ if (pwd_exp_warning != 0 && ppolicy->expire > pwd_exp_warning) {
+ /* do not warn */
 goto done;
 }
+
+ /* send warning */
 *ptr = SSS_PAM_USER_INFO_EXPIRE_WARN;
 ptr++;
 *ptr = ppolicy->expire; |
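Review bot: The new test `ppolicy->expire > pwd_exp_warning` in the `else if (ppolicy->expire > 0)` branch is only correct if both values are relative periods in the same unit, and nothing in the code records that. The commit message says ppolicy->expire is the number of seconds until expiry rather than a timestamp, which is what the removed `difftime(now + pwd_exp_warning, ...)` call got wrong. The unit of pwd_exp_warning is not visible in this hunk and should be confirmed as seconds. I would replace `/* do not warn */` with a comment that keeps this from regressing, e.g. `/* expire is seconds remaining, not a timestamp; stay silent while more than pwd_exp_warning seconds are left */`. check_pwexpire_ldap starts and ends outside the hunk.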