authorRalf Haferkamp <rhafer@suse.de>2010-03-12 15:06:44 +0100
committerStephen Gallagher <sgallagh@redhat.com>2010-03-15 08:15:28 -0400
commit71c4f9723d2f7ffd8450f4ec28d39dda1e3e42a3 (patch)
treed9671c5872489d739a034abb3e5e7bf4cc5a981c
parent066d9dd078fdd341318d8c8118d845c8c48253b8 (diff)
Fixed check for expired passwords
When the user's password is expired it might also be indicated by the bind operation returning "INVALID_CREDENTIALS" with the ppolicy control's errorcode set to "PP_passwordExpired".
-rw-r--r--src/providers/ldap/sdap_async_connection.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 18e47d3b7..fe8a50182 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -421,8 +421,10 @@ static void simple_bind_done(struct sdap_op *op,
"error [%s].\n", pp_expire, pp_grace,
ldap_passwordpolicy_err2txt(pp_error)));
- if (state->result == LDAP_SUCCESS &&
- (pp_error == PP_changeAfterReset || pp_grace > 0)) {
+ if ((state->result == LDAP_SUCCESS &&
+ (pp_error == PP_changeAfterReset || pp_grace > 0)) ||
+ (state->result == LDAP_INVALID_CREDENTIALS &&
+ pp_error == PP_passwordExpired ) ) {
DEBUG(4, ("User must set a new password.\n"));
state->result = LDAP_X_SSSD_PASSWORD_EXPIRED;
}
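Review bot: The added `LDAP_INVALID_CREDENTIALS` arm of the condition gives a bind that failed the same `LDAP_X_SSSD_PASSWORD_EXPIRED` result as a bind that succeeded with `PP_changeAfterReset` or grace logins left, so code that consumes `state->result` can no longer tell whether the connection is authenticated. Whether the callers verify the old password again before offering a password change is not visible here, so I would record the distinction at the assignment, e.g. `/* May follow a failed bind: the connection is not authenticated, callers must re-verify the old password. */`. It is also worth confirming that `pp_error` is set to a no-error value before the response controls are parsed; if it could hold a stale value when the server sends no ppolicy control, an ordinary wrong password would be reported as an expired one. `simple_bind_done` starts and ends outside this hunk, so both points need checking against the full function.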