From 606b7b6a45f6e2014119d0716774323f30862e0c Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 2 Aug 2019 12:07:07 -0400
Subject: [PATCH] Issue 50529 -  LDAP server returning PWP controls in
 different sequence

Description:  The server returns password policy controls in different orders
              depending on the state of grace logins.  The requested control,
              if any, should be returned first, followed by any controls the
              server might add.

relates: https://pagure.io/389-ds-base/issue/50529

Reviewed by: mreynolds (one line commit rule)
---
 ldap/servers/slapd/pw_mgmt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
index befac50cd..ca76fc12f 100644
--- a/ldap/servers/slapd/pw_mgmt.c
+++ b/ldap/servers/slapd/pw_mgmt.c
@@ -207,10 +207,10 @@ skip:
 
         /* password expired and user exceeded limit of grace attemps.
          * Send result and also the control */
-        slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
         if (pwresponse_req) {
             slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED);
         }
+        slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
         slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL,
                                "password expired!", 0, NULL);
 
-- 
2.21.0