From 54d57d18c14ff219c686ed57f7cdbb1e2c1e000e Mon Sep 17 00:00:00 2001
From: Arthur de Jong
Date: Wed, 6 Jan 2016 23:30:24 +0100
Subject: [PATCH] Prefer authorisation result code

---
 nslcd/pam.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/nslcd/pam.c b/nslcd/pam.c
index af451a2..c00bb2d 100644
--- a/nslcd/pam.c
+++ b/nslcd/pam.c
@@ -63,7 +63,7 @@ static int try_bind(const char *userdn, const char *password,
 }
 /* check that we can bind */
 rc = myldap_bind(session, authzrc, &msg);
- if (rc == LDAP_SUCCESS)
+ if ((rc == LDAP_SUCCESS) && (authzrc == NSLCD_PAM_SUCCESS))
 {
 /* perform a search for user object to verify bind */
 attrs[0] = "dn";
@@ -336,12 +336,28 @@ int nslcd_pam_authc(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid)
 log_log(LOG_DEBUG, "bind authc %s authz %s",
 (rc == LDAP_SUCCESS) ? "successful" : "failed",
 (authzrc == NSLCD_PAM_SUCCESS) ? "successful" : "failed");
- /* map result code */
- switch (rc)
+ /* map result code, gives priority to authzrc */
+ switch (authzrc)
 {
- case LDAP_SUCCESS: rc = NSLCD_PAM_SUCCESS; break;
- case LDAP_INVALID_CREDENTIALS: rc = NSLCD_PAM_AUTH_ERR; break;
- default: rc = NSLCD_PAM_AUTH_ERR;
+ /* we can override the return code to SUCCESS as long as
+ pam is told that the password MUST be changed right now */
+ case NSLCD_PAM_AUTHTOK_EXPIRED:
+ rc = NSLCD_PAM_SUCCESS;
+ authzrc = NSLCD_PAM_NEW_AUTHTOK_REQD;
+ break;
+ case NSLCD_PAM_NEW_AUTHTOK_REQD:
+ rc = NSLCD_PAM_SUCCESS;
+ break;
+ case NSLCD_PAM_SUCCESS:
+ switch (rc)
+ {
+ case LDAP_SUCCESS: rc = NSLCD_PAM_SUCCESS; break;
+ default: rc = NSLCD_PAM_AUTH_ERR;
+ }
+ break;
+ /* for all other results, just default to a pam authentication error */
+ default:
+ rc = NSLCD_PAM_AUTH_ERR;
 }
 /* perform shadow attribute checks */
 if ((*username != '\0') && (authzrc == NSLCD_PAM_SUCCESS))
-- 
2.6.4
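Review bot: The added `(authzrc == NSLCD_PAM_SUCCESS)` condition in try_bind means the "search for user object to verify bind" is no longer run whenever myldap_bind reported a password-policy condition, yet the comment above it still reads only `/* check that we can bind */`, so a later reader cannot tell that skipping the verification is deliberate. Presumably the intent is that a bind which succeeded but came back with an expired/must-change status should still be reported as a successful bind even though the directory may refuse further operations until the password is changed — confirm. Suggest recording that in the comment, e.g. `/* check that we can bind; the verifying search is only done when no password-policy condition was reported, since a bind that must change its password may not be allowed to search */`. try_bind's body starts and ends outside the hunk, so what rc/authzrc the caller finally sees for the skipped case is not visible here.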
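Review bot: In nslcd_pam_authc the new `case NSLCD_PAM_AUTHTOK_EXPIRED:` and `case NSLCD_PAM_NEW_AUTHTOK_REQD:` arms assign `rc = NSLCD_PAM_SUCCESS` without consulting the bind result `rc` at all, so a bind that failed is reported to PAM as an authentication success (with a forced password change) whenever myldap_bind set one of these authorisation codes — the log_log line just above can print "bind authc failed" for exactly this path. That is only sound if myldap_bind, which is outside the hunk, sets these codes solely after the presented password was accepted and only the policy state blocked the bind; the hunk does not show that invariant, so it should be stated next to the override, e.g. `/* the bind result is deliberately ignored for these two codes: myldap_bind only reports them once the password itself was accepted */`, and if it does not hold the `NSLCD_PAM_NEW_AUTHTOK_REQD` arm in particular should keep the `rc == LDAP_SUCCESS` requirement. On style, the inner `switch (rc)` under `case NSLCD_PAM_SUCCESS:` has a single non-default arm and reads more directly as `rc = (rc == LDAP_SUCCESS) ? NSLCD_PAM_SUCCESS : NSLCD_PAM_AUTH_ERR;`. nslcd_pam_authc continues outside the hunk on both sides.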