author | Sumit Bose <sbose@redhat.com> | 2011-08-25 13:15:26 +0200 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-08-25 13:30:37 -0400 |
commit | 24a5dc6614f3bd834d1b82c19cca8d3adc6a7653 (patch) | |
tree | e9b28000f87a3603e36615181cb6b736fbfb3ca5 /src/providers/ldap | |
parent | 690ae38fc14acac1e62cac52558eeb263404ceca (diff) | |
Improve password policy error code and message
Instead of returning PAM_SYSTEM_ERR if the necessary attributes for the
requested password policy cannot be found we return PAM_PERM_DENIED.
Additionally the log message says that the access is denied.
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/ldap_auth.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index ad4549e7..ef4477cf 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -278,8 +278,9 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
             }
         } else {
             DEBUG(1, ("No Kerberos password expiration attributes found, "
-                      "but MIT Kerberos password policy was requested.\n"));
-            return EINVAL;
+                      "but MIT Kerberos password policy was requested. "
+                      "Access will be denied.\n"));
+            return EACCES;
         }
     } else if (strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) == 0) {
         mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
@@ -321,8 +322,9 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
             return EOK;
         } else {
             DEBUG(1, ("No shadow password attributes found, "
-                      "but shadow password policy was requested.\n"));
-            return EINVAL;
+                      "but shadow password policy was requested. "
+                      "Access will be denied.\n"));
+            return EACCES;
         }
     }
 
@@ -661,6 +663,9 @@ int auth_recv(struct tevent_req *req,
     if (err == ETIMEDOUT) {
         *result = SDAP_UNAVAIL;
         return EOK;
+    } else if (err == EACCES) {
+        *result = SDAP_AUTH_FAILED;
+        return EOK;
     } else {
         *result = SDAP_ERROR;
         return err; |
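Review bot: The new `return EACCES;` in the MIT-Kerberos branch is a fail-closed decision (the policy cannot be evaluated without its expiration attributes, so the user is denied), but nothing in the code says so; the only explanation is the DEBUG(1) string, which an operator running at a quiet debug level will never see. A comment at the return would make the intent explicit, e.g. `/* Fail closed: the policy cannot be evaluated without these attributes, so report a denial (EACCES), not a generic error. */`. It is also worth confirming that every caller of this function maps EACCES the way auth_recv now does; a caller that still treats it as an internal error would behave opposite to what the log message promises, and I cannot see the callers from here. find_password_expiration_attributes starts and ends outside the hunk.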
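Review bot: Mapping any EACCES that reaches auth_recv to SDAP_AUTH_FAILED conflates the missing-policy-attributes case with every other EACCES an earlier step of the request might surface (a permission error from the cache or a socket, for instance), which would then be reported as a failed authentication rather than a system error. I cannot see the rest of the request chain, so this may be acceptable today, but the assumption is fragile and should at least be documented at the new branch: `/* EACCES here means the password-policy attributes were missing; report it as a denial, not as an internal error. */`. A dedicated error value for the policy case would avoid the overload entirely. The enclosing auth_recv starts before and ends after the hunk.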