Improve password policy error code and message

Instead of returning PAM_SYSTEM_ERR if they necessary attributes for the requested password policy cannot be found we return PAM_PERM_DENIED. Additionally the log message says that the access is denied.
SSSD · Aug 25, 2011 · 24a5dc6 · 24a5dc6
1 parent 690ae38
commit 24a5dc6
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
@@ -278,8 +278,9 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
             }
         } else {
             DEBUG(1, ("No Kerberos password expiration attributes found, "
-                      "but MIT Kerberos password policy was requested.\n"));
-            return EINVAL;
+                      "but MIT Kerberos password policy was requested. "
+                      "Access will be denied.\n"));
+            return EACCES;
         }
     } else if (strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) == 0) {
         mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL);
@@ -321,8 +322,9 @@ static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
             return EOK;
         } else {
             DEBUG(1, ("No shadow password attributes found, "
-                      "but shadow password policy was requested.\n"));
-            return EINVAL;
+                      "but shadow password policy was requested. "
+                      "Access will be denied.\n"));
+            return EACCES;
         }
     }
 
@@ -661,6 +663,9 @@ int auth_recv(struct tevent_req *req,
             if (err == ETIMEDOUT) {
                 *result = SDAP_UNAVAIL;
                 return EOK;
+            } else if (err == EACCES) {
+                *result = SDAP_AUTH_FAILED;
+                return EOK;
             } else {
                 *result = SDAP_ERROR;
                 return err;