diff options
| author | Sumit Bose <sbose@redhat.com> | 2010-12-22 18:25:45 +0100 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-01-19 09:53:20 -0500 |
| commit | d73fcc5183a676aed4fd040714b87274248b784c (patch) | |
| tree | b1ce3d709a7539b7fa16e2bbf3c8aaf2716070c0 /src/providers/ldap/sdap_access.c | |
| parent | 22f4c1b86dcf5589e63f2ae043dc65a8f72f6f18 (diff) | |
| download | sssd-d73fcc5183a676aed4fd040714b87274248b784c.tar.gz sssd-d73fcc5183a676aed4fd040714b87274248b784c.tar.xz sssd-d73fcc5183a676aed4fd040714b87274248b784c.zip | |
Add LDAP expire policy base RHDS/IPA attribute
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked.
Diffstat (limited to 'src/providers/ldap/sdap_access.c')
| -rw-r--r-- | src/providers/ldap/sdap_access.c | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c index a3c560d44..f5220742d 100644 --- a/src/providers/ldap/sdap_access.c +++ b/src/providers/ldap/sdap_access.c @@ -418,6 +418,35 @@ static errno_t sdap_account_expired_ad(struct pam_data *pd, return EOK; } +#define RHDS_LOCK_MSG "The user account is locked on the server" + +static errno_t sdap_account_expired_rhds(struct pam_data *pd, + struct ldb_message *user_entry, + int *pam_status) +{ + bool locked; + int ret; + + DEBUG(6, ("Performing RHDS access check for user [%s]\n", pd->user)); + + locked = ldb_msg_find_attr_as_bool(user_entry, SYSDB_NS_ACCOUNT_LOCK, false); + DEBUG(9, ("Account for user [%s] is%s locked.\n", pd->user, + locked ? "" : " not" )); + + if (locked) { + ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO, + sizeof(RHDS_LOCK_MSG), + (const uint8_t *) RHDS_LOCK_MSG); + if (ret != EOK) { + DEBUG(1, ("pam_add_response failed.\n")); + } + } + + *pam_status = locked ? PAM_PERM_DENIED : PAM_SUCCESS; + + return EOK; +} + struct sdap_account_expired_req_ctx { int pam_status; }; @@ -464,6 +493,15 @@ static struct tevent_req *sdap_account_expired_send(TALLOC_CTX *mem_ctx, DEBUG(1, ("sdap_account_expired_ad failed.\n")); goto done; } + } else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_RHDS) == 0 || + strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_IPA) == 0 || + strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_389DS) == 0) { + ret = sdap_account_expired_rhds(pd, user_entry, + &state->pam_status); + if (ret != EOK) { + DEBUG(1, ("sdap_account_expired_rhds failed.\n")); + goto done; + } } else { DEBUG(1, ("Unsupported LDAP account expire policy [%s]. " "Access denied.\n", expire)); |