-rw-r--r-- | nslcd/myldap.c | 11 | ||||
-rw-r--r-- | nslcd/myldap.h | 5 | ||||
-rw-r--r-- | nslcd/pam.c | 15 |
3 files changed, 28 insertions, 3 deletions
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index db58e9a..c564f4b 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -1037,6 +1037,17 @@ void myldap_set_credentials(MYLDAP_SESSION *session, const char *dn,
   session->bindpw[sizeof(session->bindpw) - 1] = '\0';
 }
 
+/* Get bind ppolicy results from the last bind operation. This function
+   returns a NSLCD_PAM_* code and optional message. */
+void myldap_get_policy_response(MYLDAP_SESSION *session, int *response,
+                                const char **message)
+{
+  if (response != NULL)
+    *response = session->policy_response;
+  if (message != NULL)
+    *message = session->policy_message;
+}
+
 static int do_try_search(MYLDAP_SEARCH *search)
 {
   int rc;
diff --git a/nslcd/myldap.h b/nslcd/myldap.h
index b2ae841..9367b43 100644
--- a/nslcd/myldap.h
+++ b/nslcd/myldap.h
@@ -72,6 +72,11 @@ MUST_USE MYLDAP_SESSION *myldap_create_session(void);
 void myldap_set_credentials(MYLDAP_SESSION *session, const char *dn,
                             const char *password);
 
+/* Get bind ppolicy results from the last bind operation. This function
+   returns a NSLCD_PAM_* code and optional message. */
+void myldap_get_policy_response(MYLDAP_SESSION *session, int *response,
+                                const char **message);
+
 /* Closes all pending searches and deallocates any memory that is allocated
    with these searches. This does not close the session. */
 void myldap_session_cleanup(MYLDAP_SESSION *session);
diff --git a/nslcd/pam.c b/nslcd/pam.c
index 40e0069..bdd8729 100644
--- a/nslcd/pam.c
+++ b/nslcd/pam.c
@@ -41,13 +41,15 @@
 /* set up a connection and try to bind with the specified DN and password,
    returns an LDAP result code */
-static int try_bind(const char *userdn, const char *password)
+static int try_bind(const char *userdn, const char *password,
+                    int *authzrc, char *authzmsg, size_t authzmsgsz)
 {
   MYLDAP_SESSION *session;
   MYLDAP_SEARCH *search;
   MYLDAP_ENTRY *entry;
   static const char *attrs[2];
   int rc;
+  const char *msg;
   /* set up a new connection */
   session = myldap_create_session();
   if (session == NULL)
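Review bot: The `message` pointer handed back by myldap_get_policy_response aliases session state (`*message = session->policy_message`), so it is only valid while the session is alive and, presumably, until the next bind overwrites it; neither the comment added here nor the identical one in myldap.h says so. I would extend both comments with `The returned message points into session-owned storage and is only valid until the session is closed or the next bind; copy it if it must outlive that.` The pam.c caller copies it with mysnprintf before myldap_session_close, so it currently respects this, but the contract should be written down. session is dereferenced without a NULL check, which presumably matches the other myldap_* accessors in this file; the header comment could state that session must be non-NULL.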
@@ -75,6 +77,13 @@ static int try_bind(const char *userdn, const char *password)
       log_log(LOG_WARNING, "%s: lookup failed: %s", userdn, ldap_err2string(rc));
     }
   }
+  /* get any policy response from the bind */
+  myldap_get_policy_response(session, authzrc, &msg);
+  if ((msg != NULL) && (msg[0] != '\0'))
+  {
+    mysnprintf(authzmsg, authzmsgsz - 1, "%s", msg);
+    log_log(LOG_WARNING, "%s: %s", userdn, authzmsg);
+  }
   /* close the session */
   myldap_session_close(session);
   /* return results */
@@ -311,7 +320,7 @@ int nslcd_pam_authc(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid)
     update_username(entry, username, sizeof(username));
   }
   /* try authentication */
-  rc = try_bind(userdn, password);
+  rc = try_bind(userdn, password, &authzrc, authzmsg, sizeof(authzmsg));
   if (rc == LDAP_SUCCESS)
     log_log(LOG_DEBUG, "bind successful");
   /* map result code */
@@ -322,7 +331,7 @@ int nslcd_pam_authc(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid)
     default:                       rc = NSLCD_PAM_AUTH_ERR;
   }
   /* perform shadow attribute checks */
-  if (*username != '\0')
+  if ((*username != '\0') && (authzrc == NSLCD_PAM_SUCCESS))
     authzrc = check_shadow(session, username, authzmsg, sizeof(authzmsg), 1, 0);
   /* write response */
   WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
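Review bot: `mysnprintf(authzmsg, authzmsgsz - 1, "%s", msg);` hands the helper one byte less than the buffer; if mysnprintf follows snprintf semantics (it is a project helper, not visible here) the terminator already fits within authzmsgsz, so the `- 1` only loses a character, and because authzmsgsz is size_t it wraps to SIZE_MAX when a caller passes 0. Pass the full size and look at the result, e.g. `if (mysnprintf(authzmsg, authzmsgsz, "%s", msg) != 0) log_log(LOG_WARNING, "%s: policy message truncated", userdn);`. The message text originates from the server's ppolicy response, so the bounded copy and fixed format string on the log call are the right shape; the result check just makes truncation visible. try_bind's body extends beyond this hunk on both sides, and its early-return paths (for instance when myldap_create_session fails) never write `*authzrc`, so callers must not rely on try_bind to initialise it.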
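Review bot: `if ((*username != '\0') && (authzrc == NSLCD_PAM_SUCCESS))` only works if authzrc holds a defined value after try_bind, but try_bind writes `*authzrc` solely through myldap_get_policy_response after the bind, so any early return before that point leaves the out-parameter untouched; unless authzrc is initialised to NSLCD_PAM_SUCCESS where it is declared (outside this hunk, so I cannot confirm), this comparison reads an indeterminate int. The safest fix is local to try_bind: set `*authzrc = NSLCD_PAM_SUCCESS;` at the top of the function so every path defines it, which also covers the call-site hunk at line 311. The new condition also deserves a word on intent, e.g. `/* skip shadow checks when the bind already produced a policy failure, so its code and message are not overwritten */`. nslcd_pam_authc continues outside this hunk.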