From 4861574af285c3ad0188424a567648673cfd7556 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Wed, 14 Aug 2019 09:33:59 +0200

Subject: [PATCH 21/23] backport the pam_authc_ppolicy option

---

 man/nslcd.conf.5.xml | 12 ++++++++++++

 nslcd/cfg.c          | 11 +++++++++++

 nslcd/cfg.h          |  3 +++

 nslcd/myldap.c       | 19 +++++++++++--------

 4 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml

index d7fa9b8..7c2d45a 100644

--- a/man/nslcd.conf.5.xml

+++ b/man/nslcd.conf.5.xml

@@ -733,6 +733,18 @@

      </listitem>

     </varlistentry>

+    <varlistentry id="pam_authc_ppolicy"> 

+     <term><option>pam_authc_ppolicy</option> yes|no</term>

+     <listitem>

+      <para>

+       This option specifies whether password policy controls are requested

+       and handled from the LDAP server when performing

+       user authentication.

+       By default the controls are requested and handled if available.

+      </para>

+     </listitem>

+    </varlistentry>

+

     <varlistentry id="pam_authz_search">

      <term><option>pam_authz_search</option>

            <replaceable>FILTER</replaceable></term>

diff --git a/nslcd/cfg.c b/nslcd/cfg.c

index b821fcd..e11d03a 100644

--- a/nslcd/cfg.c

+++ b/nslcd/cfg.c

@@ -1205,6 +1205,17 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)

     {

       parse_pam_password_prohibit_message_statement(filename,lnr,keyword,line,cfg);

     }

+    else if (strcasecmp(keyword, "pam_authc_ppolicy") == 0)

+    {

+#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE)

+      get_boolean(filename,lnr,keyword,&line,&cfg->pam_authc_ppolicy);

+      get_eol(filename, lnr, keyword, &line);

+#else

+      log_log(LOG_ERR, "%s:%d: value %s not supported on platform",

+              filename, lnr, value);

+      exit(EXIT_FAILURE);

+#endif

+    }

 #ifdef ENABLE_CONFIGFILE_CHECKING

     /* fallthrough */

     else

diff --git a/nslcd/cfg.h b/nslcd/cfg.h

index 5356ace..4c044ca 100644

--- a/nslcd/cfg.h

+++ b/nslcd/cfg.h

@@ -156,6 +156,9 @@ struct ldap_config

   /* whether password changing should be denied and user prompted with

      this message */

   char *pam_password_prohibit_message;

+#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE)

+  int pam_authc_ppolicy;    /* whether to send password policy controls on bind */

+#endif

 };

 /* this is a pointer to the global configuration, it should be available

diff --git a/nslcd/myldap.c b/nslcd/myldap.c

index 86a339e..738a782 100644

--- a/nslcd/myldap.c

+++ b/nslcd/myldap.c

@@ -522,18 +522,21 @@ static int do_ppolicy_bind(MYLDAP_SESSION *session, LDAP *ld, const char *uri)

   int rc, parserc;

   struct berval cred;

   LDAPControl passwd_policy_req;

-  LDAPControl *requestctrls[2];

+  LDAPControl *requestctrls[2] = { NULL, NULL };

   LDAPControl **responsectrls;

   int msgid;

   struct timeval timeout;

   LDAPMessage *result;

-  /* build password policy request control */

-  passwd_policy_req.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;

-  passwd_policy_req.ldctl_value.bv_val = NULL; /* none */

-  passwd_policy_req.ldctl_value.bv_len = 0;

-  passwd_policy_req.ldctl_iscritical = 0; /* not critical */

-  requestctrls[0] = &passwd_policy_req;

-  requestctrls[1] = NULL;

+  /* build policy request if pam_authc_ppolicy is set */

+  if (nslcd_cfg->pam_authc_ppolicy)

+  {

+    passwd_policy_req.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;

+    passwd_policy_req.ldctl_value.bv_val = NULL; /* none */

+    passwd_policy_req.ldctl_value.bv_len = 0;

+    passwd_policy_req.ldctl_iscritical = 0; /* not critical */

+    requestctrls[0] = &passwd_policy_req;

+    requestctrls[1] = NULL;

+  }

   /* build password berval */

   cred.bv_val = (char *)session->bindpw;

   cred.bv_len = (session->bindpw == NULL) ? 0 : strlen(session->bindpw);

-- 

2.20.1