Diffstat (limited to 'src')
-rw-r--r-- | src/confdb/confdb.h | 1 | ||||
-rw-r--r-- | src/config/SSSDConfig.py | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.conf | 1 | ||||
-rw-r--r-- | src/man/sssd.conf.5.xml | 18 | ||||
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 59 |
5 files changed, 68 insertions, 12 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 5e55f255..7173c9fc 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -82,6 +82,7 @@
 #define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5
 #define CONFDB_PAM_VERBOSITY "pam_verbosity"
 #define CONFDB_PAM_ID_TIMEOUT "pam_id_timeout"
+#define CONFDB_PAM_PWD_EXPIRATION_WARNING "pam_pwd_expiration_warning"
 /* Data Provider */
 #define CONFDB_DP_CONF_ENTRY "config/dp"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 3191ad79..98a5ddad 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -65,6 +65,7 @@ option_strings = {
 'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
 'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'),
 'pam_id_timeout' : _('How many seconds to keep identity information cached for PAM requests'),
+ 'pam_pwd_expiration_warning' : _('How many days before password expiration a warning should be displayed'),
 # [provider]
 'id_provider' : _('Identity provider'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 426c5142..e9159716 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -35,6 +35,7 @@ offline_failed_login_attempts = int, None, false
 offline_failed_login_delay = int, None, false
 pam_verbosity = int, None, false
 pam_id_timeout = int, None, false
+pam_pwd_expiration_warning = int, None, false
 [provider]
 #Available provider types
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 449c01f8..6ac9de89 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -462,6 +462,24 @@
 </para>
 </listitem>
 </varlistentry>
+
+ <varlistentry>
+ <term>pam_pwd_expiration_warning (integer)</term>
+ <listitem>
+ <para>
+ Display a warning N days before the password expires.
+ </para>
+ <para>
+ Please note that the backend server has to provide
+ information about the expiration time of the password.
+ If this information is missing, sssd cannot display a
+ warning.
+ </para>
+ <para>
+ Default: 7
+ </para>
+ </listitem>
+ </varlistentry>
 </variablelist>
 </refsect2>
 </refsect1>
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index bb42f712..ba105a55 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -39,6 +39,7 @@ enum pam_verbosity {
 };
 #define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT
+#define DEFAULT_PAM_PWD_EXPIRATION_WARNING 7
 static void pam_reply(struct pam_auth_req *preq);
@@ -327,12 +328,43 @@ fail:
 return ret;
 }
-static errno_t filter_responses(struct response_data *resp_list,
- int pam_verbosity)
+static errno_t filter_responses(struct confdb_ctx *cdb,
+ struct response_data *resp_list)
 {
+ int ret;
 struct response_data *resp;
 uint32_t user_info_type;
 int64_t expire_date;
+ uint32_t expire_warn;
+ TALLOC_CTX *tmp_ctx;
+ int pam_verbosity;
+ int pam_expiration_warning;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(1, ("talloc_new failed.\n"));
+ return ENOMEM;
+ }
+
+ ret = confdb_get_int(cdb, tmp_ctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
+ &pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to read PAM verbosity, not fatal.\n"));
+ pam_verbosity = 0;
+ }
+
+
+ ret = confdb_get_int(cdb, tmp_ctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_PWD_EXPIRATION_WARNING,
+ DEFAULT_PAM_PWD_EXPIRATION_WARNING,
+ &pam_expiration_warning);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to read PAM expiration warning, not fatal.\n"));
+ pam_expiration_warning = DEFAULT_PAM_PWD_EXPIRATION_WARNING;
+ }
+
+ talloc_free(tmp_ctx);
 resp = resp_list;
@@ -369,6 +401,18 @@ static errno_t filter_responses(struct response_data *resp_list,
 }
 break;
+ case SSS_PAM_USER_INFO_EXPIRE_WARN:
+ if (resp->len != 2 * sizeof(uint32_t)) {
+ DEBUG(1, ("User info expire warning entry is "
+ "too short.\n"));
+ return EINVAL;
+ }
+ memcpy(&expire_warn, resp->data + sizeof(uint32_t),
+ sizeof(uint32_t));
+ if(expire_warn > pam_expiration_warning * (60 * 60 * 24)) {
+ resp->do_not_send_to_client = true;
+ }
+ break;
 default:
 DEBUG(7, ("User info type [%d] not filtered.\n"));
 }
@@ -415,7 +459,6 @@ static void pam_reply(struct pam_auth_req *preq)
 uint32_t user_info_type;
 time_t exp_date = -1;
 time_t delay_until = -1;
- int pam_verbosity = 0;
 pd = preq->pd;
 cctx = preq->cctx;
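Review bot: The value read into pam_expiration_warning by the second confdb_get_int call is never range-checked, and the -369 hunk later evaluates `pam_expiration_warning * (60 * 60 * 24)` in int and compares it with the uint32_t expire_warn. A negative setting in sssd.conf turns into a large unsigned value in that comparison, so no expiry warning is ever suppressed, and a setting above roughly 24855 days overflows signed int, which is undefined behaviour. After the second read, reject bad values, e.g. `if (pam_expiration_warning < 0) { pam_expiration_warning = DEFAULT_PAM_PWD_EXPIRATION_WARNING; }`, and widen the comparison to `if (expire_warn > (uint64_t) pam_expiration_warning * (60 * 60 * 24))`. Both confdb reads now also run on every call, i.e. once per PAM reply, which deserves a comment if intended; filter_responses continues outside the hunk.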
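Review bot: `if(expire_warn > ...` in the new SSS_PAM_USER_INFO_EXPIRE_WARN case lacks the space after `if` that the neighbouring `if (resp->len != ...` uses. The entry layout is only implied by the code: the length check requires two uint32_t values and the second is treated as seconds until expiry, so a comment above the memcpy such as `/* second uint32_t: seconds until the password expires, compared against the configured number of days */` would help; the first word is presumably the user info type, as for the other entries, which should be confirmed against the provider that sends it. The enclosing switch begins outside the hunk.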
@@ -516,15 +559,7 @@ static void pam_reply(struct pam_auth_req *preq)
 goto done;
 }
- ret = confdb_get_int(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
- CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
- &pam_verbosity);
- if (ret != EOK) {
- DEBUG(1, ("Failed to read PAM verbosity, not fatal.\n"));
- pam_verbosity = 0;
- }
-
- ret = filter_responses(pd->resp_list, pam_verbosity);
+ ret = filter_responses(pctx->rctx->cdb, pd->resp_list);
 if (ret != EOK) {
 DEBUG(1, ("filter_responses failed, not fatal.\n"));
 }
|
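Review bot: filter_responses can now fail before it has filtered anything, because its talloc_new failure returns ENOMEM ahead of the loop, yet the caller still only logs `filter_responses failed, not fatal.` and continues with the unfiltered list. On that path every response_data entry, including the informational messages pam_verbosity is meant to hide and an expiry warning outside the configured horizon, is sent to the client. Consider treating the allocation failure separately, e.g. `if (ret == ENOMEM) { goto done; }` ahead of the existing check, provided the done path in pam_reply (outside the hunk) reports an error; otherwise at least say in the DEBUG message that the responses were sent unfiltered.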