diff options
author | Sumit Bose <sbose@redhat.com> | 2009-12-16 12:53:55 +0100 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2009-12-18 09:43:26 -0500 |
commit | 973bebfc2cb7e77b4fb3687da5c832516543b479 (patch) | |
tree | 24b9ff707d01b8ca68f6f5848548a2c232584962 /server/providers/ldap/ldap_auth.c | |
parent | 5f0ed91b4d87c01a5e5f24569a457aa29a5e17a8 (diff) | |
download | sssd_unused-973bebfc2cb7e77b4fb3687da5c832516543b479.tar.gz sssd_unused-973bebfc2cb7e77b4fb3687da5c832516543b479.tar.xz sssd_unused-973bebfc2cb7e77b4fb3687da5c832516543b479.zip |
Handle chauthtok with PAM_PRELIM_CHECK separately
If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we
generate a separate call to the sssd to validate the old password before
asking for a new password and sending the change password request.
Diffstat (limited to 'server/providers/ldap/ldap_auth.c')
-rw-r--r-- | server/providers/ldap/ldap_auth.c | 26 |
1 files changed, 19 insertions, 7 deletions
diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c index 88e637b0..28b3240b 100644 --- a/server/providers/ldap/ldap_auth.c +++ b/server/providers/ldap/ldap_auth.c @@ -661,7 +661,7 @@ void sdap_pam_chpass_handler(struct be_req *breq) pd->pam_status = PAM_SYSTEM_ERR; - if (pd->cmd != SSS_PAM_CHAUTHTOK) { + if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) { DEBUG(2, ("chpass target was called by wrong pam command.\n")); goto done; } @@ -677,12 +677,15 @@ void sdap_pam_chpass_handler(struct be_req *breq) if (!state->password) goto done; talloc_set_destructor((TALLOC_CTX *)state->password, password_destructor); - state->new_password = talloc_strndup(state, - (char *)pd->newauthtok, - pd->newauthtok_size); - if (!state->new_password) goto done; - talloc_set_destructor((TALLOC_CTX *)state->new_password, - password_destructor); + + if (pd->cmd == SSS_PAM_CHAUTHTOK) { + state->new_password = talloc_strndup(state, + (char *)pd->newauthtok, + pd->newauthtok_size); + if (!state->new_password) goto done; + talloc_set_destructor((TALLOC_CTX *)state->new_password, + password_destructor); + } authtok.data = (uint8_t *)state->password; authtok.length = strlen(state->password); @@ -717,6 +720,14 @@ static void sdap_auth4chpass_done(struct tevent_req *req) goto done; } + if (result == SDAP_AUTH_SUCCESS && + state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) { + DEBUG(9, ("Initial authentication for change password operation " + "successful.\n")); + state->pd->pam_status = PAM_SUCCESS; + goto done; + } + if (result == SDAP_AUTH_SUCCESS) { switch (pw_expire_type) { case PWEXPIRE_SHADOW: @@ -851,6 +862,7 @@ void sdap_pam_auth_handler(struct be_req *breq) switch (pd->cmd) { case SSS_PAM_AUTHENTICATE: + case SSS_PAM_CHAUTHTOK_PRELIM: state = talloc_zero(breq, struct sdap_pam_auth_state); if (!state) goto done; |