authorEndi S. Dewata <edewata@redhat.com>2010-03-11 14:26:56 -0600
committerRich Megginson <rmeggins@redhat.com>2010-03-12 19:51:21 -0700
commit1ef0ec98b6c91471454647e5f613d26fa015c619 (patch)
treefa7a1da28b15e074bc79307cb765ddfde9f1a300 /ldap/servers/slapd/pw_mgmt.c
parented463407ead1f63ba26f64740a1e5cd1d79a03ee (diff)
Bug 470684 - Pam_passthru plugin doesn't verify account activation
https://bugzilla.redhat.com/show_bug.cgi?id=470684 Resolves: bug 470684 Bug Description: Pam passthrough doesn't verify account activation Reviewed by: rmeggins Branch: HEAD Fix Description: The check_account_lock() has been renamed to slapi_check_account_lock() and moved into libslapd.so so any plugins can use it. The account_inactivation_only parameter has been replaced by check_password_policy. A new parameter send_result has been added to determine whether to send LDAP results. The pam_passthru plugin has been modified to use this function to check account activation when the pamIDMapMethod is set to ENTRY. The plugin will not check password policy.
Diffstat (limited to 'ldap/servers/slapd/pw_mgmt.c')
-rw-r--r--ldap/servers/slapd/pw_mgmt.c136
1 files changed, 0 insertions, 136 deletions
diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
index 34afa15b..97b51c8b 100644
--- a/ldap/servers/slapd/pw_mgmt.c
+++ b/ldap/servers/slapd/pw_mgmt.c
@@ -291,142 +291,6 @@ skip:
return( 0 );
}
-/* check_account_lock is called before bind opeation; this could be a pre-op. */
-int
-check_account_lock ( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req, int account_inactivation_only) {
-
- time_t unlock_time;
- time_t cur_time;
- char *cur_time_str = NULL;
- char *accountUnlockTime;
- passwdPolicy *pwpolicy = NULL;
- char *dn = NULL;
-
- /* kexcoff: account inactivation */
- int rc = 0;
- Slapi_ValueSet *values = NULL;
- int type_name_disposition = 0;
- char *actual_type_name = NULL;
- int attr_free_flags = 0;
- /* kexcoff - end */
-
- if ( bind_target_entry == NULL )
- return -1;
-
- if(!account_inactivation_only)
- {
- dn = slapi_entry_get_ndn(bind_target_entry);
- pwpolicy = new_passwdPolicy(pb, dn);
- }
-
- /* kexcoff: account inactivation */
- /* check if the entry is locked by nsAccountLock attribute - account inactivation feature */
-
- rc = slapi_vattr_values_get(bind_target_entry, "nsAccountLock",
- &values,
- &type_name_disposition, &actual_type_name,
- SLAPI_VIRTUALATTRS_REQUEST_POINTERS,
- &attr_free_flags);
- if ( rc == 0 )
- {
- Slapi_Value *v = NULL;
- const struct berval *bvp = NULL;
-
- if ( (slapi_valueset_first_value( values, &v ) != -1) &&
- ( bvp = slapi_value_get_berval( v )) != NULL )
- {
- if ( (bvp != NULL) && (strcasecmp(bvp->bv_val, "true") == 0) )
- {
- /* account inactivated */
- if (!account_inactivation_only && pwresponse_req) {
- slapi_pwpolicy_make_response_control ( pb, -1, -1,
- LDAP_PWPOLICY_ACCTLOCKED );
- }
- if(!account_inactivation_only)
- send_ldap_result ( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
- "Account inactivated. Contact system administrator.",
- 0, NULL );
- slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
- goto locked;
- }
- } /* else, account "activated", keep on the process */
-
- if ( values != NULL )
- slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
- }
- /* kexcoff - end */
-
- /*
- * Check if the password policy has to be checked or not
- */
- if ( account_inactivation_only || pwpolicy->pw_lockout == 0 ) {
- goto notlocked;
- }
-
- /*
- * Check the attribute of the password policy
- */
-
- /* check if account is locked out. If so, send result and return 1 */
- {
- unsigned int maxfailure= pwpolicy->pw_maxfailure;
- /* It's locked if passwordRetryCount >= maxfailure */
- if ( slapi_entry_attr_get_uint(bind_target_entry,"passwordRetryCount") < maxfailure )
- {
- /* Not locked */
- goto notlocked;
- }
- }
-
- /* locked but maybe it's time to unlock it */
- accountUnlockTime= slapi_entry_attr_get_charptr(bind_target_entry, "accountUnlockTime");
- if (accountUnlockTime != NULL)
- {
- unlock_time = parse_genTime(accountUnlockTime);
- slapi_ch_free((void **) &accountUnlockTime );
-
- if ( pwpolicy->pw_unlock == 0 &&
- unlock_time == NO_TIME ) {
-
- /* account is locked forever. contact admin to reset */
- if (pwresponse_req) {
- slapi_pwpolicy_make_response_control ( pb, -1, -1,
- LDAP_PWPOLICY_ACCTLOCKED );
- }
- send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL,
- "Exceed password retry limit. Contact system administrator to reset."
- , 0, NULL );
- goto locked;
- }
- cur_time = current_time();
- cur_time_str = format_genTime( cur_time);
- if ( difftime ( parse_genTime( cur_time_str ), unlock_time ) < 0 ) {
-
- /* account is locked, cannot do anything */
- if (pwresponse_req) {
- slapi_pwpolicy_make_response_control ( pb, -1, -1,
- LDAP_PWPOLICY_ACCTLOCKED );
- }
- send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL,
- "Exceed password retry limit. Please try later." , 0, NULL );
- slapi_ch_free((void **) &cur_time_str );
- goto locked;
- }
- slapi_ch_free((void **) &cur_time_str );
- }
-
-notlocked:
- /* account is not locked. */
- if(!account_inactivation_only)
- delete_passwdPolicy(&pwpolicy);
- return ( 0 );
-locked:
- if(!account_inactivation_only)
- delete_passwdPolicy(&pwpolicy);
- return (1);
-
-}
-
void
pw_init ( void ) {
slapdFrontendConfig_t *slapdFrontendConfig;