nss-pam-ldapd branch master updated. 0.9.6-8-g309f127
nss-pam-ldapd branch master updated. 0.9.6-8-g309f127
- From: Commits of the nss-pam-ldapd project <nss-pam-ldapd-commits [at] lists.arthurdejong.org>
- To: nss-pam-ldapd-commits [at] lists.arthurdejong.org
- Reply-to: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: nss-pam-ldapd branch master updated. 0.9.6-8-g309f127
- Date: Sat, 15 Aug 2015 15:53:59 +0200 (CEST)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "nss-pam-ldapd".
The branch, master has been updated
via 309f127416cd38f972d28b29f59e784ea5403785 (commit)
via 263a44340badb1e553c997f2dfb4986fb2f4c28b (commit)
via 4302901a2708d55b24880b77437e3d782b0de1cb (commit)
from 89b471bb7bab499d05e1c5e8e269c8a811bb4649 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=309f127416cd38f972d28b29f59e784ea5403785
commit 309f127416cd38f972d28b29f59e784ea5403785
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Fri Aug 14 23:55:35 2015 +0200
Have PAM module log messages to syslog
This logs informational messages that are presented to the user to
syslog. This normally includes password expiry and grace login
information which may be useful to log.
diff --git a/pam/pam.c b/pam/pam.c
index f927022..d7956ce 100644
--- a/pam/pam.c
+++ b/pam/pam.c
@@ -581,9 +581,17 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
pam_syslog(pamh, LOG_DEBUG, "authorization succeeded");
/* present any informational messages to the user */
if ((authz_resp.msg[0] != '\0') && (!cfg.no_warn))
+ {
pam_info(pamh, "%s", authz_resp.msg);
+ pam_syslog(pamh, LOG_INFO, "%s; user=%s",
+ authz_resp.msg, username);
+ }
if ((ctx->saved_authz.msg[0] != '\0') && (!cfg.no_warn))
+ {
pam_info(pamh, "%s", ctx->saved_authz.msg);
+ pam_syslog(pamh, LOG_INFO, "%s; user=%s",
+ ctx->saved_authz.msg, username);
+ }
return PAM_SUCCESS;
}
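Review bot: The new pam_syslog() calls sit inside the `!cfg.no_warn` guard, so an administrator who sets no_warn loses the syslog record along with the user prompt, which works against the stated goal of logging expiry and grace-login information. Hoisting each pam_syslog() into its own `if (authz_resp.msg[0] != '\0')` block ahead of the no_warn-gated pam_info() (and likewise for saved_authz) keeps the audit trail independent of the display setting. The message text is passed as a `%s` argument, so there is no format-string exposure here, but it arrives from nslcd rather than this module, so a short comment noting that it is expected to be plain text without control characters would document the assumption. pam_sm_acct_mgmt begins before this hunk.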
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=263a44340badb1e553c997f2dfb4986fb2f4c28b
commit 263a44340badb1e553c997f2dfb4986fb2f4c28b
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Fri Aug 14 23:09:50 2015 +0200
Simplify password policy message handling
This simplifies the check for overwriting pending password expiry and
grace login warnings and updates handling of the
LDAP_CONTROL_PWEXPIRING control to be consistent with that of the expire
value of LDAP_CONTROL_PASSWORDPOLICYRESPONSE.
This also corrects the function name, also logs empty password policy
responses in debug mode and documents the meaning of the various
password policy values.
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index 9e9877c..df9a465 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -5,7 +5,7 @@
Copyright (C) 1997-2006 Luke Howard
Copyright (C) 2006-2007 West Consulting
- Copyright (C) 2006-2014 Arthur de Jong
+ Copyright (C) 2006-2015 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -406,7 +406,7 @@ static int do_sasl_interact(LDAP UNUSED(*ld), unsigned
UNUSED(flags),
}
#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE)
-static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld,
LDAPControl **ctrls)
+static void handle_ppolicy_controls(MYLDAP_SESSION *session, LDAP *ld,
LDAPControl **ctrls)
{
int i;
int rc;
@@ -434,10 +434,9 @@ static void handle_ppasswd_controls(MYLDAP_SESSION
*session, LDAP *ld, LDAPContr
sec = atol(seconds);
log_log(LOG_DEBUG, "got LDAP_CONTROL_PWEXPIRING (password will expire in
%ld seconds)",
sec);
- /* return this warning to PAM */
- if (session->policy_response == NSLCD_PAM_SUCCESS)
+ /* return this warning so PAM can present it to the user */
+ if (strlen(session->policy_message) == 0)
{
- session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
mysnprintf(session->policy_message, sizeof(session->policy_message),
"password will expire in %ld seconds", sec);
}
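Review bot: The `sec` that the new guard turns straight into the user-visible warning comes from `sec = atol(seconds)` on the context line above, where `seconds` is the value of a server-sent LDAP_CONTROL_PWEXPIRING control; atol() silently yields 0 or a negative number for malformed or out-of-range input, so a misconfigured server can make this produce "password will expire in -1 seconds" and, with the pam.c change in this push, place that string in syslog. Parsing with `strtol(seconds, &end, 10)` and skipping the message when `end == seconds || *end != '\0' || sec < 0` (logging the rejection at debug level) would make the control handling robust. handle_ppolicy_controls starts and ends outside this hunk.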
@@ -453,9 +452,8 @@ static void handle_ppasswd_controls(MYLDAP_SESSION
*session, LDAP *ld, LDAPContr
else
{
/* log returned control information */
- if (error != PP_noError)
- log_log(LOG_DEBUG, "got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (%s)",
- ldap_passwordpolicy_err2txt(error));
+ log_log(LOG_DEBUG, "got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (%s)",
+ ldap_passwordpolicy_err2txt(error));
if (expire >= 0)
log_log(LOG_DEBUG, "got LDAP_CONTROL_PASSWORDPOLICYRESPONSE
(password will expire in %d seconds)",
expire);
@@ -467,6 +465,7 @@ static void handle_ppasswd_controls(MYLDAP_SESSION
*session, LDAP *ld, LDAPContr
((session->policy_response == NSLCD_PAM_SUCCESS) ||
(session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)))
{
+ /* this means that the password has expired and must be reset */
session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
mysnprintf(session->policy_message, sizeof(session->policy_message),
"%s", ldap_passwordpolicy_err2txt(error));
@@ -475,6 +474,8 @@ static void handle_ppasswd_controls(MYLDAP_SESSION
*session, LDAP *ld, LDAPContr
((session->policy_response == NSLCD_PAM_SUCCESS) ||
(session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)))
{
+ /* this means that the account is locked and the user cannot log
+ in (the bind probably failed already) */
session->policy_response = NSLCD_PAM_ACCT_EXPIRED;
mysnprintf(session->policy_message, sizeof(session->policy_message),
"%s", ldap_passwordpolicy_err2txt(error));
@@ -482,6 +483,8 @@ static void handle_ppasswd_controls(MYLDAP_SESSION
*session, LDAP *ld, LDAPContr
else if ((error == PP_changeAfterReset) &&
(session->policy_response == NSLCD_PAM_SUCCESS))
{
+ /* this indicates that the password must be changed before the
+ user is allowed to perform any other operation */
session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
mysnprintf(session->policy_message, sizeof(session->policy_message),
"%s", ldap_passwordpolicy_err2txt(error));
@@ -490,20 +493,23 @@ static void handle_ppasswd_controls(MYLDAP_SESSION
*session, LDAP *ld, LDAPContr
((session->policy_response == NSLCD_PAM_SUCCESS) ||
(session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)))
{
+ /* any other error is assumed to mean that the operation failed */
session->policy_response = NSLCD_PAM_PERM_DENIED;
mysnprintf(session->policy_message, sizeof(session->policy_message),
"%s", ldap_passwordpolicy_err2txt(error));
}
- else if ((expire >= 0) &&
- ((session->policy_response == NSLCD_PAM_SUCCESS) ||
- (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)))
+ /* both expire and grace should just be warnings to the user */
+ if ((expire >= 0) && (strlen(session->policy_message) == 0))
{
+ /* if no other error has happened, this indicates that the password
+ will soon expire (number of seconds) */
mysnprintf(session->policy_message, sizeof(session->policy_message),
"Password will expire in %d seconds", expire);
}
- else if ((grace >= 0) &&
- (session->policy_response == NSLCD_PAM_SUCCESS))
+ else if ((grace >= 0) && (strlen(session->policy_message) == 0))
{
+ /* this indicates the number of grace logins that are left before
+ no further login attempts will be allowed */
mysnprintf(session->policy_message, sizeof(session->policy_message),
"Password expired, %d grace logins left", grace);
}
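Review bot: The new `strlen(session->policy_message) == 0` tests on the expire and grace branches scan the buffer only to ask whether it is empty; `session->policy_message[0] == '\0'` states that directly and matches how pam.c tests the same message (`authz_resp.msg[0] != '\0'`). A one-line comment above the first test would also help, since the reason these branches left the `else if` chain is precedence rather than structure, e.g. `/* warnings never replace a message already set by an error branch above or by an earlier control */`. The function continues past the end of this hunk.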
@@ -578,7 +584,7 @@ static int do_ppolicy_bind(MYLDAP_SESSION *session, LDAP
*ld, const char *uri)
/* handle any returned controls */
if (responsectrls != NULL)
{
- handle_ppasswd_controls(session, ld, responsectrls);
+ handle_ppolicy_controls(session, ld, responsectrls);
ldap_controls_free(responsectrls);
}
/* return the result of the BIND operation */
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=4302901a2708d55b24880b77437e3d782b0de1cb
commit 4302901a2708d55b24880b77437e3d782b0de1cb
Author: Mathieu Baeumler <mathieu.baeumler@gmail.com>
Date: Thu Jul 9 08:59:19 2015 +0200
Fix password policy expiration warnings
If a password expiration warning (pwdExpireWarning) is set in slapd, and
the password is about to expire, slapd sends the timeBeforeExpiration
value as part of the passwordPolicyResponse.
nslcd would incorrectly instruct the PAM module to require immediate
password change. This has been fixed for both timeBeforeExpiration and
graceLoginsRemaining.
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index 8fe0bd9..9e9877c 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -467,7 +467,7 @@ static void handle_ppasswd_controls(MYLDAP_SESSION
*session, LDAP *ld, LDAPContr
((session->policy_response == NSLCD_PAM_SUCCESS) ||
(session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)))
{
- session->policy_response = NSLCD_PAM_AUTHTOK_EXPIRED;
+ session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
mysnprintf(session->policy_message, sizeof(session->policy_message),
"%s", ldap_passwordpolicy_err2txt(error));
}
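Review bot: The remap of PP_passwordExpired from NSLCD_PAM_AUTHTOK_EXPIRED to NSLCD_PAM_NEW_AUTHTOK_REQD is not mentioned in the commit description, which covers only timeBeforeExpiration and graceLoginsRemaining, yet it is the change most likely to alter what the PAM module returns for an expired password (presumably a forced change instead of a denial; the PAM side is not in this diff). A comment giving the reasoning would help future readers, e.g. `/* a bind that succeeded despite passwordExpired was a grace login: let the user in but require a password change */`, if that is indeed the case being handled. handle_ppasswd_controls starts and ends outside this hunk.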
@@ -498,14 +498,12 @@ static void handle_ppasswd_controls(MYLDAP_SESSION
*session, LDAP *ld, LDAPContr
((session->policy_response == NSLCD_PAM_SUCCESS) ||
(session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)))
{
- session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
mysnprintf(session->policy_message, sizeof(session->policy_message),
"Password will expire in %d seconds", expire);
}
else if ((grace >= 0) &&
(session->policy_response == NSLCD_PAM_SUCCESS))
{
- session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
mysnprintf(session->policy_message, sizeof(session->policy_message),
"Password expired, %d grace logins left", grace);
}
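Review bot: Removing `session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;` is clearly right for the timeBeforeExpiration branch but questionable for graceLoginsRemaining: when a server reports grace logins the password has already expired, and with policy_response left at NSLCD_PAM_SUCCESS (the only value that reaches this branch) the user is admitted with nothing more than a warning and is never pushed to change the password until the grace count is exhausted and the bind fails outright. Unless slapd also sets the passwordExpired error in the same response (handled by the branch above) or the PAM module enforces a change elsewhere, neither of which is visible here, consider keeping NEW_AUTHTOK_REQD in the grace branch so that the "Password expired" message is accompanied by a forced change, or making the downgrade configurable. The function continues outside this hunk.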
-----------------------------------------------------------------------
Summary of changes:
nslcd/myldap.c | 38 +++++++++++++++++++++-----------------
pam/pam.c | 8 ++++++++
2 files changed, 29 insertions(+), 17 deletions(-)
hooks/post-receive
--
nss-pam-ldapd