On Wed, Nov 27, 2013 at 05:13:50PM +0000, Viviano, Brad wrote:
> Changing the pam_verbosity to 2 or 3 had no effect. It doesn't tell the user
> their account is locked but everything shows up in syslog or sssd domain log
> fine.
>
> I've looked through pam_sss.c and if I am understanding correctly, this block
> of code seems to be what is putting the message into syslog:
>
>     case SSS_PAM_SYSTEM_INFO:
>         if (buf[p + (len -1)] != '\0') {
>             D(("system info does not end with \\0."));
>             break;
>         }
>         logger(pamh, LOG_INFO, "system info: [%s]", &buf[p]);
>         break;
>
> The account locked message is coming back from the BE tagged as
> SSS_PAM_SYSTEM_INFO instead of SSS_PAM_USER_INFO, which is where the other
> messages related to expired passwords, grace logins, etc. get processed. So I
> suspect there is no way to let the user know their account is locked directly
> since there is no corresponding user message function in pam_sss.c.
>
> But if I am wrong, please let me know :).

You're completely right, I verified that using my setup.
I'd advise filing an RFE. On one hand, I don't think the message should
be visible by default; on the other hand, I think that's something we
should allow to be displayed with a higher pam_verbosity.
_______________________________________________
sssd-devel mailing list
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
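
The routing discussed in this thread, as an added sketch that is not sssd code and not from either poster: typed messages are walked with bounds checks, the NUL-termination guard from the quoted block is kept, and system info reaches the user only at or above a verbosity threshold. The tag values, the record layout, the threshold parameter `level` and the sample message strings are all assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical tags and record layout; not copied from the sssd headers. */
enum { MSG_SYSTEM_INFO = 1, MSG_USER_INFO = 2 };
enum { TO_NOBODY = 0, TO_SYSLOG = 1, TO_USER = 2 };

/* Quoted block's NUL guard plus len == 0; level is an assumed threshold. */
static int route(int32_t type, const uint8_t *data, size_t len, int verbosity, int level)
{
    if (len == 0 || data[len - 1] != '\0') return TO_NOBODY;
    if (type == MSG_USER_INFO) return TO_USER;
    if (type != MSG_SYSTEM_INFO) return TO_NOBODY;
    return TO_SYSLOG | (verbosity >= level ? TO_USER : 0);
}

/* Walk [int32 type][int32 len][bytes] records; -1 means malformed buffer. */
static int user_visible(const uint8_t *buf, size_t size, int verbosity, int level)
{
    size_t p = 0;
    int shown = 0;
    while (p < size) {
        int32_t h[2];                                   /* h[0] type, h[1] len */
        if (size - p < sizeof h) return -1;             /* truncated header */
        memcpy(h, buf + p, sizeof h);
        p += sizeof h;
        if (h[1] < 0 || (size_t)h[1] > size - p) return -1;  /* len overruns */
        if (route(h[0], buf + p, (size_t)h[1], verbosity, level) & TO_USER) shown++;
        p += (size_t)h[1];
    }
    return shown;
}

/* Append one record (NUL included); returns bytes written. */
static size_t put_record(uint8_t *out, int32_t type, const char *msg)
{
    int32_t h[2] = { type, (int32_t)strlen(msg) + 1 };
    memcpy(out, h, sizeof h);
    memcpy(out + sizeof h, msg, (size_t)h[1]);
    return sizeof h + (size_t)h[1];
}

/* Constructed sample: one system-info and one user-info record. */
static int demo(int verbosity, int level)
{
    uint8_t buf[128];
    size_t n = put_record(buf, MSG_SYSTEM_INFO, "account locked");
    n += put_record(buf + n, MSG_USER_INFO, "password expired");
    return user_visible(buf, n, verbosity, level);
}
```

`demo(verbosity, level)` returns how many of the two constructed messages would reach the user; below the threshold only the user-info record counts.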