summaryrefslogtreecommitdiff
path: root/server/providers/ldap
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2009-12-16 12:53:55 +0100
committerStephen Gallagher <sgallagh@redhat.com>2009-12-18 09:46:25 -0500
commit23dc20cd69cfbb2731c36e1610536ba190bbd459 (patch)
tree106d84e5d8f6a2eef8861a07fa662666ca5ab90f /server/providers/ldap
parent66e4134d8be0eb42c645e9730d46bb2c7f561e81 (diff)
downloadsssd-23dc20cd69cfbb2731c36e1610536ba190bbd459.tar.gz
sssd-23dc20cd69cfbb2731c36e1610536ba190bbd459.tar.bz2
sssd-23dc20cd69cfbb2731c36e1610536ba190bbd459.zip
Handle chauthtok with PAM_PRELIM_CHECK separately
If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we generate a separate call to the sssd to validate the old password before asking for a new password and sending the change password request.
Diffstat (limited to 'server/providers/ldap')
-rw-r--r--server/providers/ldap/ldap_auth.c26
1 files changed, 19 insertions, 7 deletions
diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
index 88e637b0..28b3240b 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -661,7 +661,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
pd->pam_status = PAM_SYSTEM_ERR;
- if (pd->cmd != SSS_PAM_CHAUTHTOK) {
+ if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {
DEBUG(2, ("chpass target was called by wrong pam command.\n"));
goto done;
}
@@ -677,12 +677,15 @@ void sdap_pam_chpass_handler(struct be_req *breq)
if (!state->password) goto done;
talloc_set_destructor((TALLOC_CTX *)state->password,
password_destructor);
- state->new_password = talloc_strndup(state,
- (char *)pd->newauthtok,
- pd->newauthtok_size);
- if (!state->new_password) goto done;
- talloc_set_destructor((TALLOC_CTX *)state->new_password,
- password_destructor);
+
+ if (pd->cmd == SSS_PAM_CHAUTHTOK) {
+ state->new_password = talloc_strndup(state,
+ (char *)pd->newauthtok,
+ pd->newauthtok_size);
+ if (!state->new_password) goto done;
+ talloc_set_destructor((TALLOC_CTX *)state->new_password,
+ password_destructor);
+ }
authtok.data = (uint8_t *)state->password;
authtok.length = strlen(state->password);
@@ -717,6 +720,14 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
goto done;
}
+ if (result == SDAP_AUTH_SUCCESS &&
+ state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
+ DEBUG(9, ("Initial authentication for change password operation "
+ "successful.\n"));
+ state->pd->pam_status = PAM_SUCCESS;
+ goto done;
+ }
+
if (result == SDAP_AUTH_SUCCESS) {
switch (pw_expire_type) {
case PWEXPIRE_SHADOW:
@@ -851,6 +862,7 @@ void sdap_pam_auth_handler(struct be_req *breq)
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
+ case SSS_PAM_CHAUTHTOK_PRELIM:
state = talloc_zero(breq, struct sdap_pam_auth_state);
if (!state) goto done;