From e5a7c13c7aa70ebe59764761020fc509dd0ec33a Mon Sep 17 00:00:00 2001
From: Arthur de Jong
Date: Sun, 4 May 2014 23:16:03 +0200
Subject: [PATCH 18/23] Also extract policy controls on BIND failure
This ensures that controls returned by an LDAP server as part of a failed BIND operation are also returned. This makes it possible to distinguish between a wrong password and an expired password. This also only logs the BIND operation result on DEBUG level (the error is logged later on).
(cherry picked from commit ca36a50143eb38c9040c2567172b9bfb9dba1838)
---
 nslcd/myldap.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index 9f6b4b0..e33296f 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -565,7 +565,7 @@ static int do_ppolicy_bind(MYLDAP_SESSION *session, LDAP *ld, const char *uri)
 ldap_msgfree(result);
 return LDAP_TIMEOUT;
 }
- /* parse the result from the bind operation (frees result, get controls) */
+ /* parse the result from the bind operation (frees result, gets controls) */
 responsectrls = NULL;
 parserc = ldap_parse_result(ld, result, &rc, NULL, NULL, NULL, &responsectrls, 1);
 if (parserc != LDAP_SUCCESS)
@@ -575,20 +575,19 @@ static int do_ppolicy_bind(MYLDAP_SESSION *session, LDAP *ld, const char *uri)
 ldap_controls_free(responsectrls);
 return parserc;
 }
- if (rc != LDAP_SUCCESS)
- {
- myldap_err(LOG_ERR, ld, rc, "ldap_parse_result() failed");
- if (responsectrls != NULL)
- ldap_controls_free(responsectrls);
- return rc;
- }
- /* check the returned controls */
+ /* handle any returned controls */
 if (responsectrls != NULL)
 {
 handle_ppasswd_controls(session, ld, responsectrls);
- /* free controls */
 ldap_controls_free(responsectrls);
 }
+ /* return the result of the BIND operation */
+ if (rc != LDAP_SUCCESS)
+ {
+ myldap_err(LOG_DEBUG, ld, rc, "ldap_parse_result() result");
+ return rc;
+ }
+ /* check the returned controls */
 return LDAP_SUCCESS;
 }
 #endif /* no SASL, so no ppolicy */
--
2.20.1
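Review bot: The added `/* check the returned controls */` directly above `return LDAP_SUCCESS;` is a leftover of the comment removed further up and should be dropped, because by that point the controls have already been handled and freed. The new debug message `"ldap_parse_result() result"` prints rc, which is the server's BIND result and not a parse failure (parserc is handled earlier), so wording such as `"BIND operation result"` would be clearer when triaging authentication failures. Because handle_ppasswd_controls() now also runs for a failed BIND, I would add a comment above that call along the lines of `/* controls are server-supplied and may accompany a failed BIND; rc alone decides success */`. The body of handle_ppasswd_controls() is not in this hunk, so whether it tolerates unexpected control contents, or leaves policy state from a failed attempt on the session, cannot be confirmed here. do_ppolicy_bind() begins outside the hunk.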