From 289cd5ab7d125c8eb4a5e85800ab8f5f54dc4519 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 13 Aug 2019 22:06:12 +0200
Subject: [PATCH 17/23] Backport of passing expiration controls back to PAM
client
---
nslcd/myldap.c | 11 +++++++++++
nslcd/myldap.h | 5 +++++
nslcd/pam.c | 15 ++++++++++++---
3 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index 64b7f13..9f6b4b0 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -1024,6 +1024,17 @@ void myldap_set_credentials(MYLDAP_SESSION *session,const char *dn,
session->bindpw[sizeof(session->bindpw)-1]='\0';
}
+/* Get bind ppolicy results from the last bind operation. This function
+ returns a NSLCD_PAM_* code and optional message. */
+void myldap_get_policy_response(MYLDAP_SESSION *session, int *response,
+ const char **message)
+{
+ if (response != NULL)
+ *response = session->policy_response;
+ if (message != NULL)
+ *message = session->policy_message;
+}
+
static int do_try_search(MYLDAP_SEARCH *search)
{
int rc;
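Review bot: The `message` out-parameter hands back a pointer into storage owned by `session` (`session->policy_message`), so its lifetime needs stating: the caller must copy the text before `myldap_session_close()` or any later bind, which pam.c's try_bind does but nothing in the comment requires. I would extend the comment here and in the matching myldap.h hunk with `The message pointer is owned by the session and is only valid until the session is closed or bound again; callers must copy it.` The function also dereferences `session` unconditionally; if a NULL session is a caller error rather than a supported input, say so in the comment. As a point of style, the new signature writes `session, int *response,` with a space after each comma while the surrounding declarations (`myldap_set_credentials(MYLDAP_SESSION *session,const char *dn,`) use none, and the pam.c hunks show the same mismatch.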
diff --git a/nslcd/myldap.h b/nslcd/myldap.h
index f118f72..3a99765 100644
--- a/nslcd/myldap.h
+++ b/nslcd/myldap.h
@@ -72,6 +72,11 @@ MUST_USE MYLDAP_SESSION *myldap_create_session(void);
void myldap_set_credentials(MYLDAP_SESSION *session,const char *dn,
const char *password);
+/* Get bind ppolicy results from the last bind operation. This function
+ returns a NSLCD_PAM_* code and optional message. */
+void myldap_get_policy_response(MYLDAP_SESSION *session, int *response,
+ const char **message);
+
/* Closes all pending searches and deallocates any memory that is allocated
with these searches. This does not close the session. */
void myldap_session_cleanup(MYLDAP_SESSION *session);
diff --git a/nslcd/pam.c b/nslcd/pam.c
index ee28725..40a8687 100644
--- a/nslcd/pam.c
+++ b/nslcd/pam.c
@@ -41,13 +41,15 @@
/* set up a connection and try to bind with the specified DN and password,
returns an LDAP result code */
-static int try_bind(const char *userdn,const char *password)
+static int try_bind(const char *userdn,const char *password,
+ int *authzrc, char *authzmsg, size_t authzmsgsz)
{
MYLDAP_SESSION *session;
MYLDAP_SEARCH *search;
MYLDAP_ENTRY *entry;
static const char *attrs[2];
int rc;
+ const char *msg;
/* set up a new connection */
session=myldap_create_session();
if (session==NULL)
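Review bot: The comment above try_bind still reads "returns an LDAP result code" and says nothing about the three new out-parameters, so a reader cannot tell what `authzrc`, `authzmsg` and `authzmsgsz` carry back or when they are written. I would extend it with `On return *authzrc holds the NSLCD_PAM_* result of any password-policy response to the bind, and authzmsg (authzmsgsz bytes) the server-supplied policy message when there is one; authzmsg is left unchanged otherwise.` Since `authzmsg` is only written when a message is present, callers should be told to initialise it before the call. try_bind's body continues past the end of this hunk.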
@@ -74,6 +76,13 @@ static int try_bind(const char *userdn,const char *password)
log_log(LOG_WARNING,"%s: lookup failed: %s",userdn,ldap_err2string(rc));
}
}
+ /* get any policy response from the bind */
+ myldap_get_policy_response(session, authzrc, &msg);
+ if ((msg != NULL) && (msg[0] != '\0'))
+ {
+ mysnprintf(authzmsg, authzmsgsz - 1, "%s", msg);
+ log_log(LOG_WARNING, "%s: %s", userdn, authzmsg);
+ }
/* close the session */
myldap_session_close(session);
/* return results */
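Review bot: `mysnprintf(authzmsg, authzmsgsz - 1, "%s", msg);` reserves a byte for no visible reason and, because `authzmsgsz` is a `size_t`, wraps to `SIZE_MAX` when the caller passes 0, which removes the bound on the copy of a server-supplied string; if mysnprintf terminates like snprintf the call should be `mysnprintf(authzmsg, authzmsgsz, "%s", msg);`, otherwise guard it with `if (authzmsgsz > 0)`. The return value of mysnprintf is discarded here, so a truncated policy message is logged and relayed to the PAM client without any indication — worth at least a comment if truncation is acceptable. The only caller in this patch passes `sizeof(authzmsg)`, so the wrap is latent rather than reachable today. try_bind begins outside this hunk.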
@@ -297,7 +306,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid)
update_username(entry,username,sizeof(username));
}
/* try authentication */
- rc=try_bind(userdn,password);
+ rc = try_bind(userdn, password, &authzrc, authzmsg, sizeof(authzmsg));
if (rc==LDAP_SUCCESS)
log_log(LOG_DEBUG,"bind successful");
/* map result code */
@@ -308,7 +317,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid)
default: rc=NSLCD_PAM_AUTH_ERR;
}
/* perform shadow attribute checks */
- if (*username!='\0')
+ if ((*username != '\0') && (authzrc == NSLCD_PAM_SUCCESS))
authzrc=check_shadow(session,username,authzmsg,sizeof(authzmsg),1,0);
/* write response */
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
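Review bot: The new condition `(authzrc == NSLCD_PAM_SUCCESS)` silently gives a password-policy verdict from the bind precedence over the local shadow checks, and nothing in the code records that this is intended; I would add `/* a ppolicy result from the bind takes precedence over the shadow checks */` above the `if`. The check also depends on `authzrc` having a defined value when try_bind was not reached on this path; nslcd_pam_authc begins outside the hunk, so I cannot see whether it is initialised to `NSLCD_PAM_SUCCESS` at declaration — please confirm. When check_shadow does run, it receives an `authzmsg` that try_bind may already have filled, so whether it overwrites or appends should be stated in the same comment.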
--
2.20.1