Expiration/grace warnings bug in nslcd/myldap.c
- From: Mathieu <mathieu.baeumler [at] gmail.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Expiration/grace warnings bug in nslcd/myldap.c
- Date: Thu, 9 Jul 2015 09:19:03 +0200
Hi,
I have an issue when implementing password policy on Debian. Both the
client and the server are deployed using a fresh install of Jessie,
with slapd on the server, and nslcd/libpam-ldapd on the client.
If a password expiration warning (pwdExpireWarning) is set in slapd,
and the password is indeed about to expire, slapd sends the correct
control back to the client.
The control is then parsed successfully on the client, but an
incorrect return code is sent back to the underlying PAM, leading to
messages of this kind:
Jul 8 17:02:15 vldap02 su[22501]: pam_ldap(su:account): Password will expire in 7921505 seconds; user= ploum; err=Authentication token is no longer valid; new one required
So even if the password has not yet expired, the user is still
required to change it.
The same behavior happens with grace login.
Checking the source code, and comparing with the old pam_ldap library,
I think the patch below fixes the issue. Could you review it please?
Thanks!
Regards,
--
Mat
diff -urNad nss-pam-ldapd-0.9.4/nslcd/myldap.c
nss-pam-ldapd-0.9.4-patched/nslcd/myldap.c
--- nss-pam-ldapd-0.9.4/nslcd/myldap.c 2014-06-06 17:28:40.000000000 +0200
+++ nss-pam-ldapd-0.9.4-patched/nslcd/myldap.c 2015-07-09
08:59:19.772635722 +0200
@@ -467,7 +467,7 @@
((session->policy_response == NSLCD_PAM_SUCCESS) ||
(session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)))
{
- session->policy_response = NSLCD_PAM_AUTHTOK_EXPIRED;
+ session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
mysnprintf(session->policy_message, sizeof(session->policy_message),
"%s", ldap_passwordpolicy_err2txt(error));
}
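Review bot: the branch changed here now reports NSLCD_PAM_NEW_AUTHTOK_REQD for whatever password-policy error reached it, but the condition that selects that error sits outside the hunk. If it also covers a genuinely expired password (no grace logins left), the change turns a login that should be refused with NSLCD_PAM_AUTHTOK_EXPIRED into one that is accepted with a forced password change. Please state in the description which ldap_passwordpolicy_err2txt() errors this branch handles, or keep AUTHTOK_EXPIRED for the expired case and downgrade only the change-required ones.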
@@ -498,14 +498,13 @@
((session->policy_response == NSLCD_PAM_SUCCESS) ||
(session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)))
{
- session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
+ session->policy_response = NSLCD_PAM_SUCCESS;
mysnprintf(session->policy_message, sizeof(session->policy_message),
"Password will expire in %d seconds", expire);
}
else if ((grace >= 0) &&
(session->policy_response == NSLCD_PAM_SUCCESS))
{
- session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
mysnprintf(session->policy_message, sizeof(session->policy_message),
"Password expired, %d grace logins left", grace);
}
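Review bot: the expire-warning branch can now downgrade a stronger result, because its condition still accepts `(session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)` while the new body unconditionally assigns `session->policy_response = NSLCD_PAM_SUCCESS;`. If an earlier control already forced a password change, a warning arriving afterwards resets it to plain success. Drop the NEW_AUTHTOK_REQD alternative from that condition; the grace branch in the same hunk already tests only for SUCCESS. Removing the assignment in the grace branch is consistent with treating grace logins as warnings, but then the text "Password expired, %d grace logins left" is the only record that the password is past its lifetime, so it is worth confirming that is the PAM behaviour intended.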
@@ -582,6 +581,9 @@
{
handle_ppasswd_controls(session, ld, responsectrls);
ldap_controls_free(responsectrls);
+ if ((session->policy_response == NSLCD_PAM_SUCCESS) ||
+ (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD))
+ rc = LDAP_SUCCESS;
}
/* return the result of the BIND operation */
if (rc != LDAP_SUCCESS)
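Review bot: forcing `rc = LDAP_SUCCESS;` whenever policy_response is SUCCESS or NEW_AUTHTOK_REQD overrides the BIND result on the basis of the control alone. Unless handle_ppasswd_controls() is guaranteed to move policy_response away from NSLCD_PAM_SUCCESS on every failed BIND, a BIND that failed for some other reason but still carried a password-policy response control would be reported as a successful authentication by the `/* return the result of the BIND operation */` check that follows. Safer to restrict the override to the specific non-success rc values that accompany a warning or grace control, and to leave an invalid-credentials rc untouched.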
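As an added illustration, not nslcd's code and not part of the original message, of the precedence rule the patch is reaching for: a warning or grace control should annotate the result, never downgrade a stronger one. The enum values and the merge_rc/apply_ppolicy helpers are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for the nslcd codes in the patch; values are assumed. */
enum policy_rc {
    RC_SUCCESS = 0,          /* login allowed, message is informational */
    RC_NEW_AUTHTOK_REQD = 1, /* login allowed, password change forced   */
    RC_AUTHTOK_EXPIRED = 2   /* login denied, password no longer usable */
};
struct policy_state {
    enum policy_rc response;
    char message[128];
};
/* Merge without downgrading: a later warning never weakens a forced change. */
enum policy_rc merge_rc(enum policy_rc current, enum policy_rc incoming)
{
    return incoming > current ? incoming : current;
}
/* Apply one ppolicy response control. error_rc is the code derived from the
   control's error field (RC_SUCCESS when absent); expire/grace < 0 mean
   "not present", mirroring the >= 0 tests in the patch. Warnings and grace
   counts only annotate the result; only the error field can escalate it. */
void apply_ppolicy(struct policy_state *st, enum policy_rc error_rc,
                   int expire, int grace)
{
    st->response = merge_rc(st->response, error_rc);
    if (expire >= 0)
        snprintf(st->message, sizeof st->message,
                 "Password will expire in %d seconds", expire);
    else if (grace >= 0)
        snprintf(st->message, sizeof st->message,
                 "Password expired, %d grace logins left", grace);
}
/* Scenario from the report: a warning alone must leave the login allowed. */
int warning_keeps_success(void)
{
    struct policy_state st = { RC_SUCCESS, "" };
    apply_ppolicy(&st, RC_SUCCESS, 7921505, -1);
    return st.response == RC_SUCCESS && strstr(st.message, "7921505") != NULL;
}
/* Regression for the review point: a forced change must survive a warning. */
int warning_does_not_downgrade(void)
{
    struct policy_state st = { RC_NEW_AUTHTOK_REQD, "" };
    apply_ppolicy(&st, RC_SUCCESS, 3600, -1);
    return st.response == RC_NEW_AUTHTOK_REQD;
}
```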