[PATCH] add support for server side LDAP password policies
by Sumit Bose
Hi,
this patch adds support for server side password policies to the LDAP
provider. If the server supports password policies an expired password
can be detected. Please note that currently IPA does not support LDAP
password policies.
As a next step I will add support for the client side evaluation of LDAP
attributes indicating an expired password.
bye,
Sumit
14 years, 6 months
[PATCH] allow to add more LDAP user mappings
by Sumit Bose
Hi,
this patch makes it possible to add more user attribute mappings. I need
this (or a similar patch) to read password policy information from an
LDAP server to evaluate if the password is expired on the client if the
LDAP server does not support server side password policies. I have tried
to make the changes in a generic way so they can be used for other areas
as well.
bye,
Sumit
14 years, 6 months
[PATCH] fix for 218
by Simo Sorce
Should fix 218 (tested with non responding ldap server), and also fix
other races and potential memleaks.
Simo.
14 years, 6 months
[PATCH] remove redundant talloc_free
by Sumit Bose
Hi,
this patch is a fix for bug #213. The reason for the bug is a double
free during the call of the sdap timeout handler.
bye,
Sumit
14 years, 6 months
[PATCH] Add handling of expired passwords
by Sumit Bose
Hi,
with the three attached patches pam_sss can handle expired Kerberos passwords:
- 0001: Kerberos provider returns PAM_AUTHTOK_EXPIRED if the KDC returns
KRB5KDC_ERR_KEY_EXP
- 0002: some refactoring of pam_sss
- 0003: query the user for a new password if sssd returns
PAM_AUTHTOK_EXPIRED
All this happens during the pam authentication phase and not, as is often
seen, during the pam account management phase. For this reason I used
PAM_AUTHTOK_EXPIRED instead of PAM_NEW_AUTHTOK_REQD, which is used by
pam_sm_acct_mgmt().
I have two questions about the user experience:
- currently PAM_AUTHTOK_EXPIRED is returned if the password is expired
regardless of whether the supplied password is correct or not. Would it be
better to return a different error if the password is wrong?
- currently pam_sss only asks for the new password, because the
current/old password is already known. Typically pam modules are
asking for the current password a second time (because the
password is not known anymore) and then for the new one. I think this
behaviour often irritates people. Which version shall we use?
bye,
Sumit
14 years, 6 months
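The flow described in the message above, as an added example written for this page (it is not pam_sss, the SSSD Kerberos provider, or any code from the attached patches): the provider-side mapping of KRB5KDC_ERR_KEY_EXP to PAM_AUTHTOK_EXPIRED in the authentication phase (and to PAM_NEW_AUTHTOK_REQD if the same condition were reported from account management), followed by the pam_sss-style prompt for a new password once the expiry is detected. The PAM and krb5 constants are redefined locally with the numeric values from Linux-PAM and MIT Kerberos so the file builds without those headers (assumption: verify against <security/_pam_types.h> and <krb5.h>). The "KDC", its check ordering, the conversation script and the `ask_old_again` switch are constructed stand-ins for the two user-experience questions; nothing here reflects how the real KDC or module decides them.

```c
#include <stdio.h>
#include <string.h>

/* Linux-PAM return codes (values as in <security/_pam_types.h>; copied
 * here so this demo builds without the PAM headers - an assumption). */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_NEW_AUTHTOK_REQD 12
#define PAM_CONV_ERR         19
#define PAM_AUTHTOK_ERR      20
#define PAM_AUTHTOK_EXPIRED  27

/* MIT Kerberos error codes (values as in <krb5.h>; same assumption). */
#define KRB5KDC_ERR_KEY_EXP        (-1765328361L)
#define KRB5KDC_ERR_PREAUTH_FAILED (-1765328360L)

enum pam_phase { PHASE_AUTH, PHASE_ACCT_MGMT };

/* Provider side: translate the KDC result into the PAM status for the
 * phase the module runs in. Authentication reports PAM_AUTHTOK_EXPIRED;
 * pam_sm_acct_mgmt() would report PAM_NEW_AUTHTOK_REQD instead. */
int krb5_to_pam_status(long krb5_code, enum pam_phase phase)
{
    if (krb5_code == 0)
        return PAM_SUCCESS;
    if (krb5_code == KRB5KDC_ERR_KEY_EXP)
        return phase == PHASE_AUTH ? PAM_AUTHTOK_EXPIRED : PAM_NEW_AUTHTOK_REQD;
    return PAM_AUTH_ERR;
}

/* Constructed stand-in for the KDC: one principal and its expiry flag. */
struct fake_kdc { char password[64]; int key_expired; };

/* AS-REQ stand-in. As the message notes, the expiry is reported whether
 * or not the supplied password is right (constructed ordering). */
static long fake_kdc_as_req(const struct fake_kdc *kdc, const char *password)
{
    if (kdc->key_expired)
        return KRB5KDC_ERR_KEY_EXP;
    return strcmp(kdc->password, password) == 0 ? 0 : KRB5KDC_ERR_PREAUTH_FAILED;
}

/* kpasswd stand-in: the change only succeeds with the right old password. */
static long fake_kdc_change_pw(struct fake_kdc *kdc, const char *old_pw,
                               const char *new_pw)
{
    if (strcmp(kdc->password, old_pw) != 0)
        return KRB5KDC_ERR_PREAUTH_FAILED;
    snprintf(kdc->password, sizeof kdc->password, "%s", new_pw);
    kdc->key_expired = 0;
    return 0;
}

/* PAM conversation stand-in: answers are read from a fixed script. */
#define CONV_MAX 5
struct conv_script { const char *answers[CONV_MAX]; int next; };

static int script_conv(struct conv_script *s, const char *prompt,
                       char *reply, size_t len)
{
    (void)prompt;
    if (s->next >= CONV_MAX || s->answers[s->next] == NULL)
        return PAM_CONV_ERR;                 /* user gave no answer */
    snprintf(reply, len, "%s", s->answers[s->next++]);
    return PAM_SUCCESS;
}

/* pam_sm_authenticate-style flow. The current password is already known
 * when the expiry is detected, so by default only the new password is
 * requested; ask_old_again re-prompts for the current password first, as
 * most other PAM modules do. */
int authenticate_with_expiry(struct fake_kdc *kdc, struct conv_script *conv,
                             int ask_old_again)
{
    char old_pw[64], new_pw[64], confirm[64];
    int rc = script_conv(conv, "Password: ", old_pw, sizeof old_pw);
    if (rc != PAM_SUCCESS) return rc;

    rc = krb5_to_pam_status(fake_kdc_as_req(kdc, old_pw), PHASE_AUTH);
    if (rc != PAM_AUTHTOK_EXPIRED)
        return rc;                            /* success or plain failure */

    if (ask_old_again &&
        (rc = script_conv(conv, "Current Password: ", old_pw, sizeof old_pw)) != PAM_SUCCESS)
        return rc;
    if ((rc = script_conv(conv, "New Password: ", new_pw, sizeof new_pw)) != PAM_SUCCESS)
        return rc;
    if ((rc = script_conv(conv, "Reenter new Password: ", confirm, sizeof confirm)) != PAM_SUCCESS)
        return rc;
    if (strcmp(new_pw, confirm) != 0)
        return PAM_AUTHTOK_ERR;               /* confirmation mismatch */

    /* A wrong current password only surfaces here, as a failed change. */
    return fake_kdc_change_pw(kdc, old_pw, new_pw) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Scenario helper: fresh KDC with password "old-secret", scripted answers. */
static struct fake_kdc last_kdc;
int scenario(int key_expired, int ask_old_again, const char *a0,
             const char *a1, const char *a2, const char *a3)
{
    struct conv_script conv = { { a0, a1, a2, a3, NULL }, 0 };
    snprintf(last_kdc.password, sizeof last_kdc.password, "old-secret");
    last_kdc.key_expired = key_expired;
    return authenticate_with_expiry(&last_kdc, &conv, ask_old_again);
}
int last_key_expired(void) { return last_kdc.key_expired; }
const char *last_password(void) { return last_kdc.password; }

int main(void)
{
    int rc = scenario(1, 0, "old-secret", "new-secret", "new-secret", NULL);
    printf("expired key, new password set: rc=%d, key_expired=%d\n", rc, last_key_expired());
    return rc == PAM_SUCCESS ? 0 : 1;
}
```

Running the stand-alone `main` exercises the default path (only the new password is asked for); `scenario(1, 1, ...)` with four answers exercises the re-prompt variant, and a wrong current password is rejected only when the change is attempted, which is the case the first question in the message is about.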