authorSumit Bose <sbose@redhat.com>2009-12-16 12:53:55 +0100
committerStephen Gallagher <sgallagh@redhat.com>2009-12-18 09:43:26 -0500
commit973bebfc2cb7e77b4fb3687da5c832516543b479 (patch)
tree24b9ff707d01b8ca68f6f5848548a2c232584962 /server/providers/ldap/ldap_auth.c
parent5f0ed91b4d87c01a5e5f24569a457aa29a5e17a8 (diff)
Handle chauthtok with PAM_PRELIM_CHECK separately
If pam_sm_chauthtok is called with the PAM_PRELIM_CHECK flag set, we generate a separate call to sssd to validate the old password before asking for a new password and sending the change-password request.
Diffstat (limited to 'server/providers/ldap/ldap_auth.c')
-rw-r--r--server/providers/ldap/ldap_auth.c26
1 files changed, 19 insertions, 7 deletions
diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
index 88e637b09..28b3240b3 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -661,7 +661,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
pd->pam_status = PAM_SYSTEM_ERR;
- if (pd->cmd != SSS_PAM_CHAUTHTOK) {
+ if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {
DEBUG(2, ("chpass target was called by wrong pam command.\n"));
goto done;
}
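Review bot: After this change both sdap_pam_chpass_handler (the extended condition here) and sdap_pam_auth_handler (the last hunk, which adds `case SSS_PAM_CHAUTHTOK_PRELIM:` beside SSS_PAM_AUTHENTICATE) accept the preliminary command, and nothing in the diff records which target is meant to receive it; the dispatch presumably lives elsewhere, so this is a documentation point. A comment on the condition, `/* SSS_PAM_CHAUTHTOK_PRELIM reaches the chpass target too: only the old password is verified, no new password is handled */`, would tell the next reader why the command is accepted here at all. sdap_pam_chpass_handler starts before this hunk and continues after it.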
@@ -677,12 +677,15 @@ void sdap_pam_chpass_handler(struct be_req *breq)
if (!state->password) goto done;
talloc_set_destructor((TALLOC_CTX *)state->password,
password_destructor);
- state->new_password = talloc_strndup(state,
- (char *)pd->newauthtok,
- pd->newauthtok_size);
- if (!state->new_password) goto done;
- talloc_set_destructor((TALLOC_CTX *)state->new_password,
- password_destructor);
+
+ if (pd->cmd == SSS_PAM_CHAUTHTOK) {
+ state->new_password = talloc_strndup(state,
+ (char *)pd->newauthtok,
+ pd->newauthtok_size);
+ if (!state->new_password) goto done;
+ talloc_set_destructor((TALLOC_CTX *)state->new_password,
+ password_destructor);
+ }
authtok.data = (uint8_t *)state->password;
authtok.length = strlen(state->password);
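Review bot: On the SSS_PAM_CHAUTHTOK_PRELIM path the new `if (pd->cmd == SSS_PAM_CHAUTHTOK)` guard leaves `state->new_password` unassigned, so correctness of the later code depends on `state` having been zero-initialized at allocation, which this hunk does not show. Making the divergence explicit, `} else { state->new_password = NULL; /* PRELIM: only the old password is checked */ }`, keeps the invariant local to the place where the two commands split and does not rely on the allocator. The old-password copy above the guard is still taken with its destructor set for both commands, which is the right side to keep unconditional. sdap_pam_chpass_handler starts before this hunk and continues after it.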
@@ -717,6 +720,14 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
goto done;
}
+ if (result == SDAP_AUTH_SUCCESS &&
+ state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
+ DEBUG(9, ("Initial authentication for change password operation "
+ "successful.\n"));
+ state->pd->pam_status = PAM_SUCCESS;
+ goto done;
+ }
+
if (result == SDAP_AUTH_SUCCESS) {
switch (pw_expire_type) {
case PWEXPIRE_SHADOW:
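Review bot: The new PRELIM early exit reports PAM_SUCCESS before the `pw_expire_type` switch that follows it, so the preliminary check answers only "old password accepted" and skips whatever the PWEXPIRE_* cases enforce; that is probably intended, given the real SSS_PAM_CHAUTHTOK call still goes through the unchanged switch, but the decision is not written down. A comment above the block, `/* PRELIM only verifies the old credential; expiry policy is applied when the actual CHAUTHTOK request arrives */`, would record it. As a point of style the duplicated `result == SDAP_AUTH_SUCCESS` test could become the first statement inside the existing `if (result == SDAP_AUTH_SUCCESS)` block instead of a separate conditional. sdap_auth4chpass_done starts before this hunk and continues after it.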
@@ -851,6 +862,7 @@ void sdap_pam_auth_handler(struct be_req *breq)
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
+ case SSS_PAM_CHAUTHTOK_PRELIM:
state = talloc_zero(breq, struct sdap_pam_auth_state);
if (!state) goto done;