From cd04e6a41c802e89a60f591abe9c8c301afffbd9 Mon Sep 17 00:00:00 2001
From: Arthur de Jong
Date: Wed, 11 Jul 2012 21:21:13 +0000
Subject: also check pam_password_prohibit_message in pam_sm_authenticate() because Solaris does authentication before pam_sm_chauthtok() (thanks Ted Cheng)
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1716 ef36b2f9-881f-0410-afb5-c4e39611909c
---
 pam/pam.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'pam')
diff --git a/pam/pam.c b/pam/pam.c
index 224b58e..c7de0a7 100644
--- a/pam/pam.c
+++ b/pam/pam.c
@@ -392,12 +392,26 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,const char **argv)
 struct pld_cfg cfg;
 struct pld_ctx *ctx;
 const char *username,*service;
+ char *prohibit_message;
 char *passwd=NULL;
 /* set up configuration */
 cfg_init(pamh,flags,argc,argv,&cfg);
 rc=init(pamh,&cfg,&ctx,&username,&service);
 if (rc!=PAM_SUCCESS)
 return remap_pam_rc(rc,&cfg);
+ /* if service is "passwd" and pwdmod is not allowed alert user */
+ if (!strcmp(service,"passwd"))
+ {
+ rc=nslcd_request_config_get(pamh,ctx,&cfg,NSLCD_CONFIG_PAM_PASSWORD_PROHIBIT_MESSAGE,&prohibit_message);
+ if ((rc==PAM_SUCCESS)&&(prohibit_message!=NULL)&&(prohibit_message[0]!='\0'))
+ {
+ /* we silently ignore errors to get the configuration option */
+ pam_syslog(pamh,LOG_NOTICE,"password change prohibited: %s; user=%s",prohibit_message,username);
+ if (!cfg.no_warn)
+ pam_error(pamh,"%s",prohibit_message);
+ return remap_pam_rc(PAM_PERM_DENIED,&cfg);
+ }
+ }
 /* get the password */
 rc=pam_get_authtok(pamh,PAM_AUTHTOK,(const char **)&passwd,NULL);
 if (rc!=PAM_SUCCESS)
--
cgit v1.2.3
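Review bot: When `nslcd_request_config_get()` fails, the new block in pam_sm_authenticate() falls through to `pam_get_authtok()` with nothing logged, so the prohibit check fails open and leaves no trace. The comment `/* we silently ignore errors to get the configuration option */` also sits inside the success branch, where it describes the wrong path. I would move that comment above the `if ((rc==PAM_SUCCESS)&&...` test and record the failure after the inner block, e.g. `else if (rc!=PAM_SUCCESS) pam_syslog(pamh,LOG_WARNING,"cannot read password prohibit message; user=%s",username);`. Continuing on failure is presumably acceptable only because the pam_sm_chauthtok() check named in the commit message still enforces the policy, and that is worth stating in the comment. `prohibit_message` is declared uninitialized, so `char *prohibit_message=NULL;` would keep the NULL test meaningful if the helper ever returns success without writing to it; the function body continues outside the hunk.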