Re: [SSSD] [PATCH] Convert ldap_auth to new error codes

Mon, 04 Mar 2013 10:35:00 -0800 

On Mon, 2013-03-04 at 13:29 -0500, Simo Sorce wrote:
> On Mon, 2013-03-04 at 13:10 +0100, Pavel Březina wrote:
> > On 02/28/2013 12:29 AM, Simo Sorce wrote:
> > > This patch removes yet another set of custom and parallel error codes
> > > specified in the sdap_result enumeration, and instead uses the new
> > > unified error codes.
> > >
> > > This is to be applied on top of the previous patchset that adds SSSD
> > > specific error codes.
> > >
> > > I have done minimal testing with my IPA install and it seems to work
> > > fine as far as ldap+SASL/GSSAPI auth goes.
> > >
> > > Simo.
> > >
> > 
> > Hi,
> > 
> > > @@ -771,14 +776,19 @@ static struct tevent_req *sasl_bind_send(TALLOC_CTX 
> > > *memctx,
> > >           if (ret) goto fail;
> > >       }
> > >
> > > +    /* This is a hack, relies on the fact that tevent_req_done() will 
> > > only set
> > > +     * the state if no callback has been set yet
> > 
> > This is not true. tevent_req_done() always sets the state, even if
> > there is no callback yet.
> 
> I think my wording was misleading.
> 
> What I meant here is that tevent_req_done *only* sets they state, and if
> no callback is set nothing bad will happen. I will reword it so that it
> more clear.
> 
> > and then the immediate event
> > > +     * set up by tevent_req_post() will call the async callback set by 
> > > the
> > > +     * caller right after we return */
> > > +    tevent_req_done(req);
> > >       tevent_req_post(req, ev);
> > >       return req;
> > >
> > >   fail:
> > > -    if (ret == LDAP_SERVER_DOWN) {
> > > +    if (ret == LDAP_SERVER_DOWN || ret == LDAP_TIMEOUT) {
> > >           tevent_req_error(req, ETIMEDOUT);
> > >       } else {
> > > -        tevent_req_error(req, EIO);
> > > +        tevent_req_error(req, ERR_AUTH_FAILED);
> > >       }
> > >       tevent_req_post(req, ev);
> > >       return req;
> > 
> > Otherwise it seems to be working correctly. I correct password,
> > incorrect password, changing password, password expiration,
> > enable/disable user with both LDAP (without kerberos) and IPA.
> 
> Excellent, thanks!

Patch with reworded comment attached.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

>From ed7e3d100b88e73e876768fa77c40402269c73ba Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Tue, 26 Feb 2013 16:25:07 -0500
Subject: [PATCH] Use common error facility instead of sdap_result

Simplifies and consolidates error reporting for ldap authentication paths.

Adds 3 new error codes:
    ERR_CHPASS_DENIED  - Used when password constraints deny password changes
    ERR_ACCOUNT_EXPIRED  - Account is expired
    ERR_PASSWORD_EXPIRED  - Password is expired
---
 src/providers/ipa/ipa_auth.c               |  24 +--
 src/providers/ipa/ipa_s2n_exop.c           |  34 ++--
 src/providers/ldap/ldap_auth.c             | 274 ++++++++++++-----------------
 src/providers/ldap/sdap.h                  |  13 --
 src/providers/ldap/sdap_async.c            |  48 +++--
 src/providers/ldap/sdap_async.h            |  29 +--
 src/providers/ldap/sdap_async_connection.c | 150 +++++++---------
 src/util/sss_ldap.c                        |   9 +-
 src/util/sss_ldap.h                        |   2 -
 src/util/util_errors.c                     |   3 +
 src/util/util_errors.h                     |   3 +
 11 files changed, 234 insertions(+), 355 deletions(-)

diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 2a033db94bf157d96c64fb163a4845530d1aa120..5cb3d402e1460c57770484e594d62345e88a6568 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -36,7 +36,6 @@ struct get_password_migration_flag_state {
     struct tevent_context *ev;
     struct sdap_id_op *sdap_op;
     struct sdap_id_ctx *sdap_id_ctx;
-    enum sdap_result result;
     struct fo_server *srv;
     char *ipa_realm;
     bool password_migration;
@@ -68,7 +67,6 @@ static struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx,
 
     state->ev = ev;
     state->sdap_id_ctx = sdap_id_ctx;
-    state->result = SDAP_ERROR;
     state->srv = NULL;
     state->password_migration = false;
     state->ipa_realm = ipa_realm;
@@ -393,26 +391,30 @@ static void ipa_auth_ldap_done(struct tevent_req *req)
     struct be_ctx *be_ctx = be_req_get_be_ctx(state->be_req);
     int ret;
     int dp_err = DP_ERR_FATAL;
-    enum sdap_result result;
 
-    ret = sdap_auth_recv(req, state, &result, NULL);
+    ret = sdap_auth_recv(req, state, NULL);
     talloc_zfree(req);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, ("auth_send request failed.\n"));
-        state->pd->pam_status = PAM_SYSTEM_ERR;
-        dp_err = DP_ERR_OK;
-        goto done;
-    }
+    switch (ret) {
+    case EOK:
+        break;
 
+    case ERR_AUTH_DENIED:
+    case ERR_AUTH_FAILED:
+    case ERR_PASSWORD_EXPIRED:
 /* TODO: do we need to handle expired passwords? */
-    if (result != SDAP_AUTH_SUCCESS) {
         DEBUG(SSSDBG_MINOR_FAILURE, ("LDAP authentication failed, "
                                      "Password migration not possible.\n"));
         state->pd->pam_status = PAM_CRED_INSUFFICIENT;
         dp_err = DP_ERR_OK;
         goto done;
+    default:
+        DEBUG(SSSDBG_OP_FAILURE, ("auth_send request failed.\n"));
+        state->pd->pam_status = PAM_SYSTEM_ERR;
+        dp_err = DP_ERR_OK;
+        goto done;
     }
 
+
     DEBUG(SSSDBG_TRACE_FUNC, ("LDAP authentication succeded, "
                               "trying Kerberos authentication again.\n"));
 
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index be088664e71fbf8581fd8c3c65d5410bf693016c..29c21d4172b8e97be07f51384f65488793fe29a1 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -52,7 +52,6 @@ struct ipa_s2n_exop_state {
 
     struct sdap_op *op;
 
-    int result;
     char *retoid;
     struct berval *retdata;
 };
@@ -75,7 +74,6 @@ static struct tevent_req *ipa_s2n_exop_send(TALLOC_CTX *mem_ctx,
     if (!req) return NULL;
 
     state->sh = sh;
-    state->result = LDAP_OPERATIONS_ERROR;
     state->retoid = NULL;
     state->retdata = NULL;
 
