From 5f92a563ea89f4fb82401168cf65fff4b85124cc Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Fri, 12 Mar 2010 15:06:44 +0100
Subject: Fixed check for expired passwords

When the user's password is expired it might also be indicated by the bind operation returning "INVALID_CREDENTIALS" with the ppolicy control's errorcode set to "PP_passwordExpired".
---
 src/providers/ldap/sdap_async_connection.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 18e47d3b7..fe8a50182 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -421,8 +421,10 @@ static void simple_bind_done(struct sdap_op *op,
 "error [%s].\n", pp_expire, pp_grace, ldap_passwordpolicy_err2txt(pp_error)));
- if (state->result == LDAP_SUCCESS &&
- (pp_error == PP_changeAfterReset || pp_grace > 0)) {
+ if ((state->result == LDAP_SUCCESS &&
+ (pp_error == PP_changeAfterReset || pp_grace > 0)) ||
+ (state->result == LDAP_INVALID_CREDENTIALS &&
+ pp_error == PP_passwordExpired ) ) {
 DEBUG(4, ("User must set a new password.\n"));
 state->result = LDAP_X_SSSD_PASSWORD_EXPIRED;
 }
-- cgit
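Review bot: The new `LDAP_INVALID_CREDENTIALS` / `PP_passwordExpired` arm gives a failed bind the same `LDAP_X_SSSD_PASSWORD_EXPIRED` result that the first arm produces after a successful bind, so code reading `state->result` can no longer tell whether the connection is authenticated. The result is also now driven by a server-supplied control on a failed bind, so any caller that treats this code as "password verified, change required" should be re-checked; the callers and the rest of `simple_bind_done` are outside this hunk. I would at least document this above the condition, e.g. `/* second arm: the bind FAILED; the connection is not authenticated and the password was not verified by us */`. Giving that arm its own message, such as `DEBUG(4, ("Bind rejected: password expired, no grace logins left.\n"));`, would keep the two states distinguishable in logs. The spacing in `PP_passwordExpired ) ) {` also differs from the surrounding style.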