From e45d35b6da24c10137330fccecf681ddf32a628e Mon Sep 17 00:00:00 2001
From: Mathieu Baeumler <mathieu.baeumler@gmail.com>
Date: Thu, 9 Jul 2015 08:59:19 +0200
Subject: [PATCH 19/23] Fix password policy expiration warnings

If a password expiration warning (pwdExpireWarning) is set in slapd, and
the password is about to expire, slapd sends the timeBeforeExpiration
value as part of the passwordPolicyResponse.

nslcd would incorrectly instruct the PAM module to require immediate
password change. This has been fixed for both timeBeforeExpiration and
graceLoginsRemaining.

(cherry picked from commit 4302901a2708d55b24880b77437e3d782b0de1cb)
---
 nslcd/myldap.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index e33296f..9a24a27 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -466,7 +466,7 @@ static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPContr
             ((session->policy_response == NSLCD_PAM_SUCCESS) ||
              (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)))
         {
-          session->policy_response = NSLCD_PAM_AUTHTOK_EXPIRED;
+          session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
           mysnprintf(session->policy_message, sizeof(session->policy_message),
                      "%s", ldap_passwordpolicy_err2txt(error));
         }
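Review bot: The switch from `NSLCD_PAM_AUTHTOK_EXPIRED` to `NSLCD_PAM_NEW_AUTHTOK_REQD` in this branch is not explained by the commit message, which only mentions timeBeforeExpiration and graceLoginsRemaining, and the policy error that selects the branch sits above the hunk. Because this relaxes what the PAM module is told, from an expired token to a required change, it is worth confirming that a genuinely expired password is still mapped to `NSLCD_PAM_AUTHTOK_EXPIRED` by another branch of handle_ppasswd_controls. A comment on the assignment would record the intent, for example `/* change required, password not expired: let PAM prompt for a new one */`, with the wording checked against the actual error case.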
@@ -497,14 +497,12 @@ static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPContr
                  ((session->policy_response == NSLCD_PAM_SUCCESS) ||
                   (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)))
         {
-          session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
           mysnprintf(session->policy_message, sizeof(session->policy_message),
                      "Password will expire in %d seconds", expire);
         }
         else if ((grace >= 0) &&
                  (session->policy_response == NSLCD_PAM_SUCCESS))
         {
-          session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
           mysnprintf(session->policy_message, sizeof(session->policy_message),
                      "Password expired, %d grace logins left", grace);
         }
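Review bot: The branch that writes "Password will expire in %d seconds" still accepts `session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD`, and now that it no longer sets the response, the only effect of that alternative is to overwrite `policy_message`. If an earlier branch put the session in the required-change state, the user would then be forced to change the password while seeing only an expiry warning. Consider narrowing the guard to `(session->policy_response == NSLCD_PAM_SUCCESS)`, as the grace-login branch already does. Both branches would also benefit from a comment such as `/* warning only: policy_response is deliberately left unchanged */` so the assignment is not reintroduced later. The first half of the guard and the rest of the function are outside the hunk, so this is inferred from the visible lines only.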
-- 
2.20.1