@@ -85,6 +83,7 @@ static struct tevent_req *ipa_s2n_exop_send(TALLOC_CTX *mem_ctx,
                                   bv, NULL, NULL, &msgid);
     if (ret == -1 || msgid == -1) {
         DEBUG(SSSDBG_CRIT_FAILURE, ("ldap_extended_operation failed\n"));
+        ret = ERR_NETWORK_IO;
         goto fail;
     }
     DEBUG(SSSDBG_TRACE_INTERNAL, ("ldap_extended_operation sent, msgid = %d\n", msgid));
@@ -94,13 +93,14 @@ static struct tevent_req *ipa_s2n_exop_send(TALLOC_CTX *mem_ctx,
                       &state->op);
     if (ret) {
         DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to set up operation!\n"));
+        ret = ERR_INTERNAL;
         goto fail;
     }
 
     return req;
 
 fail:
-    tevent_req_error(req, EIO);
+    tevent_req_error(req, ret);
     tevent_req_post(req, ev);
     return req;
 }
@@ -116,6 +116,7 @@ static void ipa_s2n_exop_done(struct sdap_op *op,
     char *errmsg = NULL;
     char *retoid = NULL;
     struct berval *retdata = NULL;
+    int result;
 
     if (error) {
         tevent_req_error(req, error);
@@ -123,19 +124,19 @@ static void ipa_s2n_exop_done(struct sdap_op *op,
     }
 
     ret = ldap_parse_result(state->sh->ldap, reply->msg,
-                            &state->result, &errmsg, NULL, NULL,
+                            &result, &errmsg, NULL, NULL,
                             NULL, 0);
     if (ret != LDAP_SUCCESS) {
         DEBUG(SSSDBG_OP_FAILURE, ("ldap_parse_result failed (%d)\n", state->op->msgid));
-        ret = EIO;
+        ret = ERR_NETWORK_IO;
         goto done;
     }
 
     DEBUG(SSSDBG_TRACE_FUNC, ("ldap_extended_operation result: %s(%d), %s\n",
-            sss_ldap_err2string(state->result), state->result, errmsg));
+            sss_ldap_err2string(result), result, errmsg));
 
-    if (state->result != LDAP_SUCCESS) {
-        ret = EIO;
+    if (result != LDAP_SUCCESS) {
+        ret = ERR_NETWORK_IO;
         goto done;
     }
 
@@ -143,7 +144,7 @@ static void ipa_s2n_exop_done(struct sdap_op *op,
                                       &retoid, &retdata, 0);
     if (ret != LDAP_SUCCESS) {
         DEBUG(SSSDBG_OP_FAILURE, ("ldap_parse_extendend_result failed (%d)\n", ret));
-        ret = EIO;
+        ret = ERR_NETWORK_IO;
         goto done;
     }
 
@@ -183,21 +184,15 @@ done:
 }
 
 static int ipa_s2n_exop_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
-                             enum sdap_result *result, char **retoid,
-                             struct berval **retdata)
+                             char **retoid, struct berval **retdata)
 {
     struct ipa_s2n_exop_state *state = tevent_req_data(req,
                                                     struct ipa_s2n_exop_state);
 
     TEVENT_REQ_RETURN_ON_ERROR(req);
 
-    if (state->result == LDAP_SUCCESS) {
-        *result = SDAP_SUCCESS;
-        *retoid = talloc_steal(mem_ctx, state->retoid);
-        *retdata = talloc_steal(mem_ctx, state->retdata);
-    } else {
-        *result = SDAP_ERROR;
-    }
+    *retoid = talloc_steal(mem_ctx, state->retoid);
+    *retdata = talloc_steal(mem_ctx, state->retdata);
 
     return EOK;
 }
@@ -583,7 +578,6 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
     struct ipa_s2n_get_user_state *state = tevent_req_data(req,
                                                 struct ipa_s2n_get_user_state);
     int ret;
-    enum sdap_result result;
     char *retoid = NULL;
     struct berval *retdata = NULL;
     struct resp_attrs *attrs;
@@ -595,7 +589,7 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
     char *realm;
     char *upn;
 
-    ret = ipa_s2n_exop_recv(subreq, state, &result, &retoid, &retdata);
+    ret = ipa_s2n_exop_recv(subreq, state, &retoid, &retdata);
     talloc_zfree(subreq);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, ("s2n exop request failed.\n"));
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index bc91e2f797eb4bf15c2724f87cd0542f50d1eb95..59290714cdbc8968b7d59f858b0f1e7e4d3e27b4 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -86,19 +86,16 @@ static errno_t add_expired_warning(struct pam_data *pd, long exp_time)
 
 static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
                                        struct pam_data *pd,
-                                       enum sdap_result *result,
                                        int pwd_exp_warning)
 {
     char *end;
     struct tm tm;
     time_t expire_time;
     int expiration_warning;
-    int ret;
+    int ret = ERR_INTERNAL;
 
     memset(&tm, 0, sizeof(tm));
 
-    *result = SDAP_AUTH_FAILED;
-
     end = strptime(expire_date, "%Y%m%d%H%M%SZ", &tm);
     if (end == NULL) {
         DEBUG(1, ("Kerberos expire date [%s] invalid.\n", expire_date));
@@ -124,10 +121,8 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
 
     if (difftime(now, expire_time) > 0.0) {
         DEBUG(4, ("Kerberos password expired.\n"));
-        *result = SDAP_AUTH_PW_EXPIRED;
+        ret = ERR_PASSWORD_EXPIRED;
     } else {
-        *result = SDAP_AUTH_SUCCESS;
-
         if (pwd_exp_warning >= 0) {
             expiration_warning = pwd_exp_warning;
         } else {
@@ -141,14 +136,14 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
                 DEBUG(1, ("add_expired_warning failed.\n"));
             }
         }
+        ret = EOK;
     }
 
-    return EOK;
+    return ret;
 }
 
 static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,
-                                     struct pam_data *pd,
-                                     enum sdap_result *result)
+                                     struct pam_data *pd)
 {
     long today;
     long password_age;
@@ -157,15 +152,13 @@ static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,
 
     if (spwd->sp_lstchg <= 0) {
         DEBUG(4, ("Last change day is not set, new password needed.\n"));
-        *result = SDAP_AUTH_PW_EXPIRED;
-        return EOK;
+        return ERR_PASSWORD_EXPIRED;
     }
 
     today = (long) (now / (60 * 60 *24));
     password_age = today - spwd->sp_lstchg;
     if (password_age < 0) {
         DEBUG(2, ("The last password change time is in the future!.\n"));
-        *result = SDAP_AUTH_SUCCESS;
         return EOK;
     }
 
