From bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11 Mon Sep 17 00:00:00 2001
From: Jan Zeleny <jzeleny@redhat.com>
Date: Tue, 1 May 2012 03:36:37 -0400
Subject: Modify behavior of pam_pwd_expiration_warning

New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.

If the value of expiration warning is set to zero, the filter isn't
apllied at all - if backend server returns the warning, it will be
automatically displayed.

Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter

Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider.
---
 src/confdb/confdb.c | 18 ++++++++++++++++++
 src/confdb/confdb.h |  3 +++
 2 files changed, 21 insertions(+)

(limited to 'src/confdb')

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index d938d4f61..427101e9b 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -922,6 +922,24 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
         goto done;
     }
 
+    /* Set the PAM warning time, if specified */
+    val = ldb_msg_find_attr_as_int(res->msgs[0],
+                                   CONFDB_DOMAIN_PWD_EXPIRATION_WARNING,
+                                   -1);
+    if (val > 0) {
+        /* The value is in days, transform it to seconds */
+        val *= 24 * 3600;
+    } else {
+        ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,
+                             CONFDB_PAM_PWD_EXPIRATION_WARNING,
+                             -1, &val);
+        if (ret != EOK) {
+            DEBUG(1, ("Failed to read PAM expiration warning, not fatal.\n"));
+            val = -1;
+        }
+    }
+    domain->pwd_expiration_warning = val;
+
     ret = get_entry_as_uint32(res->msgs[0], &domain->override_gid,
                               CONFDB_DOMAIN_OVERRIDE_GID, 0);
     if (ret != EOK) {
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index b90db303a..5ec9f721c 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -152,6 +152,7 @@
 #define CONFDB_DOMAIN_NETGROUP_CACHE_TIMEOUT "entry_cache_netgroup_timeout"
 #define CONFDB_DOMAIN_SERVICE_CACHE_TIMEOUT "entry_cache_service_timeout"
 #define CONFDB_DOMAIN_AUTOFS_CACHE_TIMEOUT "entry_cache_autofs_timeout"
+#define CONFDB_DOMAIN_PWD_EXPIRATION_WARNING "pwd_expiration_warning"
 
 /* Local Provider */
 #define CONFDB_LOCAL_DEFAULT_SHELL   "default_shell"
@@ -199,6 +200,8 @@ struct sss_domain_info {
     uint32_t service_timeout;
     uint32_t autofsmap_timeout;
 
+    int pwd_expiration_warning;
+
     struct sysdb_ctx *sysdb;
 
     struct sss_domain_info **subdomains;
-- 
cgit