
Re: Expiration/grace warnings bug in nslcd/myldap.c




Hi,

Late reply again, sorry!

I spent some time testing the two changes, and I must admit that the
fake scope is definitely more elegant than the global flag. Almost
everything is working well, except the password expiration. With both
patches applied, nslcd asks the user for a new password, but
unfortunately the try_pwmod function cannot succeed as myldap_bind
doesn't return a success...

So, I've added another slight change (pwdmod_expired, to be applied
after both your patches), and again, it uses a flag, set in the
session structure... I trust you'll find a nicer way to do that ;-)

This flag is only set during try_pwdmod, and keeps do_close from
sending an unbind. Just after myldap_bind, the flag is cleared,
therefore the session will eventually be cleaned. Meanwhile, the
password is changed if either myldap_bind returns LDAP_SUCCESS, or
NSLCD_PAM_NEW_AUTHTOK_REQD (so as in prefer-authorisation-result-code,
we rely on authzrc if ppolicy is enabled). So far, I didn't detect any
issue with this change.

As a "bonus", I've included another patch, ppolicy-time, which displays
a human-readable message (days+hours, or hours+minutes, or seconds)
when the password expiring warning is issued.

Regards,

-- 
Mathieu

Attachment: pwdmod_expired.patch
Description: Binary data

Attachment: ppolicy-time.patch
Description: Binary data
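
The expiry formatting described for ppolicy-time, sketched as an added example; this is not the attached patch or nss-pam-ldapd code. The function name, the thresholds (one day, one hour) and the message wording are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not taken from nss-pam-ldapd: renders the number of
   seconds before password expiry in the three forms named in the message
   (days+hours, hours+minutes, seconds). Thresholds are assumptions. */
static const char *plural(long n) { return n == 1 ? "" : "s"; }

/* Returns the length written, or -1 on a bad buffer or truncation. */
int format_expiry(long secs, char *buf, size_t buflen)
{
  int n;
  if (buf == NULL || buflen == 0)
    return -1;
  if (secs < 0)
    secs = 0; /* a negative value is treated as already expired */
  if (secs >= 86400)
  {
    long d = secs / 86400, h = (secs % 86400) / 3600;
    n = snprintf(buf, buflen, "%ld day%s %ld hour%s",
                 d, plural(d), h, plural(h));
  }
  else if (secs >= 3600)
  {
    long h = secs / 3600, m = (secs % 3600) / 60;
    n = snprintf(buf, buflen, "%ld hour%s %ld minute%s",
                 h, plural(h), m, plural(m));
  }
  else
    n = snprintf(buf, buflen, "%ld second%s", secs, plural(secs));
  /* never hand a silently truncated warning back to the PAM conversation */
  if (n < 0 || (size_t)n >= buflen)
    return -1;
  return n;
}

int main(void)
{
  long samples[] = {200000, 7260, 59}; /* constructed sample values */
  char msg[64];
  for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    if (format_expiry(samples[i], msg, sizeof(msg)) > 0)
      printf("Password will expire in %s\n", msg);
  return 0;
}
```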
