Improvements for LDAP Password Policy support

Display warnings about remaining grace logins and password
expiration to the user, when LDAP Password Policies are used.

Improved detection if LDAP Password policies are supported by
LDAP Server.

2 files changed, 98 insertions, 7 deletions

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 2ba6f158e..07ed4e721 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -3,6 +3,7 @@
         Sumit Bose <sbose@redhat.com>
 
     Copyright (C) 2009 Red Hat
+    Copyright (C) 2010, rhafer@suse.de, Novell Inc.
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU Lesser General Public License as published by
@@ -436,6 +437,81 @@ static int user_info_offline_auth(pam_handle_t *pamh, size_t buflen,
     return PAM_SUCCESS;
 }
 
+static int user_info_grace_login(pam_handle_t *pamh,
+                                 size_t buflen,
+                                 uint8_t *buf)
+{
+    int ret;
+    uint32_t grace;
+    char user_msg[256];
+
+    if (buflen != 2* sizeof(uint32_t)) {
+        D(("User info response data has the wrong size"));
+        return PAM_BUF_ERR;
+    }
+    memcpy(&grace, buf + sizeof(uint32_t), sizeof(uint32_t));
+    ret = snprintf(user_msg, sizeof(user_msg),
+                   _("Your password has expired. "
+                     "You have %d grace login(s) remaining."),
+                   grace);
+    if (ret < 0 || ret >= sizeof(user_msg)) {
+        D(("snprintf failed."));
+        return PAM_SYSTEM_ERR;
+    }
+    ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL);
+
+    if (ret != PAM_SUCCESS) {
+        D(("do_pam_conversation failed."));
+        return PAM_SYSTEM_ERR;
+    }
+
+    return PAM_SUCCESS;
+}
+
+#define MINSEC 60
+#define HOURSEC (60*MINSEC)
+#define DAYSEC (24*HOURSEC)
+static int user_info_expire_warn(pam_handle_t *pamh,
+                                 size_t buflen,
+                                 uint8_t *buf)
+{
+    int ret;
+    uint32_t expire;
+    char user_msg[256];
+    const char* unit="second(s)";
+
+    if (buflen != 2* sizeof(uint32_t)) {
+        D(("User info response data has the wrong size"));
+        return PAM_BUF_ERR;
+    }
+    memcpy(&expire, buf + sizeof(uint32_t), sizeof(uint32_t));
+    if (expire >= DAYSEC) {
+        expire /= DAYSEC;
+        unit = "day(s)";
+    } else if (expire >= HOURSEC) {
+        expire /= HOURSEC;
+        unit = "hour(s)";
+    } else if (expire >= MINSEC) {
+        expire /= MINSEC;
+        unit = "minute(s)";
+    }
+
+    ret = snprintf(user_msg, sizeof(user_msg),
+                   _("Your password will expire in %d %s."), expire, unit);
+    if (ret < 0 || ret >= sizeof(user_msg)) {
+        D(("snprintf failed."));
+        return PAM_SYSTEM_ERR;
+    }
+    ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL);
+
+    if (ret != PAM_SUCCESS) {
+        D(("do_pam_conversation failed."));
+        return PAM_SYSTEM_ERR;
+    }
+
+    return PAM_SUCCESS;
+}
+
 static int user_info_offline_auth_delayed(pam_handle_t *pamh, size_t buflen,
                                   uint8_t *buf)
 {
@@ -563,6 +639,12 @@ static int eval_user_info_response(pam_handle_t *pamh, size_t buflen,
         case SSS_PAM_USER_INFO_OFFLINE_AUTH:
             ret = user_info_offline_auth(pamh, buflen, buf);
             break;
+        case SSS_PAM_USER_INFO_GRACE_LOGIN:
+            ret = user_info_grace_login(pamh, buflen, buf);
+            break;
+        case SSS_PAM_USER_INFO_EXPIRE_WARN:
+            ret = user_info_expire_warn(pamh, buflen, buf);
+            break;
         case SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED:
             ret = user_info_offline_auth_delayed(pamh, buflen, buf);
             break;
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 2edd158db..f38726579 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -377,13 +377,22 @@ enum user_info_type {
                                        * possible to change the password while
                                        * the system is offline. This message
                                        * is generated by the PAM responder. */
-    SSS_PAM_USER_INFO_CHPASS_ERROR /**< Tell the user that a password change
-                                    * failed and optionally give a reason.
-                                    * @param Size of the message as unsigned
-                                    * 32-bit integer value. A value of 0
-                                    * indicates that no message is following.
-                                    * @param String with the specified
-                                    * length. */
+    SSS_PAM_USER_INFO_CHPASS_ERROR, /**< Tell the user that a password change
+                                     * failed and optionally give a reason.
+                                     * @param Size of the message as unsigned
+                                     * 32-bit integer value. A value of 0
+                                     * indicates that no message is following.
+                                     * @param String with the specified
+                                     * length. */
+    SSS_PAM_USER_INFO_GRACE_LOGIN, /**< Warn the user that the password is
+                                    * expired and inform about the remaining
+                                    * number of grace logins.
+                                    * @param The number of remaining grace
+                                    * logins as uint32_t */
+    SSS_PAM_USER_INFO_EXPIRE_WARN /**< Warn the user that the password will
+                                   * expire soon.
+                                   * @param Number of seconds before the user's
+                                   * password will expire. */
 };
 /**
  * @}