From 4861574af285c3ad0188424a567648673cfd7556 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 14 Aug 2019 09:33:59 +0200 Subject: [PATCH 21/23] backport the pam_authc_ppolicy option --- man/nslcd.conf.5.xml | 12 ++++++++++++ nslcd/cfg.c | 11 +++++++++++ nslcd/cfg.h | 3 +++ nslcd/myldap.c | 19 +++++++++++-------- 4 files changed, 37 insertions(+), 8 deletions(-) diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml index d7fa9b8..7c2d45a 100644 --- a/man/nslcd.conf.5.xml +++ b/man/nslcd.conf.5.xml @@ -733,6 +733,18 @@ + + yes|no + + + This option specifies whether password policy controls are requested + and handled from the LDAP server when performing + user authentication. + By default the controls are requested and handled if available. + + + + FILTER diff --git a/nslcd/cfg.c b/nslcd/cfg.c index b821fcd..e11d03a 100644 --- a/nslcd/cfg.c +++ b/nslcd/cfg.c @@ -1205,6 +1205,17 @@ static void cfg_read(const char *filename,struct ldap_config *cfg) { parse_pam_password_prohibit_message_statement(filename,lnr,keyword,line,cfg); } + else if (strcasecmp(keyword, "pam_authc_ppolicy") == 0) + { +#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE) + get_boolean(filename,lnr,keyword,&line,&cfg->pam_authc_ppolicy); + get_eol(filename, lnr, keyword, &line); +#else + log_log(LOG_ERR, "%s:%d: value %s not supported on platform", + filename, lnr, value); + exit(EXIT_FAILURE); +#endif + } #ifdef ENABLE_CONFIGFILE_CHECKING /* fallthrough */ else diff --git a/nslcd/cfg.h b/nslcd/cfg.h index 5356ace..4c044ca 100644 --- a/nslcd/cfg.h +++ b/nslcd/cfg.h @@ -156,6 +156,9 @@ struct ldap_config /* whether password changing should be denied and user prompted with this message */ char *pam_password_prohibit_message; +#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE) + int pam_authc_ppolicy; /* whether to send password policy controls on bind */ +#endif }; /* this is a pointer to the global configuration, it should be available 
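Review bot: The `#else` branch of the new `pam_authc_ppolicy` case in cfg_read logs `value`, but no variable of that name is visible in the function — the surrounding code works with `keyword` and `line` — so on a build without HAVE_LDAP_SASL_BIND/LDAP_SASL_SIMPLE this branch looks like a compile error, and the wording is off anyway since it is the option, not a value, that is unsupported: `log_log(LOG_ERR, "%s:%d: option %s not supported on platform", filename, lnr, keyword);`. Separately, the diffstat attributes all 11 added cfg.c lines to this one hunk, so nothing visible initialises `cfg->pam_authc_ppolicy` to 1 in the configuration defaults; unless that happens elsewhere, the man page's "by default the controls are requested and handled" does not match the code, and the bind in myldap.c would silently stop requesting the password-policy control (losing expiry, grace-login and lockout results) for every deployment that does not set the option explicitly. The cfg.h hunk guards the field with the same `#if`, so every reader of the field must sit under that guard too. cfg_read starts and ends outside the hunk.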
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index 86a339e..738a782 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -522,18 +522,21 @@ static int do_ppolicy_bind(MYLDAP_SESSION *session, LDAP *ld, const char *uri)
   int rc, parserc;
   struct berval cred;
   LDAPControl passwd_policy_req;
-  LDAPControl *requestctrls[2];
+  LDAPControl *requestctrls[2] = { NULL, NULL };
   LDAPControl **responsectrls;
   int msgid;
   struct timeval timeout;
   LDAPMessage *result;
-  /* build password policy request control */
-  passwd_policy_req.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;
-  passwd_policy_req.ldctl_value.bv_val = NULL; /* none */
-  passwd_policy_req.ldctl_value.bv_len = 0;
-  passwd_policy_req.ldctl_iscritical = 0; /* not critical */
-  requestctrls[0] = &passwd_policy_req;
-  requestctrls[1] = NULL;
+  /* build policy request if pam_authc_ppolicy is set */
+  if (nslcd_cfg->pam_authc_ppolicy)
+  {
+    passwd_policy_req.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;
+    passwd_policy_req.ldctl_value.bv_val = NULL; /* none */
+    passwd_policy_req.ldctl_value.bv_len = 0;
+    passwd_policy_req.ldctl_iscritical = 0; /* not critical */
+    requestctrls[0] = &passwd_policy_req;
+    requestctrls[1] = NULL;
+  }
   /* build password berval */
   cred.bv_val = (char *)session->bindpw;
   cred.bv_len = (session->bindpw == NULL) ? 0 : strlen(session->bindpw);
-- 
2.20.1
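Review bot: The security consequence of the new `if (nslcd_cfg->pam_authc_ppolicy)` gate is not stated anywhere in the code: with the option off no request control goes out with the bind, so the server returns no password-policy response control and whatever parsing of `responsectrls` follows (the `parserc` and `responsectrls` locals suggest it does, though that part of do_ppolicy_bind is outside the hunk) presumably finds nothing, meaning expiry, grace-login and lockout conditions are no longer surfaced to PAM and a bind simply succeeds or fails. A comment above the `if` would save the next reader from having to work that out: `/* when pam_authc_ppolicy is off no control is sent, so the bind result carries no policy information and the response-control handling below sees none */`. Also note the control is sent with `ldctl_iscritical = 0`, so even with the option on a server that does not support it silently ignores the request; that is pre-existing behaviour but worth a word in the same comment. The `requestctrls[1] = NULL;` inside the block is redundant with the new `{ NULL, NULL }` initializer and can be dropped. do_ppolicy_bind continues past the end of the hunk.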