[389-devel] Please review: [389 Project] #47351: Passsync loops when updating password of locked user

Noriko Hosoi nhosoi at redhat.com
Mon May 13 20:44:50 UTC 2013


https://fedorahosted.org/389/ticket/47351

https://fedorahosted.org/389/attachment/ticket/47351/0001-Ticket-47351-Passsync-loops-when-updating-password-o.patch

  Bug description: If a password of a user is updated/reset, whose
  account is disabled/inactivated on both AD and DS, the password
  update is endlessly repeated on AD and DS.

  Fix description: A method CanBind in syncserv is used to determine
  whether a password modify is needed in the first round, as well as to
  check that the modification was successful in the second round. The
  following modification in SyncPassword invokes the server side's
  WinSync plugin to send the modify back, and SyncPassword is invoked
  as the second round.  If the return code from CanBind is not
  LDAP_INVALID_CREDENTIALS (e.g., LDAP_UNWILLING_TO_PERFORM for the
  inactivated account), the second round CanBind would not return
  LDAP_SUCCESS even if the password is correctly updated.  That said,
  if CanBind returns any error other than LDAP_INVALID_CREDENTIALS, we
  should defer the password update.

  Note: Changes in passhook.cpp are all indentation fixes.
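
The round-trip described in the fix description, as an added model that is not part of the original message or the PassSync source. `Account`, `can_bind`, `sync_password` and the two policy names are hypothetical; the model assumes a disabled account refuses every bind and that the pre-fix behaviour was to modify on any non-success result.

```cpp
#include <cstdio>
#include <string>

// LDAP result codes used in the description (numeric values per RFC 4511).
enum LdapRc { RC_SUCCESS = 0, RC_INVALID_CREDENTIALS = 49, RC_UNWILLING_TO_PERFORM = 53 };

// Constructed stand-in for a directory entry; not a PassSync data structure.
struct Account {
    std::string password;
    bool disabled;
};

// Assumed bind behaviour: a disabled account refuses the bind whatever the
// password is, so a successful modify can never be confirmed by binding.
LdapRc can_bind(const Account& a, const std::string& pw) {
    if (a.disabled) return RC_UNWILLING_TO_PERFORM;
    return a.password == pw ? RC_SUCCESS : RC_INVALID_CREDENTIALS;
}

enum Policy { MODIFY_ON_ANY_FAILURE, MODIFY_ONLY_ON_INVALID_CREDENTIALS };

// Each loop pass is one SyncPassword round; a modify is echoed back by the
// peer and triggers the next round. Returns the number of modifies issued,
// with max_rounds standing in for "endless".
int sync_password(Account& a, const std::string& pw, Policy p, int max_rounds) {
    int modifies = 0;
    for (int round = 0; round < max_rounds; ++round) {
        LdapRc rc = can_bind(a, pw);
        if (rc == RC_SUCCESS) break;                      // already in sync
        if (p == MODIFY_ONLY_ON_INVALID_CREDENTIALS &&
            rc != RC_INVALID_CREDENTIALS) break;          // defer the update
        a.password = pw;                                  // modify password
        ++modifies;
    }
    return modifies;
}

int main() {
    Account locked{"old", true};
    std::printf("any-failure policy: %d modifies\n",
                sync_password(locked, "new", MODIFY_ON_ANY_FAILURE, 10));
    locked.password = "old";
    std::printf("invalid-credentials-only policy: %d modifies\n",
                sync_password(locked, "new", MODIFY_ONLY_ON_INVALID_CREDENTIALS, 10));
    return 0;
}
```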



