From 1ef0ec98b6c91471454647e5f613d26fa015c619 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 11 Mar 2010 14:26:56 -0600
Subject: Bug 470684 - Pam_passthru plugin doesn't verify account activation

https://bugzilla.redhat.com/show_bug.cgi?id=470684
Resolves: bug 470684
Bug Description: Pam passthrough doesn't verify account activation
Reviewed by: rmeggins
Branch: HEAD
Fix Description: The check_account_lock() has been renamed to
slapi_check_account_lock() and moved into libslapd.so so any plugins
can use it. The account_inactivation_only parameter has been replaced
by check_password_policy. A new parameter send_result has been added
to determine whether to send LDAP results.

The pam_passthru plugin has been modified to use this function to
check account activation when the pamIDMapMethod is set to ENTRY.
The plugin will not check password policy.
---
 ldap/servers/slapd/daemon.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'ldap/servers/slapd/daemon.c')

diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index 0db7f136..672a9a4d 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -1922,11 +1922,12 @@ slapd_bind_local_user(Connection *conn)
 				if(entries[0] && 0 == entries[1])
 				{
 					/* observe account locking */
-					ret = check_account_lock(
+					ret = slapi_check_account_lock(
 						0,  /* pb not req */
 						entries[0],
 						0, /* no response control */
-						1  /* inactivation only */
+						0, /* don't check password policy */
+						0  /* don't send ldap result */
 						);
 
 					if(0 == ret)
@@ -1981,11 +1982,12 @@ entry_map_free:
 
 				if(0 == ret && e)
 				{
-					ret = check_account_lock(
+					ret = slapi_check_account_lock(
 						0, /* pb not req */
 						e,
 						0, /* no response control */
-						1  /* inactivation only */
+						0, /* don't check password policy */
+						0  /* don't send ldap result */
 						);
 
 					if(1 == ret)
-- 
cgit