authorArthur de Jong <arthur@arthurdejong.org>2012-07-11 23:21:13 +0200
committerArthur de Jong <arthur@arthurdejong.org>2012-07-11 23:21:13 +0200
commitcd04e6a41c802e89a60f591abe9c8c301afffbd9 (patch)
tree749a1a1799cbfd7da2dd96a0f9f2f0c6e6c7d8c9 /pam
parenta7b45e56fd3515435bbbc2b57dae4d6f3b20113f (diff)
also check pam_password_prohibit_message in pam_sm_authenticate() because Solaris does authentication before pam_sm_chauthtok() (thanks Ted Cheng)
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1716 ef36b2f9-881f-0410-afb5-c4e39611909c
Diffstat (limited to 'pam')
-rw-r--r--pam/pam.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/pam/pam.c b/pam/pam.c
index 224b58e..c7de0a7 100644
--- a/pam/pam.c
+++ b/pam/pam.c
@@ -392,12 +392,26 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,const char **argv)
struct pld_cfg cfg;
struct pld_ctx *ctx;
const char *username,*service;
+ char *prohibit_message;
char *passwd=NULL;
/* set up configuration */
cfg_init(pamh,flags,argc,argv,&cfg);
rc=init(pamh,&cfg,&ctx,&username,&service);
if (rc!=PAM_SUCCESS)
return remap_pam_rc(rc,&cfg);
+ /* if service is "passwd" and pwdmod is not allowed alert user */
+ if (!strcmp(service,"passwd"))
+ {
+ rc=nslcd_request_config_get(pamh,ctx,&cfg,NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE,&prohibit_message);
+ if ((rc==PAM_SUCCESS)&&(prohibit_message!=NULL)&&(prohibit_message[0]!='\0'))
+ {
+ /* we silently ignore errors to get the configuration option */
+ pam_syslog(pamh,LOG_NOTICE,"password change prohibited: %s; user=%s",prohibit_message,username);
+ if (!cfg.no_warn)
+ pam_error(pamh,"%s",prohibit_message);
+ return remap_pam_rc(PAM_PERM_DENIED,&cfg);
+ }
+ }
/* get the password */
rc=pam_get_authtok(pamh,PAM_AUTHTOK,(const char **)&passwd,NULL);
if (rc!=PAM_SUCCESS)
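Review bot: The comment `/* we silently ignore errors to get the configuration option */` sits inside the branch that runs only when the lookup succeeded, so it reads as if it described the denial path; what it actually documents is that a failed `nslcd_request_config_get()` falls through to the password prompt, i.e. the prohibition fails open. I would move it above the inner `if` and spell that out, e.g. `/* errors fetching the option are deliberately ignored: authentication continues as if no prohibit message were configured */`. The block also runs before anything visible here establishes that `username` is an account this module handles, so if `init()` does not already filter that, every user of the "passwd" service would get `PAM_PERM_DENIED` from this module; worth confirming. `pam_sm_authenticate()` starts before and continues past this hunk.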