From a7b45e56fd3515435bbbc2b57dae4d6f3b20113f Mon Sep 17 00:00:00 2001
From: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun, 8 Jul 2012 08:26:32 +0000
Subject: implement a pam_password_prohibit_message nslcd.conf option to deny
 password change introducing a NSLCD_ACTION_CONFIG_GET request thanks to Ted
 Cheng

git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1715 ef36b2f9-881f-0410-afb5-c4e39611909c
---
 nslcd/Makefile.am |  4 ++--
 nslcd/cfg.c       | 22 ++++++++++++++++++++
 nslcd/cfg.h       |  3 +++
 nslcd/common.h    |  1 +
 nslcd/config.c    | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 nslcd/nslcd.c     |  1 +
 nslcd/pam.c       | 12 +++++++++++
 7 files changed, 102 insertions(+), 2 deletions(-)
 create mode 100644 nslcd/config.c

(limited to 'nslcd')

diff --git a/nslcd/Makefile.am b/nslcd/Makefile.am
index 7a1d4c7..4b866ae 100644
--- a/nslcd/Makefile.am
+++ b/nslcd/Makefile.am
@@ -1,7 +1,7 @@
 # Makefile.am - use automake to generate Makefile.in
 #
 # Copyright (C) 2006, 2007 West Consulting
-# Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Arthur de Jong
+# Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012 Arthur de Jong
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -31,7 +31,7 @@ nslcd_SOURCES = nslcd.c ../nslcd.h ../common/nslcd-prot.h \
                 cfg.c cfg.h \
                 attmap.c attmap.h \
                 nsswitch.c \
-                alias.c ether.c group.c host.c netgroup.c network.c \
+                alias.c config.c ether.c group.c host.c netgroup.c network.c \
                 passwd.c protocol.c rpc.c service.c shadow.c pam.c
 nslcd_LDADD = ../common/libtio.a ../common/libdict.a \
               ../common/libexpr.a ../compat/libcompat.a \
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index 4e828a1..b98ad38 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -131,6 +131,7 @@ static void cfg_defaults(struct ldap_config *cfg)
   cfg->ldc_nss_min_uid=0;
   parse_validnames_statement(__FILE__,__LINE__,"",
                 "/^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i",cfg);
+  cfg->pam_password_prohibit_message=NULL;
 }
 
 /* simple strdup wrapper */
@@ -639,6 +640,23 @@ static void parse_validnames_statement(const char *filename,int lnr,
   }
 }
 
+static void parse_pam_password_prohibit_message_statement(const char *filename,int lnr,
+                   const char *keyword,char *line,struct ldap_config *cfg)
+{
+  char *value;
+  int l;
+  /* the rest of the line should be a message */
+  get_restdup(filename,lnr,keyword,&line,&value);
+  /* strip quotes if they are present */
+  l=strlen(value);
+  if ((value[0]=='\"')&&(value[l-1]=='\"'))
+  {
+    value[l-1]='\0';
+    value++;
+  }
+  cfg->pam_password_prohibit_message=value;
+}
+
 static void parse_base_statement(const char *filename,int lnr,
                                  const char *keyword,char *line,
                                  struct ldap_config *cfg)
@@ -1142,6 +1160,10 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
     {
       parse_validnames_statement(filename,lnr,keyword,line,cfg);
     }
+    else if (strcasecmp(keyword,"pam_password_prohibit_message")==0)
+    {
+      parse_pam_password_prohibit_message_statement(filename,lnr,keyword,line,cfg);
+    }
 #ifdef ENABLE_CONFIGFILE_CHECKING
     /* fallthrough */
     else
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index a7e08b4..0c432ee 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -147,6 +147,9 @@ struct ldap_config
   uid_t ldc_nss_min_uid;
   /* the regular expression to determine valid names */
   regex_t validnames;
+  /* whether password changing should be denied and user prompted with
+     this message */
+  char *pam_password_prohibit_message;
 };
 
