authorJan Zeleny <jzeleny@redhat.com>2012-05-01 03:36:37 -0400
committerStephen Gallagher <sgallagh@redhat.com>2012-05-04 13:36:42 -0400
commitbf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11 (patch)
treeba1da22bd4f400edf1ba50563c80ab290e0987bb /src/providers/krb5
parent9fd2775fe1ced6ff6a9a3ff7db124fcb52dade5d (diff)
downloadsssd-bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11.tar.gz
sssd-bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11.tar.bz2
sssd-bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11.zip
Modify behavior of pam_pwd_expiration_warning
New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't applied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
Diffstat (limited to 'src/providers/krb5')
-rw-r--r--src/providers/krb5/krb5_auth.c31
1 files changed, 27 insertions, 4 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 0306426c..986e449f 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -734,8 +734,16 @@ static void krb5_child_done(struct tevent_req *subreq)
int32_t msg_len;
int64_t time_data;
struct tgt_times tgtt;
+ int pwd_exp_warning;
+ uint32_t *expiration;
+ uint32_t *msg_subtype;
+ bool skip;
memset(&tgtt, 0, sizeof(tgtt));
+ pwd_exp_warning = state->be_ctx->domain->pwd_expiration_warning;
+ if (pwd_exp_warning < 0) {
+ pwd_exp_warning = KERBEROS_PWEXPIRE_WARNING_TIME;
+ }
ret = handle_child_recv(subreq, pd, &buf, &len);
talloc_zfree(subreq);
@@ -771,6 +779,7 @@ static void krb5_child_done(struct tevent_req *subreq)
SAFEALIGN_COPY_INT32(&msg_status, buf+p, &p);
while (p < len) {
+ skip = false;
SAFEALIGN_COPY_INT32(&msg_type, buf+p, &p);
SAFEALIGN_COPY_INT32(&msg_len, buf+p, &p);
@@ -813,10 +822,24 @@ static void krb5_child_done(struct tevent_req *subreq)
tgtt.starttime, tgtt.endtime, tgtt.renew_till));
}
- ret = pam_add_response(pd, msg_type, msg_len, &buf[p]);
- if (ret != EOK) {
- /* This is not a fatal error */
- DEBUG(1, ("pam_add_response failed.\n"));
+ if (msg_type == SSS_PAM_USER_INFO) {
+ msg_subtype = (uint32_t *)&buf[p];
+ if (*msg_subtype == SSS_PAM_USER_INFO_EXPIRE_WARN)
+ {
+ expiration = (uint32_t *)&buf[p+sizeof(uint32_t)];
+ if (pwd_exp_warning > 0 &&
+ difftime(pwd_exp_warning, *expiration) < 0.0) {
+ skip = true;
+ }
+ }
+ }
+
+ if (!skip) {
+ ret = pam_add_response(pd, msg_type, msg_len, &buf[p]);
+ if (ret != EOK) {
+ /* This is not a fatal error */
+ DEBUG(1, ("pam_add_response failed.\n"));
+ }
}
p += msg_len;
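Review bot: The new `msg_subtype = (uint32_t *)&buf[p]` and `expiration = (uint32_t *)&buf[p+sizeof(uint32_t)]` lines dereference cast pointers into the child's response buffer, while the surrounding code (the SAFEALIGN_COPY_INT32 calls on msg_type and msg_len) deliberately copies through a helper because buf+p is not guaranteed to be 4-byte aligned. The same branch also reads eight bytes of payload without checking that msg_len covers them, so a short or malformed SSS_PAM_USER_INFO message from the child would read past the message (and possibly past buf) unless msg_len is already bounded against len earlier in the loop, outside this hunk. The rewrite below copies both values into locals guarded by a length check, which also makes the `expiration` and `msg_subtype` pointer declarations added in the first hunk unnecessary. The `difftime(pwd_exp_warning, *expiration)` comparison only makes sense if the payload is a relative number of seconds like pwd_exp_warning, so a one-line comment such as `/* payload is seconds until expiry; skip the warning if it is further away than the configured threshold */` would save the next reader the guess. krb5_child_done begins and ends outside this hunk.
```c
            if (msg_type == SSS_PAM_USER_INFO
                    && msg_len >= (int32_t)(2 * sizeof(uint32_t))) {
                uint32_t subtype;
                uint32_t exp_value;
                /* buf[p] need not be 4-byte aligned; copy instead of casting,
                 * as the SAFEALIGN_COPY_INT32 users above do. */
                memcpy(&subtype, &buf[p], sizeof(subtype));
                memcpy(&exp_value, &buf[p + sizeof(uint32_t)], sizeof(exp_value));
                if (subtype == SSS_PAM_USER_INFO_EXPIRE_WARN
                        && pwd_exp_warning > 0
                        && difftime(pwd_exp_warning, exp_value) < 0.0) {
                    skip = true;
                }
            }
            /* … unchanged: if (!skip) pam_add_response(...) … */
```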