@@ -174,14 +167,12 @@ static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,
          password_age > spwd->sp_max + spwd->sp_inact))
     {
         DEBUG(4, ("Account expired.\n"));
-        *result = SDAP_ACCT_EXPIRED;
-        return EOK;
+        return ERR_ACCOUNT_EXPIRED;
     }
 
     if (spwd->sp_max != -1 && password_age > spwd->sp_max) {
         DEBUG(4, ("Password expired.\n"));
-        *result = SDAP_AUTH_PW_EXPIRED;
-        return EOK;
+        return ERR_PASSWORD_EXPIRED;
     }
 
     if (pd != NULL && spwd->sp_max != -1 && spwd->sp_warn != -1 &&
@@ -200,19 +191,18 @@ static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now,
         }
     }
 
-    *result = SDAP_AUTH_SUCCESS;
     return EOK;
 }
 
 static errno_t check_pwexpire_ldap(struct pam_data *pd,
                                    struct sdap_ppolicy_data *ppolicy,
-                                   enum sdap_result *result,
                                    int pwd_exp_warning)
 {
+    int ret = EOK;
+
     if (ppolicy->grace > 0 || ppolicy->expire > 0) {
         uint32_t *data;
         uint32_t *ptr;
-        int ret;
 
         if (pwd_exp_warning < 0) {
             pwd_exp_warning = 0;
@@ -245,13 +235,11 @@ static errno_t check_pwexpire_ldap(struct pam_data *pd,
                                (uint8_t*)data);
         if (ret != EOK) {
             DEBUG(1, ("pam_add_response failed.\n"));
-            return ret;
         }
     }
 
 done:
-    *result = SDAP_AUTH_SUCCESS;
-    return EOK;
+    return ret;
 }
 
 static errno_t find_password_expiration_attributes(TALLOC_CTX *mem_ctx,
@@ -469,7 +457,6 @@ struct auth_state {
 
     struct sdap_handle *sh;
 
-    enum sdap_result result;
     char *dn;
     enum pwexpire pw_expire_type;
     void *pw_expire_data;
@@ -497,8 +484,7 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
 
     /* The token must be a password token */
     if (sss_authtok_get_type(authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
-        state->result = SDAP_AUTH_FAILED;
-        tevent_req_done(req);
+        tevent_req_error(req, ERR_AUTH_FAILED);
         return tevent_req_post(req, ev);
     }
 
@@ -646,54 +632,38 @@ static void auth_bind_user_done(struct tevent_req *subreq)
     struct auth_state *state = tevent_req_data(req,
                                                     struct auth_state);
     int ret;
-    struct sdap_ppolicy_data *ppolicy;
+    struct sdap_ppolicy_data *ppolicy = NULL;
 
-    ret = sdap_auth_recv(subreq, state, &state->result, &ppolicy);
+    ret = sdap_auth_recv(subreq, state, &ppolicy);
+    talloc_zfree(subreq);
     if (ppolicy != NULL) {
         DEBUG(9,("Found ppolicy data, "
                  "assuming LDAP password policies are active.\n"));
         state->pw_expire_type = PWEXPIRE_LDAP_PASSWORD_POLICY;
         state->pw_expire_data = ppolicy;
     }
-    talloc_zfree(subreq);
-    if (ret != EOK) {
+    switch (ret) {
+    case EOK:
+        break;
+    case ETIMEDOUT:
+    case ERR_NETWORK_IO:
         if (auth_get_server(req) == NULL) {
             tevent_req_error(req, ENOMEM);
         }
         return;
+    default:
+        tevent_req_error(req, ret);
+        return;
     }
 
     tevent_req_done(req);
 }
 
-int auth_recv(struct tevent_req *req,
-              TALLOC_CTX *memctx,
-              struct sdap_handle **sh,
-              enum sdap_result *result, char **dn,
-              enum pwexpire *pw_expire_type, void **pw_expire_data)
+static errno_t auth_recv(struct tevent_req *req, TALLOC_CTX *memctx,
+                         struct sdap_handle **sh, char **dn,
+                         enum pwexpire *pw_expire_type, void **pw_expire_data)
 {
     struct auth_state *state = tevent_req_data(req, struct auth_state);
-    enum tevent_req_state tstate;
-    uint64_t err;
-
-    if (tevent_req_is_error(req, &tstate, &err)) {
-        switch (tstate) {
-        case TEVENT_REQ_USER_ERROR:
-            if (err == ETIMEDOUT) {
-                *result = SDAP_UNAVAIL;
-                return EOK;
-            } else if (err == EACCES) {
-                *result = SDAP_AUTH_FAILED;
-                return EOK;
-            } else {
-                *result = SDAP_ERROR;
-                return err;
-            }
-        default:
-            *result = SDAP_ERROR;
-            return EIO;
-        }
-    }
 
     if (sh != NULL) {
         *sh = talloc_steal(memctx, state->sh);
@@ -711,7 +681,8 @@ int auth_recv(struct tevent_req *req,
 
     *pw_expire_type = state->pw_expire_type;
 
-    *result = state->result;
+    TEVENT_REQ_RETURN_ON_ERROR(req);
+
     return EOK;
 }
 
@@ -793,22 +764,15 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
                     tevent_req_callback_data(req, struct sdap_pam_chpass_state);
     struct be_ctx *be_ctx = be_req_get_be_ctx(state->breq);
     struct tevent_req *subreq;
-    enum sdap_result result;
     enum pwexpire pw_expire_type;
     void *pw_expire_data;
     int dp_err = DP_ERR_FATAL;
     int ret;
 
-    ret = auth_recv(req, state, &state->sh,
-                    &result, &state->dn,
+    ret = auth_recv(req, state, &state->sh, &state->dn,
                     &pw_expire_type, &pw_expire_data);
     talloc_zfree(req);
-    if (ret) {
-        state->pd->pam_status = PAM_SYSTEM_ERR;
-        goto done;
-    }
-
-    if ( (result == SDAP_AUTH_SUCCESS || result == SDAP_AUTH_PW_EXPIRED ) &&
+    if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
         state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
         DEBUG(9, ("Initial authentication for change password operation "
                   "successful.\n"));
@@ -817,46 +781,35 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
         goto done;
     }
 
-    if (result == SDAP_AUTH_SUCCESS) {
+    if (ret == EOK) {
         switch (pw_expire_type) {
-            case PWEXPIRE_SHADOW:
-                ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL,
-                                            &result);
-                if (ret != EOK) {
-                    DEBUG(1, ("check_pwexpire_shadow failed.\n"));
-                    state->pd->pam_status = PAM_SYSTEM_ERR;
-                    goto done;
-                }
-                break;
-            case PWEXPIRE_KERBEROS:
-                ret = check_pwexpire_kerberos(pw_expire_data, time(NULL), NULL, &result,
-                                              be_ctx->domain->pwd_expiration_warning);
-                if (ret != EOK) {
-                    DEBUG(1, ("check_pwexpire_kerberos failed.\n"));
-                    state->pd->pam_status = PAM_SYSTEM_ERR;
-                    goto done;
-                }
+        case PWEXPIRE_SHADOW:
+            ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
+            break;
+        case PWEXPIRE_KERBEROS:
+            ret = check_pwexpire_kerberos(pw_expire_data, time(NULL), NULL,
+                                          be_ctx->domain->pwd_expiration_warning);
 
