
nss-pam-ldapd commit: r1716 - nss-pam-ldapd/pam




Author: arthur
Date: Wed Jul 11 23:21:13 2012
New Revision: 1716
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1716&view=revision

Log:
also check pam_password_prohibit_message in pam_sm_authenticate() because 
Solaris does authentication before pam_sm_chauthtok() (thanks Ted Cheng)

Modified:
   nss-pam-ldapd/pam/pam.c

Modified: nss-pam-ldapd/pam/pam.c
==============================================================================
--- nss-pam-ldapd/pam/pam.c     Sun Jul  8 10:26:32 2012        (r1715)
+++ nss-pam-ldapd/pam/pam.c     Wed Jul 11 23:21:13 2012        (r1716)
@@ -392,12 +392,26 @@
   struct pld_cfg cfg;
   struct pld_ctx *ctx;
   const char *username,*service;
+  char *prohibit_message;
   char *passwd=NULL;
   /* set up configuration */
   cfg_init(pamh,flags,argc,argv,&cfg);
   rc=init(pamh,&cfg,&ctx,&username,&service);
   if (rc!=PAM_SUCCESS)
     return remap_pam_rc(rc,&cfg);
+  /* if service is "passwd" and pwdmod is not allowed alert user */
+  if (!strcmp(service,"passwd"))
+  {
+    
rc=nslcd_request_config_get(pamh,ctx,&cfg,NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE,&prohibit_message);
+    if 
((rc==PAM_SUCCESS)&&(prohibit_message!=NULL)&&(prohibit_message[0]!='\0'))
+    {
+      /* we silently ignore errors to get the configuration option */
+      pam_syslog(pamh,LOG_NOTICE,"password change prohibited: %s; 
user=%s",prohibit_message,username);
+      if (!cfg.no_warn)
+        pam_error(pamh,"%s",prohibit_message);
+      return remap_pam_rc(PAM_PERM_DENIED,&cfg);
+    }
+  }
   /* get the password */
   rc=pam_get_authtok(pamh,PAM_AUTHTOK,(const char **)&passwd,NULL);
   if (rc!=PAM_SUCCESS)
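Review bot: The comment `/* we silently ignore errors to get the configuration option */` is placed inside the branch that only runs when the lookup succeeded and returned a non-empty message, so it documents the path that was not taken. Move it above the `nslcd_request_config_get()` call and say there explicitly that a failed lookup lets authentication for the "passwd" service continue, since that fail-open behaviour is the security-relevant part of this check. Separately, `prohibit_message` is declared without an initialiser while `passwd` on the next line is set to `NULL`; initialising it to `NULL` as well would keep the `prohibit_message!=NULL` test meaningful even if the call ever returns `PAM_SUCCESS` without writing to the pointer.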