From 4861574af285c3ad0188424a567648673cfd7556 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 14 Aug 2019 09:33:59 +0200
Subject: [PATCH 21/23] backport the pam_authc_ppolicy option
---
man/nslcd.conf.5.xml | 12 ++++++++++++
nslcd/cfg.c | 11 +++++++++++
nslcd/cfg.h | 3 +++
nslcd/myldap.c | 19 +++++++++++--------
4 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml
index d7fa9b8..7c2d45a 100644
--- a/man/nslcd.conf.5.xml
+++ b/man/nslcd.conf.5.xml
@@ -733,6 +733,18 @@
</listitem>
</varlistentry>
+ <varlistentry id="pam_authc_ppolicy"> <!-- since 0.9.7 -->
+ <term><option>pam_authc_ppolicy</option> yes|no</term>
+ <listitem>
+ <para>
+ This option specifies whether password policy controls are requested
+ and handled from the <acronym>LDAP</acronym> server when performing
+ user authentication.
+ By default the controls are requested and handled if available.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry id="pam_authz_search">
<term><option>pam_authz_search</option>
<replaceable>FILTER</replaceable></term>
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index b821fcd..e11d03a 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -1205,6 +1205,17 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
{
parse_pam_password_prohibit_message_statement(filename,lnr,keyword,line,cfg);
}
+ else if (strcasecmp(keyword, "pam_authc_ppolicy") == 0)
+ {
+#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE)
+ get_boolean(filename,lnr,keyword,&line,&cfg->pam_authc_ppolicy);
+ get_eol(filename, lnr, keyword, &line);
+#else
+ log_log(LOG_ERR, "%s:%d: value %s not supported on platform",
+ filename, lnr, value);
+ exit(EXIT_FAILURE);
+#endif
+ }
#ifdef ENABLE_CONFIGFILE_CHECKING
/* fallthrough */
else
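Review bot: The `#else` branch formats a variable named `value` in the log_log() call, but no such identifier is visible in this hunk — the surrounding parser passes `filename`, `lnr`, `keyword` and `line` — so on a platform lacking HAVE_LDAP_SASL_BIND/LDAP_SASL_SIMPLE this likely fails to compile with an undeclared identifier. The message also describes the wrong thing (it is the option, not a value, that is unsupported), so `log_log(LOG_ERR, "%s:%d: option %s not supported on platform", filename, lnr, keyword);` would fix both. Separately, the man page hunk states the controls are requested by default, yet no default assignment for `cfg->pam_authc_ppolicy` appears anywhere in this patch; if cfg_defaults() does not set it to 1, the myldap.c change silently stops sending the control unless the option is explicitly configured — worth confirming. cfg_read() begins and ends outside the hunk.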
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index 5356ace..4c044ca 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -156,6 +156,9 @@ struct ldap_config
/* whether password changing should be denied and user prompted with
this message */
char *pam_password_prohibit_message;
+#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE)
+ int pam_authc_ppolicy; /* whether to send password policy controls on bind */
+#endif
};
/* this is a pointer to the global configuration, it should be available
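Review bot: The comment on the new `pam_authc_ppolicy` field does not say which config keyword feeds it, that it is a boolean, or what its default is, while the man page hunk in the same patch documents the controls as requested by default; `int pam_authc_ppolicy; /* pam_authc_ppolicy keyword: request and handle password policy controls on bind (boolean; manual says default yes) */` keeps the header in step with the manual and makes the missing-default question in cfg.c easier to spot. The struct ldap_config definition starts outside the hunk.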
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index 86a339e..738a782 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -522,18 +522,21 @@ static int do_ppolicy_bind(MYLDAP_SESSION *session, LDAP *ld, const char *uri)
int rc, parserc;
struct berval cred;
LDAPControl passwd_policy_req;
- LDAPControl *requestctrls[2];
+ LDAPControl *requestctrls[2] = { NULL, NULL };
LDAPControl **responsectrls;
int msgid;
struct timeval timeout;
LDAPMessage *result;
- /* build password policy request control */
- passwd_policy_req.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;
- passwd_policy_req.ldctl_value.bv_val = NULL; /* none */
- passwd_policy_req.ldctl_value.bv_len = 0;
- passwd_policy_req.ldctl_iscritical = 0; /* not critical */
- requestctrls[0] = &passwd_policy_req;
- requestctrls[1] = NULL;
+ /* build policy request if pam_authc_ppolicy is set */
+ if (nslcd_cfg->pam_authc_ppolicy)
+ {
+ passwd_policy_req.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;
+ passwd_policy_req.ldctl_value.bv_val = NULL; /* none */
+ passwd_policy_req.ldctl_value.bv_len = 0;
+ passwd_policy_req.ldctl_iscritical = 0; /* not critical */
+ requestctrls[0] = &passwd_policy_req;
+ requestctrls[1] = NULL;
+ }
/* build password berval */
cred.bv_val = (char *)session->bindpw;
cred.bv_len = (session->bindpw == NULL) ? 0 : strlen(session->bindpw);
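Review bot: With pam_authc_ppolicy disabled, `requestctrls` is now `{ NULL, NULL }` and no password policy control is sent, but `responsectrls` and the bind-result parsing later in do_ppolicy_bind (the function continues past the hunk) presumably still look for the policy response control; confirm that path tolerates an absent control and that the authentication verdict then comes from the bind return code alone, since expiry, grace-login and lockout details carried by the control will no longer arrive. The `requestctrls[1] = NULL;` inside the new if is redundant now that the array is initialized at its declaration and can be dropped. The check also reads `nslcd_cfg->pam_authc_ppolicy` unconditionally while cfg.h declares the field only under HAVE_LDAP_SASL_BIND && LDAP_SASL_SIMPLE, which is only safe if do_ppolicy_bind itself is compiled under the same guard — not visible here. A comment at the if stating the trade-off, `/* disabling the control does not relax the bind itself, but policy details (expiry, grace, lockout) are no longer reported to PAM */`, would help the next reader.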
--
2.20.1