authorJan Pazdziora <jpazdziora@redhat.com>2013-11-21 10:42:43 +0800
committerJan Pazdziora <jpazdziora@redhat.com>2013-11-21 10:42:43 +0800
commitb7645cfe72934d31b5bb03394dedd356c2060197 (patch)
treeaf3a4003c10c8cea466bd78c87dd837ebf8699c8
parent7ebe240077c581daaab278a51628fa915ca1df3e (diff)
Perform PAM account validation, not just authentication.
-rw-r--r--README1
-rw-r--r--mod_intercept_form_submit.c8
2 files changed, 9 insertions, 0 deletions
diff --git a/README b/README
index e260909..54a8b36 100644
--- a/README
+++ b/README
@@ -85,6 +85,7 @@ http_application_sss example, file /etc/pam.d/http_application_sss
could be created with content
auth required pam_sss.so
+ account required pam_sss.so
to authenticate against sssd.
diff --git a/mod_intercept_form_submit.c b/mod_intercept_form_submit.c
index d5ba62b..110d09f 100644
--- a/mod_intercept_form_submit.c
+++ b/mod_intercept_form_submit.c
@@ -109,6 +109,14 @@ int pam_authenticate_with_login_password(request_rec * r, const char * pam_servi
pam_end(pamh, ret);
return 0;
}
+ if ((ret = pam_acct_mgmt(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK)) != PAM_SUCCESS) {
+ const char * strerr = pam_strerror(pamh, ret);
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
+ "mod_intercept_form_submit: PAM account validation failed for user %s: %s", login, strerr);
+ apr_table_setn(r->subprocess_env, _EXTERNAL_AUTH_ERROR_ENV_NAME, apr_pstrdup(r->pool, strerr));
+ pam_end(pamh, ret);
+ return 0;
+ }
apr_table_setn(r->subprocess_env, _REMOTE_USER_ENV_NAME, login);
r->user = login;
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, r->server, "mod_intercept_form_submit: PAM authentication passed for user %s", login);
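Review bot: The added pam_acct_mgmt() branch rejects on every return other than PAM_SUCCESS, which is the right fail-closed default, but nothing records that this deliberately includes PAM_NEW_AUTHTOK_REQD (expired password) and that the application learns the reason only from the pam_strerror() text stored under `_EXTERNAL_AUTH_ERROR_ENV_NAME`. A comment above the `if` would state it, for example `/* Fail closed: expired, locked or otherwise restricted accounts (including PAM_NEW_AUTHTOK_REQD) are rejected even though the password was correct. */`. Deployments whose PAM service file has no `account` line will probably start failing at this check after upgrading, since Linux-PAM then falls back to the `other` service; the README hunk updates the example, but an explicit upgrade note would help operators. The function starts and ends outside the hunk, so whether the success path also reaches pam_end() cannot be checked from here.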