-                if (result == SDAP_AUTH_PW_EXPIRED) {
-                    DEBUG(1, ("LDAP provider cannot change kerberos "
-                              "passwords.\n"));
-                    state->pd->pam_status = PAM_SYSTEM_ERR;
-                    goto done;
-                }
-                break;
-            case PWEXPIRE_LDAP_PASSWORD_POLICY:
-            case PWEXPIRE_NONE:
-                break;
-            default:
-                DEBUG(1, ("Unknow pasword expiration type.\n"));
-                    state->pd->pam_status = PAM_SYSTEM_ERR;
-                    goto done;
+            if (ret == ERR_PASSWORD_EXPIRED) {
+                DEBUG(1, ("LDAP provider cannot change kerberos "
+                          "passwords.\n"));
+                state->pd->pam_status = PAM_SYSTEM_ERR;
+                goto done;
+            }
+            break;
+        case PWEXPIRE_LDAP_PASSWORD_POLICY:
+        case PWEXPIRE_NONE:
+            break;
+        default:
+            DEBUG(1, ("Unknow pasword expiration type.\n"));
+                state->pd->pam_status = PAM_SYSTEM_ERR;
+                goto done;
         }
     }
 
-    switch (result) {
-    case SDAP_AUTH_SUCCESS:
-    case SDAP_AUTH_PW_EXPIRED:
+    switch (ret) {
+    case EOK:
+    case ERR_PASSWORD_EXPIRED:
         DEBUG(7, ("user [%s] successfully authenticated.\n", state->dn));
         if (pw_expire_type == PWEXPIRE_SHADOW) {
 /* TODO: implement async ldap modify request */
@@ -891,10 +844,12 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
             return;
         }
         break;
-    case SDAP_AUTH_FAILED:
+    case ERR_AUTH_DENIED:
+    case ERR_AUTH_FAILED:
         state->pd->pam_status = PAM_AUTH_ERR;
         break;
-    case SDAP_UNAVAIL:
+    case ETIMEDOUT:
+    case ERR_NETWORK_IO:
         state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
         be_mark_offline(be_ctx);
         dp_err = DP_ERR_OFFLINE;
@@ -912,7 +867,6 @@ static void sdap_pam_chpass_done(struct tevent_req *req)
     struct sdap_pam_chpass_state *state =
                     tevent_req_callback_data(req, struct sdap_pam_chpass_state);
     struct be_ctx *be_ctx = be_req_get_be_ctx(state->breq);
-    enum sdap_result result;
     int dp_err = DP_ERR_FATAL;
     int ret;
     char *user_error_message = NULL;
@@ -921,24 +875,23 @@ static void sdap_pam_chpass_done(struct tevent_req *req)
     size_t msg_len;
     uint8_t *msg;
 
-    ret = sdap_exop_modify_passwd_recv(req, state, &result, &user_error_message);
+    ret = sdap_exop_modify_passwd_recv(req, state, &user_error_message);
     talloc_zfree(req);
-    if (ret && ret != EIO) {
-        state->pd->pam_status = PAM_SYSTEM_ERR;
-        goto done;
-    }
 
-    switch (result) {
-    case SDAP_SUCCESS:
+    switch (ret) {
+    case EOK:
         state->pd->pam_status = PAM_SUCCESS;
         dp_err = DP_ERR_OK;
         break;
-    case SDAP_AUTH_PW_CONSTRAINT_VIOLATION:
+    case ERR_CHPASS_DENIED:
         state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;
         break;
-    default:
+    case ERR_NETWORK_IO:
         state->pd->pam_status = PAM_AUTHTOK_ERR;
         break;
+    default:
+        state->pd->pam_status = PAM_SYSTEM_ERR;
+        break;
     }
 
     if (state->pd->pam_status != PAM_SUCCESS && user_error_message != NULL) {
@@ -1068,76 +1021,70 @@ static void sdap_pam_auth_done(struct tevent_req *req)
     struct sdap_pam_auth_state *state =
                     tevent_req_callback_data(req, struct sdap_pam_auth_state);
     struct be_ctx *be_ctx = be_req_get_be_ctx(state->breq);
-    enum sdap_result result;
     enum pwexpire pw_expire_type;
     void *pw_expire_data;
     const char *password;
     int dp_err = DP_ERR_OK;
     int ret;
 
-    ret = auth_recv(req, state, NULL,
-                    &result, NULL,
+    ret = auth_recv(req, state, NULL, NULL,
                     &pw_expire_type, &pw_expire_data);
     talloc_zfree(req);
-    if (ret != EOK) {
-        state->pd->pam_status = PAM_SYSTEM_ERR;
-        dp_err = DP_ERR_FATAL;
-        goto done;
-    }
 
-    if (result == SDAP_AUTH_SUCCESS) {
+    if (ret == EOK) {
         switch (pw_expire_type) {
-            case PWEXPIRE_SHADOW:
-                ret = check_pwexpire_shadow(pw_expire_data, time(NULL),
-                                            state->pd, &result);
-                if (ret != EOK) {
-                    DEBUG(1, ("check_pwexpire_shadow failed.\n"));
-                    state->pd->pam_status = PAM_SYSTEM_ERR;
-                    goto done;
-                }
-                break;
-            case PWEXPIRE_KERBEROS:
-                ret = check_pwexpire_kerberos(pw_expire_data, time(NULL),
-                                              state->pd, &result,
-                                              be_ctx->domain->pwd_expiration_warning);
-                if (ret != EOK) {
-                    DEBUG(1, ("check_pwexpire_kerberos failed.\n"));
-                    state->pd->pam_status = PAM_SYSTEM_ERR;
-                    goto done;
-                }
-                break;
-            case PWEXPIRE_LDAP_PASSWORD_POLICY:
-                ret = check_pwexpire_ldap(state->pd, pw_expire_data, &result,
+        case PWEXPIRE_SHADOW:
+            ret = check_pwexpire_shadow(pw_expire_data, time(NULL), state->pd);
+            if (ret != EOK) {
+                DEBUG(1, ("check_pwexpire_shadow failed.\n"));
+                state->pd->pam_status = PAM_SYSTEM_ERR;
+                goto done;
+            }
+            break;
+        case PWEXPIRE_KERBEROS:
+            ret = check_pwexpire_kerberos(pw_expire_data, time(NULL),
+                                          state->pd,
                                           be_ctx->domain->pwd_expiration_warning);
-                if (ret != EOK) {
-                    DEBUG(1, ("check_pwexpire_ldap failed.\n"));
-                    state->pd->pam_status = PAM_SYSTEM_ERR;
-                    goto done;
-                }
-                break;
-            case PWEXPIRE_NONE:
-                break;
-            default:
-                DEBUG(1, ("Unknow pasword expiration type.\n"));
-                    state->pd->pam_status = PAM_SYSTEM_ERR;
-                    goto done;
+            if (ret != EOK) {
+                DEBUG(1, ("check_pwexpire_kerberos failed.\n"));
+                state->pd->pam_status = PAM_SYSTEM_ERR;
+                goto done;
+            }
+            break;
+        case PWEXPIRE_LDAP_PASSWORD_POLICY:
+            ret = check_pwexpire_ldap(state->pd, pw_expire_data,
+                                      be_ctx->domain->pwd_expiration_warning);
+            if (ret != EOK) {
+                DEBUG(1, ("check_pwexpire_ldap failed.\n"));
+                state->pd->pam_status = PAM_SYSTEM_ERR;
+                goto done;
+            }
+            break;
+        case PWEXPIRE_NONE:
+            break;
+        default:
+            DEBUG(1, ("Unknow pasword expiration type.\n"));
+                state->pd->pam_status = PAM_SYSTEM_ERR;
+                goto done;
         }
     }
 
