-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml18
-rw-r--r--src/responder/pam/pamsrv_cmd.c59
5 files changed, 68 insertions, 12 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 5e55f255..7173c9fc 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -82,6 +82,7 @@
#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5
#define CONFDB_PAM_VERBOSITY "pam_verbosity"
#define CONFDB_PAM_ID_TIMEOUT "pam_id_timeout"
+#define CONFDB_PAM_PWD_EXPIRATION_WARNING "pam_pwd_expiration_warning"
/* Data Provider */
#define CONFDB_DP_CONF_ENTRY "config/dp"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 3191ad79..98a5ddad 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -65,6 +65,7 @@ option_strings = {
'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'),
'pam_id_timeout' : _('How many seconds to keep identity information cached for PAM requests'),
+ 'pam_pwd_expiration_warning' : _('How many days before password expiration a warning should be displayed'),
# [provider]
'id_provider' : _('Identity provider'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 426c5142..e9159716 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -35,6 +35,7 @@ offline_failed_login_attempts = int, None, false
offline_failed_login_delay = int, None, false
pam_verbosity = int, None, false
pam_id_timeout = int, None, false
+pam_pwd_expiration_warning = int, None, false
[provider]
#Available provider types
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 449c01f8..6ac9de89 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -462,6 +462,24 @@
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>pam_pwd_expiration_warning (integer)</term>
+ <listitem>
+ <para>
+ Display a warning N days before the password expires.
+ </para>
+ <para>
+ Please note that the backend server has to provide
+ information about the expiration time of the password.
+ If this information is missing, sssd cannot display a
+ warning.
+ </para>
+ <para>
+ Default: 7
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
</refsect1>
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index bb42f712..ba105a55 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -39,6 +39,7 @@ enum pam_verbosity {
};
#define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT
+#define DEFAULT_PAM_PWD_EXPIRATION_WARNING 7
static void pam_reply(struct pam_auth_req *preq);
@@ -327,12 +328,43 @@ fail:
return ret;
}
-static errno_t filter_responses(struct response_data *resp_list,
- int pam_verbosity)
+static errno_t filter_responses(struct confdb_ctx *cdb,
+ struct response_data *resp_list)
{
+ int ret;
struct response_data *resp;
uint32_t user_info_type;
int64_t expire_date;
+ uint32_t expire_warn;
+ TALLOC_CTX *tmp_ctx;
+ int pam_verbosity;
+ int pam_expiration_warning;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(1, ("talloc_new failed.\n"));
+ return ENOMEM;
+ }
+
+ ret = confdb_get_int(cdb, tmp_ctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
+ &pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to read PAM verbosity, not fatal.\n"));
+ pam_verbosity = 0;
+ }
+
+
+ ret = confdb_get_int(cdb, tmp_ctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_PWD_EXPIRATION_WARNING,
+ DEFAULT_PAM_PWD_EXPIRATION_WARNING,
+ &pam_expiration_warning);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to read PAM expiration warning, not fatal.\n"));
+ pam_expiration_warning = DEFAULT_PAM_PWD_EXPIRATION_WARNING;
+ }
+
+ talloc_free(tmp_ctx);
resp = resp_list;
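Review bot: The new `pam_expiration_warning` value is taken from confdb_get_int without any range check, and an administrator-supplied negative or very large number flows straight into the arithmetic that uses it later in this function. Since the option is advertised as a day count, I would reject out-of-range values at the read site, e.g. right after the `confdb_get_int` call: `if (pam_expiration_warning < 0) { DEBUG(1, ("Invalid pam_pwd_expiration_warning [%d], using default.\n", pam_expiration_warning)); pam_expiration_warning = DEFAULT_PAM_PWD_EXPIRATION_WARNING; }`. A smaller point of consistency: the relocated verbosity read still falls back to `0` on failure while the new option falls back to its `DEFAULT_` macro; falling back to `DEFAULT_PAM_VERBOSITY` would make the two reads behave alike, if the old `0` was not deliberate. The body of filter_responses continues past the end of this hunk.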
@@ -369,6 +401,18 @@ static errno_t filter_responses(struct response_data *resp_list,
}
break;
+ case SSS_PAM_USER_INFO_EXPIRE_WARN:
+ if (resp->len != 2 * sizeof(uint32_t)) {
+ DEBUG(1, ("User info expire warning entry is "
+ "too short.\n"));
+ return EINVAL;
+ }
+ memcpy(&expire_warn, resp->data + sizeof(uint32_t),
+ sizeof(uint32_t));
+ if(expire_warn > pam_expiration_warning * (60 * 60 * 24)) {
+ resp->do_not_send_to_client = true;
+ }
+ break;
default:
DEBUG(7, ("User info type [%d] not filtered.\n"));
}
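Review bot: The comparison `expire_warn > pam_expiration_warning * (60 * 60 * 24)` does the multiplication in signed int, so a configured value above roughly 24855 days overflows (undefined behaviour), and a negative product is converted to a large unsigned value when compared against the `uint32_t expire_warn`, which would make the warning unconditionally pass through rather than be suppressed. Widening before the comparison avoids both: `if ((int64_t)expire_warn > (int64_t)pam_expiration_warning * (60 * 60 * 24)) {` (this also makes a negative setting mean "never show the warning", which seems the sensible reading). While here, `if(` should be `if (` to match the surrounding style. One pre-existing issue in the context line just below: the `default:` branch's `DEBUG(7, ("User info type [%d] not filtered.\n"))` has a `%d` but no argument; passing `user_info_type` would fix it. The enclosing function starts and ends outside this hunk.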
@@ -415,7 +459,6 @@ static void pam_reply(struct pam_auth_req *preq)
uint32_t user_info_type;
time_t exp_date = -1;
time_t delay_until = -1;
- int pam_verbosity = 0;
pd = preq->pd;
cctx = preq->cctx;
@@ -516,15 +559,7 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
- ret = confdb_get_int(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
- CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
- &pam_verbosity);
- if (ret != EOK) {
- DEBUG(1, ("Failed to read PAM verbosity, not fatal.\n"));
- pam_verbosity = 0;
- }
-
- ret = filter_responses(pd->resp_list, pam_verbosity);
+ ret = filter_responses(pctx->rctx->cdb, pd->resp_list);
if (ret != EOK) {
DEBUG(1, ("filter_responses failed, not fatal.\n"));
}
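Review bot: A failure from filter_responses is logged as "not fatal" and processing continues, but filter_responses now returns EINVAL at the first malformed expire-warning entry, leaving every later entry in `pd->resp_list` unfiltered, including ones the verbosity setting was meant to hide. Presumably the reply is still built from `pd->resp_list` after this point (that code is outside the hunk), so a backend returning one short entry could cause messages to reach the client that the configured verbosity should have suppressed. I would either have filter_responses mark the bad entry `do_not_send_to_client = true` and keep iterating, or treat a non-EOK return here as a reason not to forward the remaining response data. pam_reply begins outside this hunk.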