From c820e6db26426c9f74a0e8f8ff9d9cf79d57406a Mon Sep 17 00:00:00 2001
From: Pavel Reichl
Date: Tue, 10 Feb 2015 18:21:14 -0500
Subject: SDAP: log expired accounts at lower severity level
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Attempts to log into expired accounts were logged as SSSDBG_CRIT_FAILURE which is misleading as no real failures were happening.
Reviewed-by: Lukáš Slebodník
---
src/providers/ldap/sdap_access.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
(limited to 'src/providers')
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index a6c882cae..52ea50ae2 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -668,26 +668,38 @@ static errno_t sdap_account_expired(struct sdap_access_ctx *access_ctx, } else { if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_SHADOW) == 0) { ret = sdap_account_expired_shadow(pd, user_entry); - if (ret != EOK) { + if (ret == ERR_ACCOUNT_EXPIRED) { + DEBUG(SSSDBG_TRACE_FUNC, + "sdap_account_expired_shadow: %s.\n", sss_strerror(ret)); + } else if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "sdap_account_expired_shadow failed.\n"); } } else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_AD) == 0) { ret = sdap_account_expired_ad(pd, user_entry); - if (ret != EOK) { + if (ret == ERR_ACCOUNT_EXPIRED || ret == ERR_ACCESS_DENIED) { + DEBUG(SSSDBG_TRACE_FUNC, + "sdap_account_expired_ad: %s.\n", sss_strerror(ret)); + } else if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "sdap_account_expired_ad failed.\n"); } } else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_RHDS) == 0 || strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_IPA) == 0 || strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_389DS) == 0) { ret = sdap_account_expired_rhds(pd, user_entry); - if (ret != EOK) { + if (ret == ERR_ACCESS_DENIED) { + DEBUG(SSSDBG_TRACE_FUNC, + "sdap_account_expired_rhds: %s.\n", sss_strerror(ret)); + } else if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "sdap_account_expired_rhds failed.\n"); } } else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_NDS) == 0) { ret = sdap_account_expired_nds(pd, user_entry); - if (ret != EOK) { + if (ret == ERR_ACCESS_DENIED) { + DEBUG(SSSDBG_TRACE_FUNC, + "sdap_account_expired_nds: %s.\n", sss_strerror(ret)); + } else if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "sdap_account_expired_nds failed.\n"); } -- cgit
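Review bot: The new SSSDBG_TRACE_FUNC messages in all four branches print only the helper name and `sss_strerror(ret)`, so a denial for an expired or access-denied account cannot be tied to a user from this log line, and at trace level it will usually not be recorded at all unless the helpers or the PAM responder log it elsewhere (not visible in this hunk). Consider naming the account, e.g. `"sdap_account_expired_shadow: %s for user [%s].\n", sss_strerror(ret), pd->user` (assuming `pd->user` carries the login name here). The set of codes treated as expected also differs per branch (`ERR_ACCOUNT_EXPIRED` for shadow, both codes for AD, only `ERR_ACCESS_DENIED` for RHDS/IPA/389DS and NDS); if a helper ever returns the other code it is still reported as SSSDBG_CRIT_FAILURE, so a short comment stating each helper's return contract would keep the branches from drifting. The unchanged CRIT_FAILURE messages still omit `ret`, which is the branch where the error string is most useful for triage. sdap_account_expired begins and ends outside this hunk.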