author | Jan Zeleny <jzeleny@redhat.com> | 2012-05-01 03:36:37 -0400 |
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-05-04 13:36:42 -0400 |
commit | bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11 (patch) | |
tree | ba1da22bd4f400edf1ba50563c80ab290e0987bb /src/providers/krb5 | |
parent | 9fd2775fe1ced6ff6a9a3ff7db124fcb52dade5d (diff) | |
Modify behavior of pam_pwd_expiration_warning
New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.
If the value of the expiration warning is set to zero, the filter isn't
applied at all - if the backend server returns the warning, it will be
automatically displayed.
Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter
Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider.
Diffstat (limited to 'src/providers/krb5')
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 31 |
1 files changed, 27 insertions, 4 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 0306426c..986e449f 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -734,8 +734,16 @@ static void krb5_child_done(struct tevent_req *subreq)
     int32_t msg_len;
     int64_t time_data;
     struct tgt_times tgtt;
+    int pwd_exp_warning;
+    uint32_t *expiration;
+    uint32_t *msg_subtype;
+    bool skip;
 
     memset(&tgtt, 0, sizeof(tgtt));
+    pwd_exp_warning = state->be_ctx->domain->pwd_expiration_warning;
+    if (pwd_exp_warning < 0) {
+        pwd_exp_warning = KERBEROS_PWEXPIRE_WARNING_TIME;
+    }
 
     ret = handle_child_recv(subreq, pd, &buf, &len);
     talloc_zfree(subreq);
@@ -771,6 +779,7 @@ static void krb5_child_done(struct tevent_req *subreq)
     SAFEALIGN_COPY_INT32(&msg_status, buf+p, &p);
 
     while (p < len) {
+        skip = false;
         SAFEALIGN_COPY_INT32(&msg_type, buf+p, &p);
         SAFEALIGN_COPY_INT32(&msg_len, buf+p, &p);
 
@@ -813,10 +822,24 @@ static void krb5_child_done(struct tevent_req *subreq)
                   tgtt.starttime, tgtt.endtime, tgtt.renew_till));
         }
 
-        ret = pam_add_response(pd, msg_type, msg_len, &buf[p]);
-        if (ret != EOK) {
-            /* This is not a fatal error */
-            DEBUG(1, ("pam_add_response failed.\n"));
+        if (msg_type == SSS_PAM_USER_INFO) {
+            msg_subtype = (uint32_t *)&buf[p];
+            if (*msg_subtype == SSS_PAM_USER_INFO_EXPIRE_WARN)
+            {
+                expiration = (uint32_t *)&buf[p+sizeof(uint32_t)];
+                if (pwd_exp_warning > 0 &&
+                    difftime(pwd_exp_warning, *expiration) < 0.0) {
+                    skip = true;
+                }
+            }
+        }
+
+        if (!skip) {
+            ret = pam_add_response(pd, msg_type, msg_len, &buf[p]);
+            if (ret != EOK) {
+                /* This is not a fatal error */
+                DEBUG(1, ("pam_add_response failed.\n"));
+            }
         }
 
         p += msg_len;
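Review bot: The `if (pwd_exp_warning < 0)` fallback in the first hunk depends on the -1 "unset" sentinel that only the commit message explains; a reader of krb5_auth.c alone cannot tell why a negative value, rather than zero, selects the Kerberos default, nor that zero is a distinct "do not filter" setting. A comment above the check would carry that over: `/* -1 means "not configured": use the Kerberos default. 0 disables the filter (see the pwd_exp_warning > 0 test below). */`. krb5_child_done begins and ends outside this hunk.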
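Review bot: In the third hunk the new code reads two 32-bit words out of the child's message with bare pointer casts, `msg_subtype = (uint32_t *)&buf[p]` and `expiration = (uint32_t *)&buf[p+sizeof(uint32_t)]`, without first checking that `msg_len` is large enough to hold them; nothing visible in the hunk bounds `msg_len`, so a short or malformed SSS_PAM_USER_INFO message would be read past its own payload (whether the caller already validates `msg_len` against `len` is not visible here). The casts also bypass the alignment-safe copy the same loop uses a few lines earlier (`SAFEALIGN_COPY_INT32`), so this is the one place in the loop that dereferences an unaligned `uint32_t *`, which is undefined behaviour and a real fault on strict-alignment targets. I would guard on the length and copy the words out with `memcpy` (or the file's SAFEALIGN helper) into locals, which also makes the `uint32_t *` declarations in the first hunk unnecessary. krb5_child_done begins and ends outside this hunk.
```c
        if (msg_type == SSS_PAM_USER_INFO
                && msg_len >= (int32_t) (2 * sizeof(uint32_t))) {
            uint32_t subtype;
            uint32_t expiration;

            /* buf is only byte-aligned: copy the words out, don't cast */
            memcpy(&subtype, &buf[p], sizeof(subtype));
            if (subtype == SSS_PAM_USER_INFO_EXPIRE_WARN) {
                memcpy(&expiration, &buf[p + sizeof(uint32_t)],
                       sizeof(expiration));
                if (pwd_exp_warning > 0 &&
                    difftime(pwd_exp_warning, expiration) < 0.0) {
                    skip = true;
                }
            }
        }
        /* … unchanged: if (!skip) pam_add_response(...) … */
```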