summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2010-12-22 18:25:45 +0100
committerStephen Gallagher <sgallagh@redhat.com>2011-01-19 09:53:20 -0500
commitd73fcc5183a676aed4fd040714b87274248b784c (patch)
treeb1ce3d709a7539b7fa16e2bbf3c8aaf2716070c0
parent22f4c1b86dcf5589e63f2ae043dc65a8f72f6f18 (diff)
downloadsssd-d73fcc5183a676aed4fd040714b87274248b784c.tar.gz
sssd-d73fcc5183a676aed4fd040714b87274248b784c.tar.xz
sssd-d73fcc5183a676aed4fd040714b87274248b784c.zip
Add LDAP expire policy base RHDS/IPA attribute
The attribute nsAccountLock is used by RHDS, IPA and other directory servers to indicate that the account is locked.
-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf1
-rw-r--r--src/man/sssd-ldap.5.xml20
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ldap/ldap_common.c6
-rw-r--r--src/providers/ldap/ldap_init.c5
-rw-r--r--src/providers/ldap/sdap.h3
-rw-r--r--src/providers/ldap/sdap_access.c38
-rw-r--r--src/providers/ldap/sdap_access.h3
9 files changed, 76 insertions, 4 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index d84509c1b..aed683bd9 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -174,6 +174,7 @@ option_strings = {
'ldap_pwd_attribute' : _('Attribute indicating that server side password policies are active'),
'ldap_user_ad_account_expires' : _('accountExpires attribute of AD'),
'ldap_user_ad_user_account_control' : _('userAccountControl attribute of AD'),
+ 'ldap_ns_account_lock' : _('nsAccountLock attribute'),
'ldap_group_search_base' : _('Base DN for group lookups'),
# not used # 'ldap_group_search_scope' : _('Scope of group lookups'),
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 064438316..440ebff87 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -60,6 +60,7 @@ ldap_user_authorized_service = str, None, false
ldap_pwd_attribute = str, None, false
ldap_user_ad_account_expires = str, None, false
ldap_user_ad_user_account_control = str, None, false
+ldap_ns_account_lock = str, None, false
ldap_group_search_base = str, None, false
ldap_group_search_scope = str, None, false
ldap_group_search_filter = str, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 65c679d61..b133b3bcc 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -464,6 +464,20 @@
</varlistentry>
<varlistentry>
+ <term>ldap_ns_account_lock (string)</term>
+ <listitem>
+ <para>
+ When using ldap_account_expire_policy=rhds or
+ equivalent, this parameter determines if access is
+ allowed or not.
+ </para>
+ <para>
+ Default: nsAccountLock
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_user_principal (string)</term>
<listitem>
<para>
@@ -1163,6 +1177,12 @@ ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
expiration time of the account is checked.
</para>
<para>
+ <emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>,
+ <emphasis>389ds</emphasis>:
+ use the value of ldap_ns_account_lock to check if
+ access is allowed or not.
+ </para>
+ <para>
Default: Empty
</para>
</listitem>
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index fe1257737..6b4f64f2d 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -117,7 +117,8 @@ struct sdap_attr_map ipa_user_map[] = {
{ "ldap_pwd_attribute", "pwdAttribute", SYSDB_PWD_ATTRIBUTE, NULL },
{ "ldap_user_authorized_service", "authorizedService", SYSDB_AUTHORIZED_SERVICE, NULL },
{ "ldap_user_ad_account_expires", "accountExpires", SYSDB_AD_ACCOUNT_EXPIRES, NULL},
- { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL}
+ { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL},
+ { "ldap_ns_account_lock", "nsAccountLock", SYSDB_NS_ACCOUNT_LOCK, NULL}
};
struct sdap_attr_map ipa_group_map[] = {
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index e98e718b1..48c35638b 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -123,7 +123,8 @@ struct sdap_attr_map rfc2307_user_map[] = {
{ "ldap_pwd_attribute", "pwdAttribute", SYSDB_PWD_ATTRIBUTE, NULL },
{ "ldap_user_authorized_service", "authorizedService", SYSDB_AUTHORIZED_SERVICE, NULL },
{ "ldap_user_ad_account_expires", "accountExpires", SYSDB_AD_ACCOUNT_EXPIRES, NULL},
- { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL}
+ { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL},
