Modify behavior of pam_pwd_expiration_warning

New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
author: Jan Zeleny <jzeleny@redhat.com> 2012-05-01 03:36:37 -0400
committer: Stephen Gallagher <sgallagh@redhat.com> 2012-05-04 13:36:42 -0400
commit: bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11 (patch)
tree: ba1da22bd4f400edf1ba50563c80ab290e0987bb /src/providers
parent: 9fd2775fe1ced6ff6a9a3ff7db124fcb52dade5d (diff)
download: sssd-bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11.tar.gz
sssd-bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11.tar.xz
sssd-bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11.zip
2 files changed, 57 insertions, 16 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 0306426cc..986e449fd 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -734,8 +734,16 @@ static void krb5_child_done(struct tevent_req *subreq)
     int32_t msg_len;
     int64_t time_data;
     struct tgt_times tgtt;
+    int pwd_exp_warning;
+    uint32_t *expiration;
+    uint32_t *msg_subtype;
+    bool skip;
 
     memset(&tgtt, 0, sizeof(tgtt));
+    pwd_exp_warning = state->be_ctx->domain->pwd_expiration_warning;
+    if (pwd_exp_warning < 0) {
+        pwd_exp_warning = KERBEROS_PWEXPIRE_WARNING_TIME;
+    }
 
     ret = handle_child_recv(subreq, pd, &buf, &len);
     talloc_zfree(subreq);
@@ -771,6 +779,7 @@ static void krb5_child_done(struct tevent_req *subreq)
     SAFEALIGN_COPY_INT32(&msg_status, buf+p, &p);
 
     while (p < len) {
+        skip = false;
         SAFEALIGN_COPY_INT32(&msg_type, buf+p, &p);
         SAFEALIGN_COPY_INT32(&msg_len, buf+p, &p);
 
@@ -813,10 +822,24 @@ static void krb5_child_done(struct tevent_req *subreq)
                       tgtt.starttime, tgtt.endtime, tgtt.renew_till));
         }
 
-        ret = pam_add_response(pd, msg_type, msg_len, &buf[p]);
-        if (ret != EOK) {
-            /* This is not a fatal error */
-            DEBUG(1, ("pam_add_response failed.\n"));
+        if (msg_type == SSS_PAM_USER_INFO) {
+            msg_subtype = (uint32_t *)&buf[p];
+            if (*msg_subtype == SSS_PAM_USER_INFO_EXPIRE_WARN)
+            {
+                expiration = (uint32_t *)&buf[p+sizeof(uint32_t)];
+                if (pwd_exp_warning > 0 &&
+                    difftime(pwd_exp_warning, *expiration) < 0.0) {
+                    skip = true;
+                }
+            }
+        }
+
+        if (!skip) {
+            ret = pam_add_response(pd, msg_type, msg_len, &buf[p]);
+            if (ret != EOK) {
+                /* This is not a fatal error */
+                DEBUG(1, ("pam_add_response failed.\n"));
+            }
         }
         p += msg_len;
 
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 734249ced..da64f249e 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -47,11 +47,7 @@
 #include "providers/ldap/sdap_async.h"
 #include "providers/ldap/sdap_async_private.h"
 
-/* MIT Kerberos has the same hardcoded warning interval of 7 days. Due to the
- * fact that using the expiration time of a Kerberos password with LDAP
- * authentication is presumably a rare case a separate config option is not
- * necessary. */
-#define KERBEROS_PWEXPIRE_WARNING_TIME (7 * 24 * 60 * 60)
+#define LDAP_PWEXPIRE_WARNING_TIME 0
 
 enum pwexpire {
     PWEXPIRE_NONE = 0,
@@ -90,11 +86,13 @@ static errno_t add_expired_warning(struct pam_data *pd, long exp_time)
 
 static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
                                        struct pam_data *pd,
-                                       enum sdap_result *result)
+                                       enum sdap_result *result,
+                                       int pwd_exp_warning)
 {
     char *end;
     struct tm tm;
     time_t expire_time;
+    int expiration_warning;
     int ret;
 
     memset(&tm, 0, sizeof(tm));
@@ -130,8 +128,14 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
     } else {
         *result = SDAP_AUTH_SUCCESS;
 
