On Mon, 2011-08-01 at 12:19 -0400, Stephen Gallagher wrote:
> On Mon, 2011-08-01 at 11:00 -0400, Simo Sorce wrote:
> > On Mon, 2011-08-01 at 10:50 -0400, Stephen Gallagher wrote:
> > > Previously, we were only displaying expiration warnings if the
> > > password was going to expire within a day. We'll allow LDAP to
> > > make this decision (by whether it passes us the expiration time).
> > > 
> > > In the future, we can add an option to clamp this down to a
> > > shorter period if the local admin prefers it.
> > > 
> > > https://fedorahosted.org/sssd/ticket/940
> > 
> > ACK.
> 
> 
> Pushed to master and sssd-1-5


I misread the original code here and have since noticed that the option
to clamp this down was in fact already present (due to the fact that
Kerberos always reports the expiration time). Unfortunately, by pushing
the patch above, we have regressed that behavior.

Patch 0001: Revert the patch from earlier in this thread.
Patch 0002: Add the ability to always display the expiration and make
this the default.

I'm a little unsure about patch 0002 as it will require modification for
existing Kerberos deployments in order to make LDAP deployments happier.
Opinions welcome.
From 07719c284e34e23979772065b2d99ac123e74f0b Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <[email protected]>
Date: Thu, 4 Aug 2011 10:01:18 -0400
Subject: [PATCH 1/2] Revert "Allow LDAP to decide when an expiration warning
 is warranted"

This reverts commit b0b9c38dfce3e3ccbfaa4d00fdf2ea08a70d41a6.
---
 src/responder/pam/pamsrv_cmd.c |    7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 7fcf9854385c51a9c9721585c940c7d1b387a630..3c9d7600a70465cd087950d775d2f7a78a3ab141 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -409,10 +409,9 @@ static errno_t filter_responses(struct confdb_ctx *cdb,
                     }
                     memcpy(&expire_warn, resp->data + sizeof(uint32_t),
                            sizeof(uint32_t));
-                    /* TODO: Add an option to limit the display of the
-                     * expiration warning to a specified number of
-                     * days (e.g. 14)
-                     */
+                    if(expire_warn > pam_expiration_warning * (60 * 60 * 24)) {
+                        resp->do_not_send_to_client = true;
+                    }
                     break;
                 default:
                     DEBUG(7, ("User info type [%d] not filtered.\n"));
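Review bot: the context line `DEBUG(7, ("User info type [%d] not filtered.\n"));` has a `%d` conversion with no matching argument, so the debug output prints whatever happens to be in that position; pass the type value being reported. The reinstated `if(expire_warn > pam_expiration_warning * (60 * 60 * 24))` also compares the uint32_t `expire_warn` with a product whose type is not visible in this hunk; if `pam_expiration_warning` is signed, a negative configured value is converted before the comparison, so rejecting negative values where the option is read would be worthwhile. Minor style: `if (` with a space.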
-- 
1.7.6

From db1867ca1ff742c477144c872c9cbacd6a7b5f19 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <[email protected]>
Date: Thu, 4 Aug 2011 10:06:47 -0400
Subject: [PATCH 2/2] Set the default for pam_pwd_expiration_warning to
 "always"

---
 src/man/sssd.conf.5.xml        |    2 +-
 src/responder/pam/pamsrv_cmd.c |    5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index e038055619c2d55b13db2cc571e23cda3ac0a3ea..3e45b701aad980d55e44d16b24c2502be1ab9c7e 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -565,7 +565,7 @@
                       warning.
                     </para>
                     <para>
-                      Default: 7
+                      Default: 0 (Always display it)
                     </para>
                   </listitem>
                 </varlistentry>
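Review bot: the new `Default: 0 (Always display it)` makes 0 a sentinel meaning "do not limit by days", but the option description above (the paragraph ending in `warning.`) is where users learn what the value means; document there that 0 disables the day limit rather than meaning zero days, otherwise the default reads as "warn 0 days before expiry".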
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 3c9d7600a70465cd087950d775d2f7a78a3ab141..4ef34364b6dc8d9e9f8e467a43d38d6198ec0667 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -39,7 +39,7 @@ enum pam_verbosity {
 };
 
 #define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT
-#define DEFAULT_PAM_PWD_EXPIRATION_WARNING 7
+#define DEFAULT_PAM_PWD_EXPIRATION_WARNING 0
 
 static void pam_reply(struct pam_auth_req *preq);
 
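Review bot: `#define DEFAULT_PAM_PWD_EXPIRATION_WARNING 0` now carries a special meaning that is only discoverable from the comparison in filter_responses; add a comment beside the define stating that 0 means the expiration warning is always passed through, so the sentinel is not mistaken for "zero days".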
@@ -409,7 +409,8 @@ static errno_t filter_responses(struct confdb_ctx *cdb,
                     }
                     memcpy(&expire_warn, resp->data + sizeof(uint32_t),
                            sizeof(uint32_t));
-                    if(expire_warn > pam_expiration_warning * (60 * 60 * 24)) {
+                    if(pam_expiration_warning
+                       && (expire_warn > pam_expiration_warning * (60 * 60 * 24))) {
                         resp->do_not_send_to_client = true;
                     }
                     break;
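Review bot: the guard `if(pam_expiration_warning && (expire_warn > pam_expiration_warning * (60 * 60 * 24)))` changes behaviour for existing deployments that relied on the previous 7-day default, as the cover message in this thread already notes, yet the commit message has no body; spell out the 0-means-always semantics and the behaviour change there. Also, if `pam_expiration_warning` is a signed int, any negative configured value is non-zero, passes the guard, and is converted for the comparison with the uint32_t `expire_warn`, so validating the option as non-negative where it is read would close that case. Minor style: `if (` with a space.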
-- 
1.7.6


_______________________________________________
sssd-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/sssd-devel
