Handle chauthtok with PAM_PRELIM_CHECK separately

If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we generate a separate call to the sssd to validate the old password before asking for a new password and sending the change password request.
author: Sumit Bose <sbose@redhat.com> 2009-12-16 12:53:55 +0100
committer: Stephen Gallagher <sgallagh@redhat.com> 2009-12-18 09:46:25 -0500
commit: 23dc20cd69cfbb2731c36e1610536ba190bbd459 (patch)
tree: 106d84e5d8f6a2eef8861a07fa662666ca5ab90f /server/providers/ldap
parent: 66e4134d8be0eb42c645e9730d46bb2c7f561e81 (diff)
download: sssd-23dc20cd69cfbb2731c36e1610536ba190bbd459.tar.gz
sssd-23dc20cd69cfbb2731c36e1610536ba190bbd459.tar.xz
sssd-23dc20cd69cfbb2731c36e1610536ba190bbd459.zip
1 files changed, 19 insertions, 7 deletions
diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
index 88e637b09..28b3240b3 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -661,7 +661,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
 
     pd->pam_status = PAM_SYSTEM_ERR;
 
-    if (pd->cmd != SSS_PAM_CHAUTHTOK) {
+    if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {
         DEBUG(2, ("chpass target was called by wrong pam command.\n"));
         goto done;
     }
@@ -677,12 +677,15 @@ void sdap_pam_chpass_handler(struct be_req *breq)
     if (!state->password) goto done;
     talloc_set_destructor((TALLOC_CTX *)state->password,
                           password_destructor);
-    state->new_password = talloc_strndup(state,
-                                         (char *)pd->newauthtok,
-                                         pd->newauthtok_size);
-    if (!state->new_password) goto done;
-    talloc_set_destructor((TALLOC_CTX *)state->new_password,
-                          password_destructor);
+
+    if (pd->cmd == SSS_PAM_CHAUTHTOK) {
+        state->new_password = talloc_strndup(state,
+                                             (char *)pd->newauthtok,
+                                             pd->newauthtok_size);
+        if (!state->new_password) goto done;
+        talloc_set_destructor((TALLOC_CTX *)state->new_password,
+                              password_destructor);
+    }
 
     authtok.data = (uint8_t *)state->password;
     authtok.length = strlen(state->password);
@@ -717,6 +720,14 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
         goto done;
     }
 
+    if (result == SDAP_AUTH_SUCCESS &&
+        state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
+        DEBUG(9, ("Initial authentication for change password operation "
+                  "successful.\n"));
+        state->pd->pam_status = PAM_SUCCESS;
+        goto done;
+    }
+
     if (result == SDAP_AUTH_SUCCESS) {
         switch (pw_expire_type) {
             case PWEXPIRE_SHADOW:
@@ -851,6 +862,7 @@ void sdap_pam_auth_handler(struct be_req *breq)
 
     switch (pd->cmd) {
     case SSS_PAM_AUTHENTICATE:
+    case SSS_PAM_CHAUTHTOK_PRELIM:
 
         state = talloc_zero(breq, struct sdap_pam_auth_state);
         if (!state) goto done;
author	Sumit Bose <sbose@redhat.com>	2009-12-16 12:53:55 +0100
committer	Stephen Gallagher <sgallagh@redhat.com>	2009-12-18 09:46:25 -0500
commit	23dc20cd69cfbb2731c36e1610536ba190bbd459 (patch)
tree	106d84e5d8f6a2eef8861a07fa662666ca5ab90f /server/providers/ldap
parent	66e4134d8be0eb42c645e9730d46bb2c7f561e81 (diff)
download	sssd-23dc20cd69cfbb2731c36e1610536ba190bbd459.tar.gz sssd-23dc20cd69cfbb2731c36e1610536ba190bbd459.tar.xz sssd-23dc20cd69cfbb2731c36e1610536ba190bbd459.zip