-    switch (result) {
-    case SDAP_AUTH_SUCCESS:
+    switch (ret) {
+    case EOK:
         state->pd->pam_status = PAM_SUCCESS;
         break;
-    case SDAP_AUTH_FAILED:
+    case ERR_AUTH_DENIED:
+    case ERR_AUTH_FAILED:
         state->pd->pam_status = PAM_PERM_DENIED;
         break;
-    case SDAP_UNAVAIL:
+    case ETIMEDOUT:
+    case ERR_NETWORK_IO:
         state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
         break;
-    case SDAP_ACCT_EXPIRED:
+    case ERR_ACCOUNT_EXPIRED:
         state->pd->pam_status = PAM_ACCT_EXPIRED;
         break;
-    case SDAP_AUTH_PW_EXPIRED:
+    case ERR_PASSWORD_EXPIRED:
         state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;
         break;
     default:
@@ -1145,13 +1092,13 @@ static void sdap_pam_auth_done(struct tevent_req *req)
         dp_err = DP_ERR_FATAL;
     }
 
-    if (result == SDAP_UNAVAIL) {
+    if (ret == ETIMEDOUT || ret == ERR_NETWORK_IO) {
         be_mark_offline(be_ctx);
         dp_err = DP_ERR_OFFLINE;
         goto done;
     }
 
-    if (result == SDAP_AUTH_SUCCESS && be_ctx->domain->cache_credentials) {
+    if (ret == EOK && be_ctx->domain->cache_credentials) {
 
         ret = sss_authtok_get_password(&state->pd->authtok, &password, NULL);
         if (ret == EOK) {
@@ -1167,7 +1114,6 @@ static void sdap_pam_auth_done(struct tevent_req *req)
             DEBUG(4, ("Password successfully cached for %s\n",
                       state->pd->user));
         }
-        goto done;
     }
 
 done:
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index d143657999f081dc067c43e0e7dedbb4a6ef3489..27f18ae172dddb3f7cd76149ad255ddd4b670b82 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -136,19 +136,6 @@ struct sdap_ppolicy_data {
 #define SDAP_AD_USN "uSNChanged"
 #define SDAP_AD_LAST_USN "highestCommittedUSN"
 
-enum sdap_result {
-    SDAP_SUCCESS,
-    SDAP_NOT_FOUND,
-    SDAP_UNAVAIL,
-    SDAP_RETRY,
-    SDAP_ERROR,
-    SDAP_AUTH_SUCCESS,
-    SDAP_AUTH_FAILED,
-    SDAP_AUTH_PW_EXPIRED,
-    SDAP_AUTH_PW_CONSTRAINT_VIOLATION,
-    SDAP_ACCT_EXPIRED
-};
-
 enum sdap_basic_opt {
     SDAP_URI = 0,
     SDAP_BACKUP_URI,
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index b7d98392bf3be16f5e02834304fab7c29a09e210..7ac32b95a7021f53ca115d0142b0164c0e52f2ea 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -490,7 +490,6 @@ struct sdap_exop_modify_passwd_state {
 
     struct sdap_op *op;
 
-    int result;
     char *user_error_message;
 };
 
@@ -552,6 +551,7 @@ struct tevent_req *sdap_exop_modify_passwd_send(TALLOC_CTX *memctx,
     if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
         DEBUG(1, ("sdap_control_create failed to create "
                   "Password Policy control.\n"));
+        ret = ERR_INTERNAL;
         goto fail;
     }
     request_controls = ctrls;
@@ -564,6 +564,7 @@ struct tevent_req *sdap_exop_modify_passwd_send(TALLOC_CTX *memctx,
     if (ctrls[0]) ldap_control_free(ctrls[0]);
     if (ret == -1 || msgid == -1) {
         DEBUG(1, ("ldap_extended_operation failed\n"));
+        ret = ERR_NETWORK_IO;
         goto fail;
     }
     DEBUG(8, ("ldap_extended_operation sent, msgid = %d\n", msgid));
@@ -573,13 +574,14 @@ struct tevent_req *sdap_exop_modify_passwd_send(TALLOC_CTX *memctx,
                       sdap_exop_modify_passwd_done, req, 5, &state->op);
     if (ret) {
         DEBUG(1, ("Failed to set up operation!\n"));
+        ret = ERR_INTERNAL;
         goto fail;
     }
 
     return req;
 
 fail:
-    tevent_req_error(req, EIO);
+    tevent_req_error(req, ret);
     tevent_req_post(req, ev);
     return req;
 }
@@ -598,6 +600,7 @@ static void sdap_exop_modify_passwd_done(struct sdap_op *op,
     ber_int_t pp_grace;
     ber_int_t pp_expire;
     LDAPPasswordPolicyError pp_error;
+    int result;
 
     if (error) {
         tevent_req_error(req, error);
@@ -605,11 +608,11 @@ static void sdap_exop_modify_passwd_done(struct sdap_op *op,
     }
 
     ret = ldap_parse_result(state->sh->ldap, reply->msg,
-                            &state->result, NULL, &errmsg, NULL,
+                            &result, NULL, &errmsg, NULL,
                             &response_controls, 0);
     if (ret != LDAP_SUCCESS) {
         DEBUG(2, ("ldap_parse_result failed (%d)\n", state->op->msgid));
-        ret = EIO;
+        ret = ERR_INTERNAL;
         goto done;
     }
 
