Modify behavior of pam_pwd_expiration_warning

New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.

If the value of expiration warning is set to zero, the filter isn't
apllied at all - if backend server returns the warning, it will be
automatically displayed.

Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter

Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider.

1 files changed, 18 insertions, 0 deletions

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index d938d4f61..427101e9b 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -922,6 +922,24 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
         goto done;
     }
 
+    /* Set the PAM warning time, if specified */
+    val = ldb_msg_find_attr_as_int(res->msgs[0],
+                                   CONFDB_DOMAIN_PWD_EXPIRATION_WARNING,
+                                   -1);
+    if (val > 0) {
+        /* The value is in days, transform it to seconds */
+        val *= 24 * 3600;
+    } else {
+        ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,
+                             CONFDB_PAM_PWD_EXPIRATION_WARNING,
+                             -1, &val);
+        if (ret != EOK) {
+            DEBUG(1, ("Failed to read PAM expiration warning, not fatal.\n"));
+            val = -1;
+        }
+    }
+    domain->pwd_expiration_warning = val;
+
     ret = get_entry_as_uint32(res->msgs[0], &domain->override_gid,
                               CONFDB_DOMAIN_OVERRIDE_GID, 0);
     if (ret != EOK) {