+ { "ldap_ns_account_lock", "nsAccountLock", SYSDB_NS_ACCOUNT_LOCK, NULL}
};
struct sdap_attr_map rfc2307_group_map[] = {
@@ -165,7 +166,8 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
{ "ldap_pwd_attribute", "pwdAttribute", SYSDB_PWD_ATTRIBUTE, NULL },
{ "ldap_user_authorized_service", "authorizedService", SYSDB_AUTHORIZED_SERVICE, NULL },
{ "ldap_user_ad_account_expires", "accountExpires", SYSDB_AD_ACCOUNT_EXPIRES, NULL},
- { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL}
+ { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL},
+ { "ldap_ns_account_lock", "nsAccountLock", SYSDB_NS_ACCOUNT_LOCK, NULL}
};
struct sdap_attr_map rfc2307bis_group_map[] = {
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 61f923333..6b05690ed 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -346,7 +346,10 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
"All domain users will be denied access.\n"));
} else {
if (strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_SHADOW) != 0 &&
- strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_AD) != 0) {
+ strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_AD) != 0 &&
+ strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_RHDS) != 0 &&
+ strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_IPA) != 0 &&
+ strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_389DS) != 0) {
DEBUG(1, ("Unsupported LDAP account expire policy [%s].\n",
dummy));
ret = EINVAL;
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 57f849a16..932abca4d 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -122,6 +122,8 @@ struct sdap_ppolicy_data {
#define SYSDB_SHADOWPW_EXPIRE "shadowExpire"
#define SYSDB_SHADOWPW_FLAG "shadowFlag"
+#define SYSDB_NS_ACCOUNT_LOCK "nsAccountLock"
+
#define SYSDB_KRBPW_LASTCHANGE "krbLastPwdChange"
#define SYSDB_KRBPW_EXPIRATION "krbPasswordExpiration"
@@ -236,6 +238,7 @@ enum sdap_user_attrs {
SDAP_AT_AUTH_SVC,
SDAP_AT_AD_ACCOUNT_EXPIRES,
SDAP_AT_AD_USER_ACCOUNT_CONTROL,
+ SDAP_AT_NS_ACCOUNT_LOCK,
SDAP_OPTS_USER /* attrs counter */
};
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index a3c560d44..f5220742d 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -418,6 +418,35 @@ static errno_t sdap_account_expired_ad(struct pam_data *pd,
return EOK;
}
+#define RHDS_LOCK_MSG "The user account is locked on the server"
+
+static errno_t sdap_account_expired_rhds(struct pam_data *pd,
+ struct ldb_message *user_entry,
+ int *pam_status)
+{
+ bool locked;
+ int ret;
+
+ DEBUG(6, ("Performing RHDS access check for user [%s]\n", pd->user));
+
+ locked = ldb_msg_find_attr_as_bool(user_entry, SYSDB_NS_ACCOUNT_LOCK, false);
+ DEBUG(9, ("Account for user [%s] is%s locked.\n", pd->user,
+ locked ? "" : " not" ));
+
+ if (locked) {
+ ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+ sizeof(RHDS_LOCK_MSG),
+ (const uint8_t *) RHDS_LOCK_MSG);
+ if (ret != EOK) {
+ DEBUG(1, ("pam_add_response failed.\n"));
+ }
+ }
+
+ *pam_status = locked ? PAM_PERM_DENIED : PAM_SUCCESS;
+
+ return EOK;
+}
+
struct sdap_account_expired_req_ctx {
int pam_status;
};
@@ -464,6 +493,15 @@ static struct tevent_req *sdap_account_expired_send(TALLOC_CTX *mem_ctx,
DEBUG(1, ("sdap_account_expired_ad failed.\n"));
goto done;
}
+ } else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_RHDS) == 0 ||
+ strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_IPA) == 0 ||
+ strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_389DS) == 0) {
+ ret = sdap_account_expired_rhds(pd, user_entry,
+ &state->pam_status);
+ if (ret != EOK) {
+ DEBUG(1, ("sdap_account_expired_rhds failed.\n"));
+ goto done;
+ }
} else {
DEBUG(1, ("Unsupported LDAP account expire policy [%s]. "
"Access denied.\n", expire));
diff --git a/src/providers/ldap/sdap_access.h b/src/providers/ldap/sdap_access.h
index 28c857f61..32c45b817 100644
--- a/src/providers/ldap/sdap_access.h
+++ b/src/providers/ldap/sdap_access.h
@@ -35,6 +35,9 @@
#define LDAP_ACCOUNT_EXPIRE_SHADOW "shadow"
#define LDAP_ACCOUNT_EXPIRE_AD "ad"
+#define LDAP_ACCOUNT_EXPIRE_RHDS "rhds"
+#define LDAP_ACCOUNT_EXPIRE_IPA "ipa"
+#define LDAP_ACCOUNT_EXPIRE_389DS "389ds"
enum ldap_access_rule {
LDAP_ACCESS_EMPTY = -1,