Modify behavior of pam_pwd_expiration_warning

New option pwd_expiration_warning is introduced which can be set per
domain and can override the value specified by the original
pam_pwd_expiration_warning.

If the value of expiration warning is set to zero, the filter isn't
apllied at all - if backend server returns the warning, it will be
automatically displayed.

Default value for Kerberos: 7 days
Default value for LDAP: don't apply the filter

Technical note: default value when creating the domain is -1. This is
important so we can distinguish between "no value set" and 0. Without
this possibility it would be impossible to set different values for LDAP
and Kerberos provider.

2 files changed, 6 insertions, 0 deletions

diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index d9f320d8..45f98d85 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -77,6 +77,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
     /* FIXME: get ranges from the server */
     dom->id_min = 0;
     dom->id_max = 0xffffffff;
+    dom->pwd_expiration_warning = parent->pwd_expiration_warning;
     dom->cache_credentials = parent->cache_credentials;
     dom->case_sensitive = parent->case_sensitive;
     dom->user_timeout = parent->user_timeout;
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
index 50c4b696..6ad80806 100644
--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
@@ -34,6 +34,11 @@
 
 #include "util/util.h"
 
+/* MIT Kerberos has the same hardcoded warning interval of 7 days. Due to the
+ * fact that using the expiration time of a Kerberos password with LDAP
+ * authentication is presumably a rare case a separate config option is not
+ * necessary. */
+#define KERBEROS_PWEXPIRE_WARNING_TIME (7 * 24 * 60 * 60)
 #define KEYTAB_CLEAN_NAME keytab_name ? keytab_name : "default"
 
 const char * KRB5_CALLCONV sss_krb5_get_error_message (krb5_context,