On 02/05/2016 11:01 AM, Jakub Hrozek wrote:
On Tue, Feb 02, 2016 at 08:48:43PM +0100, Pavel Reichl wrote:
...
I would prefer to split this patch into two, one that patches the LDAP
code to return ERR_ACCOUNT_LOCKED and one that passes on and displays
the message.
Done.
> From 511ef599902827d76193a1e634ace193df15dead Mon Sep 17 00:00:00 2001
> From: Pavel Reichl <preichl(a)redhat.com>
> Date: Tue, 2 Feb 2016 14:35:15 -0500
> Subject: [PATCH] PAM: Notify user of denial due to AD account lockout
>
> Resolves:
> https://fedorahosted.org/sssd/ticket/2839
> ---
> index
2d9b1184f5d30b9df7f1d3e4b980a7e0107c6830..763c5ed050bd482d334ad617349938dfc89f79da 100644
> --- a/src/providers/ldap/sdap_async_connection.c
> +++ b/src/providers/ldap/sdap_async_connection.c
> @@ -754,6 +754,9 @@ static void simple_bind_done(struct sdap_op *op,
>
> if (result == LDAP_SUCCESS) {
> ret = EOK;
> + } else if (result == LDAP_INVALID_CREDENTIALS
> + && strstr(errmsg, "data 775,") != NULL) {
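Review bot: the literal "data 775," in the new else-if condition is a magic string with no comment or named constant; the only hint to its meaning is the subject line about AD account lockout. Suggest a short comment above the branch saying which server error text this substring is expected in, or a #define with a descriptive name, so a later edit does not silently break the match. The match also depends on the exact punctuation of that text (the trailing comma), which is worth noting in the same comment.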
~~~~~~~~~~~~~~
I don't think this is safe, strstr() doesn't handle NULL input well.
Please add a check for "&& errmsg != NULL" before calling strstr.
Sure.
Otherwise the patch looks good, we just need to also ask some native
speaker for manpage comments.
I pinged Dan about that.
Please see updated patch set, thanks!