summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/providers/ldap/ldap_auth.c27
-rw-r--r--src/providers/ldap/sdap.h1
-rw-r--r--src/providers/ldap/sdap_async.c17
3 files changed, 29 insertions, 16 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 32c208dc9..8109e247d 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -899,7 +899,7 @@ static void sdap_pam_chpass_done(struct tevent_req *req)
ret = sdap_exop_modify_passwd_recv(req, state, &result, &user_error_message);
talloc_zfree(req);
- if (ret) {
+ if (ret && ret != EIO) {
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
@@ -909,19 +909,24 @@ static void sdap_pam_chpass_done(struct tevent_req *req)
state->pd->pam_status = PAM_SUCCESS;
dp_err = DP_ERR_OK;
break;
+ case SDAP_AUTH_PW_CONSTRAINT_VIOLATION:
+ state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;
+ break;
default:
state->pd->pam_status = PAM_AUTHTOK_ERR;
- if (user_error_message != NULL) {
- ret = pack_user_info_chpass_error(state->pd, user_error_message,
- &msg_len, &msg);
+ break;
+ }
+
+ if (state->pd->pam_status != PAM_SUCCESS && user_error_message != NULL) {
+ ret = pack_user_info_chpass_error(state->pd, user_error_message,
+ &msg_len, &msg);
+ if (ret != EOK) {
+ DEBUG(1, ("pack_user_info_chpass_error failed.\n"));
+ } else {
+ ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, msg_len,
+ msg);
if (ret != EOK) {
- DEBUG(1, ("pack_user_info_chpass_error failed.\n"));
- } else {
- ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, msg_len,
- msg);
- if (ret != EOK) {
- DEBUG(1, ("pam_add_response failed.\n"));
- }
+ DEBUG(1, ("pam_add_response failed.\n"));
}
}
}
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index ed24e756d..becb50fa1 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -151,6 +151,7 @@ enum sdap_result {
SDAP_AUTH_SUCCESS,
SDAP_AUTH_FAILED,
SDAP_AUTH_PW_EXPIRED,
+ SDAP_AUTH_PW_CONSTRAINT_VIOLATION,
SDAP_ACCT_EXPIRED
};
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index e183855a2..3b2849876 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -615,15 +615,22 @@ int sdap_exop_modify_passwd_recv(struct tevent_req *req,
struct sdap_exop_modify_passwd_state *state = tevent_req_data(req,
struct sdap_exop_modify_passwd_state);
- *result = SDAP_ERROR;
*user_error_message = talloc_steal(mem_ctx, state->user_error_message);
- TEVENT_REQ_RETURN_ON_ERROR(req);
-
- if (state->result == LDAP_SUCCESS) {
- *result = SDAP_SUCCESS;
+ switch (state->result) {
+ case LDAP_SUCCESS:
+ *result = SDAP_SUCCESS;
+ break;
+ case LDAP_CONSTRAINT_VIOLATION:
+ *result = SDAP_AUTH_PW_CONSTRAINT_VIOLATION;
+ break;
+ default:
+ *result = SDAP_ERROR;
+ break;
}
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
return EOK;
}