From 37449e509f4a4253bacea57adf6c1d860eaaf1bb Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 2 Aug 2019 12:07:07 -0400
Subject: [PATCH] Issue 50529 -  LDAP server returning PWP controls in
 different sequence

Description:  The server returns password policy controls in different orders
              depending on the state of grace logins.  The requested control,
              if any, should be returned first, followed by any controls the
              server might add.

relates: https://pagure.io/389-ds-base/issue/50529

Reviewed by: mreynolds (one line commit rule)
---
 ldap/servers/slapd/pw_mgmt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
index befac50cd..ca76fc12f 100644
--- a/ldap/servers/slapd/pw_mgmt.c
+++ b/ldap/servers/slapd/pw_mgmt.c
@@ -207,10 +207,10 @@ skip:
 
         /* password expired and user exceeded limit of grace attemps.
          * Send result and also the control */
-        slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
         if (pwresponse_req) {
             slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED);
         }
+        slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
         slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL,
                                "password expired!", 0, NULL);
 
-- 
2.21.1