summaryrefslogtreecommitdiff
path: root/src/providers/ldap/ldap_auth.c
AgeCommit message (Collapse)AuthorFilesLines
2013-01-15Add domain argument to sysdb_get_user_attr()Simo Sorce1-3/+4
2013-01-10Change pam data auth tokens.Simo Sorce1-54/+36
Use the new authtok abstraction and interfaces throught the code.
2012-12-15let ldap_chpass_uri failover work when using same hostnamePavel Březina1-11/+4
https://fedorahosted.org/sssd/ticket/1699 We want to continue with the next server on all errors, not only on ETIMEDOUT. This particullar ticket was dealing with ECONNREFUSED.
2012-12-02warn user if password is about to expirePavel Březina1-3/+4
https://fedorahosted.org/sssd/ticket/1638 If pwd_exp_warning == 0, expiry warning should be printed if it is returned by server. If pwd_exp_warning > 0, expiry warning should be printed only if the password will expire in time <= pwd_exp_warning. ppolicy->expiry contains period in seconds after which the password expires. Not the exact timestamp. Thus we should not add 'now' to pwd_exp_warning.
2012-09-13FO: Check server validity before setting statusJakub Hrozek1-1/+3
The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364
2012-09-05Retry the next server if bind during LDAP auth times outJakub Hrozek1-1/+6
2012-05-04Modify behavior of pam_pwd_expiration_warningJan Zeleny1-12/+30
New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
2012-03-08Detect cycle in the fail over on subsequent resolve requests onlyJakub Hrozek1-1/+2
2012-03-06Only do one cycle when resolving a serverJakub Hrozek1-2/+3
https://fedorahosted.org/sssd/ticket/1214
2012-02-06Update shadowLastChanged attribute during LDAP password changeJan Zeleny1-0/+46
https://fedorahosted.org/sssd/ticket/1019
2011-11-22Cleanup: Remove unused parametersJakub Hrozek1-2/+1
2011-09-28Multiline macro cleanupJakub Hrozek1-2/+2
This is mostly a cosmetic patch. The purpose of wrapping a multi-line macro in a do { } while(0) is to make the macro usable as a regular statement, not a compound statement. When the while(0) is terminated with a semicolon, the do { } while(0); block becomes a compound statement again.
2011-09-06Improve error message for LDAP password constraint violationJakub Hrozek1-11/+16
https://fedorahosted.org/sssd/ticket/985
2011-08-25Improve password policy error code and messageSumit Bose1-4/+9
Instead of returning PAM_SYSTEM_ERR if they necessary attributes for the requested password policy cannot be found we return PAM_PERM_DENIED. Additionally the log message says that the access is denied.
2011-08-15sysdb refactoring: memory context deletedJan Zeleny1-2/+1
This patch deletes memory context parameter in those places in sysdb where it is not necessary. The code using modified functions has been updated. Tests updated as well.
2011-08-15sysdb refactoring: deleted domain variables in sysdb APIJan Zeleny1-2/+1
The patch also updates code using modified functions. Tests have also been adjusted.
2011-06-30Use ldap_init_fd() instead of ldap_initialize() if availableSumit Bose1-1/+2
2011-06-16Do not check pwdAttributeSumit Bose1-9/+0
It is not safe to check pwdAttribute to see if server side password policies are active. Only if a LDAP_CONTROL_PASSWORDPOLICYRESPONSE is present the bind response we can assume that there is a server side password policy.
2011-04-08Fix unchecked return values of pam_add_responseJakub Hrozek1-2/+7
https://fedorahosted.org/sssd/ticket/798
2011-02-16Do not attempt to use START_TLS on SSL connectionsStephen Gallagher1-9/+17
Not all LDAP servers are capable of handling dual-encryption with both TLS and SSL. https://fedorahosted.org/sssd/ticket/795
2011-01-27Add option to disable TLS for LDAP authStephen Gallagher1-1/+13
Option is named to discourage use in production environments and is intentionally not listed in the SSSDConfig API.
2011-01-19Fix return value checkSumit Bose1-2/+2
2010-12-06Add ldap_chpass_uri config optionSumit Bose1-5/+14
2010-12-06Make string_to_shadowpw_days() publicSumit Bose1-33/+0
2010-11-19Fix offline detection for LDAP auth/chpassSumit Bose1-5/+13
2010-10-04Return offline instead of errorStephen Gallagher1-1/+2
When the failover code returns that there are no available servers while we are marked offline, we were returning an error to the PAM authentication code. Instead, we should return success with a result value of SDAP_UNAVAIL so that the PAM responder will mark the domain offline and attempt offline authentication.
2010-08-24Treat a zero-length password as a failureStephen Gallagher1-0/+7
Some LDAP servers allow binding with blank passwords. We should not allow a blank password to authenticate the SSSD.
2010-08-04Fix chpass operations with LDAP providerStephen Gallagher1-0/+1
The initial verification of the old password was returning an error because we were not explicitly setting dp_err to DP_ERR_SUCCESS and it was initialized earlier in the function to DP_ERR_FATAL.
2010-05-07Add more warnings about nearly expired passwordsSumit Bose1-5/+66
For the shadow and mit_kerberos password policy warnings are sent to the client if the password is about to expire.
2010-05-07Use all available servers in LDAP providerJakub Hrozek1-6/+33
2010-04-26Display a message if a password reset by root failsSumit Bose1-0/+8
2010-04-12sysdb: convert sysdb_get_user_attrSimo Sorce1-134/+69
2010-04-12sysdb: convert sysdb_cache_passwordSimo Sorce1-32/+11
2010-03-25Fix warnings from -Wmissing-field-initializersSumit Bose1-1/+3
This patch removes some tab-indentations from pamsrv.c, too.
2010-03-22Improvements for LDAP Password Policy supportRalf Haferkamp1-2/+50
Display warnings about remaining grace logins and password expiration to the user, when LDAP Password Policies are used. Improved detection if LDAP Password policies are supported by LDAP Server.
2010-03-15Fixed authentication check for CHAUTHTOK_PRELIMRalf Haferkamp1-1/+1
When changing passwords, treat SDAP_AUTH_PW_EXPIRED as a successful authentication in SSS_PAM_CHAUTHTOK_PRELIM.
2010-02-23Handle expired passwords like other PAM modulesSumit Bose1-1/+1
So far we handled expired password during authentication. Other PAM modules typically detect expired password during account management and return PAM_NEW_AUTHTOK_REQD if the password is expired and should be changed. The PAM library then calls the change password routines. To meet these standards pam_sss is change accordingly. As a result it is now possible to update an expired password via ssh if sssd is running with PasswordAuthentication=yes. One drawback due to limitations of PAM is that the user now has to type his current password again before setting a new one.
2010-02-18Rename server/ directory to src/Stephen Gallagher1-0/+1055
Also update BUILD.txt