rpms
/
sssd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
sssd/0063-PAM-Pass-account-locko...

199 lines
8.3 KiB
Diff
Raw Blame History

From fdc7e4acad41e7f0dff4926690f14bf94c009e38 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl@redhat.com>
Date: Fri, 5 Feb 2016 07:31:45 -0500
Subject: [PATCH 63/86] PAM: Pass account lockout status and display message
Tested against Windows Server 2012.
Resolves:
https://fedorahosted.org/sssd/ticket/2839
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 4180d485829969d4626cc7d49d2b5f7146512f21)
(cherry picked from commit 1b9f294dab02e6bcd4ce54e3447648d3d664ceaa)
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 21 +++++++++++++++++++++
src/providers/dp_auth_util.c | 19 +++++++++++++++++++
src/responder/pam/pamsrv_cmd.c | 31 +++++++++++++++++++++++--------
6 files changed, 66 insertions(+), 8 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index c6a5e3f61d8bfd045eb2699d0f5e279cb7d89f86..6d8601b31cf4ce1a42f824a8400cef8c4ffadf9a 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -117,6 +117,7 @@
#define CONFDB_PAM_TRUSTED_USERS "pam_trusted_users"
#define CONFDB_PAM_PUBLIC_DOMAINS "pam_public_domains"
#define CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE "pam_account_expired_message"
+#define CONFDB_PAM_ACCOUNT_LOCKED_MESSAGE "pam_account_locked_message"
#define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
#define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 6abdbc3a43cd4dbd74208efa8602b889f6e84d2b..09284fdd7c8e630b3745367b33b8ea0424ff466f 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -90,6 +90,7 @@ option_strings = {
'pam_trusted_users' : _('List of trusted uids or user\'s name'),
'pam_public_domains' : _('List of domains accessible even for untrusted users.'),
'pam_account_expired_message' : _('Message printed when user account is expired.'),
+ 'pam_account_locked_message' : _('Message printed when user account is locked.'),
'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
# [sudo]
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index b6a396a75e564355d0828fa24858337eb06ff4bf..6e00a87918b4c3972c1f05e5d66d0fc8a71a5cf7 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -60,6 +60,7 @@ get_domains_timeout = int, None, false
pam_trusted_users = str, None, false
pam_public_domains = str, None, false
pam_account_expired_message = str, None, false
+pam_account_locked_message = str, None, false
p11_child_timeout = int, None, false
[sudo]
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 7b1c4f0fff9c042ce9ade2473bfe4582909212c4..cf2301f06d03b580f0bd5cea3567599af45eed02 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1024,6 +1024,27 @@ pam_account_expired_message = Account expired, please call help desk.
</listitem>
</varlistentry>
<varlistentry>
+ <term>pam_account_locked_message (string)</term>
+ <listitem>
+ <para>
+ If user is authenticating and
+ account is locked then by default
+ 'Permission denied' is output. This output will
+ be changed to content of this variable if it is
+ set.
+ </para>
+ <para>
+ example:
+ <programlisting>
+pam_account_locked_message = Account locked, please call help desk.
+ </programlisting>
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>p11_child_timeout (integer)</term>
<listitem>
<para>
diff --git a/src/providers/dp_auth_util.c b/src/providers/dp_auth_util.c
index f8a30c5d4e6da7ce6ac28723032241e2458ea473..8e261ef5e4af7479ffce087370844caa1cad43d7 100644
--- a/src/providers/dp_auth_util.c
+++ b/src/providers/dp_auth_util.c
@@ -160,6 +160,14 @@ bool dp_pack_pam_response(DBusMessage *msg, struct pam_data *pd)
return false;
}
+ /* Append the lockout of account */
+ dbret = dbus_message_iter_append_basic(&iter,
+ DBUS_TYPE_UINT32,
+ &pd->account_locked);
+ if (!dbret) {
+ return false;
+ }
+
/* Create an array of response structures */
dbret = dbus_message_iter_open_container(&iter,
DBUS_TYPE_ARRAY, "(uay)",
@@ -246,6 +254,17 @@ bool dp_unpack_pam_response(DBusMessage *msg, struct pam_data *pd, DBusError *db
return false;
}
+ if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_UINT32) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam response format error.\n");
+ return false;
+ }
+ dbus_message_iter_get_basic(&iter, &(pd->account_locked));
+
+ if (!dbus_message_iter_next(&iter)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam response has too few arguments.\n");
+ return false;
+ }
+
/* After this point will be an array of pam data */
if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_ARRAY) {
DEBUG(SSSDBG_CRIT_FAILURE, "pam response format error.\n");
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 38636088e63ede159df0bc9376c255d05bf7de0b..c4ea9cd3e8970db7d281086453d22f3218b05c47 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -53,10 +53,10 @@ pam_get_last_online_auth_with_curr_token(struct sss_domain_info *domain,
static void pam_reply(struct pam_auth_req *preq);
-static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
- const char *user_error_message,
- size_t *resp_len,
- uint8_t **_resp)
+static errno_t pack_user_info_msg(TALLOC_CTX *mem_ctx,
+ const char *user_error_message,
+ size_t *resp_len,
+ uint8_t **_resp)
{
uint32_t resp_type = SSS_PAM_USER_INFO_ACCOUNT_EXPIRED;
size_t err_len;
@@ -83,14 +83,13 @@ static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
return EOK;
}
-static void inform_account_expired(struct pam_data* pd,
- const char *pam_message)
+static void inform_user(struct pam_data* pd, const char *pam_message)
{
size_t msg_len;
uint8_t *msg;
errno_t ret;
- ret = pack_user_info_account_expired(pd, pam_message, &msg_len, &msg);
+ ret = pack_user_info_msg(pd, pam_message, &msg_len, &msg);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"pack_user_info_account_expired failed.\n");
@@ -601,6 +600,7 @@ static void pam_reply(struct pam_auth_req *preq)
time_t exp_date = -1;
time_t delay_until = -1;
char* pam_account_expired_message;
+ char* pam_account_locked_message;
int pam_verbosity;
pd = preq->pd;
@@ -762,7 +762,22 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
- inform_account_expired(pd, pam_account_expired_message);
+ inform_user(pd, pam_account_expired_message);
+ }
+
+ if (pd->account_locked) {
+
+ ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_ACCOUNT_LOCKED_MESSAGE, "",
+ &pam_account_locked_message);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to get expiration message: %d:[%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ inform_user(pd, pam_account_locked_message);
}
ret = filter_responses(pctx->rctx->cdb, pd->resp_list);
--
2.5.0
Reference in New Issue View Git Blame Copy Permalink