From c9fb441600acc02952372fc89097cf06a8eaca5f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 17 Sep 2019 09:48:49 +0200
Subject: [PATCH] RHEL-specific: Disable the password policies unless
explicitly enabled
---
nslcd/cfg.c | 1 +
nslcd/myldap.c | 8 ++++++++
2 files changed, 9 insertions(+)
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index e11d03a..66908b2 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -136,6 +136,7 @@ static void cfg_defaults(struct ldap_config *cfg)
parse_validnames_statement(__FILE__,__LINE__,"",
"/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i",cfg);
cfg->pam_password_prohibit_message=NULL;
+ cfg->pam_authc_ppolicy = 0;
}
/* simple strdup wrapper */
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index 6eb91f8..a07829f 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -689,6 +689,14 @@ static int do_bind(MYLDAP_SESSION *session, LDAP *ld,const char *binddn,const ch
if ((binddn!=NULL)&&(binddn[0]!='\0'))
{
#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE)
+ /* RHEL-specific: Don't even call into the ppolicy_bind path unless
+ * the option was set explicitly to 1 to retain backwards compatibility
+ */
+ if (nslcd_cfg->pam_authc_ppolicy == 0) {
+ log_log(LOG_DEBUG,"ldap_simple_bind_s(\"%s\",%s) (uri=\"%s\")",binddn,
+ ((bindpw!=NULL)&&(bindpw[0]!='\0'))?"\"***\"":"\"\"",uri);
+ return ldap_simple_bind_s(ld,binddn,bindpw);
+ }
return do_ppolicy_bind(session, ld, uri);
#else /* no SASL, so no ppolicy */
/* do a simple bind */
--
2.21.0