summaryrefslogtreecommitdiff
path: root/src/providers
diff options
context:
space:
mode:
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/krb5/krb5_auth.c31
-rw-r--r--src/providers/ldap/ldap_auth.c42
2 files changed, 57 insertions, 16 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 0306426c..986e449f 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -734,8 +734,16 @@ static void krb5_child_done(struct tevent_req *subreq)
int32_t msg_len;
int64_t time_data;
struct tgt_times tgtt;
+ int pwd_exp_warning;
+ uint32_t *expiration;
+ uint32_t *msg_subtype;
+ bool skip;
memset(&tgtt, 0, sizeof(tgtt));
+ pwd_exp_warning = state->be_ctx->domain->pwd_expiration_warning;
+ if (pwd_exp_warning < 0) {
+ pwd_exp_warning = KERBEROS_PWEXPIRE_WARNING_TIME;
+ }
ret = handle_child_recv(subreq, pd, &buf, &len);
talloc_zfree(subreq);
@@ -771,6 +779,7 @@ static void krb5_child_done(struct tevent_req *subreq)
SAFEALIGN_COPY_INT32(&msg_status, buf+p, &p);
while (p < len) {
+ skip = false;
SAFEALIGN_COPY_INT32(&msg_type, buf+p, &p);
SAFEALIGN_COPY_INT32(&msg_len, buf+p, &p);
@@ -813,10 +822,24 @@ static void krb5_child_done(struct tevent_req *subreq)
tgtt.starttime, tgtt.endtime, tgtt.renew_till));
}
- ret = pam_add_response(pd, msg_type, msg_len, &buf[p]);
- if (ret != EOK) {
- /* This is not a fatal error */
- DEBUG(1, ("pam_add_response failed.\n"));
+ if (msg_type == SSS_PAM_USER_INFO) {
+ msg_subtype = (uint32_t *)&buf[p];
+ if (*msg_subtype == SSS_PAM_USER_INFO_EXPIRE_WARN)
+ {
+ expiration = (uint32_t *)&buf[p+sizeof(uint32_t)];
+ if (pwd_exp_warning > 0 &&
+ difftime(pwd_exp_warning, *expiration) < 0.0) {
+ skip = true;
+ }
+ }
+ }
+
+ if (!skip) {
+ ret = pam_add_response(pd, msg_type, msg_len, &buf[p]);
+ if (ret != EOK) {
+ /* This is not a fatal error */
+ DEBUG(1, ("pam_add_response failed.\n"));
+ }
}
p += msg_len;
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 734249ce..da64f249 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -47,11 +47,7 @@
#include "providers/ldap/sdap_async.h"
#include "providers/ldap/sdap_async_private.h"
-/* MIT Kerberos has the same hardcoded warning interval of 7 days. Due to the
- * fact that using the expiration time of a Kerberos password with LDAP
- * authentication is presumably a rare case a separate config option is not
- * necessary. */
-#define KERBEROS_PWEXPIRE_WARNING_TIME (7 * 24 * 60 * 60)
+#define LDAP_PWEXPIRE_WARNING_TIME 0
enum pwexpire {
PWEXPIRE_NONE = 0,
@@ -90,11 +86,13 @@ static errno_t add_expired_warning(struct pam_data *pd, long exp_time)
static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
struct pam_data *pd,
- enum sdap_result *result)
+ enum sdap_result *result,
+ int pwd_exp_warning)
{
char *end;
struct tm tm;
time_t expire_time;
+ int expiration_warning;
int ret;
memset(&tm, 0, sizeof(tm));
@@ -130,8 +128,14 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
} else {
*result = SDAP_AUTH_SUCCESS;
+ if (pwd_exp_warning >= 0) {
+ expiration_warning = pwd_exp_warning;
+ } else {
+ expiration_warning = KERBEROS_PWEXPIRE_WARNING_TIME;
+ }
if (pd != NULL &&
- difftime(now + KERBEROS_PWEXPIRE_WARNING_TIME, expire_time) > 0.0) {
+ (difftime(now + expiration_warning, expire_time) > 0.0 ||
+ expiration_warning == 0)) {
ret = add_expired_warning(pd, (long) difftime(expire_time, now));
if (ret != EOK) {
DEBUG(1, ("add_expired_warning failed.\n"));
@@ -202,13 +206,19 @@ static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,
static errno_t check_pwexpire_ldap(struct pam_data *pd,
struct sdap_ppolicy_data *ppolicy,
- enum sdap_result *result)
+ enum sdap_result *result,
+ int pwd_exp_warning)
{
if (ppolicy->grace > 0 || ppolicy->expire > 0) {
uint32_t *data;
uint32_t *ptr;
+ time_t now = time(NULL);
int ret;
+ if (pwd_exp_warning < 0) {
+ pwd_exp_warning = 0;
+ }
+
data = talloc_size(pd, 2* sizeof(uint32_t));
if (data == NULL) {
DEBUG(1, ("talloc_size failed.\n"));
@@ -221,6 +231,10 @@ static errno_t check_pwexpire_ldap(struct pam_data *pd,
ptr++;
*ptr = ppolicy->grace;
} else if (ppolicy->expire > 0) {
+ if (pwd_exp_warning == 0 ||
+ difftime(now + pwd_exp_warning, ppolicy->expire) > 0.0) {
+ goto done;
+ }
*ptr = SSS_PAM_USER_INFO_EXPIRE_WARN;
ptr++;
*ptr = ppolicy->expire;
@@ -234,6 +248,7 @@ static errno_t check_pwexpire_ldap(struct pam_data *pd,
}
}
+done:
*result = SDAP_AUTH_SUCCESS;
return EOK;
}
@@ -830,8 +845,8 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
}
break;
case PWEXPIRE_KERBEROS:
- ret = check_pwexpire_kerberos(pw_expire_data, time(NULL), NULL,
- &result);
+ ret = check_pwexpire_kerberos(pw_expire_data, time(NULL), NULL, &result,
+ state->breq->domain->pwd_expiration_warning);
if (ret != EOK) {
DEBUG(1, ("check_pwexpire_kerberos failed.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;
@@ -1064,6 +1079,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
tevent_req_callback_data(req, struct sdap_pam_auth_state);
enum sdap_result result;
enum pwexpire pw_expire_type;
+ struct be_ctx *be_ctx = state->breq->be_ctx;
void *pw_expire_data;
int dp_err = DP_ERR_OK;
int ret;
@@ -1091,7 +1107,8 @@ static void sdap_pam_auth_done(struct tevent_req *req)
break;
case PWEXPIRE_KERBEROS:
ret = check_pwexpire_kerberos(pw_expire_data, time(NULL),
- state->pd, &result);
+ state->pd, &result,
+ be_ctx->domain->pwd_expiration_warning);
if (ret != EOK) {
DEBUG(1, ("check_pwexpire_kerberos failed.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;
@@ -1099,7 +1116,8 @@ static void sdap_pam_auth_done(struct tevent_req *req)
}
break;
case PWEXPIRE_LDAP_PASSWORD_POLICY:
- ret = check_pwexpire_ldap(state->pd, pw_expire_data, &result);
+ ret = check_pwexpire_ldap(state->pd, pw_expire_data, &result,
+ be_ctx->domain->pwd_expiration_warning);
if (ret != EOK) {
DEBUG(1, ("check_pwexpire_ldap failed.\n"));
state->pd->pam_status = PAM_SYSTEM_ERR;