On Mon, Feb 08, 2016 at 01:56:07PM +0100, Pavel Reichl wrote:
On 02/08/2016 10:48 AM, Jakub Hrozek wrote:
>On Mon, Feb 08, 2016 at 10:34:16AM +0100, Pavel Reichl wrote:
>>
>>
>>On 02/05/2016 03:16 PM, Lukas Slebodnik wrote:
>>>>
>>>The ticket is about "SSSD should be able to display message to the user when
>>>the account in Active Directory is 'locked out'"
>>>
>>>If the string is not standardized among AD versions
>>>then this ticket is NOT solved.
>>
>>So what do you propose? Rename the ticket to contain the version of the tested AD? Or should
>>we tell the user that although we have a fix that would work for him, it might not work for all AD
>>versions, so we won't provide it?
>
>It would be nice to mention what we tested with in the commit message.
OK, done.
>
>>
>>Can we ask our QA to test on all AD version they can lay their hands on?
>
>Yes, I think we can test 2012 and 2008. Probably not worth testing 2003
>anymore.
>
I updated the relevant BZ.
From 5a4ca73e16e4eec023108387cd8c572c34496e9b Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl(a)redhat.com>
Date: Fri, 5 Feb 2016 07:27:38 -0500
Subject: [PATCH 1/2] SDAP: Add return code ERR_ACCOUNT_LOCKED
ACK. This made pam_sss return "6 (Permission denied)".
From 637766eb543a54d4a96ae5c9692566a02522a742 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl(a)redhat.com>
Date: Fri, 5 Feb 2016 07:31:45 -0500
Subject: [PATCH 2/2] PAM: Pass account lockout status and display message
Tested against Windows Server 2012.
Yes, me too, I don't have 2008 around.
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 73a21bfa0049bc4d3cfacb49201707868c87e533..2dbc58a451686beda0faa9e9366bbc3b3b4c253e
100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1040,6 +1040,27 @@ pam_account_expired_message = Account expired, please call help
desk.
</listitem>
</varlistentry>
<varlistentry>
+ <term>pam_account_locked_message (string)</term>
+ <listitem>
+ <para>
+ If user is authenticating and
Please ask someone for an English review (I know Dan started, but I
didn't see a fixed version yet). At the very least, this should read "a
user".
+ account is locked then by default
+ 'Permission denied' is output. This output will
+ be changed to content of this variable if it is
+ set.
+ </para>
+ <para>
+ example:
+ <programlisting>
+pam_account_locked_message = Account locked, please call help desk.
+ </programlisting>
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>p11_child_timeout (integer)</term>
<listitem>
<para>
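Review bot: the new pam_account_locked_message entry does not say which provider reports the lockout or that the detection was verified only against Windows Server 2012, which matters because the thread itself notes the lockout response is not known to be standardized across AD versions; add a sentence to the first <para> stating the provider and the tested server version. The same paragraph should also make the trade-off explicit: with the option unset the prompt shows the generic "Permission denied", while setting it makes a locked account distinguishable from any other denial to whoever is at the prompt, so administrators can decide whether that disclosure is acceptable for their deployment. While rewording for the "a user" fix already requested, the lines
"If user is authenticating and"
"account is locked then by default"
"'Permission denied' is output."
could become: "If a user is authenticating and the account is locked, 'Permission denied' is output by default; if this option is set, its value is shown instead."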
The rest of the patch looks good to me and seems to work as advertised.