Hi,

this patch should fix #279 by ignoring the shadow attributes by
default.

bye,
Sumit
>From 8bcd2646e948a1f05b279196a4e6f4350aa5d5a9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 16 Nov 2009 13:56:57 +0100
Subject: [PATCH] Ignore shadow attributes

---
 server/man/sssd-ldap.5.xml          |   25 +++++++++++++++++++++++++
 server/providers/ldap/ldap_auth.c   |   19 +++++++++++++++++++
 server/providers/ldap/ldap_common.c |    3 ++-
 server/providers/ldap/sdap.h        |    1 +
 4 files changed, 47 insertions(+), 1 deletions(-)

diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml
index a2aa730..c971a2c 100644
--- a/server/man/sssd-ldap.5.xml
+++ b/server/man/sssd-ldap.5.xml
@@ -582,6 +582,31 @@
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>ldap_ignore_shadow_attributes (boolean)</term>
+                    <listitem>
+                        <para>
+                            If set to true ignore the LDAP attributes
+                            corresponding to the values describes in
+                            <citerefentry><refentrytitle>shadow</refentrytitle>
+                            <manvolnum>5</manvolnum></citerefentry> during
+                            authentication, i.e. they are not used to evaluate
+                            if the password is expired.
+                        </para>
+                        <para>
+                            Default: true
+                        </para>
+                        <para>
+                            Please note that you should only set this value to
+                            false if there is a password change mechanism
+                            available which can update the last changed time.
+                            The current version of sssd
+                            <emphasis>does not</emphasis> update the
+                            corresponding attribute.
+                        </para>
+                    </listitem>
+                </varlistentry>
+
             </variablelist>
         </para>
     </refsect1>
diff --git a/server/providers/ldap/ldap_auth.c 
b/server/providers/ldap/ldap_auth.c
index a9f03a7..114fc36 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -572,6 +572,7 @@ struct sdap_pam_chpass_state {
     char *password;
     char *new_password;
     struct sdap_handle *sh;
+    struct sdap_auth_ctx *ctx;
 };
 
 static void sdap_auth4chpass_done(struct tevent_req *req);
@@ -611,6 +612,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
     if (!state) goto done;
 
     state->breq = breq;
+    state->ctx = ctx;
     state->pd = pd;
     state->username = pd->user;
     state->password = talloc_strndup(state,
@@ -661,6 +663,12 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
     if (result == SDAP_AUTH_SUCCESS) {
         switch (pw_expire_type) {
             case PWEXPIRE_SHADOW:
+                if (dp_opt_get_bool(state->ctx->opts->basic,
+                                    SDAP_IGNORE_SHADOW_ATTRIBUTES)) {
+                    DEBUG(5, ("Ignoring shadow attributes.\n"));
+                    pw_expire_type = PWEXPIRE_NONE;
+                    break;
+                }
                 ret = check_pwexpire_shadow(pw_expire_data, time(NULL),
                                             &result);
                 if (ret != EOK) {
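Review bot: The early-out added at the top of `case PWEXPIRE_SHADOW:` is repeated verbatim in sdap_pam_auth_done (the hunk at @@ -846,6 +856,12), so the two authentication paths can drift apart on the next change; a small helper such as `static bool sdap_shadow_ignored(struct sdap_auth_ctx *ctx) { return dp_opt_get_bool(ctx->opts->basic, SDAP_IGNORE_SHADOW_ATTRIBUTES); }` would keep them in step. Since the option defaults to true, this branch turns a shadow-derived expiry into PWEXPIRE_NONE and reports a plain success even when the directory says the password is expired, which is exactly the kind of policy bypass an administrator wants to be able to see in the logs; consider naming the account, `DEBUG(5, ("Ignoring shadow attributes for user [%s].\n", state->username));`, and a comment stating why the default is to ignore (the man page hunk explains that sssd cannot update shadowLastChange yet). Whether `pw_expire_type` is read again after the switch is not visible here; if it is not, the assignment before `break` is dead. sdap_auth4chpass_done starts before and ends after this hunk.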
@@ -764,6 +772,7 @@ struct sdap_pam_auth_state {
     struct pam_data *pd;
     const char *username;
     struct dp_opt_blob password;
+    struct sdap_auth_ctx *ctx;
 };
 
 static void sdap_pam_auth_done(struct tevent_req *req);
@@ -798,6 +807,7 @@ void sdap_pam_auth_handler(struct be_req *breq)
 
         state->breq = breq;
         state->pd = pd;
+        state->ctx = ctx;
         state->username = pd->user;
         state->password.data = pd->authtok;
         state->password.length = pd->authtok_size;
@@ -846,6 +856,12 @@ static void sdap_pam_auth_done(struct tevent_req *req)
     if (result == SDAP_AUTH_SUCCESS) {
         switch (pw_expire_type) {
             case PWEXPIRE_SHADOW:
+                if (dp_opt_get_bool(state->ctx->opts->basic,
+                                    SDAP_IGNORE_SHADOW_ATTRIBUTES)) {
+                    DEBUG(5, ("Ignoring shadow attributes.\n"));
+                    pw_expire_type = PWEXPIRE_NONE;
+                    break;
+                }
                 ret = check_pwexpire_shadow(pw_expire_data, time(NULL),
                                             &result);
                 if (ret != EOK) {
@@ -883,6 +899,9 @@ static void sdap_pam_auth_done(struct tevent_req *req)
     case SDAP_UNAVAIL:
         state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
         break;
+    case SDAP_ACCT_EXPIRED:
+        state->pd->pam_status = PAM_ACCT_EXPIRED;
+        break;
     case SDAP_AUTH_PW_EXPIRED:
         state->pd->pam_status = PAM_AUTHTOK_EXPIRED;
         break;
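Review bot: The new `case SDAP_ACCT_EXPIRED:` mapping to PAM_ACCT_EXPIRED is not mentioned in the commit message, which only describes the shadow-attribute option, and the matching result-to-pam_status switch in sdap_auth4chpass_done (outside this hunk) does not visibly receive the same case, so an expired account reported during a password change presumably still falls into that switch's default; either add the same mapping there or document in the commit message that only the auth path is changed. SDAP_ACCT_EXPIRED itself is not introduced by this patch, so it is assumed to already exist in the result enum. The enclosing switch begins before this hunk.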
diff --git a/server/providers/ldap/ldap_common.c 
b/server/providers/ldap/ldap_common.c
index deffb4a..bec4099 100644
--- a/server/providers/ldap/ldap_common.c
+++ b/server/providers/ldap/ldap_common.c
@@ -54,7 +54,8 @@ struct dp_option default_basic_opts[] = {
     { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     /* use the same parm name as the krb5 module so we set it only once */
-    { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+    { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "ldap_ignore_shadow_attributes", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }
 };
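Review bot: default_basic_opts[] is indexed by the values of enum sdap_basic_opt, so the new `ldap_ignore_shadow_attributes` entry must stay at the same position as SDAP_IGNORE_SHADOW_ATTRIBUTES in sdap.h (this patch keeps them aligned, both directly after the krb5_realm entries), but nothing in either file says so; a comment on the table, `/* order must match enum sdap_basic_opt in sdap.h */`, would protect the next addition. The `/* use the same parm name as the krb5 module ... */` comment on the line above refers only to krb5_realm, so placing the new line after it rather than before keeps that comment attached to the right entry.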
 
 struct sdap_attr_map generic_attr_map[] = {
diff --git a/server/providers/ldap/sdap.h b/server/providers/ldap/sdap.h
index 8330bd6..ac25ae7 100644
--- a/server/providers/ldap/sdap.h
+++ b/server/providers/ldap/sdap.h
@@ -117,6 +117,7 @@ enum sdap_basic_opt {
     SDAP_KRB5_KEYTAB,
     SDAP_KRB5_KINIT,
     SDAP_KRB5_REALM,
+    SDAP_IGNORE_SHADOW_ATTRIBUTES,
 
     SDAP_OPTS_BASIC /* opts counter */
 };
-- 
1.6.2.5
