From fea0f5ed287b04406afca0835b1a333bd1fe617b Mon Sep 17 00:00:00 2001
From: Arthur de Jong
Date: Sun, 13 Oct 2019 17:24:36 +0200
Subject: [PATCH] Add pam_authc_ppolicy support in pynslcd See https://bugs.debian.org/900253
---
 pynslcd/cfg.py | 3 ++-
 pynslcd/pam.py | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/pynslcd/cfg.py b/pynslcd/cfg.py
index 877d4427..b970b5a7 100644
--- a/pynslcd/cfg.py
+++ b/pynslcd/cfg.py
@@ -87,6 +87,7 @@ nss_getgrent_skipmembers = False
 nss_disable_enumeration = False
 validnames = re.compile(r'^[a-z0-9._@$][a-z0-9._@$ \\~-]{0,98}[a-z0-9._@$~-]$', re.IGNORECASE)
+pam_authc_ppolicy = True
 pam_authz_searches = []
 pam_password_prohibit_message = None
 reconnect_invalidate = set()
@@ -184,7 +185,7 @@ def read(filename): # noqa: C901 (many simple branches)
 # parse options with a single boolean argument
 m = re.match(
 r'(?Preferrals|nss_nested_groups|nss_getgrent_skipmembers|'
- r'nss_disable_enumeration)\s+(?P%s)' % (
+ r'nss_disable_enumeration|pam_authc_ppolicy)\s+(?P%s)' % (
 '|'.join(_boolean_options.keys())),
 line, re.IGNORECASE)
 if m:
diff --git a/pynslcd/pam.py b/pynslcd/pam.py
index b372cdda..5f5486b3 100644
--- a/pynslcd/pam.py
+++ b/pynslcd/pam.py
@@ -42,8 +42,10 @@ def authenticate(binddn, password):
 # open a new connection
 conn = search.Connection()
 # bind using the specified credentials
- pwctrl = PasswordPolicyControl()
- res, data, msgid, ctrls = conn.simple_bind_s(binddn, password, serverctrls=[pwctrl])
+ serverctrls = []
+ if cfg.pam_authc_ppolicy:
+ serverctrls.append(PasswordPolicyControl())
+ res, data, msgid, ctrls = conn.simple_bind_s(binddn, password, serverctrls=serverctrls)
 # go over bind result server controls
 for ctrl in ctrls:
 if ctrl.controlType == PasswordPolicyControl.controlType:
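Review bot: With `pam_authc_ppolicy` off, the bind in `authenticate` (pynslcd/pam.py) is sent with an empty `serverctrls` list, so the server will normally return no password policy response and the `for ctrl in ctrls` loop after it has nothing to inspect. The server still accepts or refuses the bind, but as far as this hunk shows, expiry warnings, grace-login counts and a change-after-reset requirement would no longer reach PAM. I would record that trade-off above the new `if`, e.g. `# without the ppolicy control the server reports no expiry, grace-login or change-after-reset state; only the bind result is checked`. The body of `authenticate` continues past the hunk, so how the loop result is used afterwards is not visible here.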