On Tue, Feb 02, 2016 at 08:48:43PM +0100, Pavel Reichl wrote:
Hello,
please see attached patch.
To test, connect to AD using the ldap provider (for both id and auth). Lock
the account of an AD user by entering an invalid password repeatedly. In the pam
section of sssd.conf set the pam_account_locked_message option. After failing
to su as the locked user you should see a message containing this information.
Thanks!
I would prefer to split this patch into two, one that patches the LDAP
code to return ERR_ACCOUNT_LOCKED and one that passes on and displays
the message.
From 511ef599902827d76193a1e634ace193df15dead Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl(a)redhat.com>
Date: Tue, 2 Feb 2016 14:35:15 -0500
Subject: [PATCH] PAM: Notify user of denial due to AD account lockout
Resolves:
https://fedorahosted.org/sssd/ticket/2839
---
index 2d9b1184f5d30b9df7f1d3e4b980a7e0107c6830..763c5ed050bd482d334ad617349938dfc89f79da 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -754,6 +754,9 @@ static void simple_bind_done(struct sdap_op *op,
if (result == LDAP_SUCCESS) {
ret = EOK;
+ } else if (result == LDAP_INVALID_CREDENTIALS
+ && strstr(errmsg, "data 775,") != NULL) {
~~~~~~~~~~~~~~
I don't think this is safe, strstr() doesn't handle NULL input well.
Please add a check for "&& errmsg != NULL" before calling strstr.
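Review bot: the branch at `+ && strstr(errmsg, "data 775,") != NULL` keys on a free-text diagnostic string that only Active Directory emits (the "data" field is the Windows error code in hex, and 0x775 is ERROR_ACCOUNT_LOCKED_OUT), so a comment in the hunk naming that origin would help the next reader understand why LDAP_INVALID_CREDENTIALS from a non-AD server falls through to the plain failure path. The `errmsg != NULL` guard also belongs in the same condition, e.g. `} else if (result == LDAP_INVALID_CREDENTIALS && errmsg != NULL && strstr(errmsg, "data 775,") != NULL) {`, because a bind that fails without a diagnostic message would otherwise crash the provider in the authentication path.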
Otherwise the patch looks good, we just need to also ask some native
speaker for manpage comments.
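To show the NULL-safe form of the check discussed above in runnable form, here is an added example (not SSSD's code and not part of the patch) that classifies a simple-bind result. It generalizes the patch's literal substring match by extracting the hex "data" code AD appends to its diagnostic message and guards against a missing message; the `bind_outcome` enum, `classify_simple_bind()` and `ad_bind_data_code()` are assumed names, and the sample diagnostic strings are constructed for the test.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* LDAP result codes (numeric values from RFC 4511). */
#define LDAP_SUCCESS             0x00
#define LDAP_INVALID_CREDENTIALS 0x31

/* Hypothetical outcome of a simple bind; these are constructed values,
 * not SSSD's own error codes. */
enum bind_outcome {
    BIND_OK,
    BIND_ACCOUNT_LOCKED,
    BIND_INVALID_CREDENTIALS,
    BIND_OTHER_ERROR
};

/* Active Directory appends ", data <hex>, ..." to the diagnostic message of
 * a failed bind; 0x775 is ERROR_ACCOUNT_LOCKED_OUT. Returns the parsed code,
 * or -1 when errmsg is NULL or carries no usable "data" field. A constructed
 * example of such a message:
 *   "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1"
 */
static long ad_bind_data_code(const char *errmsg)
{
    const char *p;
    char *end;
    long code;

    if (errmsg == NULL) {          /* strstr() would dereference NULL */
        return -1;
    }
    p = strstr(errmsg, "data ");
    if (p == NULL) {               /* not an AD-style diagnostic */
        return -1;
    }
    p += strlen("data ");
    errno = 0;
    code = strtol(p, &end, 16);    /* stops at the trailing ',' */
    if (end == p || errno != 0) {  /* no hex digits after "data " */
        return -1;
    }
    return code;
}

/* Map the LDAP result plus optional server message to a bind outcome. */
enum bind_outcome classify_simple_bind(int result, const char *errmsg)
{
    if (result == LDAP_SUCCESS) {
        return BIND_OK;
    }
    if (result == LDAP_INVALID_CREDENTIALS) {
        /* Only AD reports the lockout reason; other servers fall through
         * to a plain credential failure. */
        if (ad_bind_data_code(errmsg) == 0x775) {
            return BIND_ACCOUNT_LOCKED;
        }
        return BIND_INVALID_CREDENTIALS;
    }
    return BIND_OTHER_ERROR;
}
```

Parsing the code rather than matching the literal "data 775," keeps the NULL guard in one place and lets a server that omits the field, or sends a different code, degrade to the generic invalid-credentials path instead of crashing.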