authorArthur de Jong <arthur@arthurdejong.org>2012-07-08 10:26:32 +0200
committerArthur de Jong <arthur@arthurdejong.org>2012-07-08 10:26:32 +0200
commita7b45e56fd3515435bbbc2b57dae4d6f3b20113f (patch)
tree536db2d4c36e444351b00d41ec0efffdc395a18b /pam/pam.c
parentc8f4cef2c40a3a84cb83badc65618afa16c9b3ab (diff)
implement a pam_password_prohibit_message nslcd.conf option to deny password change, introducing an NSLCD_ACTION_CONFIG_GET request; thanks to Ted Cheng
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1715 ef36b2f9-881f-0410-afb5-c4e39611909c
Diffstat (limited to 'pam/pam.c')
-rw-r--r--pam/pam.c23
1 files changed, 23 insertions, 0 deletions
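diff --git a/pam/pam.c b/pam/pam.c
index 5ef91cc..224b58e 100644
--- a/pam/pam.c
+++ b/pam/pam.c
@@ -363,6 +363,18 @@ static int nslcd_request_pwmod(pam_handle_t *pamh,struct pld_ctx *ctx,struct pld
 READ_BUF_STRING(fp,ctx->authzmsg);)
 }
+static int nslcd_request_config_get(pam_handle_t *pamh,struct pld_ctx *ctx,struct pld_cfg *cfg,
+ int cfgopt,char **value)
+{
+ PAM_REQUEST(NSLCD_ACTION_CONFIG_GET,
+ /* log debug message */
+ pam_syslog(pamh,LOG_DEBUG,"nslcd request config (%d)",cfgopt),
+ /* write the request parameter */
+ WRITE_INT32(fp,cfgopt),
+ /* read the result entry */
+ READ_BUF_STRING(fp,*value);)
+}
+
 /* remap the return code based on the configuration */
 static int remap_pam_rc(int rc,struct pld_cfg *cfg)
 {
@@ -550,6 +562,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc,const char **argv)
 struct pld_ctx *ctx;
 const char *username,*service;
 const char *oldpassword=NULL,*newpassword=NULL;
+ char *prohibit_message;
 struct passwd *pwent;
 uid_t myuid;
 /* set up configuration */
@@ -557,6 +570,16 @@ int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc,const char **argv)
 rc=init(pamh,&cfg,&ctx,&username,&service);
 if (rc!=PAM_SUCCESS)
 return remap_pam_rc(rc,&cfg);
+ /* check if password modification is allowed */
+ rc=nslcd_request_config_get(pamh,ctx,&cfg,NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE,&prohibit_message);
+ if ((rc==PAM_SUCCESS)&&(prohibit_message!=NULL)&&(prohibit_message[0]!='\0'))
+ {
+ /* we silently ignore errors to get the configuration option */
+ pam_syslog(pamh,LOG_NOTICE,"password change prohibited: %s; user=%s",prohibit_message,username);
+ if (!cfg.no_warn)
+ pam_error(pamh,"%s",prohibit_message);
+ return remap_pam_rc(PAM_PERM_DENIED,&cfg);
+ }
 /* see if we are dealing with an LDAP user first */
 if (ctx->dn==NULL)
 {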
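Review bot: `char *prohibit_message;` added at the top of pam_sm_chauthtok is never initialised and is only kept from being read by the short-circuit on `rc==PAM_SUCCESS` in the condition below; declaring it as `char *prohibit_message=NULL;` makes the later NULL test sufficient on its own and keeps the variable safe if that condition is ever reordered. The comment `/* we silently ignore errors to get the configuration option */` sits inside the branch that runs only when the request succeeded, so it describes the absent else-path rather than the lines under it; it belongs directly above the `if`. Note also that this check runs before the `ctx->dn==NULL` test that follows it, so a configured prohibit message appears to deny the change for users nslcd does not know as well, unless remap_pam_rc maps PAM_PERM_DENIED away for that setup — worth confirming that is intended, or moving the block after that test. pam_sm_chauthtok continues outside the hunk.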