authorPavel Reichl <preichl@redhat.com>2015-07-02 07:28:05 -0400
committerJakub Hrozek <jhrozek@redhat.com>2015-07-06 20:19:02 +0200
commit32cc237aa0f3c70a4e0bc0491ec0cba0016aaf5a (patch)
treecdbc783c946be12b72827eccd27b57d454fb36a6
parent01ec08efd0e166ac6f390f8627c6d08dcc63ccc4 (diff)
sysdb: new attribute lastOnlineAuthWithCurrentToken
Introduce the new user attribute lastOnlineAuthWithCurrentToken. This attribute behaves similarly to lastOnlineAuth but is set to NULL after the password is changed. This attribute is needed for the use case where cached authentication is used, to request online authentication after the password has been changed locally. Resolves: https://fedorahosted.org/sssd/ticket/1807 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r--src/db/sysdb.h1
-rw-r--r--src/responder/pam/pamsrv_cmd.c66
2 files changed, 67 insertions, 0 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index fbc01851e..48dd26dd2 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -87,6 +87,7 @@
#define SYSDB_LAST_ONLINE_AUTH "lastOnlineAuth"
#define SYSDB_LAST_FAILED_LOGIN "lastFailedLogin"
#define SYSDB_FAILED_LOGIN_ATTEMPTS "failedLoginAttempts"
+#define SYSDB_LAST_ONLINE_AUTH_WITH_CURR_TOKEN "lastOnlineAuthWithCurrentToken"
#define SYSDB_LAST_UPDATE "lastUpdate"
#define SYSDB_CACHE_EXPIRE "dataExpireTimestamp"
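Review bot: The new SYSDB_LAST_ONLINE_AUTH_WITH_CURR_TOKEN define carries none of the semantics the commit message gives it, and a reader of sysdb.h cannot tell it apart from SYSDB_LAST_ONLINE_AUTH two lines above. A short comment on the define would document the contract the PAM responder relies on, e.g. `/* Like lastOnlineAuth, but cleared (set to 0 by the PAM responder) when the password is changed, so cached auth can demand an online auth */`. Since other sysdb.h consumers are not visible here, the "cleared" wording should be checked against any reader of this attribute that might expect the attribute to be absent rather than 0.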
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 1ca87a651..3bd676395 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -42,6 +42,9 @@ enum pam_verbosity {
#define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT
+static errno_t
+pam_null_last_online_auth_with_curr_token(struct sss_domain_info *domain,
+ const char *username);
static void pam_reply(struct pam_auth_req *preq);
static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
@@ -426,6 +429,13 @@ static errno_t set_last_login(struct pam_auth_req *preq)
goto fail;
}
+ ret = sysdb_attrs_add_time_t(attrs,
+ SYSDB_LAST_ONLINE_AUTH_WITH_CURR_TOKEN,
+ time(NULL));
+ if (ret != EOK) {
+ goto fail;
+ }
+
ret = sysdb_attrs_add_time_t(attrs, SYSDB_LAST_LOGIN, time(NULL));
if (ret != EOK) {
goto fail;
@@ -661,6 +671,17 @@ static void pam_reply(struct pam_auth_req *preq)
}
}
+ if (pd->pam_status == PAM_SUCCESS && pd->cmd == SSS_PAM_CHAUTHTOK) {
+ ret = pam_null_last_online_auth_with_curr_token(preq->domain,
+ pd->user);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_null_last_online_auth_with_curr_token failed: "
+ "%s [%d].\n", sss_strerror(ret), ret);
+ goto done;
+ }
+ }
+
if (pd->response_delay > 0) {
ret = gettimeofday(&tv, NULL);
if (ret != EOK) {
@@ -1519,3 +1540,48 @@ struct sss_cmd_table *get_pam_cmds(void)
return sss_cmds;
}
+
+static errno_t
+pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain,
+ const char *username,
+ uint64_t value)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct sysdb_attrs *attrs;
+ int ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ attrs = sysdb_new_attrs(tmp_ctx);
+ if (attrs == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_time_t(attrs,
+ SYSDB_LAST_ONLINE_AUTH_WITH_CURR_TOKEN,
+ value);
+ if (ret != EOK) { goto done; }
+
+ ret = sysdb_set_user_attr(domain, username, attrs, SYSDB_MOD_REP);
+ if (ret != EOK) { goto done; }
+
+done:
+ if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Error: %d (%s)\n", ret, sss_strerror(ret));
+ }
+
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
+static errno_t
+pam_null_last_online_auth_with_curr_token(struct sss_domain_info *domain,
+ const char *username)
+{
+ return pam_set_last_online_auth_with_curr_token(domain, username, 0);
+}
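Review bot: The DEBUG message added in pam_reply names `sysdb_null_last_online_auth_with_curr_token`, but the call that failed is `pam_null_last_online_auth_with_curr_token`, so anyone grepping the log for the function will not find it; the string should read `"pam_null_last_online_auth_with_curr_token failed: "`. The commit message says the attribute is set to NULL on password change, but pam_null_last_online_auth_with_curr_token stores the time value 0 through SYSDB_MOD_REP rather than deleting the attribute, so every consumer must treat 0 as "no online auth with the current token"; a one-line comment on that function stating this would prevent a later reader from testing for absence. In the same pam_reply hunk the `goto done` fires after the backend has already reported PAM_SUCCESS for SSS_PAM_CHAUTHTOK; what `done` does is outside the hunk, and if it bypasses the normal reply path a transient sysdb failure would hide a completed password change from the client, so logging and continuing (while still reporting the failure) may be the safer choice to confirm. The helper itself logs its failure at SSSDBG_TRACE_FUNC, which is inconsistent with the SSSDBG_CRIT_FAILURE the caller uses for the same error. pam_reply's and set_last_login's bodies start and end outside their hunks.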