+        if (pwd_exp_warning >= 0) {
+            expiration_warning = pwd_exp_warning;
+        } else {
+            expiration_warning = KERBEROS_PWEXPIRE_WARNING_TIME;
+        }
         if (pd != NULL &&
-            difftime(now + KERBEROS_PWEXPIRE_WARNING_TIME, expire_time) > 0.0) {
+            (difftime(now + expiration_warning, expire_time) > 0.0 ||
+            expiration_warning == 0)) {
             ret = add_expired_warning(pd, (long) difftime(expire_time, now));
             if (ret != EOK) {
                 DEBUG(1, ("add_expired_warning failed.\n"));
@@ -202,13 +206,19 @@ static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,
 
 static errno_t check_pwexpire_ldap(struct pam_data *pd,
                                    struct sdap_ppolicy_data *ppolicy,
-                                   enum sdap_result *result)
+                                   enum sdap_result *result,
+                                   int pwd_exp_warning)
 {
     if (ppolicy->grace > 0 || ppolicy->expire > 0) {
         uint32_t *data;
         uint32_t *ptr;
+        time_t now = time(NULL);
         int ret;
 
+        if (pwd_exp_warning < 0) {
+            pwd_exp_warning = 0;
+        }
+
         data = talloc_size(pd, 2* sizeof(uint32_t));
         if (data == NULL) {
             DEBUG(1, ("talloc_size failed.\n"));
@@ -221,6 +231,10 @@ static errno_t check_pwexpire_ldap(struct pam_data *pd,
             ptr++;
             *ptr = ppolicy->grace;
         } else if (ppolicy->expire > 0) {
+            if (pwd_exp_warning == 0 ||
+                difftime(now + pwd_exp_warning, ppolicy->expire) > 0.0) {
+                goto done;
+            }
             *ptr = SSS_PAM_USER_INFO_EXPIRE_WARN;
             ptr++;
             *ptr = ppolicy->expire;
@@ -234,6 +248,7 @@ static errno_t check_pwexpire_ldap(struct pam_data *pd,
         }
     }
 
+done:
     *result = SDAP_AUTH_SUCCESS;
     return EOK;
 }
@@ -830,8 +845,8 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
                 }
                 break;
             case PWEXPIRE_KERBEROS:
-                ret = check_pwexpire_kerberos(pw_expire_data, time(NULL), NULL,
-                                              &result);
+                ret = check_pwexpire_kerberos(pw_expire_data, time(NULL), NULL, &result,
+                                              state->breq->domain->pwd_expiration_warning);
                 if (ret != EOK) {
                     DEBUG(1, ("check_pwexpire_kerberos failed.\n"));
                     state->pd->pam_status = PAM_SYSTEM_ERR;
@@ -1064,6 +1079,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
                     tevent_req_callback_data(req, struct sdap_pam_auth_state);
     enum sdap_result result;
     enum pwexpire pw_expire_type;
+    struct be_ctx *be_ctx = state->breq->be_ctx;
     void *pw_expire_data;
     int dp_err = DP_ERR_OK;
     int ret;
@@ -1091,7 +1107,8 @@ static void sdap_pam_auth_done(struct tevent_req *req)
                 break;
             case PWEXPIRE_KERBEROS:
                 ret = check_pwexpire_kerberos(pw_expire_data, time(NULL),
-                                              state->pd, &result);
+                                              state->pd, &result,
+                                              be_ctx->domain->pwd_expiration_warning);
                 if (ret != EOK) {
                     DEBUG(1, ("check_pwexpire_kerberos failed.\n"));
                     state->pd->pam_status = PAM_SYSTEM_ERR;
@@ -1099,7 +1116,8 @@ static void sdap_pam_auth_done(struct tevent_req *req)
                 }
                 break;
             case PWEXPIRE_LDAP_PASSWORD_POLICY:
-                ret = check_pwexpire_ldap(state->pd, pw_expire_data, &result);
+                ret = check_pwexpire_ldap(state->pd, pw_expire_data, &result,
+                                          be_ctx->domain->pwd_expiration_warning);
                 if (ret != EOK) {
                     DEBUG(1, ("check_pwexpire_ldap failed.\n"));
                     state->pd->pam_status = PAM_SYSTEM_ERR;
author	Jan Zeleny <jzeleny@redhat.com>	2012-05-01 03:36:37 -0400
committer	Stephen Gallagher <sgallagh@redhat.com>	2012-05-04 13:36:42 -0400
commit	bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11 (patch)
tree	ba1da22bd4f400edf1ba50563c80ab290e0987bb /src/providers
parent	9fd2775fe1ced6ff6a9a3ff7db124fcb52dade5d (diff)
download	sssd-bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11.tar.gz sssd-bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11.tar.xz sssd-bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11.zip