author | Jan Zeleny <jzeleny@redhat.com> | 2012-05-01 03:36:37 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-05-04 13:36:42 -0400 |
commit | bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11 (patch) | |
tree | ba1da22bd4f400edf1ba50563c80ab290e0987bb /src/responder/pam | |
parent | 9fd2775fe1ced6ff6a9a3ff7db124fcb52dade5d (diff) | |
Modify behavior of pam_pwd_expiration_warning
New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.
If the value of expiration warning is set to zero, the filter isn't
applied at all - if the backend server returns the warning, it will be
automatically displayed.
Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter
Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider.
Diffstat (limited to 'src/responder/pam')
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 35 |
1 files changed, 0 insertions, 35 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index c3e027e3..608a38d4 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -42,7 +42,6 @@ enum pam_verbosity { }; #define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT -#define DEFAULT_PAM_PWD_EXPIRATION_WARNING 7 static void pam_reply(struct pam_auth_req *preq); @@ -515,16 +514,7 @@ static errno_t filter_responses(struct confdb_ctx *cdb, struct response_data *resp; uint32_t user_info_type; int64_t expire_date; - uint32_t expire_warn; - TALLOC_CTX *tmp_ctx; int pam_verbosity; - int pam_expiration_warning; - - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { - DEBUG(1, ("talloc_new failed.\n")); - return ENOMEM; - } ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY, CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY, @@ -534,20 +524,7 @@ static errno_t filter_responses(struct confdb_ctx *cdb, pam_verbosity = DEFAULT_PAM_VERBOSITY; } - - ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY, - CONFDB_PAM_PWD_EXPIRATION_WARNING, - DEFAULT_PAM_PWD_EXPIRATION_WARNING, - &pam_expiration_warning); - if (ret != EOK) { - DEBUG(1, ("Failed to read PAM expiration warning, not fatal.\n")); - pam_expiration_warning = DEFAULT_PAM_PWD_EXPIRATION_WARNING; - } - - talloc_free(tmp_ctx); - resp = resp_list; - while(resp != NULL) { if (resp->type == SSS_PAM_USER_INFO) { if (resp->len < sizeof(uint32_t)) { @@ -581,18 +558,6 @@ static errno_t filter_responses(struct confdb_ctx *cdb, } break; - case SSS_PAM_USER_INFO_EXPIRE_WARN: - if (resp->len != 2 * sizeof(uint32_t)) { - DEBUG(1, ("User info expire warning entry is " - "too short.\n")); - return EINVAL; - } - memcpy(&expire_warn, resp->data + sizeof(uint32_t), - sizeof(uint32_t)); - if(expire_warn > pam_expiration_warning * (60 * 60 * 24)) { - resp->do_not_send_to_client = true; - } - break; default: DEBUG(7, ("User info type [%d] not filtered.\n")); } |