| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Some LDAP servers allow binding with blank passwords. We should
not allow a blank password to authenticate the SSSD.
|
|
The initial verification of the old password was returning an
error because we were not explicitly setting dp_err to
DP_ERR_SUCCESS and it was initialized earlier in the function to
DP_ERR_FATAL.
|
|
For the shadow and mit_kerberos password policy warnings are sent to the
client if the password is about to expire.
|
|
|
|
|
|
|
|
|
|
This patch removes some tab-indentations from pamsrv.c, too.
|
|
Display warnings about remaining grace logins and password
expiration to the user, when LDAP Password Policies are used.
Improved detection if LDAP Password policies are supported by
LDAP Server.
|
|
When changing passwords, treat SDAP_AUTH_PW_EXPIRED as a successful
authentication in SSS_PAM_CHAUTHTOK_PRELIM.
|
|
So far we handled expired password during authentication. Other PAM
modules typically detect expired password during account management and
return PAM_NEW_AUTHTOK_REQD if the password is expired and should be
changed. The PAM library then calls the change password routines. To
meet these standards pam_sss is change accordingly.
As a result it is now possible to update an expired password via ssh if
sssd is running with PasswordAuthentication=yes. One drawback due to
limitations of PAM is that the user now has to type his current password
again before setting a new one.
|
|
Also update BUILD.txt
|
