New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sdap: respect passwordGracelimit #621
Conversation
/* ... and that's the reason why we have to set | ||
* on_grace_login_limit to true here! ... | ||
*/ | ||
on_grace_login_limit = pp_grace >= 0; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is already a block which evaluates pp_grace >= 0 below, do you think it makes sense to move setting on_grace_login_limit=true there? Or did you want the variable to be set to false as well explicitly?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we add the check on the if, for cases where pp_grace < 0 we won't set on_grace_login_limit
to false
.
I thought about it, but then we'd have to, most likely, add an else there and it would make the code less clear.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
alternatively, set the variable to false where the pp_grace >= 0
is now and only to true in the block where pp_grace is already tested for >=0
Since recent changes in 389-ds two response controls are end when passwordGracelimit is set and about to expire: - [1.3.6.1.4.1.42.2.27.8.5.1] for the GraceLimit itself - [2.16.840.1.113730.3.4.4] for the PasswordExpired Whenever the former is returned and the GraceLimit is still valid, we shouldn't report the latter to the users. Resolves: https://pagure.io/SSSD/sssd/issue/3597 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This version of the patch looks good to me.
before adding the accepted label I will run some downstream tests |
|
Since recent changes in 389-ds two response controls are end when
passwordGracelimit is set and about to expire:
Whenever the former is returned and the GraceLimit is still valid, we
shouldn't report the latter to the users.
Resolves:
https://pagure.io/SSSD/sssd/issue/3597
Signed-off-by: Fabiano Fidêncio fidencio@redhat.com