From 3a405096c50fa9e625f3626e42806950a6602ca8 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 14 Dec 2005 20:39:42 +0000
Subject: r12245: eDirectory returns LDAP_UNWILLING_TO_PERFORM if the account
 is disabled. If we get this we can't check the password so have to tell the
 client the account was disabled. Jeremy. (This used to be commit
 43c2d545ab98fef341c7e22d3b82c98bd0afebc2)

---
 source3/passdb/pdb_nds.c | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'source3/passdb')

diff --git a/source3/passdb/pdb_nds.c b/source3/passdb/pdb_nds.c
index c6d644827c..1ec9693223 100644
--- a/source3/passdb/pdb_nds.c
+++ b/source3/passdb/pdb_nds.c
@@ -824,6 +824,15 @@ static NTSTATUS pdb_nds_update_login_attempts(struct pdb_methods *methods,
 					case LDAP_INVALID_CREDENTIALS:
 						nt_status = NT_STATUS_WRONG_PASSWORD;
 						break;
+					case LDAP_UNWILLING_TO_PERFORM:
+						/* eDir returns this if the account was disabled. */
+						/* The problem is we don't know if the given
+						   password was correct for this account or
+						   not. We have to return more info than we
+						   should and tell the client NT_STATUS_ACCOUNT_DISABLED
+						   so they don't think the password was bad. JRA. */
+						nt_status = NT_STATUS_ACCOUNT_DISABLED;
+						break;
 					default:
 						break;
 				}
-- 
cgit