 /* this is a pointer to the global configuration, it should be available
diff --git a/nslcd/common.h b/nslcd/common.h
index bd30fee..1938c9f 100644
--- a/nslcd/common.h
+++ b/nslcd/common.h
@@ -182,6 +182,7 @@ void shadow_init(void);
 
 /* these are the different functions that handle the database
    specific actions, see nslcd.h for the action descriptions */
+int nslcd_config_get(TFILE *fp,MYLDAP_SESSION *session);
 int nslcd_alias_byname(TFILE *fp,MYLDAP_SESSION *session);
 int nslcd_alias_all(TFILE *fp,MYLDAP_SESSION *session);
 int nslcd_ether_byname(TFILE *fp,MYLDAP_SESSION *session);
diff --git a/nslcd/config.c b/nslcd/config.c
new file mode 100644
index 0000000..d493abc
--- /dev/null
+++ b/nslcd/config.c
@@ -0,0 +1,61 @@
+/*
+   config.c - pam processing routines
+
+   Copyright (C) 2012 Arthur de Jong
+
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+   02110-1301 USA
+*/
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif /* HAVE_STDINT_H */
+#include <unistd.h>
+
+#include "common.h"
+#include "log.h"
+#include "cfg.h"
+
+int nslcd_config_get(TFILE *fp,MYLDAP_SESSION *session)
+{
+  int32_t tmpint32;
+  int32_t cfgopt;
+  /* read request parameters */
+  READ_INT32(fp,cfgopt);
+  /* log call */
+  log_setrequest("config=%d",(int)cfgopt);
+  log_log(LOG_DEBUG,"nslcd_config_get(%d)",(int)cfgopt);
+  /* write the response header */
+  WRITE_INT32(fp,NSLCD_VERSION);
+  WRITE_INT32(fp,NSLCD_ACTION_CONFIG_GET);
+  WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
+  /* validate request */
+  switch (cfgopt)
+  {
+    case NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE:
+      WRITE_STRING(fp,nslcd_cfg->pam_password_prohibit_message);
+      break;
+    default:
+      /* all other config options are ignored */
+      break;
+  }
+  WRITE_INT32(fp,NSLCD_RESULT_END);
+  return 0;
+}
diff --git a/nslcd/nslcd.c b/nslcd/nslcd.c
index 732775c..773d6db 100644
--- a/nslcd/nslcd.c
+++ b/nslcd/nslcd.c
@@ -413,6 +413,7 @@ static void handleconnection(int sock,MYLDAP_SESSION *session)
   /* handle request */
   switch (action)
   {
+    case NSLCD_ACTION_CONFIG_GET:       (void)nslcd_config_get(fp,session); break;
     case NSLCD_ACTION_ALIAS_BYNAME:     (void)nslcd_alias_byname(fp,session); break;
     case NSLCD_ACTION_ALIAS_ALL:        (void)nslcd_alias_all(fp,session); break;
     case NSLCD_ACTION_ETHER_BYNAME:     (void)nslcd_ether_byname(fp,session); break;
diff --git a/nslcd/pam.c b/nslcd/pam.c
index bcc5d4f..cef908d 100644
--- a/nslcd/pam.c
+++ b/nslcd/pam.c
@@ -647,6 +647,18 @@ int nslcd_pam_pwmod(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid)
     }
     return -1;
   }
+  /* check if pam_password_prohibit_message is set */
+  if (nslcd_cfg->pam_password_prohibit_message!=NULL)
+  {
+    log_log(LOG_NOTICE,"password change prohibited");
+    WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
+    WRITE_STRING(fp,username);
+    WRITE_STRING(fp,"");
+    WRITE_INT32(fp,NSLCD_PAM_PERM_DENIED);
+    WRITE_STRING(fp,nslcd_cfg->pam_password_prohibit_message);
+    WRITE_INT32(fp,NSLCD_RESULT_END);
+    return 0;
+  }
   /* check if the the user passed the rootpwmoddn */
   if (asroot)
   {
-- 
cgit v1.2.3