diff options
author | Jim Collins <github@collins-fam.com> | 2013-06-27 16:10:44 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2013-07-01 09:14:36 -0400 |
commit | 1e7275d3f075973f868c480dbfbe1219c1885585 (patch) | |
tree | 47e1c6aea330d3cedf276cc95aa5cd835d870479 /src | |
parent | 79238f6cb42b9d8d01c9ab510f7d3878f642a02e (diff) | |
download | sssd-1e7275d3f075973f868c480dbfbe1219c1885585.tar.gz sssd-1e7275d3f075973f868c480dbfbe1219c1885585.tar.bz2 sssd-1e7275d3f075973f868c480dbfbe1219c1885585.zip |
ldap: only update shadowLastChange when password change is successful
https://fedorahosted.org/sssd/ticket/1999
ldap_auth.c code which was added to SSSD for updating the
shadowLastChange when "ldap_chpass_update_last_change" option is
enabled updates shadowLastChange even when the PAM password change
status reports failure.
We should only update shadowLastChange on PAM password change success or
we open up a work around for users to avoid changing their passwords
periodically as required by policy. The user simply attempts to change
password, fails by trying to set new password which invalid (denied due
to password history check) yet shadowLastChange is updated, avoiding
their need to actually change the password they are using.
Diffstat (limited to 'src')
-rw-r--r-- | src/providers/ldap/ldap_auth.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index 58cc2d35..ea28ba66 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -908,7 +908,8 @@ static void sdap_pam_chpass_done(struct tevent_req *req) } } - if (dp_opt_get_bool(state->ctx->opts->basic, + if (state->pd->pam_status == PAM_SUCCESS && + dp_opt_get_bool(state->ctx->opts->basic, SDAP_CHPASS_UPDATE_LAST_CHANGE)) { lastchanged_name = state->ctx->opts->user_map[SDAP_AT_SP_LSTCHG].name; |