Re: Expiration/grace warnings bug in nslcd/myldap.c
- From: Mathieu <mathieu.baeumler [at] gmail.com>
- To: Arthur de Jong <arthur [at] arthurdejong.org>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Expiration/grace warnings bug in nslcd/myldap.c
- Date: Sat, 31 Oct 2015 17:23:40 +0100
Hello,

> The above will result in any BIND failures (e.g. Invalid credentials)
> to be logged as a success and the user would be allowed to log in. It
> could be argued that overwriting the BIND result could be a good idea
> if the ppolicy control resulted in NEW_AUTHTOK_REQD but I'm not
> confident this is always a good idea and could be dangerous.

I've done some more tests (and modifications to the code after your patch), and I've yet to come to a use case where PAM allows someone to log in when it gets both NEW_AUTHTOK_REQD and PAM_SUCCESS. It is actually the only way to allow the users to change their passwords at expiration time or after a reset.

> The remaining changes mostly consist of making the expire
> (timeBeforeExpiration) value and grace logins (graceAuthNsRemaining)
> not force password change but to just present an informational message
> to the user.

Indeed, that part now works great. One could argue that a more meaningful message could be displayed (days/hours/...), but the seconds are just fine as well :-)

> I've done some further testing but I haven't gotten the pwdReset
> attribute working with nslcd yet. If the password is reset slapd will
> allow the BIND but refuse the search (which is part of our
> authentication test) and nslcd will consider the authentication failed.
>
> There was some discussion on not performing a search after BIND (or
> making it configurable) and I'm more than willing to review and merge
> patches to that effect but disabling the search is not yet possible.
>
> It does seem that slapd returns PP_passwordExpired together with
> LDAP_INVALID_CREDENTIALS. This means that the return value of
> NEW_AUTHTOK_REQD is ignored in that case. The value is however logged
> for informational purposes.

Enclosed two patches:

- One is to disable ppolicy at the client's side, which is useful for some of my servers.
- The other one changes the behaviour of nslcd_pam_authc by introducing a new flag at the session level.

In a nutshell, this flag is only set at the PAM authentication phase, and disables the search (but not the try_bind). If this preliminary bind is successful AND ppolicy doesn't say otherwise, the search is performed. That way I now have nslcd displaying warnings, allowing me to change my password when it is expired, or when the administrator pwdReset it.

Both patches were tested on the latest git version of nslcd, and generated on a Debian server with quilt.

-- Mat
Attachments:

- pam_sm_authenticate.patch (Binary data)
- pam-lookup-policy.patch (Binary data)
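The decision the thread is circling around is an ordering question: the BIND verdict must never be overwritten by the ppolicy response control (otherwise an invalid-credentials BIND that also carries PP_passwordExpired would be reported as a success), while an expired or reset password on a successful BIND should yield NEW_AUTHTOK_REQD with the post-BIND search skipped during the PAM authentication phase, and timeBeforeExpiration / graceAuthNsRemaining should only produce an informational message. The following C block is an added illustration of that decision table written for this page; it is not nslcd's code and not the contents of either attached patch. The enum names, the `ppolicy_info` struct and the `pam_authc_phase` parameter are this example's own hypothetical names, chosen to mirror the flag described in the message.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of the LDAP BIND itself (constructed subset of LDAP result codes). */
enum bind_result {
    BIND_SUCCESS,
    BIND_INVALID_CREDENTIALS,
    BIND_OTHER_ERROR
};

/* Error value carried in the ppolicy response control, when one is present. */
enum pp_error {
    PP_NO_ERROR,
    PP_PASSWORD_EXPIRED,
    PP_CHANGE_AFTER_RESET,
    PP_ACCOUNT_LOCKED
};

/* What would be reported back to the PAM module (hypothetical names). */
enum authc_result {
    AUTHC_OK,
    AUTHC_AUTH_ERR,
    AUTHC_NEW_AUTHTOK_REQD,
    AUTHC_PERM_DENIED
};

/* Decoded ppolicy response control; -1 means the field was not returned. */
struct ppolicy_info {
    enum pp_error error;
    long time_before_expiration;  /* seconds, from timeBeforeExpiration */
    long grace_authns_remaining;  /* from graceAuthNsRemaining */
};

struct authc_outcome {
    enum authc_result result;
    int perform_search;   /* 1 if the post-BIND search should still be run */
    char message[128];    /* informational text for the user, or "" */
};

/*
 * Decide the authentication outcome from the BIND result and the ppolicy
 * control. pam_authc_phase models the session-level flag from the thread:
 * set only while PAM is authenticating, it skips the search when the server
 * is going to refuse it anyway (expired or reset password).
 */
struct authc_outcome decide_authc(enum bind_result bind,
                                  const struct ppolicy_info *pp,
                                  int pam_authc_phase)
{
    struct authc_outcome out;
    memset(&out, 0, sizeof(out));
    out.perform_search = 1;

    /* A failed BIND stays a failure, even if the control also reports an
     * expired password (slapd can return both). The control only refines
     * the error and the log message; it never turns a failure into success. */
    if (bind != BIND_SUCCESS) {
        out.perform_search = 0;
        if (pp != NULL && pp->error == PP_ACCOUNT_LOCKED) {
            out.result = AUTHC_PERM_DENIED;
            snprintf(out.message, sizeof(out.message), "Account is locked");
        } else {
            out.result = AUTHC_AUTH_ERR;
            if (pp != NULL && pp->error == PP_PASSWORD_EXPIRED)
                snprintf(out.message, sizeof(out.message),
                         "BIND failed; server also reports password expired");
        }
        return out;
    }

    /* BIND succeeded. Expired or reset password: the user must change it
     * now; in the PAM authentication phase the search is skipped because
     * the server would reject it. */
    if (pp != NULL && (pp->error == PP_PASSWORD_EXPIRED ||
                       pp->error == PP_CHANGE_AFTER_RESET)) {
        out.result = AUTHC_NEW_AUTHTOK_REQD;
        out.perform_search = pam_authc_phase ? 0 : 1;
        snprintf(out.message, sizeof(out.message), "%s",
                 pp->error == PP_PASSWORD_EXPIRED
                     ? "Password expired; you must change it now"
                     : "Password was reset; you must change it now");
        return out;
    }

    /* Plain success: expiry countdown and grace logins are informational
     * only; they neither force a change nor block the search. */
    out.result = AUTHC_OK;
    if (pp != NULL && pp->grace_authns_remaining >= 0)
        snprintf(out.message, sizeof(out.message),
                 "Password expired; %ld grace logins remaining",
                 pp->grace_authns_remaining);
    else if (pp != NULL && pp->time_before_expiration >= 0)
        snprintf(out.message, sizeof(out.message),
                 "Password will expire in %ld seconds",
                 pp->time_before_expiration);
    return out;
}

int main(void)
{
    /* Constructed sample: slapd answering INVALID_CREDENTIALS plus PP_passwordExpired. */
    struct ppolicy_info expired = { PP_PASSWORD_EXPIRED, -1, -1 };
    struct authc_outcome o = decide_authc(BIND_INVALID_CREDENTIALS, &expired, 1);
    printf("result=%d search=%d msg=%s\n", o.result, o.perform_search, o.message);
    o = decide_authc(BIND_SUCCESS, &expired, 1);
    printf("result=%d search=%d msg=%s\n", o.result, o.perform_search, o.message);
    return 0;
}
```

The point worth keeping from the table: the only path to `AUTHC_NEW_AUTHTOK_REQD` runs through a successful BIND, so a caller that later maps it to PAM_SUCCESS plus a forced password change is still gated on the credentials having been correct, which is the property the quoted objection was protecting.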