From bf8cce77a35cb0a3cdb0d21fb9c39b7b6372bc11 Mon Sep 17 00:00:00 2001
From: Jan Zeleny
Date: Tue, 1 May 2012 03:36:37 -0400
Subject: Modify behavior of pam_pwd_expiration_warning
New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.
---
 src/util/domain_info_utils.c | 1 +
 src/util/sss_krb5.h | 5 +++++
 2 files changed, 6 insertions(+)
(limited to 'src/util')
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index d9f320d8..45f98d85 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -77,6 +77,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
 /* FIXME: get ranges from the server */
 dom->id_min = 0;
 dom->id_max = 0xffffffff;
+ dom->pwd_expiration_warning = parent->pwd_expiration_warning;
 dom->cache_credentials = parent->cache_credentials;
 dom->case_sensitive = parent->case_sensitive;
 dom->user_timeout = parent->user_timeout;
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
index 50c4b696..6ad80806 100644
--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
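Review bot: The -1 "no value set" sentinel described in the commit message is inherited unchanged by the added line `dom->pwd_expiration_warning = parent->pwd_expiration_warning;` in the domain_info_utils.c hunk. If new_subdomain() can run before the provider has replaced that sentinel with its LDAP or Kerberos default (not visible here), the subdomain keeps -1, and whatever applies the warning filter has to treat a negative interval as unset rather than as a time span. I would document that on the line, e.g. `/* inherited as-is; may still be -1 ("not set") until the provider applies its default */`, and confirm the consumer handles -1 for subdomains. new_subdomain()'s body starts and ends outside the hunk.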
@@ -34,6 +34,11 @@
 #include "util/util.h"
+/* MIT Kerberos has the same hardcoded warning interval of 7 days. Due to the
+ * fact that using the expiration time of a Kerberos password with LDAP
+ * authentication is presumably a rare case a separate config option is not
+ * necessary. */
+#define KERBEROS_PWEXPIRE_WARNING_TIME (7 * 24 * 60 * 60)
 #define KEYTAB_CLEAN_NAME keytab_name ? keytab_name : "default"
 const char * KRB5_CALLCONV sss_krb5_get_error_message (krb5_context,
-- cgit
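Review bot: The comment above `KERBEROS_PWEXPIRE_WARNING_TIME` never states the unit, and it still says "a separate config option is not necessary", which reads as a contradiction next to a commit that introduces the per-domain pwd_expiration_warning option. A maintainer comparing this macro against a configured value cannot tell from the header that it is seconds. I would reword it to something like `/* Default password expiration warning interval for Kerberos, in seconds (7 days, the interval MIT Kerberos hardcodes). */`. If it is the fallback used when pwd_expiration_warning is unset, as the commit message's "Default value for Kerberos: 7 days" suggests, the comment should say that too.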