@@ -627,7 +630,7 @@ static void sdap_exop_modify_passwd_done(struct sdap_op *op,
                                                         &pp_error);
                 if (ret != LDAP_SUCCESS) {
                     DEBUG(1, ("ldap_parse_passwordpolicy_control failed.\n"));
-                    ret = EIO;
+                    ret = ERR_NETWORK_IO;
                     goto done;
                 }
 
@@ -639,9 +642,16 @@ static void sdap_exop_modify_passwd_done(struct sdap_op *op,
     }
 
     DEBUG(3, ("ldap_extended_operation result: %s(%d), %s\n",
-            sss_ldap_err2string(state->result), state->result, errmsg));
+            sss_ldap_err2string(result), result, errmsg));
 
-    if (state->result != LDAP_SUCCESS) {
+    switch (result) {
+    case LDAP_SUCCESS:
+        ret = EOK;
+        break;
+    case LDAP_CONSTRAINT_VIOLATION:
+        ret = ERR_CHPASS_DENIED;
+        break;
+    default:
         if (errmsg) {
             state->user_error_message = talloc_strdup(state, errmsg);
             if (state->user_error_message == NULL) {
@@ -650,11 +660,10 @@ static void sdap_exop_modify_passwd_done(struct sdap_op *op,
                 goto done;
             }
         }
-        ret = EIO;
-        goto done;
+        ret = ERR_NETWORK_IO;
+        break;
     }
 
-    ret = EOK;
 done:
     ldap_controls_free(response_controls);
     ldap_memfree(errmsg);
@@ -666,28 +675,15 @@ done:
     }
 }
 
-int sdap_exop_modify_passwd_recv(struct tevent_req *req,
-                                 TALLOC_CTX * mem_ctx,
-                                 enum sdap_result *result,
-                                 char **user_error_message)
+errno_t sdap_exop_modify_passwd_recv(struct tevent_req *req,
+                                     TALLOC_CTX * mem_ctx,
+                                     char **user_error_message)
 {
     struct sdap_exop_modify_passwd_state *state = tevent_req_data(req,
                                          struct sdap_exop_modify_passwd_state);
 
     *user_error_message = talloc_steal(mem_ctx, state->user_error_message);
 
-    switch (state->result) {
-        case LDAP_SUCCESS:
-            *result = SDAP_SUCCESS;
-            break;
-        case LDAP_CONSTRAINT_VIOLATION:
-            *result = SDAP_AUTH_PW_CONSTRAINT_VIOLATION;
-            break;
-        default:
-            *result = SDAP_ERROR;
-            break;
-    }
-
     TEVENT_REQ_RETURN_ON_ERROR(req);
 
     return EOK;
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 69590b9ed0d0b8459d5b82fe86a856417fb3bd71..59269110126c7015d6ae18f2ae1ddc6b2871d360 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -86,22 +86,6 @@ int sdap_get_netgroups_recv(struct tevent_req *req,
                             size_t *reply_count,
                             struct sysdb_attrs ***reply);
 
-struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
-                                   struct tevent_context *ev,
-                                   struct be_ctx *be,
-                                   struct sdap_handle *sh,
-                                   const char *service_name,
-                                   int    timeout,
-                                   const char *keytab,
-                                   const char *principal,
-                                   const char *realm,
-                                   bool canonicalize,
-                                   int lifetime);
-
-int sdap_kinit_recv(struct tevent_req *req,
-                    enum sdap_result *result,
-                    time_t *expire_time);
-
 struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
                                   struct tevent_context *ev,
                                   struct sdap_handle *sh,
@@ -110,10 +94,9 @@ struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
                                   const char *user_dn,
                                   struct sss_auth_token *authtok);
 
-int sdap_auth_recv(struct tevent_req *req,
-                   TALLOC_CTX *memctx,
-                   enum sdap_result *result,
-                   struct sdap_ppolicy_data **ppolicy);
+errno_t sdap_auth_recv(struct tevent_req *req,
+                       TALLOC_CTX *memctx,
+                       struct sdap_ppolicy_data **ppolicy);
 
 struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
                                         struct tevent_context *ev,
@@ -129,9 +112,9 @@ struct tevent_req *sdap_exop_modify_passwd_send(TALLOC_CTX *memctx,
                                                 char *user_dn,
                                                 const char *password,
                                                 const char *new_password);
-int sdap_exop_modify_passwd_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
-                                 enum sdap_result *result,
-                                 char **user_error_msg);
+errno_t sdap_exop_modify_passwd_recv(struct tevent_req *req,
+                                     TALLOC_CTX *mem_ctx,
+                                     char **user_error_msg);
 
 struct tevent_req *
 sdap_modify_shadow_lastchange_send(TALLOC_CTX *mem_ctx,
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index b673daf6efdaa32bc23448c05db4e5461e9b9749..e396fff8c6850a886a43c68a4f9030fe5bf27bba 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -446,7 +446,6 @@ struct simple_bind_state {
 
     struct sdap_msg *reply;
     struct sdap_ppolicy_data *ppolicy;
-    int result;
 };
 
 static void simple_bind_done(struct sdap_op *op,
@@ -529,7 +528,7 @@ fail:
     if (ret == LDAP_SERVER_DOWN) {
         tevent_req_error(req, ETIMEDOUT);
     } else {
-        tevent_req_error(req, EIO);
+        tevent_req_error(req, ERR_NETWORK_IO);
     }
     tevent_req_post(req, ev);
     return req;
@@ -544,13 +543,14 @@ static void simple_bind_done(struct sdap_op *op,
                                             struct simple_bind_state);
     char *errmsg = NULL;
     char *nval;
-    errno_t ret;
+    errno_t ret = ERR_INTERNAL;
     int lret;
     LDAPControl **response_controls;
     int c;
     ber_int_t pp_grace;
     ber_int_t pp_expire;
     LDAPPasswordPolicyError pp_error;
+    int result = LDAP_OTHER;
 
     if (error) {
         tevent_req_error(req, error);
@@ -560,15 +560,19 @@ static void simple_bind_done(struct sdap_op *op,
     state->reply = talloc_steal(state, reply);
 
     lret = ldap_parse_result(state->sh->ldap, state->reply->msg,
-                            &state->result, NULL, &errmsg, NULL,
+                            &result, NULL, &errmsg, NULL,
                             &response_controls, 0);
     if (lret != LDAP_SUCCESS) {
         DEBUG(SSSDBG_MINOR_FAILURE,
               ("ldap_parse_result failed (%d)\n", state->op->msgid));
-        ret = EIO;
+        ret = ERR_INTERNAL;
         goto done;
     }
 
