Reflow of shadowLastChange patch to fit style guidelines.

Thanks.

- Jim Collins

On 6/27/2013 8:01 AM, Stephen Gallagher wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/26/2013 10:02 PM, j...@collins-fam.com wrote:

Thanks,

Jim Collins


Patch looks good to me by inspection, except that it violates our
style guidelines. Please reflow the IF statement so that it will fit
in 79 characters.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlHMKZ0ACgkQeiVVYja6o6OJ3ACgo0uI1UlUbvfkqz0H7IXqUBER
PHEAnixzUtOQ7InHnbse/EyxwDtXwnTA
=5RLG
-----END PGP SIGNATURE-----


>From 4f8d83adbbec49455ca3b1039025939e8f594a97 Mon Sep 17 00:00:00 2001
From: Jim Collins <git...@collins-fam.com>
Date: Thu, 27 Jun 2013 16:10:44 -0400
Subject: [PATCH] ldap: only update shadowLastChange when password change is 
successful

https://fedorahosted.org/sssd/ticket/1999

ldap_auth.c code which was added to SSSD for updating the
shadowLastChange when "ldap_chpass_update_last_change" option is
enabled updates shadowLastChange even when the PAM password change
status reports failure.

We should only update shadowLastChange on PAM password change success or
we open up a workaround for users to avoid changing their passwords
periodically as required by policy. The user simply attempts to change
password, fails by trying to set a new password which is invalid (denied
due to password history check) yet shadowLastChange is updated, avoiding
their need to actually change the password they are using.
---
 src/providers/ldap/ldap_auth.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 
58cc2d356d0e2c032f05328247540ba1a556b8ca..ea28ba66b09d6ef8bafb65c51af67e4b3d384908
 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -908,7 +908,8 @@ static void sdap_pam_chpass_done(struct tevent_req *req)
         }
     }
 
-    if (dp_opt_get_bool(state->ctx->opts->basic,
+    if (state->pd->pam_status == PAM_SUCCESS &&
+        dp_opt_get_bool(state->ctx->opts->basic,
                         SDAP_CHPASS_UPDATE_LAST_CHANGE)) {
         lastchanged_name = state->ctx->opts->user_map[SDAP_AT_SP_LSTCHG].name;
 
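Review bot: the new `state->pd->pam_status == PAM_SUCCESS` test at the top of the condition has no comment explaining why it is there, so a later cleanup could drop it and reopen the password-aging bypass described in the commit message. Please add a one-line comment above the `if` noting that shadowLastChange must only be written after a successful change, with a reference to ticket 1999. The hunk also does not show where `pam_status` is assigned, so it is worth confirming that it already holds the final result of the password modify operation when this condition runs. Finally, when the option is enabled and the update is skipped because the change failed, nothing is logged; a debug message on that path would help when diagnosing why shadowLastChange did not move. A regression test in which a password change rejected by the history check leaves the attribute untouched would lock the behaviour in.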
-- 
1.7.1

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
