Re: Support for pam_ldap configuration

I have added a check for the "passwd" prohibit message in pam_sm_authenticate(). Solaris
"passwd" does invoke pam_sm_authenticate():

Index: pam.c
===================================================================
RCS file: /var/CVSROOT/nss-pam-ldapd-0.8.3/pam/pam.c,v
retrieving revision 1.4
diff -u -r1.4 pam.c
--- pam.c       10 Jul 2012 17:35:19 -0000      1.4
+++ pam.c       11 Jul 2012 14:56:10 -0000
@@ -398,13 +398,30 @@
   int rc;
   struct pld_cfg cfg;
   struct pld_ctx *ctx;
-  const char *username,*service;
+  const char *username,*service,*prohibit_message;
   char *passwd=NULL;
   /* set up configuration */
   cfg_init(pamh,flags,argc,argv,&cfg);
   rc=init(pamh,&cfg,&ctx,&username,&service);
   if (rc!=PAM_SUCCESS)
     return remap_pam_rc(rc,&cfg);
+
+  /* if service is "passwd" and pwdmod is not allowed */
+  /* alert user */
+  if (!strcmp(service, "passwd")) {
+     /* check if password modification is allowed */
+     rc = nslcd_request_config_get(pamh, ctx, &cfg,
+          NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE, &prohibit_message);
+     if ((rc==PAM_SUCCESS)&&(prohibit_message!=NULL)
+        &&(prohibit_message[0]!='\0')) {
+        /* silently ignore errors when configuration not available */
+        pam_syslog(pamh,LOG_NOTICE,"password change prohibited: %s;user=%s",
+               prohibit_message, username);
+        if (!cfg.no_warn)
+           pam_error(pamh,"%s",prohibit_message);
+        return remap_pam_rc(PAM_PERM_DENIED,&cfg);
+     }
+  }
   /* get the password */
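Review bot: the comment `/* silently ignore errors when configuration not available */` is placed inside the branch that only runs when `rc==PAM_SUCCESS` and a non-empty `prohibit_message` came back, so it describes the opposite of what that branch does; move it above the `if` (the fall-through to "get the password" when the request fails is the part that ignores the error), or reword it to say the message is logged and authentication refused. Two smaller points in the same hunk: the new lines use spaces around operators and a trailing `{` on the `if` line, while the surrounding context (`rc=init(pamh,&cfg,&ctx,&username,&service);`, `if (rc!=PAM_SUCCESS)`) does not, so `rc=nslcd_request_config_get(...)` and `if (strcmp(service,"passwd")==0)` would match the file; and since this refuses the whole pam_sm_authenticate() call with `PAM_PERM_DENIED` for any service named "passwd", the commit text should say that this is intended for Solaris, where the passwd command authenticates through this entry point, so that readers do not expect it to fire on a chauthtok-only passwd flow.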


Cheers, 

Ted C. Cheng
Symas Corporation