+    if (result == LDAP_SUCCESS) {
+        ret = EOK;
+    }
+
     if (response_controls == NULL) {
         DEBUG(SSSDBG_TRACE_LIBS, ("Server returned no controls.\n"));
         state->ppolicy = NULL;
@@ -586,7 +590,7 @@ static void simple_bind_done(struct sdap_op *op,
                 if (lret != LDAP_SUCCESS) {
                     DEBUG(SSSDBG_MINOR_FAILURE,
                           ("ldap_parse_passwordpolicy_control failed.\n"));
-                    ret = EIO;
+                    ret = ERR_INTERNAL;
                     goto done;
                 }
 
@@ -602,12 +606,13 @@ static void simple_bind_done(struct sdap_op *op,
                 }
                 state->ppolicy->grace = pp_grace;
                 state->ppolicy->expire = pp_expire;
-                if (state->result == LDAP_SUCCESS) {
+                if (result == LDAP_SUCCESS) {
+
                     if (pp_error == PP_changeAfterReset) {
                         DEBUG(SSSDBG_TRACE_LIBS,
                               ("Password was reset. "
                                "User must set a new password.\n"));
-                        state->result = LDAP_X_SSSD_PASSWORD_EXPIRED;
+                        ret = ERR_PASSWORD_EXPIRED;
                     } else if (pp_grace > 0) {
                         DEBUG(SSSDBG_TRACE_LIBS,
                               ("Password expired. "
@@ -618,17 +623,17 @@ static void simple_bind_done(struct sdap_op *op,
                               ("Password will expire in [%d] seconds.\n",
                                pp_expire));
                     }
-                } else if (state->result == LDAP_INVALID_CREDENTIALS &&
+                } else if (result == LDAP_INVALID_CREDENTIALS &&
                            pp_error == PP_passwordExpired) {
                     DEBUG(SSSDBG_TRACE_LIBS,
                           ("Password expired user must set a new password.\n"));
-                    state->result = LDAP_X_SSSD_PASSWORD_EXPIRED;
+                    ret = ERR_PASSWORD_EXPIRED;
                 }
             } else if (strcmp(response_controls[c]->ldctl_oid,
                               LDAP_CONTROL_PWEXPIRED) == 0) {
                 DEBUG(SSSDBG_TRACE_LIBS,
                       ("Password expired user must set a new password.\n"));
-                state->result = LDAP_X_SSSD_PASSWORD_EXPIRED;
+                ret = ERR_PASSWORD_EXPIRED;
             } else if (strcmp(response_controls[c]->ldctl_oid,
                               LDAP_CONTROL_PWEXPIRING) == 0) {
                 /* ignore controls with suspiciously long values */
@@ -670,10 +675,13 @@ static void simple_bind_done(struct sdap_op *op,
     }
 
     DEBUG(SSSDBG_TRACE_FUNC, ("Bind result: %s(%d), %s\n",
-              sss_ldap_err2string(state->result), state->result,
+              sss_ldap_err2string(result), result,
               errmsg ? errmsg : "no errmsg set"));
 
-    ret = EOK;
+    if (result != LDAP_SUCCESS && ret == EOK) {
+        ret = ERR_AUTH_FAILED;
+    }
+
 done:
     ldap_controls_free(response_controls);
     ldap_memfree(errmsg);
@@ -685,19 +693,19 @@ done:
     }
 }
 
-static int simple_bind_recv(struct tevent_req *req,
-                            TALLOC_CTX *memctx,
-                            int *ldaperr,
-                            struct sdap_ppolicy_data **ppolicy)
+static errno_t simple_bind_recv(struct tevent_req *req,
+                                TALLOC_CTX *memctx,
+                                struct sdap_ppolicy_data **ppolicy)
 {
     struct simple_bind_state *state = tevent_req_data(req,
                                             struct simple_bind_state);
 
-    *ldaperr = LDAP_OTHER;
+    if (ppolicy != NULL) {
+        *ppolicy = talloc_steal(memctx, state->ppolicy);
+    }
+
     TEVENT_REQ_RETURN_ON_ERROR(req);
 
-    *ldaperr = state->result;
-    *ppolicy = talloc_steal(memctx, state->ppolicy);
     return EOK;
 }
 
@@ -710,8 +718,6 @@ struct sasl_bind_state {
     const char *sasl_mech;
     const char *sasl_user;
     struct berval *sasl_cred;
-
-    int result;
 };
 
 static int sdap_sasl_interact(LDAP *ld, unsigned flags,
@@ -749,7 +755,6 @@ static struct tevent_req *sasl_bind_send(TALLOC_CTX *memctx,
                                        sasl_mech, NULL, NULL,
                                        LDAP_SASL_QUIET,
                                        (*sdap_sasl_interact), state);
-    state->result = ret;
     if (ret != LDAP_SUCCESS) {
         DEBUG(SSSDBG_CRIT_FAILURE,
               ("ldap_sasl_bind failed (%d)[%s]\n",
@@ -771,14 +776,20 @@ static struct tevent_req *sasl_bind_send(TALLOC_CTX *memctx,
         if (ret) goto fail;
     }
 
+    /* This is a hack, relies on the fact that tevent_req_done() will always
+     * set the state but will not complain if no callback has been set.
+     * tevent_req_post() will only set the immediate event and then just call
+     * the async callback set by the caller right after we return using the
+     * state value set previously by tevent_req_done() */
+    tevent_req_done(req);
     tevent_req_post(req, ev);
     return req;
 
 fail:
-    if (ret == LDAP_SERVER_DOWN) {
+    if (ret == LDAP_SERVER_DOWN || ret == LDAP_TIMEOUT) {
         tevent_req_error(req, ETIMEDOUT);
     } else {
-        tevent_req_error(req, EIO);
+        tevent_req_error(req, ERR_AUTH_FAILED);
     }
     tevent_req_post(req, ev);
     return req;
@@ -830,21 +841,10 @@ fail:
     return LDAP_UNAVAILABLE;
 }
 
-static int sasl_bind_recv(struct tevent_req *req, int *ldaperr)
+static errno_t sasl_bind_recv(struct tevent_req *req)
 {
-    struct sasl_bind_state *state = tevent_req_data(req,
-                                            struct sasl_bind_state);
-    enum tevent_req_state tstate;
-    uint64_t err = EIO;
+    TEVENT_REQ_RETURN_ON_ERROR(req);
 
-    if (tevent_req_is_error(req, &tstate, &err)) {
-        if (tstate != TEVENT_REQ_IN_PROGRESS) {
-            *ldaperr = LDAP_OTHER;
-            return err;
-        }
-    }
-
-    *ldaperr = state->result;
     return EOK;
 }
 
@@ -862,7 +862,6 @@ struct sdap_kinit_state {
     struct be_ctx *be;
 
     struct fo_server *kdc_srv;
-    int result;
     time_t expire_time;
 };
 
@@ -870,6 +869,7 @@ static void sdap_kinit_done(struct tevent_req *subreq);
 static struct tevent_req *sdap_kinit_next_kdc(struct tevent_req *req);
 static void sdap_kinit_kdc_resolved(struct tevent_req *subreq);
 
