ldap_acct_mgmt.c revision 7c478bd95313f5f23a4c958a745db2134aa03244
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2003 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include "ldap_headers.h"
/*
* Static function whose visible parameters are `data` (void *) and
* `pam_status` (int); both are marked unused for lint by ARGSUSED.
*
* NOTE(review): the function-name line and any leading parameter are
* missing from this listing, and the body shown is empty. If this is the
* cleanup callback for the per-handle data stored on the failure path of
* pam_sm_acct_mgmt, check the complete file to confirm that it releases
* `data`; an empty callback would leave that buffer allocated -- TODO
* confirm against the full source.
*/
/*ARGSUSED*/
static void
void *data,
int pam_status)
{
}
/*
* warn_user_passwd_will_expire - warn the user when the password will
* expire.
*
* Visible parameter: sec_until_expired (int). One of three messages is
* selected: "within one hour", "in %d hours" or "in %d days".
*
* NOTE(review): the function-name line, the leading parameter(s), the
* conditions that select each message and the calls that emit them are
* missing from this listing, so the hour/day thresholds and the value
* passed for %d cannot be read from here.
*/
static void
int sec_until_expired)
{
/* fixed text, no conversion; the enclosing call is not visible */
"Your password will expire within one hour."));
else
/* literal format with a single %d; its argument is not visible */
"Your password will expire in %d hours."),
} else {
/* literal format with a single %d; its argument is not visible */
"Your password will expire in %d days."),
}
}
/*
* pam_sm_acct_mgmt main account management routine.
* This routine relies on the LDAP
* directory server to provide the
* password aging and account lockout
* information. This is done by first
* trying to authenticate the user and
* then checking the password status
* returned.
*
* Parameters visible in this listing: flags (tested against PAM_SILENT)
* and argc/argv (module options). The function-name line, the leading
* parameter and most call statements are missing from the listing, so
* the notes below describe only what the remaining lines show.
*
* Returns: module error or specific
* error on failure.
* `result` is returned at the end; when it is not PAM_SUCCESS the exit
* path can instead return PAM_BUF_ERR or PAM_SERVICE_ERR.
*/
int
int flags,
int argc,
const char **argv)
{
/* starts as a failure code rather than PAM_SUCCESS (default deny) */
int result = PAM_AUTH_ERR;
int debug = 0;
int i;
int nowarn = 0;
int sec_until_expired = 0;
/*
* Walk the module options. The comparisons that select each branch
* are missing from this listing; only the assignments remain.
*/
for (i = 0; i < argc; i++) {
debug = 1;
nowarn = 1;
}
else
/*
* Unrecognised option: argv[i] is supplied as the argument of a
* literal "%s" format, not used as the format string itself.
*/
"pam_ldap pam_sm_acct_mgmt: "
"illegal option %s",
argv[i]);
}
/* NOTE(review): the call whose status is compared here is not visible */
!= PAM_SUCCESS)
goto out;
if (debug)
/*
* NOTE(review): the arguments for the two %s conversions are not
* visible; this line precedes the password retrieval below, but
* confirm in the full source that no authentication token is logged.
*/
"ldap pam_sm_acct_mgmt(%s), flags = %x %s",
goto out;
}
/* retrieve the password from the PAM handle */
/*
* NOTE(review): the retrieval call and the statement governed by this
* `if` are missing from the listing; as extracted, `goto out` appears
* to be its body. The closing brace below belongs to a block whose
* opening line is also missing.
*/
if (result == PAM_SUCCESS)
goto out;
}
/* Try to authenticate to get password management info */
/* NOTE(review): the authentication call itself is not visible here */
/*
* process the password management info.
* If user needs to change the password immediately,
* just return the rc.
* Otherwise, reset rc to the appropriate PAM error or
* warn the user about password expiration.
*/
/*
* NOTE(review): the statements that remap `result` in the first two
* branches are missing from this listing; only their comments remain.
*/
if (result == PAM_MAXTRIES)
/* exceed retry limit: denied access to account */
else if (result == PAM_AUTHTOK_EXPIRED)
/* password expired so account expired */
else if (result == PAM_SUCCESS) {
/*
* warn the user if the password
* is about to expire.
*/
/*
* The warning is skipped when PAM_SILENT is set or when
* sec_until_expired is not positive.
* NOTE(review): `nowarn` is set during option parsing but does not
* appear in this condition as shown -- confirm against the full
* source whether the option is honoured elsewhere.
*/
if (!(flags & PAM_SILENT) &&
sec_until_expired > 0)
}
out:
/*
* Common exit: credp is freed here. Its declaration and the code that
* fills it are not visible in this listing.
*/
(void) __ns_ldap_freeCred(&credp);
/* store the password aging status in the pam handle */
/*
* Only taken on failure. Both early returns below replace `result` with
* another error code, so this path does not return PAM_SUCCESS.
*/
if (result != PAM_SUCCESS) {
int pam_res;
/* NOTE(review): presumably an allocation failure; the call is not visible */
return (PAM_BUF_ERR);
}
/*
* NOTE(review): the statement using sizeof (ldap_authtok_data) is cut
* off; it looks like a copy of previously stored data -- confirm.
*/
if (pam_res == PAM_SUCCESS)
sizeof (ldap_authtok_data));
/*
* NOTE(review): the call tested here is not visible; if a buffer was
* allocated above, check that it is released before this return.
*/
!= PAM_SUCCESS) {
return (PAM_SERVICE_ERR);
}
}
return (result);
}