Add ldap_pwd_policy option

4 files changed, 92 insertions, 45 deletions

diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
index 6a80df447..81c966662 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -34,6 +34,7 @@
 #undef _XOPEN_SOURCE
 #include <errno.h>
 #include <sys/time.h>
+#include <strings.h>
 
 #include <shadow.h>
 #include <security/pam_modules.h>
@@ -168,16 +169,24 @@ static errno_t string_to_shadowpw_days(const char *s, long *d)
 
 static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
                                                const struct ldb_message *msg,
+                                               struct dp_option *opts,
                                                enum pwexpire *type, void **data)
 {
     const char *mark;
     const char *val;
     struct spwd *spwd;
+    const char *pwd_policy;
     int ret;
 
     *type = PWEXPIRE_NONE;
     *data = NULL;
 
+    pwd_policy = dp_opt_get_string(opts, SDAP_PWD_POLICY);
+    if (pwd_policy == NULL) {
+        DEBUG(1, ("Missing password policy.\n"));
+        return EINVAL;
+    }
+
     mark = ldb_msg_find_attr_as_string(msg, SYSDB_PWD_ATTRIBUTE, NULL);
     if (mark != NULL) {
         DEBUG(9, ("Found pwdAttribute, "
@@ -187,60 +196,73 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
         return EOK;
     }
 
-    mark = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_LASTCHANGE, NULL);
-    if (mark != NULL) {
-        DEBUG(9, ("Found Kerberos password expiration attributes.\n"))
-        val = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_EXPIRATION,
-                                          NULL);
-        if (val != NULL) {
-            *data = talloc_strdup(mem_ctx, val);
-            if (*data == NULL) {
-                DEBUG(1, ("talloc_strdup failed.\n"));
-                return ENOMEM;
-            }
-            *type = PWEXPIRE_KERBEROS;
-
-            return EOK;
-        }
-    }
+    if (strcasecmp(pwd_policy, PWD_POL_OPT_NONE) == 0) {
+        DEBUG(9, ("No password policy requested.\n"));
+        return EOK;
+    } else if (strcasecmp(pwd_policy, PWD_POL_OPT_MIT) == 0) {
+        mark = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_LASTCHANGE, NULL);
+        if (mark != NULL) {
+            DEBUG(9, ("Found Kerberos password expiration attributes.\n"))
+            val = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_EXPIRATION,
+                                              NULL);
+            if (val != NULL) {
+                *data = talloc_strdup(mem_ctx, val);
+                if (*data == NULL) {
+                    DEBUG(1, ("talloc_strdup failed.\n"));
+                    return ENOMEM;
+                }
+                *type = PWEXPIRE_KERBEROS;
 
-    mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
-    if (mark != NULL) {
-        DEBUG(9, ("Found shadow password expiration attributes.\n"))
-        spwd = talloc_zero(mem_ctx, struct spwd);
-        if (spwd == NULL) {
-            DEBUG(1, ("talloc failed.\n"));
-            return ENOMEM;
+                return EOK;
+            }
+        } else {
+            DEBUG(1, ("No Kerberos password expiration attributes found, "
+                      "but MIT Kerberos password policy was requested.\n"));
+            return EINVAL;
         }
+    } else if (strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) == 0) {
+        mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
+        if (mark != NULL) {
+            DEBUG(9, ("Found shadow password expiration attributes.\n"))
+            spwd = talloc_zero(mem_ctx, struct spwd);
+            if (spwd == NULL) {
+                DEBUG(1, ("talloc failed.\n"));
+                return ENOMEM;
+            }
 
-        val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
-        ret = string_to_shadowpw_days(val, &spwd->sp_lstchg);
-        if (ret != EOK) goto shadow_fail;
+            val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
+            ret = string_to_shadowpw_days(val, &spwd->sp_lstchg);
+            if (ret != EOK) goto shadow_fail;
 
-        val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MIN, NULL);
-        ret = string_to_shadowpw_days(val, &spwd->sp_min);
-        if (ret != EOK) goto shadow_fail;
+            val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MIN, NULL);
+            ret = string_to_shadowpw_days(val, &spwd->sp_min);
+            if (ret != EOK) goto shadow_fail;
 
-        val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MAX, NULL);
-        ret = string_to_shadowpw_days(val, &spwd->sp_max);
-        if (ret != EOK) goto shadow_fail;
+            val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MAX, NULL);
+            ret = string_to_shadowpw_days(val, &spwd->sp_max);
+            if (ret != EOK) goto shadow_fail;
 
-        val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_WARNING, NULL);
-        ret = string_to_shadowpw_days(val, &spwd->sp_warn);
-        if (ret != EOK) goto shadow_fail;
+            val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_WARNING, NULL);
+            ret = string_to_shadowpw_days(val, &spwd->sp_warn);
+            if (ret != EOK) goto shadow_fail;
 
