From 973bebfc2cb7e77b4fb3687da5c832516543b479 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 16 Dec 2009 12:53:55 +0100
Subject: Handle chauthtok with PAM_PRELIM_CHECK separately

If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we
generate a separate call to the sssd to validate the old password before
asking for a new password and sending the change password request.
---
 server/providers/ldap/ldap_auth.c | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

(limited to 'server/providers/ldap/ldap_auth.c')

diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
index 88e637b09..28b3240b3 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -661,7 +661,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
 
     pd->pam_status = PAM_SYSTEM_ERR;
 
-    if (pd->cmd != SSS_PAM_CHAUTHTOK) {
+    if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {
         DEBUG(2, ("chpass target was called by wrong pam command.\n"));
         goto done;
     }
@@ -677,12 +677,15 @@ void sdap_pam_chpass_handler(struct be_req *breq)
     if (!state->password) goto done;
     talloc_set_destructor((TALLOC_CTX *)state->password,
                           password_destructor);
-    state->new_password = talloc_strndup(state,
-                                         (char *)pd->newauthtok,
-                                         pd->newauthtok_size);
-    if (!state->new_password) goto done;
-    talloc_set_destructor((TALLOC_CTX *)state->new_password,
-                          password_destructor);
+
+    if (pd->cmd == SSS_PAM_CHAUTHTOK) {
+        state->new_password = talloc_strndup(state,
+                                             (char *)pd->newauthtok,
+                                             pd->newauthtok_size);
+        if (!state->new_password) goto done;
+        talloc_set_destructor((TALLOC_CTX *)state->new_password,
+                              password_destructor);
+    }
 
     authtok.data = (uint8_t *)state->password;
     authtok.length = strlen(state->password);
@@ -717,6 +720,14 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
         goto done;
     }
 
+    if (result == SDAP_AUTH_SUCCESS &&
+        state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
+        DEBUG(9, ("Initial authentication for change password operation "
+                  "successful.\n"));
+        state->pd->pam_status = PAM_SUCCESS;
+        goto done;
+    }
+
     if (result == SDAP_AUTH_SUCCESS) {
         switch (pw_expire_type) {
             case PWEXPIRE_SHADOW:
@@ -851,6 +862,7 @@ void sdap_pam_auth_handler(struct be_req *breq)
 
     switch (pd->cmd) {
     case SSS_PAM_AUTHENTICATE:
+    case SSS_PAM_CHAUTHTOK_PRELIM:
 
         state = talloc_zero(breq, struct sdap_pam_auth_state);
         if (!state) goto done;
-- 
cgit