diff -urNad nss-pam-ldapd-0.9.4/nslcd/myldap.c nss-pam-ldapd-0.9.4-patched/nslcd/myldap.c
--- nss-pam-ldapd-0.9.4/nslcd/myldap.c 2014-06-06 17:28:40.000000000 +0200
+++ nss-pam-ldapd-0.9.4-patched/nslcd/myldap.c 2015-07-09 08:59:19.772635722 +0200
@@ -467,7 +467,7 @@
 ((session->policy_response == NSLCD_PAM_SUCCESS) ||
 (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)))
 {
- session->policy_response = NSLCD_PAM_AUTHTOK_EXPIRED;
+ session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
 mysnprintf(session->policy_message, sizeof(session->policy_message),
 "%s", ldap_passwordpolicy_err2txt(error));
 }
@@ -498,14 +498,13 @@
 ((session->policy_response == NSLCD_PAM_SUCCESS) ||
 (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)))
 {
- session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
+ session->policy_response = NSLCD_PAM_SUCCESS;
 mysnprintf(session->policy_message, sizeof(session->policy_message),
 "Password will expire in %d seconds", expire);
 }
 else if ((grace >= 0) &&
 (session->policy_response == NSLCD_PAM_SUCCESS))
 {
- session->policy_response = NSLCD_PAM_NEW_AUTHTOK_REQD;
 mysnprintf(session->policy_message, sizeof(session->policy_message),
 "Password expired, %d grace logins left", grace);
 }
@@ -582,6 +581,9 @@
 {
 handle_ppasswd_controls(session, ld, responsectrls);
 ldap_controls_free(responsectrls);
+ if ((session->policy_response == NSLCD_PAM_SUCCESS) ||
+ (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD))
+ rc = LDAP_SUCCESS;
 }
 /* return the result of the BIND operation */
 if (rc != LDAP_SUCCESS)
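Review bot: Replacing `NSLCD_PAM_AUTHTOK_EXPIRED` with `NSLCD_PAM_NEW_AUTHTOK_REQD` in the `-467` hunk removes the only visible place where this policy error (presumably password-expired; the first line of the condition is outside the hunk) was reported as an expired-token failure, and the new code does not say why. These lines do not show whether the server validated the supplied password before returning that policy error, so confirm against the directory server in use that this state is safe to treat as "authenticated, change required". If the behaviour is intended, state it at the assignment, for example `/* local policy: report expired password as change-required; relies on the server having verified the password first */`. The enclosing function starts and ends outside the hunk.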
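Review bot: The guard of the first branch in the `-498` hunk still admits `NSLCD_PAM_NEW_AUTHTOK_REQD`, so the new `session->policy_response = NSLCD_PAM_SUCCESS;` can clear a change-required state that was recorded earlier (the `-467` hunk sets exactly that value, presumably in the same function) whenever the control also carries an expiry warning. An expiry warning only needs the message, so I would delete the assignment instead of replacing it, as the commit already does in the grace branch; that leaves `NSLCD_PAM_SUCCESS` as it is and does not downgrade `NSLCD_PAM_NEW_AUTHTOK_REQD`. In the grace branch the response now stays `NSLCD_PAM_SUCCESS` while the message reads "Password expired", which deserves a comment such as `/* grace login: warn only, do not force a password change */` so the mismatch is clearly deliberate.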
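Review bot: The added `rc = LDAP_SUCCESS;` in the `-582` hunk discards the BIND result whenever response controls are present and `policy_response` is `NSLCD_PAM_SUCCESS` or `NSLCD_PAM_NEW_AUTHTOK_REQD`, without checking what `rc` was. `NSLCD_PAM_SUCCESS` looks like the state left when the control reported no policy error (the guards in the earlier hunks test it as the untouched value; its initialisation is not visible), so a bind that failed for an unrelated reason, such as a wrong password, would be reported as successful if the server attached any control to the response. At minimum the `NSLCD_PAM_SUCCESS` arm should be dropped, `if (session->policy_response == NSLCD_PAM_NEW_AUTHTOK_REQD)`, and the override is better limited to the one result code the server returns for the expired-password case, with a log line recording that the bind result was overridden. The opening condition of this block and the rest of the function are outside the hunk.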