Test shadowLastChange (LDAP) with pam_script.so

#!/usr/bin/python
# copyright 2011 Michael Weber (michael at xmw dot de )
# /etc/pam.d/sshd
# auth required pam_script.so onerr=fail expose=1

import ldap, os, re, sys, syslog

# All verdicts go to the AUTH facility under a fixed ident so they land
# next to sshd's own authentication records.
syslog.openlog(ident='pam-gaf', logoption=0, facility=syslog.LOG_AUTH)
def log(s):
    """Record *s* via syslog (AUTH facility, see openlog above) and echo it to stdout.

    The stdout copy makes a manual run of the script show its verdict.
    Callers must never pass secrets (PAM_AUTHTOK) through here.
    """
    syslog.syslog(s)
    sys.stdout.write('%s\n' % s)

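# PAM_USER is attacker-influenced (it is whatever name the client offered to
# sshd).  It is interpolated into an LDAP search filter below, so it is checked
# against a strict allow-list first: with only [A-Za-z0-9-] permitted, none of
# the filter metacharacters ( ) * \ NUL can reach the filter.
# Reject instead of sanitising: the original stripped newlines and then looked
# up the *modified* name, i.e. it could check a different account than the one
# authenticating.  \Z (not $) is used so a trailing newline cannot slip past.
# NOTE: the class also excludes legitimate '.' and '_'; widen it deliberately if
# such accounts exist -- the filter stays safe as long as the metacharacters
# above remain excluded (ldap.filter.escape_filter_chars is the belt-and-braces
# option if the class is ever relaxed).
user = os.getenv('PAM_USER', '')
if not re.match(r'^[a-zA-Z0-9\-]+\Z', user):
    log('PAM_USER is zero-length or contains invalid chars')
    sys.exit(1)

# root is exempt from the check (exit status 0 == this module succeeds).
# Presumably because root is a local, non-LDAP account and the lookup below
# would otherwise reject it -- keep in mind this bypass is by name only.
if user == 'root':
    sys.exit()

# The cleartext password is only available because of expose=1 in pam.d.
# Never log it.  An empty password is refused here because an LDAP simple
# bind with an empty credential is an *anonymous* bind and would "succeed".
passwd = os.getenv('PAM_AUTHTOK')
if not passwd:
    log('PAM_AUTHTOK is not set')
    sys.exit(1)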

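# --- LDAP checks --------------------------------------------------------------
# NOTE(review): a plain ldap:// URI sends the service secret and the user's
# cleartext password over the wire.  In production use ldaps:// here, or call
# conn.start_tls_s() right after initialize() with OPT_X_TLS_REQUIRE_CERT set.
# Left as in the original because the directory's TLS support is not known here.
LDAP_URI = 'ldap://ldap.XXX'
BASE_DN = 'dc=XXX'
SERVICE_DN = 'uid=ldapauth,dc=XXX'
SECRET_FILE = '/etc/pam_ldap.secret'   # must be root-only (0600): it is a bind password
# Oldest acceptable shadowLastChange, in days since 1970-01-01.
# 15127 is 2011-06-02: passwords last changed before that date are rejected.
MIN_LAST_CHANGE = 15127


def _reject(msg):
    """Log *msg* and fail the check (non-zero exit, which pam_script treats as denial)."""
    log(msg)
    sys.exit(1)


# ldap.open() is deprecated; initialize() takes a URI.
conn = ldap.initialize(LDAP_URI)

# Service bind.  The trailing newline is stripped from the secret: the original
# passed "secret\n", which is a different password.  The bind is synchronous
# (_s) so a failure raises here -- with the asynchronous simple_bind() a
# rejected bind was never examined, the connection silently stayed anonymous
# and the script carried on.
with open(SECRET_FILE) as f:
    secret = f.readline().rstrip('\n')
try:
    conn.simple_bind_s(SERVICE_DN, secret)
except ldap.LDAPError as e:
    _reject('service bind as %s failed: %s' % (SERVICE_DN, e))

# `user` is safe to interpolate: it was allow-listed to [A-Za-z0-9-] above,
# which contains no LDAP filter metacharacters.
res = conn.search_st(BASE_DN, ldap.SCOPE_SUBTREE,
                     filterstr='(&(uid=%s)(objectClass=posixAccount))' % user)
if len(res) != 1:
    _reject('ldap search returned more or less than 1 uids')
user_dn = res[0][0]   # the entry's DN, not the uid attribute

# Bind as the user.  This is what actually verifies the password (an empty
# password was refused earlier, so this cannot degrade into an anonymous
# bind) and provides the ACL context in which the entry's own shadow
# attributes are readable.  Synchronous for the same reason as above; the
# password itself is never logged.
try:
    conn.simple_bind_s(user_dn, passwd)
except ldap.INVALID_CREDENTIALS:
    _reject('user %s rejected, ldap bind failed' % user)
except ldap.LDAPError as e:
    _reject('ldap bind as %s failed: %s' % (user_dn, e))

res = conn.search_st(user_dn, ldap.SCOPE_BASE, attrlist=('shadowLastChange',))
if len(res) != 1 or res[0][0] != user_dn:
    _reject('internal error')

# A missing or empty attribute counts as "never changed" (0) and is therefore
# rejected: fail closed rather than wave through accounts with no shadow data.
# Any other LDAPError propagates as a traceback, which also exits non-zero.
values = res[0][1].get('shadowLastChange') or ['0']
try:
    last = int(values[0])
except ValueError:
    _reject('user %s rejected, unparsable shadowLastChange %r' % (user, values[0]))
conn.unbind_s()

if last < MIN_LAST_CHANGE:
    _reject('user %s rejected, password last changed %i' % (user, last))
sys.exit(0)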