authorGünther Deschner <gd@samba.org>2007-02-05 14:43:06 +0000
committerGünther Deschner <gd@samba.org>2007-02-05 14:43:06 +0000
commit7995bf28d271fb8d42195510a9467eb01942410e (patch)
tree15247bb79f79ca05fa7635db514e51117383f83c /source/nsswitch
parentcfe92b0fe56272e8cbd439ea0a738567398c3774 (diff)
r21144: Create more accurate warning message when the pam_winbind chauthtok has
received NT_STATUS_PASSWORD_RESTRICTION. Guenther
Diffstat (limited to 'source/nsswitch')
-rw-r--r--source/nsswitch/pam_winbind.c88
1 files changed, 76 insertions, 12 deletions
diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c
index afeb3433ad8..ee246acb7a6 100644
--- a/source/nsswitch/pam_winbind.c
+++ b/source/nsswitch/pam_winbind.c
@@ -460,6 +460,75 @@ static void _pam_warn_password_expires_in_future(pam_handle_t *pamh, struct winb
/* no warning sent */
}
+/**
+ * Compose Password Restriction String for a PAM_ERROR_MSG conversation.
+ *
+ * @param response The struct winbindd_response.
+ *
+ * @return string (caller needs to free).
+ */
+
+static char *_pam_compose_pwd_restriction_string(struct winbindd_response *response)
+{
+ char *str = NULL;
+ size_t offset = 0, ret = 0, str_size = 1024;
+
+ str = (char *)malloc(str_size);
+ if (!str) {
+ return NULL;
+ }
+
+ memset(str, '\0', str_size);
+
+ offset = snprintf(str, str_size, "Your password ");
+ if (offset == -1) {
+ goto failed;
+ }
+
+ if (response->data.auth.policy.min_length_password > 0) {
+ ret = snprintf(str+offset, str_size-offset,
+ "must be at least %d characters; ",
+ response->data.auth.policy.min_length_password);
+ if (ret == -1) {
+ goto failed;
+ }
+ offset += ret;
+ }
+
+ if (response->data.auth.policy.password_history > 0) {
+ ret = snprintf(str+offset, str_size-offset,
+ "cannot repeat any of your previous %d passwords; ",
+ response->data.auth.policy.password_history);
+ if (ret == -1) {
+ goto failed;
+ }
+ offset += ret;
+ }
+
+ if (response->data.auth.policy.password_properties & DOMAIN_PASSWORD_COMPLEX) {
+ ret = snprintf(str+offset, str_size-offset,
+ "must contain capitals, numerals or punctuation; "
+ "and cannot contain your account or full name; ");
+ if (ret == -1) {
+ goto failed;
+ }
+ offset += ret;
+ }
+
+ ret = snprintf(str+offset, str_size-offset,
+ "Please type a different password. "
+ "Type a password which meets these requirements in both text boxes.");
+ if (ret == -1) {
+ goto failed;
+ }
+
+ return str;
+
+ failed:
+ SAFE_FREE(str);
+ return NULL;
+}
+
/* talk to winbindd */
static int winbind_auth_request(pam_handle_t * pamh,
int ctrl,
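Review bot: The `ret == -1` checks in `_pam_compose_pwd_restriction_string` do not detect truncation. snprintf returns the length it would have written, so once `offset` exceeds `str_size`, the next call receives `str+offset` past the allocation and `str_size-offset` wraps to a very large `size_t`. With the fixed strings and the two `%d` values visible here the total stays well under 1024 bytes, so this looks unreachable today, but longer or translated text added later would turn it into a heap overwrite. Declaring `ret` as `int` and testing `if (ret < 0 || (size_t)ret >= str_size - offset) goto failed;` after each call closes that gap and removes the signed/unsigned comparison against -1. Separately, when none of the three policy conditions holds, the message reads "Your password Please type a different password.".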
@@ -745,6 +814,8 @@ static int winbind_chauthtok_request(pam_handle_t * pamh,
if (!strcasecmp(response.data.auth.nt_status_string, "NT_STATUS_PASSWORD_RESTRICTION")) {
+ char *pwd_restriction_string = NULL;
+
/* FIXME: avoid to send multiple PAM messages after another */
switch (response.data.auth.reject_reason) {
case -1:
@@ -771,18 +842,11 @@ static int winbind_chauthtok_request(pam_handle_t * pamh,
break;
}
- _make_remark_format(pamh, PAM_ERROR_MSG,
- "Your password must be at least %d characters; "
- "cannot repeat any of the your previous %d passwords"
- "%s. "
- "Please type a different password. "
- "Type a password which meets these requirements in both text boxes.",
- response.data.auth.policy.min_length_password,
- response.data.auth.policy.password_history,
- (response.data.auth.policy.password_properties & DOMAIN_PASSWORD_COMPLEX) ?
- "; must contain capitals, numerals or punctuation; and cannot contain your account or full name" :
- "");
-
+ pwd_restriction_string = _pam_compose_pwd_restriction_string(&response);
+ if (pwd_restriction_string) {
+ _make_remark(pamh, PAM_ERROR_MSG, pwd_restriction_string);
+ SAFE_FREE(pwd_restriction_string);
+ }
}
return ret;
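Review bot: When `_pam_compose_pwd_restriction_string(&response)` returns NULL (allocation or formatting failure), the `if (pwd_restriction_string)` branch is skipped silently, so the user gets no policy explanation and nothing is logged. The switch above may already have sent a reject-reason message, but its cases are only partly visible in this hunk. An `else` branch that logs the failure would make the condition diagnosable. Passing the composed text to `_make_remark` rather than `_make_remark_format` is the right choice, since the string is then not interpreted as a format; a short comment such as `/* already formatted: must not be passed as a format string */` would keep it that way.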