From 289cd5ab7d125c8eb4a5e85800ab8f5f54dc4519 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 13 Aug 2019 22:06:12 +0200
Subject: [PATCH 17/23] Backport of passing expiration controls back to PAM client

---
 nslcd/myldap.c | 11 +++++++++++
 nslcd/myldap.h |  5 +++++
 nslcd/pam.c    | 15 ++++++++++++---
 3 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index 64b7f13..9f6b4b0 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -1024,6 +1024,17 @@ void myldap_set_credentials(MYLDAP_SESSION *session,const char *dn,
   session->bindpw[sizeof(session->bindpw)-1]='\0';
 }
 
+/* Get bind ppolicy results from the last bind operation. This function
+   returns a NSLCD_PAM_* code and optional message. */
+void myldap_get_policy_response(MYLDAP_SESSION *session, int *response,
+                                const char **message)
+{
+  if (response != NULL)
+    *response = session->policy_response;
+  if (message != NULL)
+    *message = session->policy_message;
+}
+
 static int do_try_search(MYLDAP_SEARCH *search)
 {
   int rc;
diff --git a/nslcd/myldap.h b/nslcd/myldap.h
index f118f72..3a99765 100644
--- a/nslcd/myldap.h
+++ b/nslcd/myldap.h
@@ -72,6 +72,11 @@ MUST_USE MYLDAP_SESSION *myldap_create_session(void);
 void myldap_set_credentials(MYLDAP_SESSION *session,const char *dn,
                             const char *password);
 
+/* Get bind ppolicy results from the last bind operation. This function
+   returns a NSLCD_PAM_* code and optional message. */
+void myldap_get_policy_response(MYLDAP_SESSION *session, int *response,
+                                const char **message);
+
 /* Closes all pending searches and deallocates any memory that is allocated
    with these searches. This does not close the session. */
 void myldap_session_cleanup(MYLDAP_SESSION *session);
diff --git a/nslcd/pam.c b/nslcd/pam.c
index ee28725..40a8687 100644
--- a/nslcd/pam.c
+++ b/nslcd/pam.c
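Review bot: The comment on `myldap_get_policy_response` does not say who owns the string handed back through `message` or how long it stays valid; the pam.c caller copies it before `myldap_session_close`, which suggests it points into session-owned storage, so the contract should be spelled out. I would extend the comment here and on the declaration in the nslcd/myldap.h hunk with `The returned message, if any, is owned by the session and is only valid until the next bind or until the session is closed; callers must copy it.` The function dereferences `session` without a NULL check, which is consistent with the visible `session->bindpw[...]` line of `myldap_set_credentials` just above, so that is a convention rather than a defect. What `policy_response` and `policy_message` hold before any bind has been attempted depends on session initialisation that this patch does not show; the comment should state that too, e.g. `Before a bind has been attempted the values reflect the session's initial state.`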
@@ -41,13 +41,15 @@
 
 /* set up a connection and try to bind with the specified DN and password,
    returns an LDAP result code */
-static int try_bind(const char *userdn,const char *password)
+static int try_bind(const char *userdn,const char *password,
+                    int *authzrc, char *authzmsg, size_t authzmsgsz)
 {
   MYLDAP_SESSION *session;
   MYLDAP_SEARCH *search;
   MYLDAP_ENTRY *entry;
   static const char *attrs[2];
   int rc;
+  const char *msg;
   /* set up a new connection */
   session=myldap_create_session();
   if (session==NULL)
@@ -74,6 +76,13 @@ static int try_bind(const char *userdn,const char *password)
       log_log(LOG_WARNING,"%s: lookup failed: %s",userdn,ldap_err2string(rc));
     }
   }
+  /* get any policy response from the bind */
+  myldap_get_policy_response(session, authzrc, &msg);
+  if ((msg != NULL) && (msg[0] != '\0'))
+  {
+    mysnprintf(authzmsg, authzmsgsz - 1, "%s", msg);
+    log_log(LOG_WARNING, "%s: %s", userdn, authzmsg);
+  }
   /* close the session */
   myldap_session_close(session);
   /* return results */
@@ -297,7 +306,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid)
     update_username(entry,username,sizeof(username));
   }
   /* try authentication */
-  rc=try_bind(userdn,password);
+  rc = try_bind(userdn, password, &authzrc, authzmsg, sizeof(authzmsg));
   if (rc==LDAP_SUCCESS)
     log_log(LOG_DEBUG,"bind successful");
   /* map result code */
@@ -308,7 +317,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid)
     default: rc=NSLCD_PAM_AUTH_ERR;
   }
   /* perform shadow attribute checks */
-  if (*username!='\0')
+  if ((*username != '\0') && (authzrc == NSLCD_PAM_SUCCESS))
     authzrc=check_shadow(session,username,authzmsg,sizeof(authzmsg),1,0);
   /* write response */
   WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
-- 
2.20.1
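Review bot: The comment above `try_bind` still reads `returns an LDAP result code` while the signature now carries three extra parameters whose role a reader has to reconstruct from the later pam.c hunks; I would extend it with `*authzrc receives the NSLCD_PAM_* code from the bind's password-policy response and authzmsg (authzmsgsz bytes) receives its message, if any`. The hunk also shows an early-return path (the `if (session==NULL)` branch whose body is outside the hunk) that returns before `myldap_get_policy_response` is reached, so on that path neither `*authzrc` nor `authzmsg` is written; unless the caller initialises both before the call (their declarations are outside the hunks), `authzrc` is later compared against `NSLCD_PAM_SUCCESS` while indeterminate. Setting `if (authzrc != NULL) *authzrc = NSLCD_PAM_SUCCESS;` at the top of try_bind would make the out-parameter defined on every path. try_bind's body continues outside the hunk.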
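Review bot: `mysnprintf(authzmsg, authzmsgsz - 1, "%s", msg)` subtracts one from the buffer size, which wraps to SIZE_MAX if `authzmsgsz` is ever 0 and, if `mysnprintf` takes the full buffer size the way `snprintf` does, is also an off-by-one that wastes the last byte; the only caller passes `sizeof(authzmsg)`, and the existing `check_shadow(...,sizeof(authzmsg),...)` call follows the full-size convention, so `mysnprintf(authzmsg, authzmsgsz, "%s", msg);` looks like the intended form. The return value is discarded, so a server-supplied message longer than the buffer is silently cut before it is logged and relayed to the PAM client; if mysnprintf reports truncation, logging that would make the dropped data visible. `msg` originates from the LDAP server, and passing it through `"%s"` rather than as a format string, as the hunk does, is the right way to keep it out of the format; that should stay as it is. The enclosing function starts and ends outside this hunk.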
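Review bot: The new call `rc = try_bind(userdn, password, &authzrc, authzmsg, sizeof(authzmsg));` uses spaces around `=` and after commas, while every neighbouring line in the hunk (`rc==LDAP_SUCCESS`, `update_username(entry,username,sizeof(username));`) is written without them; `rc=try_bind(userdn,password,&authzrc,authzmsg,sizeof(authzmsg));` would match the file's existing style. The same applies to the condition added in the last hunk of this file. nslcd_pam_authc's body continues outside the hunk.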
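Review bot: The new guard skips `check_shadow` entirely whenever the bind's policy response is anything other than `NSLCD_PAM_SUCCESS`, so a non-fatal policy code (for instance a warning that the password expires soon, if the earlier patches in the series map such controls to a non-success code) would suppress the shadow checks that can themselves return account-expiry or password-expiry denials. Unless the PAM client treats every non-success `authzrc` as a denial, a server-side warning could then mask a shadow-side denial; running `check_shadow` into a separate variable and keeping whichever result is the more restrictive would preserve both sources. I cannot see how `policy_response` is populated or how the client handles warning codes, so this is a point to confirm against the rest of the series rather than a certain defect. nslcd_pam_authc's body continues outside the hunk.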