lists.arthurdejong.org

Re: Expiration/grace warnings bug in nslcd/myldap.c

Hi Mat,

Sorry for not replying sooner. I've been a bit busy with other stuff so
if anyone has any patches that haven't been reviewed or merged, feel
free to prod me.

On Sat, 2015-10-31 at 17:23 +0100, Mathieu wrote:
> Enclosed two patches:
> - One is to disable ppolicy at client's side, which is useful for 
>   some of my servers

I've merged this change to master. I've renamed the option to
pam_authc_ppolicy. Thanks.

> - The other one changes the behaviour of nslcd_pam_authc by
> introducing a new flag at the session level.
> In a nutshell, this flag is only set at pam authentication phase, and
> disables the search (but not the try_bind).
> If this preliminary bind is successful AND ppolicy doesn't say
> otherwise, the search is performed.

I've taken your idea and implemented a myldap_bind() function that
basically integrates this idea and also includes what was previously in
myldap_get_policy_response(). I used a fake search scope instead of a
global variable though.

That leaves the change to the handling of authorisation and
authentication result codes. I want to do some further testing before I
merge that part. Particularly I have some doubts if everything works OK
if authorisation (account) is not configured in the PAM stack but
authentication (auth) is.

Anyway, attached are the two changes. Any testing you could do on that
end is highly appreciated.

Thanks for your patches and your patience ;)

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --

Attachment: 0001-implement-myldap_bind-function.patch
Description: Text Data

Attachment: 0002-prefer-authorisation-result-code.patch
Description: Text Data
