lists.arthurdejong.org

Re: Expiration/grace warnings bug in nslcd/myldap.c


Hello,

> The above will result in any BIND failures (e.g. Invalid credentials)
> to be logged as a success and the user would be allowed to log in. It
> could be argued that overwriting the BIND result could be a good idea
> if the ppolicy control resulted in NEW_AUTHTOK_REQD but I'm not
> confident this is always a good idea and could be dangerous.

I've done some more tests (and modifications to the code after your
patch), and I've yet to come to a use case where PAM allows someone to
log in when it gets both NEW_AUTHTOK_REQD and PAM_SUCCESS. It is
actually the only way to allow the users to change their passwords at
expiration time or after a reset.

> The remaining changes mostly consist of making the expire
> (timeBeforeExpiration) value and grace logins (graceAuthNsRemaining)
> not force password change but to just present an informational message
> to the user.

Indeed, that part now works great. One could argue that a more
meaningful message could be displayed (days/hours/...), but the
seconds are just fine as well :-)

> I've done some further testing but I haven't gotten the pwdReset
> attribute working with nslcd yet. If the password is reset slapd will
> allow the BIND but refuse the search (which is part of our
> authentication test) and nslcd will consider the authentication failed.
>
> There was some discussion on not performing a search after BIND (or
> making it configurable) and I'm more than willing to review and merge
> patches to that effect but disabling the search is not yet possible.
>
> It does seem that slapd returns PP_passwordExpired together with
> LDAP_INVALID_CREDENTIALS. This means that the return value of
> NEW_AUTHTOK_REQD is ignored in that case. The value is however logged
> for informational purposes.

Enclosed two patches:
- One is to disable ppolicy at client's side, which is useful for some
of my servers
- The other one changes the behaviour of nslcd_pam_authc by
introducing a new flag at the session level.
In a nutshell, this flag is only set at the PAM authentication phase, and
disables the search (but not the try_bind).
If this preliminary bind is successful AND ppolicy doesn't say
otherwise, the search is performed.

That way I now have nslcd displaying warnings, allowing me to change
my password when it is expired, or when the administrator pwdReset it.

Both patches were tested on the last git version of nslcd, and
generated on a debian server with quilt.

-- 
Mat

Attachment: pam_sm_authenticate.patch
Description: Binary data

Attachment: pam-lookup-policy.patch
Description: Binary data
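An added example, not code from nslcd or from the patches attached above, that models the decision rules discussed in this thread: a failed BIND is never reported as a success even when ppolicy adds passwordExpired, a successful BIND carrying changeAfterReset (the pwdReset case) yields NEW_AUTHTOK_REQD and skips the post-BIND search in the PAM authentication phase, and timeBeforeExpiration / graceAuthNsRemaining only produce a warning. The decide() function, the pam_authc flag and the PAM result enum are hypothetical; the LDAP result and ppolicy error codes are the standard ones.

```c
#include <stdio.h>
#include <string.h>

#define LDAP_SUCCESS              0
#define LDAP_INVALID_CREDENTIALS  49
/* ppolicy control error values (draft-behera-ldap-password-policy) */
#define PP_NOERROR         (-1)
#define PP_PASSWORDEXPIRED   0
#define PP_CHANGEAFTERRESET  2

/* hypothetical stand-in for the PAM result codes */
enum pam_rc { PAM_SUCCESS, PAM_AUTH_ERR, PAM_NEW_AUTHTOK_REQD };

struct authc_result {
  enum pam_rc rc;   /* result handed back to the PAM module */
  int do_search;    /* run the post-BIND lookup or not */
  char msg[64];     /* informational text shown to the user */
};

/* bind_rc: LDAP result of the BIND; pp_error: ppolicy error or PP_NOERROR;
 * expire: timeBeforeExpiration in seconds (-1 if absent);
 * grace: graceAuthNsRemaining (-1 if absent);
 * pam_authc: hypothetical session flag, set only in the PAM auth phase */
struct authc_result decide(int bind_rc, int pp_error, int expire, int grace,
                           int pam_authc)
{
  struct authc_result r = { PAM_AUTH_ERR, 0, "" };
  /* a failed BIND is never overwritten: ppolicy detail is only logged */
  if (bind_rc != LDAP_SUCCESS) {
    if (pp_error == PP_PASSWORDEXPIRED)
      strcpy(r.msg, "password expired, BIND refused");
    return r;
  }
  /* BIND ok but slapd demands a change (pwdReset): report NEW_AUTHTOK_REQD
   * and, in the auth phase, skip the search slapd would refuse anyway */
  if (pp_error == PP_CHANGEAFTERRESET) {
    r.rc = PAM_NEW_AUTHTOK_REQD;
    r.do_search = !pam_authc;
    strcpy(r.msg, "password must be changed");
    return r;
  }
  /* plain success: expiry and grace data become warnings, not a forced change */
  r.rc = PAM_SUCCESS;
  r.do_search = 1;
  if (grace >= 0)
    snprintf(r.msg, sizeof r.msg, "%d grace logins remaining", grace);
  else if (expire >= 0)
    snprintf(r.msg, sizeof r.msg, "password expires in %d seconds", expire);
  return r;
}
```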

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/