From e45d35b6da24c10137330fccecf681ddf32a628e Mon Sep 17 00:00:00 2001
From: Mathieu Baeumler
Date: Thu, 9 Jul 2015 08:59:19 +0200
Subject: [PATCH 19/23] Fix password policy expiration warnings

If a password expiration warning (pwdExpireWarning) is set in slapd, and the password is about to expire, slapd sends the timeBeforeExpiration value as part of the passwordPolicyResponse. nslcd would incorrectly instruct the PAM module to require immediate password change. This has been fixed for both timeBeforeExpiration and graceLoginsRemaining.

(cherry picked from commit 4302901a2708d55b24880b77437e3d782b0de1cb)
---
 nslcd/myldap.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index e33296f..9a24a27 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -466,7 +466,7 @@ static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPContr
 ((session->policy_response == NSLCD_PAM_SUCCESS) ||
 (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)))
 {
- session->policy_response = NSLCD_PAM_AUTHTOK_EXPIRED;
+ session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
 mysnprintf(session->policy_message, sizeof(session->policy_message),
 "%s", ldap_passwordpolicy_err2txt(error));
 }
@@ -497,14 +497,12 @@ static void handle_ppasswd_controls(MYLDAP_SESSION *session, LDAP *ld, LDAPContr
 ((session->policy_response == NSLCD_PAM_SUCCESS) ||
 (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)))
 {
- session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
 mysnprintf(session->policy_message, sizeof(session->policy_message),
 "Password will expire in %d seconds", expire);
 }
 else if ((grace >= 0) &&
 (session->policy_response == NSLCD_PAM_SUCCESS))
 {
- session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
 mysnprintf(session->policy_message, sizeof(session->policy_message),
 "Password expired, %d grace logins left", grace);
 }
--
2.20.1
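Review bot: The first changed line now reports NSLCD_PAM_NEW_AUTHTOK_REQD for every case that reaches this branch, and the commit message, which only describes the timeBeforeExpiration and graceLoginsRemaining warnings, does not mention it. The start of the condition is outside the hunk, but the message text comes from `ldap_passwordpolicy_err2txt(error)`, so the branch appears to handle policy errors in general. If an error such as PP_accountLocked can arrive here, the user would be offered a password change where a denial is expected, so it is worth confirming which error values reach this assignment. Consider mapping only the change-required errors to this code, or record the intent with a comment such as `/* every policy error reaching here is reported as "password change required" */`.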
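Review bot: With both assignments removed in the second hunk, the two warning branches only fill `policy_message` and leave `policy_response` as it was, so the warning reaches the user only if the consumer displays the message alongside a success code; that path is outside this diff and should be confirmed. The first branch still accepts NSLCD_PAM_NEW_AUTHTOK_REQD in its guard, so "Password will expire in %d seconds" can replace a message set earlier for a required change while the response still demands one. A comment in each branch would record the intent, for example `/* warning only: leave policy_response untouched so PAM does not force a change */`. The function's body starts and ends outside the hunk.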