summaryrefslogtreecommitdiff
path: root/src/responder/pam
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2011-01-19 08:52:20 +0100
committerStephen Gallagher <sgallagh@redhat.com>2011-01-19 09:53:20 -0500
commit67aa400d9ce91705225e51010e832877511cb7d4 (patch)
treeee9e0641762373bbe4779e1179a1dbd9d2034488 /src/responder/pam
parent56789cfa13f85071f5fb37575fa1f1071f587efc (diff)
downloadsssd-67aa400d9ce91705225e51010e832877511cb7d4.tar.gz
sssd-67aa400d9ce91705225e51010e832877511cb7d4.tar.bz2
sssd-67aa400d9ce91705225e51010e832877511cb7d4.zip
Add pam_pwd_expiration_warning config option
Diffstat (limited to 'src/responder/pam')
-rw-r--r--src/responder/pam/pamsrv_cmd.c59
1 files changed, 47 insertions, 12 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index bb42f712..ba105a55 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -39,6 +39,7 @@ enum pam_verbosity {
};
#define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT
+#define DEFAULT_PAM_PWD_EXPIRATION_WARNING 7
static void pam_reply(struct pam_auth_req *preq);
@@ -327,12 +328,43 @@ fail:
return ret;
}
-static errno_t filter_responses(struct response_data *resp_list,
- int pam_verbosity)
+static errno_t filter_responses(struct confdb_ctx *cdb,
+ struct response_data *resp_list)
{
+ int ret;
struct response_data *resp;
uint32_t user_info_type;
int64_t expire_date;
+ uint32_t expire_warn;
+ TALLOC_CTX *tmp_ctx;
+ int pam_verbosity;
+ int pam_expiration_warning;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(1, ("talloc_new failed.\n"));
+ return ENOMEM;
+ }
+
+ ret = confdb_get_int(cdb, tmp_ctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
+ &pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to read PAM verbosity, not fatal.\n"));
+ pam_verbosity = 0;
+ }
+
+
+ ret = confdb_get_int(cdb, tmp_ctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_PWD_EXPIRATION_WARNING,
+ DEFAULT_PAM_PWD_EXPIRATION_WARNING,
+ &pam_expiration_warning);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to read PAM expiration warning, not fatal.\n"));
+ pam_expiration_warning = DEFAULT_PAM_PWD_EXPIRATION_WARNING;
+ }
+
+ talloc_free(tmp_ctx);
resp = resp_list;
@@ -369,6 +401,18 @@ static errno_t filter_responses(struct response_data *resp_list,
}
break;
+ case SSS_PAM_USER_INFO_EXPIRE_WARN:
+ if (resp->len != 2 * sizeof(uint32_t)) {
+ DEBUG(1, ("User info expire warning entry is "
+ "too short.\n"));
+ return EINVAL;
+ }
+ memcpy(&expire_warn, resp->data + sizeof(uint32_t),
+ sizeof(uint32_t));
+ if(expire_warn > pam_expiration_warning * (60 * 60 * 24)) {
+ resp->do_not_send_to_client = true;
+ }
+ break;
default:
DEBUG(7, ("User info type [%d] not filtered.\n"));
}
@@ -415,7 +459,6 @@ static void pam_reply(struct pam_auth_req *preq)
uint32_t user_info_type;
time_t exp_date = -1;
time_t delay_until = -1;
- int pam_verbosity = 0;
pd = preq->pd;
cctx = preq->cctx;
@@ -516,15 +559,7 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
- ret = confdb_get_int(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
- CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
- &pam_verbosity);
- if (ret != EOK) {
- DEBUG(1, ("Failed to read PAM verbosity, not fatal.\n"));
- pam_verbosity = 0;
- }
-
- ret = filter_responses(pd->resp_list, pam_verbosity);
+ ret = filter_responses(pctx->rctx->cdb, pd->resp_list);
if (ret != EOK) {
DEBUG(1, ("filter_responses failed, not fatal.\n"));
}