Univention Bugzilla – Attachment 8492 Details for
Bug 36215
Deny posix logins if user password expiration date has been reached
[patch]
patch for 97_shadowbind_overlay.quilt
97_shadowbind_overlay.quilt.patch (text/plain), 3.03 KB, created by
Felix Botner
on 2017-03-03 11:07:53 CET
Description:
patch for 97_shadowbind_overlay.quilt
Filename:
MIME Type:
Creator:
Felix Botner
Created:
2017-03-03 11:07:53 CET
Size:
3.03 KB
patch
obsolete
>Index: 97_shadowbind_overlay.quilt
>===================================================================
>--- 97_shadowbind_overlay.quilt (Revision 17287)
>+++ 97_shadowbind_overlay.quilt (Arbeitskopie)
>@@ -83,7 +83,7 @@
> diff -Nur openldap-2.4.42+dfsg.o/contrib/slapd-modules/shadowbind/shadowbind.c openldap-2.4.42+dfsg/contrib/slapd-modules/shadowbind/shadowbind.c
> --- openldap-2.4.42+dfsg.o/contrib/slapd-modules/shadowbind/shadowbind.c 1970-01-01 01:00:00.000000000 +0100
> +++ openldap-2.4.42+dfsg/contrib/slapd-modules/shadowbind/shadowbind.c 2016-08-31 20:10:52.747816000 +0200
>-@@ -0,0 +1,358 @@
>+@@ -0,0 +1,380 @@
> +/* shadowbind.c - overlay to deny login based shadow settings */
> +
> +/*
>@@ -145,10 +145,13 @@
> +#define SLAPD_SHADOW_MAX_ATTR "shadowMax"
> +#define SLAPD_SHADOW_LAST_CHANGE_ATTR "shadowLastChange"
> +#define SLAPD_SHADOW_EXPIRE_ATTR "shadowExpire"
>++#define SLAPD_USER_PASSWORD "userPassword"
>++#define KINIT_SCHEME "{KINIT}"
> +
> +static AttributeDescription *attr_shadowMax;
> +static AttributeDescription *attr_shadowLastChange;
> +static AttributeDescription *attr_shadowExpire;
>++static AttributeDescription *attr_userPassword;
> +
> +static ObjectClass *oc_shadowAccount;
> +
>@@ -249,6 +252,15 @@
> + return rc;
> + }
> + }
>++ if (attr_userPassword == NULL) {
>++ rc = slap_str2ad( SLAPD_USER_PASSWORD, &attr_userPassword, &err );
>++ if ( rc != LDAP_SUCCESS ) {
>++ Debug( LDAP_DEBUG_ANY, "shadowbind_db_open: "
>++ "unable to find attribute=\"%s\": %s (%d)\n",
>++ SLAPD_USER_PASSWORD, err, rc );
>++ return rc;
>++ }
>++ }
> +
> + return 0;
> +}
>@@ -297,6 +309,16 @@
> + return SLAP_CB_CONTINUE;
> + }
> +
>++ /* ignore objects with userPassword={KINIT}, authentication of these objects is delegated to
>++ a (ad) krb5 server and we have nothing to do with authentication/authorization */
>++ a = attr_find(e->e_attrs, attr_userPassword);
>++ if ( a != NULL && a->a_nvals[0].bv_val != NULL ) {
>++ if (strcmp(a->a_nvals[0].bv_val, KINIT_SCHEME) == 0) {
>++ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: ignore %s, found kinit scheme\n", op->o_req_ndn.bv_val, 0, 0);
>++ goto done;
>++ }
>++ }
>++
> + /* ignore non shadowAccount objects */
> + if ( !is_entry_objectclass(e, oc_shadowAccount, 0 ) ) {
> + Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: ignore non shadowAccount %s\n", op->o_req_ndn.bv_val, 0, 0 );
>@@ -305,7 +327,7 @@
> +
> + /* ignore objects that match the ignore filter */
> + if ( cfg->ignore_filter && test_filter( NULL, e, cfg->ignore_filter ) == LDAP_COMPARE_TRUE ) {
>-+ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: object %s matches ignore filter", op->o_req_ndn.bv_val, 0, 0 );
>++ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: object %s matches ignore filter\n", op->o_req_ndn.bv_val, 0, 0 );
> + goto done;
> + }
> +
>@@ -346,6 +368,7 @@
> + }
> + }
> + }
>++ Debug( LDAP_DEBUG_ANY, "shadowbind_bind_response: no shadow restrictions, your good to go\n", NULL, 0, 0 );
> +
> +done:
> + overlay_entry_release_ov(op, e, 0, on);
>@@ -441,4 +464,3 @@
> +#endif /* SLAPD_OVER_SHADOWBIND == SLAPD_MOD_DYNAMIC */
> +
> +#endif /* SLAPD_OVER_SHADOWBIND */
>-+
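Review bot: The new {KINIT} exemption in shadowbind_bind_response inspects only `a->a_nvals[0]` and compares it with `strcmp`, so skipping every shadow check depends on the first stored userPassword value rather than on how the bind was actually verified. userPassword can be multi-valued; if an entry holds `{KINIT}` first and a locally verifiable hash as a further value, a bind that succeeded against the local hash would presumably bypass the expiry enforcement too. Consider exempting only when `{KINIT}` is the sole value, and comparing by length instead of relying on NUL termination of an octet-string value, e.g. `if ( a != NULL && a->a_numvals == 1 && a->a_nvals[0].bv_len == sizeof(KINIT_SCHEME) - 1 && memcmp( a->a_nvals[0].bv_val, KINIT_SCHEME, sizeof(KINIT_SCHEME) - 1 ) == 0 )`. The function starts and ends outside this hunk, so the declaration of `a` and the cleanup at `done:` cannot be checked from here.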
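Review bot: The `Debug` line added just before `done:` runs on every path that falls out of the preceding nested blocks, and the hunk does not show whether the deny branches jump to `done` or fall through. If any of them falls through, the log would report "good to go" for a bind that was just refused, which is misleading in an audit trail. The message also omits the DN that the other messages in this function print, and it is emitted at `LDAP_DEBUG_ANY` for every successful bind, so it is noisy and hard to correlate. Something like `Debug( LDAP_DEBUG_TRACE, "shadowbind_bind_response: no shadow restrictions for %s\n", op->o_req_ndn.bv_val, 0, 0 );`, placed so that only the allow path reaches it, would serve better. The function body begins outside the hunk.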