-        val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_INACTIVE, NULL);
-        ret = string_to_shadowpw_days(val, &spwd->sp_inact);
-        if (ret != EOK) goto shadow_fail;
+            val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_INACTIVE, NULL);
+            ret = string_to_shadowpw_days(val, &spwd->sp_inact);
+            if (ret != EOK) goto shadow_fail;
 
-        val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_EXPIRE, NULL);
-        ret = string_to_shadowpw_days(val, &spwd->sp_expire);
-        if (ret != EOK) goto shadow_fail;
+            val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_EXPIRE, NULL);
+            ret = string_to_shadowpw_days(val, &spwd->sp_expire);
+            if (ret != EOK) goto shadow_fail;
 
-        *data = spwd;
-        *type = PWEXPIRE_SHADOW;
+            *data = spwd;
+            *type = PWEXPIRE_SHADOW;
 
-        return EOK;
+            return EOK;
+        } else {
+            DEBUG(1, ("No shadow password attributes found, "
+                      "but shadow password policy was requested.\n"));
+            return EINVAL;
+        }
     }
 
     DEBUG(9, ("No password expiration attributes found.\n"));
@@ -360,6 +382,7 @@ static void get_user_dn_done(void *pvt, int err, struct ldb_result *res)
         }
 
         ret = find_password_expiration_attributes(state, res->msgs[0],
+                                                  state->ctx->opts->basic,
                                                   &state->pw_expire_type,
                                                   &state->pw_expire_data);
         if (ret != EOK) {
@@ -917,6 +940,9 @@ static void sdap_pam_auth_done(struct tevent_req *req)
     case SDAP_UNAVAIL:
         state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
         break;
+    case SDAP_ACCT_EXPIRED:
+        state->pd->pam_status = PAM_ACCT_EXPIRED;
+        break;
     case SDAP_AUTH_PW_EXPIRED:
         state->pd->pam_status = PAM_AUTHTOK_EXPIRED;
         break;
diff --git a/server/providers/ldap/ldap_common.c b/server/providers/ldap/ldap_common.c
index 6236707fe..58c6d692f 100644
--- a/server/providers/ldap/ldap_common.c
+++ b/server/providers/ldap/ldap_common.c
@@ -55,7 +55,8 @@ struct dp_option default_basic_opts[] = {
     { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     /* use the same parm name as the krb5 module so we set it only once */
-    { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+    { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING }
 };
 
 struct sdap_attr_map generic_attr_map[] = {
@@ -157,6 +158,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
     struct sdap_attr_map *default_group_map;
     struct sdap_options *opts;
     char *schema;
+    const char *pwd_policy;
     int ret;
 
     opts = talloc_zero(memctx, struct sdap_options);
@@ -195,6 +197,20 @@ int ldap_get_options(TALLOC_CTX *memctx,
                   dp_opt_get_string(opts->basic, SDAP_GROUP_SEARCH_BASE)));
     }
 
+    pwd_policy = dp_opt_get_string(opts->basic, SDAP_PWD_POLICY);
+    if (pwd_policy == NULL) {
+        DEBUG(1, ("Missing password policy, this may not happen.\n"));
+        ret = EINVAL;
+        goto done;
+    }
+    if (strcasecmp(pwd_policy, PWD_POL_OPT_NONE) != 0 &&
+        strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) != 0 &&
+        strcasecmp(pwd_policy, PWD_POL_OPT_MIT) != 0) {
+        DEBUG(1, ("Unsupported password policy [%s].\n", pwd_policy));
+        ret = EINVAL;
+        goto done;
+    }
+
     /* schema type */
     schema = dp_opt_get_string(opts->basic, SDAP_SCHEMA);
     if (strcasecmp(schema, "rfc2307") == 0) {
diff --git a/server/providers/ldap/ldap_common.h b/server/providers/ldap/ldap_common.h
index 6adb785a3..111027672 100644
--- a/server/providers/ldap/ldap_common.h
+++ b/server/providers/ldap/ldap_common.h
@@ -26,6 +26,10 @@
 #include "providers/ldap/sdap.h"
 #include "providers/fail_over.h"
 
+#define PWD_POL_OPT_NONE "none"
+#define PWD_POL_OPT_SHADOW "shadow"
+#define PWD_POL_OPT_MIT "mit_kerberos"
+
 struct sdap_id_ctx {
     struct be_ctx *be;
     struct sdap_options *opts;
diff --git a/server/providers/ldap/sdap.h b/server/providers/ldap/sdap.h
index a63d8580d..2909f4172 100644
--- a/server/providers/ldap/sdap.h
+++ b/server/providers/ldap/sdap.h
@@ -122,6 +122,7 @@ enum sdap_basic_opt {
     SDAP_KRB5_KEYTAB,
     SDAP_KRB5_KINIT,
     SDAP_KRB5_REALM,
+    SDAP_PWD_POLICY,
 
     SDAP_OPTS_BASIC /* opts counter */
 };