Hello list, the attached patch fixes: https://fedorahosted.org/sssd/ticket/3109
There was a missing condition for the offline state of sssd in the ldap code for password changing. If sssd is offline, it now returns PAM_AUTHINFO_UNAVAIL and not PAM_PERM_DENIED.
Regards -- Petr^4 Čech
>From 5b9c1a166f0050544c55c6a5813906add185d7bf Mon Sep 17 00:00:00 2001 From: Petr Cech <pc...@redhat.com> Date: Tue, 2 Aug 2016 10:11:14 +0200 Subject: [PATCH] LDAP: Fixing wrong pam error code for passwd This patch adds right pam error code for sssd offline state. Resolves: https://fedorahosted.org/sssd/ticket/3109 --- src/providers/ldap/ldap_auth.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index 107f6ded1a903904e088f0b6b0320fe82a52af52..1b4366f547398319afe5e4e9c11131c407851e27 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -1101,6 +1101,11 @@ sdap_pam_chpass_handler_send(TALLOC_CTX *mem_ctx, state->auth_ctx = auth_ctx; state->ev = params->ev; + if (state->be_ctx->offstat.offline == true) { + pd->pam_status = PAM_AUTHINFO_UNAVAIL; + goto immediately; + } + if ((pd->priv == 1) && (pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) && (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD)) { DEBUG(SSSDBG_CONF_SETTINGS, -- 2.7.4
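Review bot: The added check in sdap_pam_chpass_handler_send() dereferences state->be_ctx, but the context lines of this hunk only show state->auth_ctx and state->ev being assigned, so please confirm state->be_ctx is set before this point; if it is not, the test reads through an unset pointer. Two smaller points on the same lines: prefer the be_is_offline() helper over reading offstat.offline directly and drop the "== true" comparison, and add a DEBUG message before "goto immediately" so the offline short-circuit shows up in the logs the way the following branch does. The check sits ahead of the pd->cmd test, so it applies to every command reaching this handler and not only SSS_PAM_CHAUTHTOK_PRELIM; the commit message should say that this is intended.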
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org