From 820d9053e6cf192a08dea9285429e3165a6b39a0 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 6 Sep 2011 10:55:15 +0200
Subject: Improve error message for LDAP password constraint violation
https://fedorahosted.org/sssd/ticket/985
---
 src/providers/ldap/ldap_auth.c | 27 ++++++++++++++++-----------
 src/providers/ldap/sdap.h | 1 +
 src/providers/ldap/sdap_async.c | 17 ++++++++++++-----
 3 files changed, 29 insertions(+), 16 deletions(-)
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 32c208dc9..8109e247d 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -899,7 +899,7 @@ static void sdap_pam_chpass_done(struct tevent_req *req)
 ret = sdap_exop_modify_passwd_recv(req, state, &result, &user_error_message);
 talloc_zfree(req);
- if (ret) {
+ if (ret && ret != EIO) {
 state->pd->pam_status = PAM_SYSTEM_ERR;
 goto done;
 }
@@ -909,19 +909,24 @@ static void sdap_pam_chpass_done(struct tevent_req *req)
 state->pd->pam_status = PAM_SUCCESS;
 dp_err = DP_ERR_OK;
 break;
+ case SDAP_AUTH_PW_CONSTRAINT_VIOLATION:
+ state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;
+ break;
 default:
 state->pd->pam_status = PAM_AUTHTOK_ERR;
- if (user_error_message != NULL) {
- ret = pack_user_info_chpass_error(state->pd, user_error_message,
- &msg_len, &msg);
+ break;
+ }
+
+ if (state->pd->pam_status != PAM_SUCCESS && user_error_message != NULL) {
+ ret = pack_user_info_chpass_error(state->pd, user_error_message,
+ &msg_len, &msg);
+ if (ret != EOK) {
+ DEBUG(1, ("pack_user_info_chpass_error failed.\n"));
+ } else {
+ ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, msg_len,
+ msg);
 if (ret != EOK) {
- DEBUG(1, ("pack_user_info_chpass_error failed.\n"));
- } else {
- ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, msg_len,
- msg);
- if (ret != EOK) {
- DEBUG(1, ("pam_add_response failed.\n"));
- }
+ DEBUG(1, ("pam_add_response failed.\n"));
 }
 }
 }
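Review bot: With `ret != EIO` exempted in the first hunk, an EIO return now reaches the `switch` on `result`, so the PAM status depends on whatever sdap_exop_modify_passwd_recv stored in `result` before it returned the error. In the sdap_async.c hunk of this commit that value is derived from `state->result` ahead of `TEVENT_REQ_RETURN_ON_ERROR`, and `LDAP_SUCCESS` is 0; if a request can fail with EIO before `state->result` is assigned (not visible here), the branch that sets `PAM_SUCCESS` and `DP_ERR_OK` would run for a password change that never completed. Tightening the guard to `if (ret != EOK && (ret != EIO || result == SDAP_SUCCESS)) {` keeps the improved error reporting and rules that combination out. The body of sdap_pam_chpass_done starts and ends outside this hunk.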
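Review bot: The block moved below the `switch` in the second hunk now forwards `user_error_message` to the PAM client for every status other than `PAM_SUCCESS`, and that string appears to originate from the LDAP server's reply (it is handed over by sdap_exop_modify_passwd_recv). Nothing in this hunk limits its length or strips control characters before `pam_add_response`; whether `pack_user_info_chpass_error` does so is not visible here. If it does not, the text should be filtered before packing, and either way the expectation is worth recording with a comment such as `/* user_error_message is server-supplied text; treat it as untrusted */`. A short comment on the new case would also help readers, e.g. `/* server rejected the new password by policy */`.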
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index ed24e756d..becb50fa1 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -151,6 +151,7 @@ enum sdap_result {
 SDAP_AUTH_SUCCESS,
 SDAP_AUTH_FAILED,
 SDAP_AUTH_PW_EXPIRED,
+ SDAP_AUTH_PW_CONSTRAINT_VIOLATION,
 SDAP_ACCT_EXPIRED
 };
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index e183855a2..3b2849876 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -615,15 +615,22 @@ int sdap_exop_modify_passwd_recv(struct tevent_req *req,
 struct sdap_exop_modify_passwd_state *state = tevent_req_data(req, struct sdap_exop_modify_passwd_state);
- *result = SDAP_ERROR;
 *user_error_message = talloc_steal(mem_ctx, state->user_error_message);
- TEVENT_REQ_RETURN_ON_ERROR(req);
-
- if (state->result == LDAP_SUCCESS) {
- *result = SDAP_SUCCESS;
+ switch (state->result) {
+ case LDAP_SUCCESS:
+ *result = SDAP_SUCCESS;
+ break;
+ case LDAP_CONSTRAINT_VIOLATION:
+ *result = SDAP_AUTH_PW_CONSTRAINT_VIOLATION;
+ break;
+ default:
+ *result = SDAP_ERROR;
+ break;
 }
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
 return EOK;
 }
-- cgit
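Review bot: In the sdap_async.c hunk, sdap_exop_modify_passwd_recv now fills `*result` before `TEVENT_REQ_RETURN_ON_ERROR(req)`, so the out-parameter carries meaning even when the function returns an error, and that contract is not documented anywhere in the hunk. Callers that stop at a non-zero return will never see the new `SDAP_AUTH_PW_CONSTRAINT_VIOLATION` value, and callers that read `*result` must not trust it without also checking the return code. A comment above the `switch` would make this explicit: `/* *result is set even on error return; callers inspect it when ret == EIO */`. The function's signature and opening lines are outside the hunk.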