From 289cd5ab7d125c8eb4a5e85800ab8f5f54dc4519 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Tue, 13 Aug 2019 22:06:12 +0200

Subject: [PATCH 17/23] Backport of passing expiration controls back to PAM

 client

---

 nslcd/myldap.c | 11 +++++++++++

 nslcd/myldap.h |  5 +++++

 nslcd/pam.c    | 15 ++++++++++++---

 3 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/nslcd/myldap.c b/nslcd/myldap.c

index 64b7f13..9f6b4b0 100644

--- a/nslcd/myldap.c

+++ b/nslcd/myldap.c

@@ -1024,6 +1024,17 @@ void myldap_set_credentials(MYLDAP_SESSION *session,const char *dn,

   session->bindpw[sizeof(session->bindpw)-1]='\0';

 }

+/* Get bind ppolicy results from the last bind operation. This function

+   returns a NSLCD_PAM_* code and optional message. */

+void myldap_get_policy_response(MYLDAP_SESSION *session, int *response,

+                                const char **message)

+{

+  if (response != NULL)

+    *response = session->policy_response;

+  if (message != NULL)

+    *message = session->policy_message;

+}

+

 static int do_try_search(MYLDAP_SEARCH *search)

 {

   int rc;

diff --git a/nslcd/myldap.h b/nslcd/myldap.h

index f118f72..3a99765 100644

--- a/nslcd/myldap.h

+++ b/nslcd/myldap.h

@@ -72,6 +72,11 @@ MUST_USE MYLDAP_SESSION *myldap_create_session(void);

 void myldap_set_credentials(MYLDAP_SESSION *session,const char *dn,

                             const char *password);

+/* Get bind ppolicy results from the last bind operation. This function

+   returns a NSLCD_PAM_* code and optional message. */

+void myldap_get_policy_response(MYLDAP_SESSION *session, int *response,

+                                const char **message);

+

 /* Closes all pending searches and deallocates any memory that is allocated

    with these searches. This does not close the session. */

 void myldap_session_cleanup(MYLDAP_SESSION *session);

diff --git a/nslcd/pam.c b/nslcd/pam.c

index ee28725..40a8687 100644

--- a/nslcd/pam.c

+++ b/nslcd/pam.c

@@ -41,13 +41,15 @@

 /* set up a connection and try to bind with the specified DN and password,

    returns an LDAP result code */

-static int try_bind(const char *userdn,const char *password)

+static int try_bind(const char *userdn,const char *password,

+                    int *authzrc, char *authzmsg, size_t authzmsgsz)

 {

   MYLDAP_SESSION *session;

   MYLDAP_SEARCH *search;

   MYLDAP_ENTRY *entry;

   static const char *attrs[2];

   int rc;

+  const char *msg;

   /* set up a new connection */

   session=myldap_create_session();

   if (session==NULL)

@@ -74,6 +76,13 @@ static int try_bind(const char *userdn,const char *password)

       log_log(LOG_WARNING,"%s: lookup failed: %s",userdn,ldap_err2string(rc));

     }

   }

+  /* get any policy response from the bind */

+  myldap_get_policy_response(session, authzrc, &msg;;

+  if ((msg != NULL) && (msg[0] != '\0'))

+  {

+    mysnprintf(authzmsg, authzmsgsz - 1, "%s", msg);

+    log_log(LOG_WARNING, "%s: %s", userdn, authzmsg);

+  }

   /* close the session */

   myldap_session_close(session);

   /* return results */

@@ -297,7 +306,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid)

     update_username(entry,username,sizeof(username));

   }

   /* try authentication */

-  rc=try_bind(userdn,password);

+  rc = try_bind(userdn, password, &authzrc, authzmsg, sizeof(authzmsg));

   if (rc==LDAP_SUCCESS)

     log_log(LOG_DEBUG,"bind successful");

   /* map result code */

@@ -308,7 +317,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid)

     default:                       rc=NSLCD_PAM_AUTH_ERR;

   }

   /* perform shadow attribute checks */

-  if (*username!='\0')

+  if ((*username != '\0') && (authzrc == NSLCD_PAM_SUCCESS))

     authzrc=check_shadow(session,username,authzmsg,sizeof(authzmsg),1,0);

   /* write response */

   WRITE_INT32(fp,NSLCD_RESULT_BEGIN);

-- 

2.20.1