summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2011-08-25 13:15:26 +0200
committerStephen Gallagher <sgallagh@redhat.com>2011-08-25 13:30:37 -0400
commit24a5dc6614f3bd834d1b82c19cca8d3adc6a7653 (patch)
treee9b28000f87a3603e36615181cb6b736fbfb3ca5 /src
parent690ae38fc14acac1e62cac52558eeb263404ceca (diff)
downloadsssd-24a5dc6614f3bd834d1b82c19cca8d3adc6a7653.tar.gz
sssd-24a5dc6614f3bd834d1b82c19cca8d3adc6a7653.tar.xz
sssd-24a5dc6614f3bd834d1b82c19cca8d3adc6a7653.zip
Improve password policy error code and message
Instead of returning PAM_SYSTEM_ERR if they necessary attributes for the requested password policy cannot be found we return PAM_PERM_DENIED. Additionally the log message says that the access is denied.
Diffstat (limited to 'src')
-rw-r--r--src/providers/ldap/ldap_auth.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index ad4549e7c..ef4477cf0 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -278,8 +278,9 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
}
} else {
DEBUG(1, ("No Kerberos password expiration attributes found, "
- "but MIT Kerberos password policy was requested.\n"));
- return EINVAL;
+ "but MIT Kerberos password policy was requested. "
+ "Access will be denied.\n"));
+ return EACCES;
}
} else if (strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) == 0) {
mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
@@ -321,8 +322,9 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
return EOK;
} else {
DEBUG(1, ("No shadow password attributes found, "
- "but shadow password policy was requested.\n"));
- return EINVAL;
+ "but shadow password policy was requested. "
+ "Access will be denied.\n"));
+ return EACCES;
}
}
@@ -661,6 +663,9 @@ int auth_recv(struct tevent_req *req,
if (err == ETIMEDOUT) {
*result = SDAP_UNAVAIL;
return EOK;
+ } else if (err == EACCES) {
+ *result = SDAP_AUTH_FAILED;
+ return EOK;
} else {
*result = SDAP_ERROR;
return err;