diff options
| author | Sumit Bose <sbose@redhat.com> | 2010-12-22 18:25:45 +0100 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-01-19 09:53:20 -0500 |
| commit | d73fcc5183a676aed4fd040714b87274248b784c (patch) | |
| tree | b1ce3d709a7539b7fa16e2bbf3c8aaf2716070c0 /src/providers/ldap | |
| parent | 22f4c1b86dcf5589e63f2ae043dc65a8f72f6f18 (diff) | |
| download | sssd-d73fcc5183a676aed4fd040714b87274248b784c.tar.gz sssd-d73fcc5183a676aed4fd040714b87274248b784c.tar.xz sssd-d73fcc5183a676aed4fd040714b87274248b784c.zip | |
Add LDAP expire policy base RHDS/IPA attribute
The attribute nsAccountLock is used by RHDS, IPA and other directory
servers to indicate that the account is locked.
Diffstat (limited to 'src/providers/ldap')
| -rw-r--r-- | src/providers/ldap/ldap_common.c | 6 | ||||
| -rw-r--r-- | src/providers/ldap/ldap_init.c | 5 | ||||
| -rw-r--r-- | src/providers/ldap/sdap.h | 3 | ||||
| -rw-r--r-- | src/providers/ldap/sdap_access.c | 38 | ||||
| -rw-r--r-- | src/providers/ldap/sdap_access.h | 3 |
5 files changed, 52 insertions, 3 deletions
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index e98e718b1..48c35638b 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -123,7 +123,8 @@ struct sdap_attr_map rfc2307_user_map[] = { { "ldap_pwd_attribute", "pwdAttribute", SYSDB_PWD_ATTRIBUTE, NULL }, { "ldap_user_authorized_service", "authorizedService", SYSDB_AUTHORIZED_SERVICE, NULL }, { "ldap_user_ad_account_expires", "accountExpires", SYSDB_AD_ACCOUNT_EXPIRES, NULL}, - { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL} + { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL}, + { "ldap_ns_account_lock", "nsAccountLock", SYSDB_NS_ACCOUNT_LOCK, NULL} }; struct sdap_attr_map rfc2307_group_map[] = { @@ -165,7 +166,8 @@ struct sdap_attr_map rfc2307bis_user_map[] = { { "ldap_pwd_attribute", "pwdAttribute", SYSDB_PWD_ATTRIBUTE, NULL }, { "ldap_user_authorized_service", "authorizedService", SYSDB_AUTHORIZED_SERVICE, NULL }, { "ldap_user_ad_account_expires", "accountExpires", SYSDB_AD_ACCOUNT_EXPIRES, NULL}, - { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL} + { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL}, + { "ldap_ns_account_lock", "nsAccountLock", SYSDB_NS_ACCOUNT_LOCK, NULL} }; struct sdap_attr_map rfc2307bis_group_map[] = { diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c index 61f923333..6b05690ed 100644 --- a/src/providers/ldap/ldap_init.c +++ b/src/providers/ldap/ldap_init.c @@ -346,7 +346,10 @@ int sssm_ldap_access_init(struct be_ctx *bectx, "All domain users will be denied access.\n")); } else { if (strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_SHADOW) != 0 && - strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_AD) != 0) { + strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_AD) != 0 && + strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_RHDS) != 0 && + strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_IPA) != 0 && + strcasecmp(dummy, LDAP_ACCOUNT_EXPIRE_389DS) != 0) { DEBUG(1, ("Unsupported LDAP account expire policy [%s].\n", dummy)); ret = EINVAL; diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index 57f849a16..932abca4d 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -122,6 +122,8 @@ struct sdap_ppolicy_data { #define SYSDB_SHADOWPW_EXPIRE "shadowExpire" #define SYSDB_SHADOWPW_FLAG "shadowFlag" +#define SYSDB_NS_ACCOUNT_LOCK "nsAccountLock" + #define SYSDB_KRBPW_LASTCHANGE "krbLastPwdChange" #define SYSDB_KRBPW_EXPIRATION "krbPasswordExpiration" @@ -236,6 +238,7 @@ enum sdap_user_attrs { SDAP_AT_AUTH_SVC, SDAP_AT_AD_ACCOUNT_EXPIRES, SDAP_AT_AD_USER_ACCOUNT_CONTROL, + SDAP_AT_NS_ACCOUNT_LOCK, SDAP_OPTS_USER /* attrs counter */ }; diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c index a3c560d44..f5220742d 100644 --- a/src/providers/ldap/sdap_access.c +++ b/src/providers/ldap/sdap_access.c @@ -418,6 +418,35 @@ static errno_t sdap_account_expired_ad(struct pam_data *pd, return EOK; } +#define RHDS_LOCK_MSG "The user account is locked on the server" + +static errno_t sdap_account_expired_rhds(struct pam_data *pd, + struct ldb_message *user_entry, + int *pam_status) +{ + bool locked; + int ret; + + DEBUG(6, ("Performing RHDS access check for user [%s]\n", pd->user)); + + locked = ldb_msg_find_attr_as_bool(user_entry, SYSDB_NS_ACCOUNT_LOCK, false); + DEBUG(9, ("Account for user [%s] is%s locked.\n", pd->user, + locked ? "" : " not" )); + + if (locked) { + ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO, + sizeof(RHDS_LOCK_MSG), + (const uint8_t *) RHDS_LOCK_MSG); + if (ret != EOK) { + DEBUG(1, ("pam_add_response failed.\n")); + } + } + + *pam_status = locked ? PAM_PERM_DENIED : PAM_SUCCESS; + + return EOK; +} + struct sdap_account_expired_req_ctx { int pam_status; }; @@ -464,6 +493,15 @@ static struct tevent_req *sdap_account_expired_send(TALLOC_CTX *mem_ctx, DEBUG(1, ("sdap_account_expired_ad failed.\n")); goto done; } + } else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_RHDS) == 0 || + strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_IPA) == 0 || + strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_389DS) == 0) { + ret = sdap_account_expired_rhds(pd, user_entry, + &state->pam_status); + if (ret != EOK) { + DEBUG(1, ("sdap_account_expired_rhds failed.\n")); + goto done; + } } else { DEBUG(1, ("Unsupported LDAP account expire policy [%s]. " "Access denied.\n", expire)); diff --git a/src/providers/ldap/sdap_access.h b/src/providers/ldap/sdap_access.h index 28c857f61..32c45b817 100644 --- a/src/providers/ldap/sdap_access.h +++ b/src/providers/ldap/sdap_access.h @@ -35,6 +35,9 @@ #define LDAP_ACCOUNT_EXPIRE_SHADOW "shadow" #define LDAP_ACCOUNT_EXPIRE_AD "ad" +#define LDAP_ACCOUNT_EXPIRE_RHDS "rhds" +#define LDAP_ACCOUNT_EXPIRE_IPA "ipa" +#define LDAP_ACCOUNT_EXPIRE_389DS "389ds" enum ldap_access_rule { LDAP_ACCESS_EMPTY = -1, |