diff options
author | Arthur de Jong <arthur@arthurdejong.org> | 2012-07-08 10:26:32 +0200 |
---|---|---|
committer | Arthur de Jong <arthur@arthurdejong.org> | 2012-07-08 10:26:32 +0200 |
commit | a7b45e56fd3515435bbbc2b57dae4d6f3b20113f (patch) | |
tree | 536db2d4c36e444351b00d41ec0efffdc395a18b /pam/pam.c | |
parent | c8f4cef2c40a3a84cb83badc65618afa16c9b3ab (diff) |
implement a pam_password_prohibit_message nslcd.conf option to deny password change introducing a NSLCD_ACTION_CONFIG_GET request thanks to Ted Cheng
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1715 ef36b2f9-881f-0410-afb5-c4e39611909c
Diffstat (limited to 'pam/pam.c')
-rw-r--r-- | pam/pam.c | 23 |
1 files changed, 23 insertions, 0 deletions
@@ -363,6 +363,18 @@ static int nslcd_request_pwmod(pam_handle_t *pamh,struct pld_ctx *ctx,struct pld READ_BUF_STRING(fp,ctx->authzmsg);) } +static int nslcd_request_config_get(pam_handle_t *pamh,struct pld_ctx *ctx,struct pld_cfg *cfg, + int cfgopt,char **value) +{ + PAM_REQUEST(NSLCD_ACTION_CONFIG_GET, + /* log debug message */ + pam_syslog(pamh,LOG_DEBUG,"nslcd request config (%d)",cfgopt), + /* write the request parameter */ + WRITE_INT32(fp,cfgopt), + /* read the result entry */ + READ_BUF_STRING(fp,*value);) +} + /* remap the return code based on the configuration */ static int remap_pam_rc(int rc,struct pld_cfg *cfg) { @@ -550,6 +562,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc,const char **argv) struct pld_ctx *ctx; const char *username,*service; const char *oldpassword=NULL,*newpassword=NULL; + char *prohibit_message; struct passwd *pwent; uid_t myuid; /* set up configuration */ @@ -557,6 +570,16 @@ int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc,const char **argv) rc=init(pamh,&cfg,&ctx,&username,&service); if (rc!=PAM_SUCCESS) return remap_pam_rc(rc,&cfg); + /* check if password modification is allowed */ + rc=nslcd_request_config_get(pamh,ctx,&cfg,NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE,&prohibit_message); + if ((rc==PAM_SUCCESS)&&(prohibit_message!=NULL)&&(prohibit_message[0]!='\0')) + { + /* we silently ignore errors to get the configuration option */ + pam_syslog(pamh,LOG_NOTICE,"password change prohibited: %s; user=%s",prohibit_message,username); + if (!cfg.no_warn) + pam_error(pamh,"%s",prohibit_message); + return remap_pam_rc(PAM_PERM_DENIED,&cfg); + } /* see if we are dealing with an LDAP user first */ if (ctx->dn==NULL) { |