
nss-pam-ldapd branch master updated. 0.8.12-158-gd7990de


nss-pam-ldapd branch master updated. 0.8.12-158-gd7990de



This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "nss-pam-ldapd".

The branch, master has been updated
       via  d7990dee92e4e2ece7ede72f15f6ed6057640e1c (commit)
       via  ea6bff3e4490c24f71b803add8bda4e992ec7c0e (commit)
      from  62a409cb43b441c32692f414a1867176d37034ac (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=d7990dee92e4e2ece7ede72f15f6ed6057640e1c

commit d7990dee92e4e2ece7ede72f15f6ed6057640e1c
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Sat Mar 30 23:57:47 2013 +0100

    Update the shadowLastChange on password change in pynslcd

diff --git a/pynslcd/pam.py b/pynslcd/pam.py
index a1a24d0..b2bf50e 100644
--- a/pynslcd/pam.py
+++ b/pynslcd/pam.py
@@ -20,6 +20,7 @@
 
 import logging
 import socket
+import time
 
 from ldap.controls.ppolicy import PasswordPolicyControl, PasswordPolicyError
 from ldap.filter import escape_filter_chars
@@ -30,6 +31,7 @@ import common
 import constants
 import passwd
 import search
+import shadow
 
 
 def authenticate(binddn, password):
@@ -79,6 +81,29 @@ def pwmod(conn, userdn, oldpassword, newpassword):
             raise
 
 
+def update_lastchange(conns, userdn):
+    """Try to update the shadowLastChange attribute of the entry."""
+    attribute = shadow.attmap['shadowLastChange']
+    if attribute == '${shadowLastChange:--1}':
+        attribute = 'shadowLastChange'
+    if not attribute or '$' in attribute:
+        raise ValueError('shadowLastChange has unsupported mapping')
+    # build the value for the new attribute
+    if attribute.lower() == 'pwdlastset':
+        # for AD we use another timestamp */
+        value = '%d000000000' % (time.time() / 100L + (134774L * 864L))
+    else:
+        # time in days since Jan 1, 1970
+        value = '%d' % (time.time() / (60 * 60 * 24))
+    # perform the modification, return at first success
+    for conn in conns:
+        try:
+            conn.modify_s(userdn, [(ldap.MOD_REPLACE, attribute, [value])])
+            return
+        except ldap.LDAPError:
+            pass  # ignore error and try next connection
+
+
 class PAMRequest(common.Request):
 
     def validate(self, parameters):
@@ -268,6 +293,8 @@ class PAMPasswordModificationRequest(PAMRequest):
         try:
             conn, authz, msg = authenticate(binddn, password)
             pwmod(conn, parameters['userdn'], parameters['oldpassword'], 
parameters['newpassword'])
+            # try to update lastchange with normal or user connection
+            update_lastchange((self.conn, conn), parameters['userdn'])
         except ldap.INVALID_CREDENTIALS, e:
             try:
                 msg = e[0]['desc']

http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=ea6bff3e4490c24f71b803add8bda4e992ec7c0e

commit ea6bff3e4490c24f71b803add8bda4e992ec7c0e
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Sat Mar 30 23:56:23 2013 +0100

    Implement password modification in pynslcd

diff --git a/pynslcd/pam.py b/pynslcd/pam.py
index 74ae27a..a1a24d0 100644
--- a/pynslcd/pam.py
+++ b/pynslcd/pam.py
@@ -67,6 +67,18 @@ def authenticate(binddn, password):
     raise ldap.NO_SUCH_OBJECT()
 
 
+def pwmod(conn, userdn, oldpassword, newpassword):
+    # perform request without old password
+    try:
+        conn.passwd_s(userdn, None, newpassword)
+    except ldap.LDAPError:
+        # retry with old password
+        if oldpassword:
+            conn.passwd_s(userdn, oldpassword, newpassword)
+        else:
+            raise
+
+
 class PAMRequest(common.Request):
 
     def validate(self, parameters):
@@ -211,6 +223,62 @@ class PAMAuthorisationRequest(PAMRequest):
         self.write()
 
 
+class PAMPasswordModificationRequest(PAMRequest):
+
+    action = constants.NSLCD_ACTION_PAM_PWMOD
+
+    def read_parameters(self, fp):
+        return dict(username=fp.read_string(),
+                    service=fp.read_string(),
+                    ruser=fp.read_string(),
+                    rhost=fp.read_string(),
+                    tty=fp.read_string(),
+                    asroot=fp.read_int32(),
+                    oldpassword=fp.read_string(),
+                    newpassword=fp.read_string())
+        # TODO: log call with parameters
+
+    def write(self, rc=constants.NSLCD_PAM_SUCCESS, msg=''):
+        self.fp.write_int32(constants.NSLCD_RESULT_BEGIN)
+        self.fp.write_int32(rc)
+        self.fp.write_string(msg)
+        self.fp.write_int32(constants.NSLCD_RESULT_END)
+
+    def handle_request(self, parameters):
+        # fill in any missing userdn, etc.
+        self.validate(parameters)
+        # check if pam_password_prohibit_message is set
+        if cfg.pam_password_prohibit_message:
+            self.write(parameters, constants.NSLCD_PAM_PERM_DENIED,
+                       cfg.pam_password_prohibit_message)
+            return
+        # check if the the user passed the rootpwmoddn
+        if parameters['asroot']:
+            binddn = cfg.rootpwmoddn
+            # check if rootpwmodpw should be used
+            if not parameters['oldpassword'] and calleruid == 0 and 
cfg.rootpwmoddn:
+                password = cfg.rootpwmoddn
+            else:
+                password = parameters['oldpassword']
+        else:
+            binddn = parameters['userdn']
+            password = parameters['oldpassword']
+            # TODO: check if shadow properties allow password change
+        # perform password modification
+        try:
+            conn, authz, msg = authenticate(binddn, password)
+            pwmod(conn, parameters['userdn'], parameters['oldpassword'], 
parameters['newpassword'])
+        except ldap.INVALID_CREDENTIALS, e:
+            try:
+                msg = e[0]['desc']
+            except:
+                msg = str(e)
+            logging.debug('pwmod failed: %s', msg)
+            self.write(constants.NSLCD_PAM_PERM_DENIED, msg)
+            return
+        logging.debug('pwmod successful')
+        self.write()
+
+
 #NSLCD_ACTION_PAM_SESS_O
 #NSLCD_ACTION_PAM_SESS_C
-#NSLCD_ACTION_PAM_PWMOD
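Review bot: The prohibit-message branch calls `self.write(parameters, constants.NSLCD_PAM_PERM_DENIED, cfg.pam_password_prohibit_message)`, but write is declared as `write(self, rc=constants.NSLCD_PAM_SUCCESS, msg='')`, so this raises TypeError instead of reporting the denial; it should read `self.write(constants.NSLCD_PAM_PERM_DENIED, cfg.pam_password_prohibit_message)`. In the asroot branch the comment says rootpwmodpw should be used, yet both the condition and the assignment reference cfg.rootpwmoddn, so the root DN would be bound with its own DN as the password; the intended lines appear to be `if not parameters['oldpassword'] and calleruid == 0 and cfg.rootpwmodpw:` and `password = cfg.rootpwmodpw`. `calleruid` is neither a parameter nor an attribute visible in this hunk; if it is not a module-level name the branch fails with NameError, and since that comparison is what gates use of the configured root password it deserves a unit test. The bare `except:` around `e[0]['desc']` would be clearer narrowed to the lookup errors that expression can raise, and any ldap.LDAPError from pwmod other than INVALID_CREDENTIALS currently escapes handle_request unhandled.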

-----------------------------------------------------------------------

Summary of changes:
 pynslcd/pam.py |   97 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 96 insertions(+), 1 deletions(-)


hooks/post-receive
-- 
nss-pam-ldapd
-- 