summaryrefslogtreecommitdiff
path: root/src/providers
diff options
context:
space:
mode:
authorJim Collins <github@collins-fam.com>2013-06-27 16:10:44 -0400
committerStephen Gallagher <sgallagh@redhat.com>2013-07-01 09:14:36 -0400
commit1e7275d3f075973f868c480dbfbe1219c1885585 (patch)
tree47e1c6aea330d3cedf276cc95aa5cd835d870479 /src/providers
parent79238f6cb42b9d8d01c9ab510f7d3878f642a02e (diff)
downloadsssd-1e7275d3f075973f868c480dbfbe1219c1885585.tar.gz
sssd-1e7275d3f075973f868c480dbfbe1219c1885585.tar.bz2
sssd-1e7275d3f075973f868c480dbfbe1219c1885585.zip
ldap: only update shadowLastChange when password change is successful
https://fedorahosted.org/sssd/ticket/1999 ldap_auth.c code which was added to SSSD for updating the shadowLastChange when "ldap_chpass_update_last_change" option is enabled updates shadowLastChange even when the PAM password change status reports failure. We should only update shadowLastChange on PAM password change success or we open up a work around for users to avoid changing their passwords periodically as required by policy. The user simply attempts to change password, fails by trying to set new password which invalid (denied due to password history check) yet shadowLastChange is updated, avoiding their need to actually change the password they are using.
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ldap/ldap_auth.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 58cc2d35..ea28ba66 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -908,7 +908,8 @@ static void sdap_pam_chpass_done(struct tevent_req *req)
}
}
- if (dp_opt_get_bool(state->ctx->opts->basic,
+ if (state->pd->pam_status == PAM_SUCCESS &&
+ dp_opt_get_bool(state->ctx->opts->basic,
SDAP_CHPASS_UPDATE_LAST_CHANGE)) {
lastchanged_name = state->ctx->opts->user_map[SDAP_AT_SP_LSTCHG].name;