File 0057-ldap-return-failure-if-there-are-no-grace-logins-lef.patch of Package sssd.30906

From 32d81087203d3e5e189931644b7d9afd8da56ee9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 7 Jun 2023 17:00:33 +0200
Subject: [PATCH] ldap: return failure if there are no grace logins left
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a user's password is expired while changing the LDAP password, SSSD
tries to change the password even if the initial bind of the user failed
due to exhausted grace logins.

With this patch, the change password request will be aborted if the bind
fails, indicating that there are no grace logins left.

Resolves: https://github.com/SSSD/sssd/issues/6768

Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d99aa97dae7236fd056e21ea3d48997edf1b9823)
(cherry picked from commit 895d194f3869ee7fa633fca51163afd2cea513c7)
---
 src/providers/ldap/sdap_async_connection.c | 26 +++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 9a7d34363..2258903c7 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -833,15 +833,31 @@ static void simple_bind_done(struct sdap_op *op,
                     }
                 } else if (result == LDAP_INVALID_CREDENTIALS &&
                            pp_error == PP_passwordExpired) {
+                    /* According to
+                     * https://www.ietf.org/archive/id/draft-behera-ldap-password-policy-11.txt
+                     * section 8.1.2.3.2. this condition means "No Remaining
+                     * Grace Authentications". */
                     DEBUG(SSSDBG_TRACE_LIBS,
-                          "Password expired user must set a new password.\n");
-                    ret = ERR_PASSWORD_EXPIRED;
+                          "Password expired, grace logins exhausted.\n");
+                    ret = ERR_AUTH_FAILED;
                 }
             } else if (strcmp(response_controls[c]->ldctl_oid,
                               LDAP_CONTROL_PWEXPIRED) == 0) {
-                DEBUG(SSSDBG_TRACE_LIBS,
-                      "Password expired user must set a new password.\n");
-                ret = ERR_PASSWORD_EXPIRED;
+                /* I haven't found a proper documentation of this control only
+                 * the Red Hat Directory Server documentation has a short
+                 * description in the section "Understanding Password
+                 * Expiration Controls", e.g.
+                 * https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/understanding_password_expiration_controls
+                 */
+                if (result == LDAP_INVALID_CREDENTIALS) {
+                    DEBUG(SSSDBG_TRACE_LIBS,
+                          "Password expired, grace logins exhausted.\n");
+                    ret = ERR_AUTH_FAILED;
+                } else {
+                    DEBUG(SSSDBG_TRACE_LIBS,
+                          "Password expired, user must set a new password.\n");
+                    ret = ERR_PASSWORD_EXPIRED;
+                }
             } else if (strcmp(response_controls[c]->ldctl_oid,
                               LDAP_CONTROL_PWEXPIRING) == 0) {
                 /* ignore controls with suspiciously long values */
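Review bot: the discriminator in the LDAP_CONTROL_PWEXPIRED branch, `if (result == LDAP_INVALID_CREDENTIALS)`, rests on an interpretation the new comment itself calls undocumented, so the comment should state that interpretation explicitly: a server attaching the control to a successful bind is signalling that a grace login was consumed and the password must now be changed, while the same control on an LDAP_INVALID_CREDENTIALS result means no grace logins remain, which is why the bind failure is mapped to ERR_AUTH_FAILED rather than ERR_PASSWORD_EXPIRED. The first branch is better anchored, since the draft-behera section 8.1.2.3.2 citation covers the LDAP_INVALID_CREDENTIALS plus PP_passwordExpired case directly. Separately, both new "Password expired, grace logins exhausted." messages are logged at SSSDBG_TRACE_LIBS; since the outcome the user sees is a rejected password change, logging the exhausted-grace case at a less verbose level would let an administrator see the reason without enabling trace logging.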
-- 
2.42.0
