| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
Print more descriptive message when wrong current password
is given during password change operation.
resolves:
https://fedorahosted.org/sssd/ticket/2029
|
|
https://fedorahosted.org/sssd/ticket/1999
ldap_auth.c code which was added to SSSD for updating the
shadowLastChange when "ldap_chpass_update_last_change" option is
enabled updates shadowLastChange even when the PAM password change
status reports failure.
We should only update shadowLastChange on PAM password change success or
we open up a work around for users to avoid changing their passwords
periodically as required by policy. The user simply attempts to change
password, fails by trying to set new password which invalid (denied due
to password history check) yet shadowLastChange is updated, avoiding
their need to actually change the password they are using.
|
|
Due to a comparison error, the last warning when an LDAP password was in
its grace period was never displayed.
https://fedorahosted.org/sssd/ticket/1890
|
|
Definition of structure sss_auth_token was removed from header file
authtok.h and there left only declaration of this structure.
Therefore only way how to use this structure is to use accessory function from
same header file.
To creating new empty authotok can only be used newly created function
sss_authtok_new(). TALLOC context was removed from copy and setter functions,
because pointer to stuct sss_auth_token is used as a memory context.
All declaration of struct sss_auth_token variables was replaced with
pointer to this structure and related changes was made in source code.
Function copy_pam_data can copy from argument src which was dynamically
allocated with function create_pam_data() or zero initialized struct pam_data
allocated on stack.
https://fedorahosted.org/sssd/ticket/1830
|
|
Simplifies and consolidates error reporting for ldap authentication paths.
Adds 3 new error codes:
ERR_CHPASS_DENIED - Used when password constraints deny password changes
ERR_ACCOUNT_EXPIRED - Account is expired
ERR_PASSWORD_EXPIRED - Password is expired
|
|
In preparation for making struct be_req opaque.
|
|
In preparation for making be_req opaque
|
|
Call it everywhere instead of directly dereferencing be_req->fn
This is in preparation of making be_req opaque.
|
|
|
|
The sysdb context is already available through the 'domain' structure.
|
|
|
|
|
|
Use the new authtok abstraction and interfaces throught the code.
|
|
https://fedorahosted.org/sssd/ticket/1699
We want to continue with the next server on all errors, not only
on ETIMEDOUT.
This particullar ticket was dealing with ECONNREFUSED.
|
|
https://fedorahosted.org/sssd/ticket/1638
If pwd_exp_warning == 0, expiry warning should be printed if it is
returned by server.
If pwd_exp_warning > 0, expiry warning should be printed only if
the password will expire in time <= pwd_exp_warning.
ppolicy->expiry contains period in seconds after which the password
expires. Not the exact timestamp. Thus we should not add 'now' to
pwd_exp_warning.
|
|
The list of resolved servers is allocated on the back end context and
kept in the fo_service structure. However, a single request often
resolves a server and keeps a pointer until the end of a request and
only then gives feedback about the server based on the request result.
This presents a big race condition in case the SRV resolution is used.
When there are requests coming in in parallel, it is possible that an
incoming request will invalidate a server until another request that
holds a pointer to the original server is able to give a feedback.
This patch simply checks if a server is in the list of servers
maintained by a service before reading its status.
https://fedorahosted.org/sssd/ticket/1364
|
|
|
|
New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.
If the value of expiration warning is set to zero, the filter isn't
apllied at all - if backend server returns the warning, it will be
automatically displayed.
Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter
Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider.
|
|
|
|
https://fedorahosted.org/sssd/ticket/1214
|
|
https://fedorahosted.org/sssd/ticket/1019
|
|
|
|
This is mostly a cosmetic patch.
The purpose of wrapping a multi-line macro in a do { } while(0) is to
make the macro usable as a regular statement, not a compound statement.
When the while(0) is terminated with a semicolon, the do { } while(0);
block becomes a compound statement again.
|
|
https://fedorahosted.org/sssd/ticket/985
|
|
Instead of returning PAM_SYSTEM_ERR if they necessary attributes for the
requested password policy cannot be found we return PAM_PERM_DENIED.
Additionally the log message says that the access is denied.
|
|
This patch deletes memory context parameter in those places in sysdb
where it is not necessary. The code using modified functions has been
updated. Tests updated as well.
|
|
The patch also updates code using modified functions. Tests have also
been adjusted.
|
|
|
|
It is not safe to check pwdAttribute to see if server side password
policies are active. Only if a LDAP_CONTROL_PASSWORDPOLICYRESPONSE is
present the bind response we can assume that there is a server side
password policy.
|
|
https://fedorahosted.org/sssd/ticket/798
|
|
Not all LDAP servers are capable of handling dual-encryption with
both TLS and SSL.
https://fedorahosted.org/sssd/ticket/795
|
|
Option is named to discourage use in production environments and
is intentionally not listed in the SSSDConfig API.
|
|
|
|
|
|
|
|
|
|
When the failover code returns that there are no available servers
while we are marked offline, we were returning an error to the PAM
authentication code. Instead, we should return success with a
result value of SDAP_UNAVAIL so that the PAM responder will mark
the domain offline and attempt offline authentication.
|
|
Some LDAP servers allow binding with blank passwords. We should
not allow a blank password to authenticate the SSSD.
|
|
The initial verification of the old password was returning an
error because we were not explicitly setting dp_err to
DP_ERR_SUCCESS and it was initialized earlier in the function to
DP_ERR_FATAL.
|
|
For the shadow and mit_kerberos password policy warnings are sent to the
client if the password is about to expire.
|
|
|
|
|
|
|
|
|
|
This patch removes some tab-indentations from pamsrv.c, too.
|
|
Display warnings about remaining grace logins and password
expiration to the user, when LDAP Password Policies are used.
Improved detection if LDAP Password policies are supported by
LDAP Server.
|
|
When changing passwords, treat SDAP_AUTH_PW_EXPIRED as a successful
authentication in SSS_PAM_CHAUTHTOK_PRELIM.
|
|
So far we handled expired password during authentication. Other PAM
modules typically detect expired password during account management and
return PAM_NEW_AUTHTOK_REQD if the password is expired and should be
changed. The PAM library then calls the change password routines. To
meet these standards pam_sss is change accordingly.
As a result it is now possible to update an expired password via ssh if
sssd is running with PasswordAuthentication=yes. One drawback due to
limitations of PAM is that the user now has to type his current password
again before setting a new one.
|
