From 658e2757fa9559f5dff6d475ae50496429e3d89f Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Mon, 15 Jul 2013 13:44:31 +0200
Subject: print hint about password complexity when new password is rejected

https://fedorahosted.org/sssd/ticket/1827
---
 src/providers/krb5/krb5_child.c |  8 +++++++-
 src/providers/ldap/sdap_async.c | 16 +++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 73575b88b..e4dc49327 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1185,7 +1185,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
             }
         }
 
-        if (result_string.length > 0) {
+        if (result_string.length > 0 && result_string.data[0] != '\0') {
             DEBUG(1, ("krb5_change_password failed [%d][%.*s].\n", result_code,
                       result_string.length, result_string.data));
             talloc_free(user_error_message);
@@ -1194,6 +1194,12 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
             if (user_error_message == NULL) {
                 DEBUG(1, ("talloc_strndup failed.\n"));
             }
+        } else if (result_code == KRB5_KPASSWD_SOFTERROR) {
+            user_error_message = talloc_strdup(kr->pd, "Please make sure the "
+                                 "password meets the complexity constraints.");
+            if (user_error_message == NULL) {
+                DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strndup failed.\n"));
+            }
         }
 
         if (user_error_message != NULL) {
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 73b2b64af..32763d2e6 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -641,7 +641,21 @@ static void sdap_exop_modify_passwd_done(struct sdap_op *op,
     DEBUG(3, ("ldap_extended_operation result: %s(%d), %s\n",
             sss_ldap_err2string(state->result), state->result, errmsg));
 
-    if (state->result != LDAP_SUCCESS) {
+    switch (state->result) {
+    case LDAP_SUCCESS:
+        ret = EOK;
+        break;
+    case LDAP_CONSTRAINT_VIOLATION:
+        state->user_error_message = talloc_strdup(state,
+            "Please make sure the password meets the complexity constraints.");
+        if (state->user_error_message == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strdup failed\n"));
+            ret = ENOMEM;
+            goto done;
+        }
+        ret = EIO;
+        goto done;
+    default:
         if (errmsg) {
             state->user_error_message = talloc_strdup(state, errmsg);
             if (state->user_error_message == NULL) {
-- 
cgit