authorJakub Hrozek <jhrozek@redhat.com>2011-09-06 10:55:15 +0200
committerStephen Gallagher <sgallagh@redhat.com>2011-09-06 14:52:23 -0400
commit14765d35f9440e3ca4fe771f162daf5c066ddd87 (patch)
treed1f41f81268b47857692938cbc81f6e68aa20900
parent52059070ca9c2d7a28df2620e915e2164bfd89a1 (diff)
Improve error message for LDAP password constraint violation
https://fedorahosted.org/sssd/ticket/985
-rw-r--r--src/providers/ldap/ldap_auth.c27
-rw-r--r--src/providers/ldap/sdap.h1
-rw-r--r--src/providers/ldap/sdap_async.c17
3 files changed, 29 insertions, 16 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 43492607..f01c23d6 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -904,7 +904,7 @@ static void sdap_pam_chpass_done(struct tevent_req *req)
ret = sdap_exop_modify_passwd_recv(req, state, &result, &user_error_message);
talloc_zfree(req);
- if (ret) {
+ if (ret && ret != EIO) {
state->pd->pam_status = PAM_SYSTEM_ERR;
goto done;
}
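Review bot: The relaxed check `if (ret && ret != EIO)` lets every EIO fall through to the `switch` on `result`, not only the constraint-violation case it was added for. In the sdap_async.c hunk the recv function now derives `*result` from `state->result` before `TEVENT_REQ_RETURN_ON_ERROR(req)`, so if the request failed with EIO before a server result code was stored and `state->result` still holds zero (which I would expect to equal `LDAP_SUCCESS`; the initialisation is not visible here), the caller would reach the branch that sets `PAM_SUCCESS` for a password change that never completed. Rejecting that combination keeps the new behaviour for real server answers: `if (ret && (ret != EIO || result == SDAP_SUCCESS)) {`. sdap_pam_chpass_done starts and ends outside this hunk, so the case label of the success branch is inferred.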
@@ -914,19 +914,24 @@ static void sdap_pam_chpass_done(struct tevent_req *req)
state->pd->pam_status = PAM_SUCCESS;
dp_err = DP_ERR_OK;
break;
+ case SDAP_AUTH_PW_CONSTRAINT_VIOLATION:
+ state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;
+ break;
default:
state->pd->pam_status = PAM_AUTHTOK_ERR;
- if (user_error_message != NULL) {
- ret = pack_user_info_chpass_error(state->pd, user_error_message,
- &msg_len, &msg);
+ break;
+ }
+
+ if (state->pd->pam_status != PAM_SUCCESS && user_error_message != NULL) {
+ ret = pack_user_info_chpass_error(state->pd, user_error_message,
+ &msg_len, &msg);
+ if (ret != EOK) {
+ DEBUG(1, ("pack_user_info_chpass_error failed.\n"));
+ } else {
+ ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, msg_len,
+ msg);
if (ret != EOK) {
- DEBUG(1, ("pack_user_info_chpass_error failed.\n"));
- } else {
- ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, msg_len,
- msg);
- if (ret != EOK) {
- DEBUG(1, ("pam_add_response failed.\n"));
- }
+ DEBUG(1, ("pam_add_response failed.\n"));
}
}
}
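Review bot: The new `case SDAP_AUTH_PW_CONSTRAINT_VIOLATION` maps to `PAM_NEW_AUTHTOK_REQD` without saying why, and that status normally signals that a new token is required rather than that a proposed one was rejected. A short comment would help the next reader, e.g. `/* server refused the new password on policy grounds; reported separately from a generic PAM_AUTHTOK_ERR */`. The relocated block also now forwards `user_error_message` for every non-success status; since that text appears to originate from the LDAP server, a one-line comment such as `/* server-supplied text, passed to the user as-is */` would make the trust boundary visible. The function continues outside the hunk.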
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 49ddbe98..44b2eab1 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -141,6 +141,7 @@ enum sdap_result {
SDAP_AUTH_SUCCESS,
SDAP_AUTH_FAILED,
SDAP_AUTH_PW_EXPIRED,
+ SDAP_AUTH_PW_CONSTRAINT_VIOLATION,
SDAP_ACCT_EXPIRED
};
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 325edd6a..a45adbed 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -615,15 +615,22 @@ int sdap_exop_modify_passwd_recv(struct tevent_req *req,
struct sdap_exop_modify_passwd_state *state = tevent_req_data(req,
struct sdap_exop_modify_passwd_state);
- *result = SDAP_ERROR;
*user_error_message = talloc_steal(mem_ctx, state->user_error_message);
- TEVENT_REQ_RETURN_ON_ERROR(req);
-
- if (state->result == LDAP_SUCCESS) {
- *result = SDAP_SUCCESS;
+ switch (state->result) {
+ case LDAP_SUCCESS:
+ *result = SDAP_SUCCESS;
+ break;
+ case LDAP_CONSTRAINT_VIOLATION:
+ *result = SDAP_AUTH_PW_CONSTRAINT_VIOLATION;
+ break;
+ default:
+ *result = SDAP_ERROR;
+ break;
}
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
return EOK;
}
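Review bot: The contract of sdap_exop_modify_passwd_recv is left undocumented after this reordering: `*result` is now assigned before `TEVENT_REQ_RETURN_ON_ERROR(req)`, so it is meaningful even when the function returns an error, which is unusual for a _recv function. A comment above the switch would make that explicit: `/* set *result before the error check: callers inspect it when the request failed */`. It would also be worth stating there that the mapping is only trustworthy once the reply handler has written `state->result`. The function's signature starts outside the hunk.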