diff options
author | Sumit Bose <sbose@redhat.com> | 2010-02-22 09:10:32 +0100 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-02-23 16:16:24 -0500 |
commit | 7343ee3d775303845e2528c676c59ef3582d6b27 (patch) | |
tree | 430a3aff0b029462db53a40272811b3733bbe7b7 /src/providers/ldap | |
parent | 94cafd6f5b63aac3ad084d14fa3be24213374021 (diff) | |
download | sssd-7343ee3d775303845e2528c676c59ef3582d6b27.tar.gz sssd-7343ee3d775303845e2528c676c59ef3582d6b27.tar.bz2 sssd-7343ee3d775303845e2528c676c59ef3582d6b27.zip |
Handle expired passwords like other PAM modules
So far we handled expired password during authentication. Other PAM
modules typically detect expired password during account management and
return PAM_NEW_AUTHTOK_REQD if the password is expired and should be
changed. The PAM library then calls the change password routines. To
meet these standards pam_sss is change accordingly.
As a result it is now possible to update an expired password via ssh if
sssd is running with PasswordAuthentication=yes. One drawback due to
limitations of PAM is that the user now has to type his current password
again before setting a new one.
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/ldap_auth.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index cfe8adb9..ba1136bd 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -983,7 +983,7 @@ static void sdap_pam_auth_done(struct tevent_req *req) state->pd->pam_status = PAM_ACCT_EXPIRED; break; case SDAP_AUTH_PW_EXPIRED: - state->pd->pam_status = PAM_AUTHTOK_EXPIRED; + state->pd->pam_status = PAM_NEW_AUTHTOK_REQD; break; default: state->pd->pam_status = PAM_SYSTEM_ERR; |