authorSumit Bose <sbose@redhat.com>2011-08-25 13:15:26 +0200
committerStephen Gallagher <sgallagh@redhat.com>2011-08-29 08:15:27 -0400
commitb9450e576d42e8b46d806c5e918f896e889f8361 (patch)
tree1d05fb19f9e6f4c68359c4035a30ae34524d5e29
parent16d81cc8a7f3c5fbb3b64f3d1fa47aff194882eb (diff)
Improve password policy error code and message
Instead of returning PAM_SYSTEM_ERR if the necessary attributes for the requested password policy cannot be found, we return PAM_PERM_DENIED. Additionally, the log message says that access is denied.
-rw-r--r--src/providers/ldap/ldap_auth.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 6970d7f69..32c208dc9 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -273,8 +273,9 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
}
} else {
DEBUG(1, ("No Kerberos password expiration attributes found, "
- "but MIT Kerberos password policy was requested.\n"));
- return EINVAL;
+ "but MIT Kerberos password policy was requested. "
+ "Access will be denied.\n"));
+ return EACCES;
}
} else if (strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) == 0) {
mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
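Review bot: The new `return EACCES;` gives a missing-policy-attribute condition the meaning "deny the user", but nothing at the return site records that callers are expected to translate this generic errno into an authentication failure rather than a system error; the shadow branch in the second hunk has the same gap. A short comment above each return, e.g. `/* EACCES: policy attributes missing; callers treat this as access denied, not a system error */`, would keep the next reader from "fixing" it back to EINVAL. find_password_expiration_attributes starts before the hunk, so its header comment (if any) should also mention the EACCES return.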
@@ -316,8 +317,9 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
return EOK;
} else {
DEBUG(1, ("No shadow password attributes found, "
- "but shadow password policy was requested.\n"));
- return EINVAL;
+ "but shadow password policy was requested. "
+ "Access will be denied.\n"));
+ return EACCES;
}
}
@@ -656,6 +658,9 @@ int auth_recv(struct tevent_req *req,
if (err == ETIMEDOUT) {
*result = SDAP_UNAVAIL;
return EOK;
+ } else if (err == EACCES) {
+ *result = SDAP_AUTH_FAILED;
+ return EOK;
} else {
*result = SDAP_ERROR;
return err;
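Review bot: The added `else if (err == EACCES)` branch classifies every EACCES that reaches auth_recv as a credential failure, but EACCES is a generic errno that other steps of the request chain may also surface (a permission problem on a local resource, for instance), and those would then be reported as a denied login and logged as a failed authentication instead of as a system error. If only the password-policy check in find_password_expiration_attributes is meant to take this path, a distinct error value or result set by the sender would make the mapping unambiguous; otherwise a comment stating the assumption, such as `/* assumes EACCES here comes only from the password-policy attribute check */`, is the minimum. auth_recv starts outside the hunk, so I cannot tell from here which other paths can yield EACCES.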