summaryrefslogtreecommitdiffstats
path: root/src/responder
diff options
context:
space:
mode:
authorPavel Reichl <preichl@redhat.com>2015-07-02 07:28:05 -0400
committerJakub Hrozek <jhrozek@redhat.com>2015-07-06 20:19:02 +0200
commit32cc237aa0f3c70a4e0bc0491ec0cba0016aaf5a (patch)
treecdbc783c946be12b72827eccd27b57d454fb36a6 /src/responder
parent01ec08efd0e166ac6f390f8627c6d08dcc63ccc4 (diff)
downloadsssd-32cc237aa0f3c70a4e0bc0491ec0cba0016aaf5a.tar.gz
sssd-32cc237aa0f3c70a4e0bc0491ec0cba0016aaf5a.tar.xz
sssd-32cc237aa0f3c70a4e0bc0491ec0cba0016aaf5a.zip
sysdb: new attribute lastOnlineAuthWithCurrentToken
Introduce new user attribute lastOnlineAuthWithCurrentToken. This attribute behaves similarly to lastOnlineAuth but is set to NULL after password is changed. This attribute is needed for use-case when cached authentication is used, to request online authentication after password is locally changed. Resolves: https://fedorahosted.org/sssd/ticket/1807 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r--src/responder/pam/pamsrv_cmd.c66
1 files changed, 66 insertions, 0 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 1ca87a651..3bd676395 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -42,6 +42,9 @@ enum pam_verbosity {
#define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT
+static errno_t
+pam_null_last_online_auth_with_curr_token(struct sss_domain_info *domain,
+ const char *username);
static void pam_reply(struct pam_auth_req *preq);
static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
@@ -426,6 +429,13 @@ static errno_t set_last_login(struct pam_auth_req *preq)
goto fail;
}
+ ret = sysdb_attrs_add_time_t(attrs,
+ SYSDB_LAST_ONLINE_AUTH_WITH_CURR_TOKEN,
+ time(NULL));
+ if (ret != EOK) {
+ goto fail;
+ }
+
ret = sysdb_attrs_add_time_t(attrs, SYSDB_LAST_LOGIN, time(NULL));
if (ret != EOK) {
goto fail;
@@ -661,6 +671,17 @@ static void pam_reply(struct pam_auth_req *preq)
}
}
+ if (pd->pam_status == PAM_SUCCESS && pd->cmd == SSS_PAM_CHAUTHTOK) {
+ ret = pam_null_last_online_auth_with_curr_token(preq->domain,
+ pd->user);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_null_last_online_auth_with_curr_token failed: "
+ "%s [%d].\n", sss_strerror(ret), ret);
+ goto done;
+ }
+ }
+
if (pd->response_delay > 0) {
ret = gettimeofday(&tv, NULL);
if (ret != EOK) {
@@ -1519,3 +1540,48 @@ struct sss_cmd_table *get_pam_cmds(void)
return sss_cmds;
}
+
+static errno_t
+pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain,
+ const char *username,
+ uint64_t value)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct sysdb_attrs *attrs;
+ int ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ attrs = sysdb_new_attrs(tmp_ctx);
+ if (attrs == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_time_t(attrs,
+ SYSDB_LAST_ONLINE_AUTH_WITH_CURR_TOKEN,
+ value);
+ if (ret != EOK) { goto done; }
+
+ ret = sysdb_set_user_attr(domain, username, attrs, SYSDB_MOD_REP);
+ if (ret != EOK) { goto done; }
+
+done:
+ if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Error: %d (%s)\n", ret, sss_strerror(ret));
+ }
+
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
+static errno_t
+pam_null_last_online_auth_with_curr_token(struct sss_domain_info *domain,
+ const char *username)
+{
+ return pam_set_last_online_auth_with_curr_token(domain, username, 0);
+}