On (10/02/15 15:39), Pavel Reichl wrote:
Hello,
While working on another patch in related code area I noticed that expected
behaviour (denying access for expired account) is logged as failure. Please
see attached patch.
Thanks.
From 8381c0133925d1e96012379170ce4335c6f97e0e Mon Sep 17 00:00:00
2001
From: Pavel Reichl <preichl(a)redhat.com>
Date: Tue, 10 Feb 2015 18:21:14 -0500
Subject: [PATCH] SDAP: log expired accounts at lower severity level
Attempts to log into expired accounts were logged as SSSDBG_CRIT_FAILURE
which is misleading as no real failures were happening.
---
src/providers/ldap/sdap_access.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index a6c882cae634f080b200fe75f51867e39192bcd9..52ea50ae22dcddde41d9567b21d726e35f8ed542
100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -668,26 +668,38 @@ static errno_t sdap_account_expired(struct sdap_access_ctx
*access_ctx,
} else {
if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_SHADOW) == 0) {
ret = sdap_account_expired_shadow(pd, user_entry);
- if (ret != EOK) {
+ if (ret == ERR_ACCOUNT_EXPIRED) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sdap_account_expired_shadow: %s.\n",
sss_strerror(ret));
+ } else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
Make sense.
http://sssd-ci.duckdns.org/logs/job/8/39/summary.html
ACK
LS