author | Jan Pazdziora <jpazdziora@redhat.com> | 2015-04-24 10:16:06 +0200 |
committer | Jan Pazdziora <jpazdziora@redhat.com> | 2015-04-24 10:16:06 +0200 |
commit | 2de8600b1118e3632eae41bcbeb9f0393178ab55 (patch) | |
tree | b096295d3533024c714ec7aa9fedb8575be009bf | |
parent | db6c9f4a414ed19419c1405854cd8da1e18e819f (diff) | |
Add support for AuthPAMExpiredRedirect, to redirect to a URL where the user can reset their password.
-rw-r--r-- | README | 14 | ||||
-rw-r--r-- | mod_authnz_pam.c | 20 |
2 files changed, 30 insertions, 4 deletions
@@ -68,6 +68,18 @@ tlwiki example, file /etc/pam.d/tlwiki could be created with content to authenticate against sssd. +Handling expired password: + + AuthPAMExpiredRedirect <URL> + +For both the authorization and HTTP Basic authentication case, if the +password the user has presented has expired (PAM return codes +PAM_CRED_EXPIRED or PAM_NEW_AUTHTOK_REQD), when AuthPAMExpiredRedirect +is specified with a URL, redirect is made to that locations. For +FreeIPA server, the setting would be + + AuthPAMExpiredRedirect https://<IPA-server>/ipa/ui/reset_password.html + On SELinux enabled systems, boolean allow_httpd_mod_auth_pam needs to be enabled: @@ -85,7 +97,7 @@ should build and install the module. License ------- -Copyright 2014 Jan Pazdziora +Copyright 2014--2015 Jan Pazdziora Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/mod_authnz_pam.c b/mod_authnz_pam.c index 739ae93..0568fdf 100644 --- a/mod_authnz_pam.c +++ b/mod_authnz_pam.c @@ -1,6 +1,6 @@ /* - * Copyright 2014 Jan Pazdziora + * Copyright 2014--2015 Jan Pazdziora * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -32,6 +32,7 @@ typedef struct { char * pam_service; + char * expired_redirect_url; } authnz_pam_config_rec; static void * create_dir_conf(apr_pool_t * pool, char * dir) { @@ -43,6 +44,9 @@ static const command_rec authnz_pam_cmds[] = { AP_INIT_TAKE1("AuthPAMService", ap_set_string_slot, (void *)APR_OFFSETOF(authnz_pam_config_rec, pam_service), OR_AUTHCFG, "PAM service to authenticate against"), + AP_INIT_TAKE1("AuthPAMExpiredRedirect", ap_set_string_slot, + (void *)APR_OFFSETOF(authnz_pam_config_rec, expired_redirect_url), + OR_AUTHCFG, "URL to redirect to user credentials expired have expired"), {NULL} }; 
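Review bot: The help string added for the AuthPAMExpiredRedirect directive in the @@ -43 hunk, `"URL to redirect to user credentials expired have expired"`, is garbled; `"URL to redirect to when the user's credentials have expired"` states what the directive does. The new `expired_redirect_url` member added to authnz_pam_config_rec in the @@ -32 hunk receives no explicit initialisation in the visible lines, which is only safe if `create_dir_conf` (cut off at the hunk edge) zero-fills the record with apr_pcalloc, and without a merge function the setting will presumably not be inherited by nested Directory/Location scopes — confirm both against the surrounding code.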
@@ -67,6 +71,8 @@ static int pam_authenticate_conv(int num_msg, const struct pam_message ** msg, s return PAM_SUCCESS; } +module AP_MODULE_DECLARE_DATA authnz_pam_module; + #define _REMOTE_USER_ENV_NAME "REMOTE_USER" #define _EXTERNAL_AUTH_ERROR_ENV_NAME "EXTERNAL_AUTH_ERROR" #define _PAM_STEP_AUTH 1 @@ -97,6 +103,16 @@ static authn_status pam_authenticate_with_login_password(request_rec * r, const param = login; stage = "PAM account validation failed for user"; ret = pam_acct_mgmt(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK); + if (ret == PAM_NEW_AUTHTOK_REQD) { + authnz_pam_config_rec * conf = ap_get_module_config(r->per_dir_config, &authnz_pam_module); + if (conf && conf->expired_redirect_url) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, + "mod_authnz_pam: PAM_NEW_AUTHTOK_REQD: redirect to [%s]", + conf->expired_redirect_url); + apr_table_addn(r->headers_out, "Location", conf->expired_redirect_url); + return HTTP_TEMPORARY_REDIRECT; + } + } } } if (ret != PAM_SUCCESS) { @@ -117,8 +133,6 @@ APR_DECLARE_OPTIONAL_FN(authn_status, pam_authenticate_with_login_password, (request_rec * r, const char * pam_service, const char * login, const char * password, int steps)); -module AP_MODULE_DECLARE_DATA authnz_pam_module; - static authn_status pam_auth_account(request_rec * r, const char * login, const char * password) { authnz_pam_config_rec * conf = ap_get_module_config(r->per_dir_config, &authnz_pam_module); |
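Review bot: The early `return HTTP_TEMPORARY_REDIRECT;` inside the new PAM_NEW_AUTHTOK_REQD block leaves the PAM transaction open: `pamh` is still live there, and if the function's normal exits call `pam_end(pamh, ...)` outside the hunk (pam_authenticate_with_login_password starts and ends outside it), this path skips that and leaks the handle, so add `pam_end(pamh, ret);` immediately before the return. The returned value is an HTTP status code passed through a function declared `authn_status`; unless every caller (pam_auth_account and the authorization path, not shown here) maps it explicitly, mod_auth_basic will treat 307 as an unknown provider result rather than issue the redirect. A routine password-expiry redirect is logged at APLOG_ERR through `ap_log_error(..., r->server, ...)`; `ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, ...)` keeps the request context and avoids filling the error log with expected events. The README text in this same commit says PAM_CRED_EXPIRED also triggers the redirect, but only PAM_NEW_AUTHTOK_REQD is checked here, so either the check or the documentation should be adjusted.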