
nss-pam-ldapd branch master updated. 0.9.6-15-g31cd2cf


nss-pam-ldapd branch master updated. 0.9.6-15-g31cd2cf



This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "nss-pam-ldapd".

The branch, master has been updated
       via  31cd2cf4dc588f2a11c8223ef9e1962c849466eb (commit)
       via  117c9cbc54c306a31990ede47d83a80fb339320a (commit)
      from  027df03a3b8b8c2753e67c4c38f475f29a3941f0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=31cd2cf4dc588f2a11c8223ef9e1962c849466eb

commit 31cd2cf4dc588f2a11c8223ef9e1962c849466eb
Author: Mathieu Baeumler <mathieu.baeumler@gmail.com>
Date:   Sun Oct 18 18:37:53 2015 +0200

    Add pam_authc_ppolicy option
    
    This option allows completely disabling ppolicy handling.

diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml
index 120aa96..34b0a25 100644
--- a/man/nslcd.conf.5.xml
+++ b/man/nslcd.conf.5.xml
@@ -813,6 +813,18 @@
      </listitem>
     </varlistentry>
 
+    <varlistentry id="pam_authc_ppolicy"> <!-- since 0.9.7 -->
+     <term><option>pam_authc_ppolicy</option> yes|no</term>
+     <listitem>
+      <para>
+       This option specifies whether password policy controls are requested
+       and handled from the <acronym>LDAP</acronym> server when performing
+       user authentication.
+       By default the controls are requested and handled if available.
+      </para>
+     </listitem>
+    </varlistentry>
+
     <varlistentry id="pam_authz_search"> <!-- since 0.7.4 -->
      <term><option>pam_authz_search</option>
            <replaceable>FILTER</replaceable></term>
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index fad37d2..c142712 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -1205,6 +1205,9 @@ static void cfg_defaults(struct ldap_config *cfg)
   cfg->scope = LDAP_SCOPE_SUBTREE;
   cfg->deref = LDAP_DEREF_NEVER;
   cfg->referrals = 1;
+#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE)
+  cfg->pam_authc_ppolicy = 1;
+#endif
   cfg->bind_timelimit = 10;
   cfg->timelimit = LDAP_NO_LIMIT;
   cfg->idle_timelimit = 0;
@@ -1421,6 +1424,17 @@ static void cfg_read(const char *filename, struct 
ldap_config *cfg)
     {
       handle_map(filename, lnr, keyword, line);
     }
+    else if (strcasecmp(keyword, "pam_authc_ppolicy") == 0)
+    {
+#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE)
+      cfg->pam_authc_ppolicy = get_boolean(filename, lnr, keyword, &line);
+      get_eol(filename, lnr, keyword, &line);
+#else
+      log_log(LOG_ERR, "%s:%d: value %s not supported on platform",
+              filename, lnr, value);
+      exit(EXIT_FAILURE);
+#endif
+    }
     /* timing/reconnect options */
     else if (strcasecmp(keyword, "bind_timelimit") == 0)
     {
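Review bot: The `#else` branch's `log_log(LOG_ERR, ...)` call passes `value`, an identifier that appears nowhere else in this hunk; the neighbouring handler only shows `keyword` and `line` as locals, so if cfg_read has no `value`, the branch fails to compile on exactly the platforms it is meant to guard, and the text also calls the unsupported option a "value". `log_log(LOG_ERR, "%s:%d: option %s not supported on platform", filename, lnr, keyword);` reports what the branch is actually rejecting. cfg_read begins and ends outside this hunk, so the other platform-guarded handlers it may contain could not be compared here.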
@@ -1770,6 +1784,9 @@ static void cfg_dump(void)
   LOG_ATTMAP(LM_SHADOW, shadow, shadowInactive);
   LOG_ATTMAP(LM_SHADOW, shadow, shadowExpire);
   LOG_ATTMAP(LM_SHADOW, shadow, shadowFlag);
+#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE)
+  log_log(LOG_DEBUG, "CFG: pam_authc_ppolicy %s", 
print_boolean(nslcd_cfg->pam_authc_ppolicy));
+#endif
   log_log(LOG_DEBUG, "CFG: bind_timelimit %d", nslcd_cfg->bind_timelimit);
   log_log(LOG_DEBUG, "CFG: timelimit %d", nslcd_cfg->timelimit);
   log_log(LOG_DEBUG, "CFG: idle_timelimit %d", nslcd_cfg->idle_timelimit);
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index adc812b..8e39705 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -107,6 +107,9 @@ struct ldap_config {
   int deref;      /* dereference aliases/links */
   int referrals;  /* chase referrals */
 
+#if defined(HAVE_LDAP_SASL_BIND) && defined(LDAP_SASL_SIMPLE)
+  int pam_authc_ppolicy;    /* whether to send password policy controls on 
bind */
+#endif
   int bind_timelimit;       /* bind timelimit */
   int timelimit;            /* search timelimit */
   int idle_timelimit;       /* idle timeout */
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index d775d2e..926a51d 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -529,19 +529,25 @@ static int do_ppolicy_bind(MYLDAP_SESSION *session, LDAP 
*ld, const char *uri)
   int msgid;
   struct timeval timeout;
   LDAPMessage *result;
-  /* build password policy request control */
-  passwd_policy_req.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;
-  passwd_policy_req.ldctl_value.bv_val = NULL; /* none */
-  passwd_policy_req.ldctl_value.bv_len = 0;
-  passwd_policy_req.ldctl_iscritical = 0; /* not critical */
-  requestctrls[0] = &passwd_policy_req;
+  /* build policy request if pam_authc_ppolicy is set */
+  if (nslcd_cfg->pam_authc_ppolicy)
+  {
+    passwd_policy_req.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST;
+    passwd_policy_req.ldctl_value.bv_val = NULL; /* none */
+    passwd_policy_req.ldctl_value.bv_len = 0;
+    passwd_policy_req.ldctl_iscritical = 0; /* not critical */
+    requestctrls[0] = &passwd_policy_req;
+  }
+  else
+    requestctrls[0] = NULL;
   requestctrls[1] = NULL;
   /* build password berval */
   cred.bv_val = (char *)session->bindpw;
   cred.bv_len = strlen(session->bindpw);
   /* do a SASL simple bind with the binddn and bindpw */
-  log_log(LOG_DEBUG, "ldap_sasl_bind(\"%s\",%s) (uri=\"%s\")", session->binddn,
-          (session->bindpw[0] != '\0') ? "\"***\"" : "\"\"", uri);
+  log_log(LOG_DEBUG, "ldap_sasl_bind(\"%s\",%s) (uri=\"%s\") (ppolicy=%s)",
+          session->binddn, (session->bindpw[0] != '\0') ? "\"***\"" : "\"\"",
+          uri, (requestctrls[0] == NULL) ? "no" : "yes");
   rc = ldap_sasl_bind(ld, session->binddn, LDAP_SASL_SIMPLE, &cred, 
requestctrls, NULL, &msgid);
   if (rc != LDAP_SUCCESS)
     return rc;
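Review bot: The `else` at `requestctrls[0] = NULL;` is the only unbraced branch in this hunk while its `if` counterpart is braced, and the surrounding code puts braces on their own lines for every block; bracing the else body the same way keeps the two arms visually parallel and avoids a later one-line addition silently falling outside the branch. do_ppolicy_bind begins before this hunk and continues after it.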
@@ -571,21 +577,25 @@ static int do_ppolicy_bind(MYLDAP_SESSION *session, LDAP 
*ld, const char *uri)
       ldap_msgfree(result);
     return LDAP_TIMEOUT;
   }
-  /* parse the result from the bind operation (frees result, gets controls) */
   responsectrls = NULL;
-  parserc = ldap_parse_result(ld, result, &rc, NULL, NULL, NULL, 
&responsectrls, 1);
-  if (parserc != LDAP_SUCCESS)
+  /* ignore any response controls unless we're interested in ppolicy */
+  if (nslcd_cfg->pam_authc_ppolicy)
   {
-    myldap_err(LOG_ERR, ld, parserc, "ldap_parse_result() failed");
+    /* parse the result from the bind operation (frees result, gets controls) 
*/
+    parserc = ldap_parse_result(ld, result, &rc, NULL, NULL, NULL, 
&responsectrls, 1);
+    if (parserc != LDAP_SUCCESS)
+    {
+      myldap_err(LOG_ERR, ld, parserc, "ldap_parse_result() failed");
+      if (responsectrls != NULL)
+        ldap_controls_free(responsectrls);
+      return parserc;
+    }
+    /* handle any returned controls */
     if (responsectrls != NULL)
+    {
+      handle_ppolicy_controls(session, ld, responsectrls);
       ldap_controls_free(responsectrls);
-    return parserc;
-  }
-  /* handle any returned controls */
-  if (responsectrls != NULL)
-  {
-    handle_ppolicy_controls(session, ld, responsectrls);
-    ldap_controls_free(responsectrls);
+    }
   }
   /* return the result of the BIND operation */
   if (rc != LDAP_SUCCESS)
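Review bot: When `nslcd_cfg->pam_authc_ppolicy` is off, the new `if` skips `ldap_parse_result()` entirely, yet that call is where `rc` is loaded with the bind's result code and, per the comment on it, where `result` is freed. By the time `if (rc != LDAP_SUCCESS)` runs below, `rc` still holds whatever the earlier wait assigned it (presumably the `ldap_result()` return that the top of this hunk tests for the timeout case), so the bind outcome is misreported whenever ppolicy is disabled, and each `result` message leaks — the timeout path frees it with `ldap_msgfree(result)`, which this path no longer does. The result should still be parsed, just without asking for controls, in an `else` branch as below. do_ppolicy_bind begins before this hunk and its handling of `rc` continues after it.
```c
  if (nslcd_cfg->pam_authc_ppolicy)
  {
    /* … unchanged: parse result, handle and free response controls … */
  }
  else
  {
    /* still parse the bind result: this sets rc and frees result */
    parserc = ldap_parse_result(ld, result, &rc, NULL, NULL, NULL, NULL, 1);
    if (parserc != LDAP_SUCCESS)
    {
      myldap_err(LOG_ERR, ld, parserc, "ldap_parse_result() failed");
      return parserc;
    }
  }
  /* … unchanged: return the result of the BIND operation … */
```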

http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=117c9cbc54c306a31990ede47d83a80fb339320a

commit 117c9cbc54c306a31990ede47d83a80fb339320a
Author: Arthur de Jong <arthur@arthurdejong.org>
Date:   Wed Jan 6 21:32:05 2016 +0100

    Fix error handling on credential change
    
    This fixes setting the correct LDAP error code and also fixes formatting
    in 027df03.

diff --git a/nslcd/pam.c b/nslcd/pam.c
index 82656ae..3c7df2c 100644
--- a/nslcd/pam.c
+++ b/nslcd/pam.c
@@ -714,9 +714,11 @@ static int try_pwmod(MYLDAP_SESSION *oldsession,
     {
       /* if user modifies own password, update credentials for the session */
       if (binddn == userdn)
-        if (myldap_set_credentials(session, binddn, newpassword)) {
+        if (myldap_set_credentials(session, binddn, newpassword))
+        {
+          rc = LDAP_LOCAL_ERROR;
           log_log(LOG_WARNING, "%s: shadowLastChange: modification failed: %s",
-                  userdn, ldap_err2string(LDAP_LOCAL_ERROR));
+                  userdn, ldap_err2string(rc));
           myldap_session_close(session);
           return rc;
         }
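Review bot: The outer `if (binddn == userdn)` still has no braces around the inner braced `if`, while the rest of this hunk now formats blocks with braces on their own lines; wrapping the outer body in `{ … }` makes the nesting explicit and removes the dangling-else hazard should an `else` be added to either level later. The `log_log(LOG_WARNING, ...)` text attributes the failure to shadowLastChange while the failing call is `myldap_set_credentials()`; if that wording is not deliberate, `"%s: failed to update session credentials: %s"` describes the condition being logged. try_pwmod begins and ends outside this hunk.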

-----------------------------------------------------------------------

Summary of changes:
 man/nslcd.conf.5.xml | 12 ++++++++++++
 nslcd/cfg.c          | 17 +++++++++++++++++
 nslcd/cfg.h          |  3 +++
 nslcd/myldap.c       | 48 +++++++++++++++++++++++++++++-------------------
 nslcd/pam.c          |  6 ++++--
 5 files changed, 65 insertions(+), 21 deletions(-)


hooks/post-receive
-- 
nss-pam-ldapd
-- 