From bd290f62727b8903d889705a9d129ee6c9d62bc9 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 21 Apr 2010 14:42:34 +0200
Subject: Display a message if a password reset by root fails
---
 src/providers/ldap/ldap_auth.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'src/providers/ldap/ldap_auth.c')
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index e0935da3..95931ac9 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -636,6 +636,14 @@ void sdap_pam_chpass_handler(struct be_req *breq)
 goto done;
 }
+ if (pd->priv == 1 && pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM &&
+ pd->authtok_size == 0) {
+ DEBUG(4, ("Password reset by root is not supported.\n"));
+ pd->pam_status = PAM_PERM_DENIED;
+ dp_err = DP_ERR_OK;
+ goto done;
+ }
+
 DEBUG(2, ("starting password change request for user [%s].\n", pd->user));
 pd->pam_status = PAM_SYSTEM_ERR;
-- cgit
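Review bot: The added guard in sdap_pam_chpass_handler refuses a zero-length old password only when `pd->priv == 1` and the command is `SSS_PAM_CHAUTHTOK_PRELIM`, so a request with `pd->authtok_size == 0` from an unprivileged caller, or one sent as `SSS_PAM_CHAUTHTOK`, still falls through to the password-change path. Whether that path rejects an empty authtok before binding is outside the hunk and worth confirming, because an LDAP simple bind with an empty password is an unauthenticated bind that a server may accept. The block should also carry a comment stating its intent, for example `/* A privileged caller sends no old password (authtok_size == 0); a reset without it is not supported here. */`. The only message visible in the hunk is the level-4 `DEBUG` line, so any user-facing text has to come from how the caller handles `PAM_PERM_DENIED`; the function body starts and ends outside the hunk.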