+static
 struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
                                    struct tevent_context *ev,
                                    struct be_ctx *be,
@@ -899,7 +899,6 @@ struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
     req = tevent_req_create(memctx, &state, struct sdap_kinit_state);
     if (!req) return NULL;
 
-    state->result = SDAP_AUTH_FAILED;
     state->keytab = keytab;
     state->principal = principal;
     state->realm = realm;
@@ -974,7 +973,7 @@ static void sdap_kinit_kdc_resolved(struct tevent_req *subreq)
     if (ret != EOK) {
         /* all servers have been tried and none
          * was found good, go offline */
-        tevent_req_error(req, EIO);
+        tevent_req_error(req, ERR_NETWORK_IO);
         return;
     }
 
@@ -1021,7 +1020,6 @@ static void sdap_kinit_done(struct tevent_req *subreq)
         return;
     } else if (ret != EOK) {
         /* A severe error while executing the child. Abort the operation. */
-        state->result = SDAP_AUTH_FAILED;
         DEBUG(1, ("child failed (%d [%s])\n", ret, strerror(ret)));
         tevent_req_error(req, ret);
         return;
@@ -1031,12 +1029,10 @@ static void sdap_kinit_done(struct tevent_req *subreq)
         ret = setenv("KRB5CCNAME", ccname, 1);
         if (ret == -1) {
             DEBUG(2, ("Unable to set env. variable KRB5CCNAME!\n"));
-            state->result = SDAP_AUTH_FAILED;
-            tevent_req_error(req, EFAULT);
+            tevent_req_error(req, ERR_AUTH_FAILED);
         }
 
         state->expire_time = expire_time;
-        state->result = SDAP_AUTH_SUCCESS;
         tevent_req_done(req);
         return;
     } else {
@@ -1052,28 +1048,24 @@ static void sdap_kinit_done(struct tevent_req *subreq)
 
     }
 
-    DEBUG(4, ("Could not get TGT: %d [%s]\n", result, strerror(result)));
-    state->result = SDAP_AUTH_FAILED;
-    tevent_req_error(req, EIO);
+    DEBUG(4, ("Could not get TGT: %d [%s]\n", result, sss_strerror(result)));
+    tevent_req_error(req, ERR_AUTH_FAILED);
 }
 
-int sdap_kinit_recv(struct tevent_req *req,
-                    enum sdap_result *result,
-                    time_t *expire_time)
+static errno_t sdap_kinit_recv(struct tevent_req *req,
+                               time_t *expire_time)
 {
     struct sdap_kinit_state *state = tevent_req_data(req,
                                                      struct sdap_kinit_state);
     enum tevent_req_state tstate;
-    uint64_t err = EIO;
+    uint64_t err = ERR_INTERNAL;
 
     if (tevent_req_is_error(req, &tstate, &err)) {
         if (tstate != TEVENT_REQ_IN_PROGRESS) {
-            *result = SDAP_ERROR;
             return err;
         }
     }
 
-    *result = state->result;
     *expire_time = state->expire_time;
     return EOK;
 }
@@ -1084,7 +1076,6 @@ int sdap_kinit_recv(struct tevent_req *req,
 struct sdap_auth_state {
     struct sdap_ppolicy_data *ppolicy;
     bool is_sasl;
-    int result;
 };
 
 static void sdap_auth_done(struct tevent_req *subreq);
@@ -1171,46 +1162,31 @@ static void sdap_auth_done(struct tevent_req *subreq)
     int ret;
 
     if (state->is_sasl) {
-        ret = sasl_bind_recv(subreq, &state->result);
+        ret = sasl_bind_recv(subreq);
         state->ppolicy = NULL;
     } else {
-        ret = simple_bind_recv(subreq, state, &state->result, &state->ppolicy);
+        ret = simple_bind_recv(subreq, state, &state->ppolicy);
     }
-    if (ret != EOK) {
-        tevent_req_error(req, ret);
+
+    if (tevent_req_error(req, ret)) {
         return;
     }
 
     tevent_req_done(req);
 }
 
-int sdap_auth_recv(struct tevent_req *req,
-                   TALLOC_CTX *memctx,
-                   enum sdap_result *result,
-                   struct sdap_ppolicy_data **ppolicy)
+errno_t sdap_auth_recv(struct tevent_req *req,
+                       TALLOC_CTX *memctx,
+                       struct sdap_ppolicy_data **ppolicy)
 {
     struct sdap_auth_state *state = tevent_req_data(req,
                                                  struct sdap_auth_state);
 
-    *result = SDAP_ERROR;
-    TEVENT_REQ_RETURN_ON_ERROR(req);
-
     if (ppolicy != NULL) {
         *ppolicy = talloc_steal(memctx, state->ppolicy);
     }
-    switch (state->result) {
-        case LDAP_SUCCESS:
-            *result = SDAP_AUTH_SUCCESS;
-            break;
-        case LDAP_INVALID_CREDENTIALS:
-            *result = SDAP_AUTH_FAILED;
-            break;
-        case LDAP_X_SSSD_PASSWORD_EXPIRED:
-            *result = SDAP_AUTH_PW_EXPIRED;
-            break;
-        default:
-            break;
-    }
+
+    TEVENT_REQ_RETURN_ON_ERROR(req);
 
     return EOK;
 }
@@ -1564,17 +1540,16 @@ static void sdap_cli_kinit_done(struct tevent_req *subreq)
                                                       struct tevent_req);
     struct sdap_cli_connect_state *state = tevent_req_data(req,
                                              struct sdap_cli_connect_state);
-    enum sdap_result result;
     time_t expire_time;
-    int ret;
+    errno_t ret;
 
-    ret = sdap_kinit_recv(subreq, &result, &expire_time);
+    ret = sdap_kinit_recv(subreq, &expire_time);
     talloc_zfree(subreq);
-    if (ret != EOK || result != SDAP_AUTH_SUCCESS) {
+    if (ret != EOK) {
         /* We're not able to authenticate to the LDAP server.
          * There's not much we can do except for going offline */
         DEBUG(SSSDBG_TRACE_FUNC,
-              ("Cannot get a TGT: ret [%d] result [%d]\n", ret, result));
+              ("Cannot get a TGT: ret [%d](%s)\n", ret, sss_strerror(ret)));
         tevent_req_error(req, EACCES);
         return;
     }
@@ -1660,19 +1635,14 @@ static void sdap_cli_auth_done(struct tevent_req *subreq)
                                                       struct tevent_req);
     struct sdap_cli_connect_state *state = tevent_req_data(req,
                                              struct sdap_cli_connect_state);
-    enum sdap_result result;
     int ret;
 
-    ret = sdap_auth_recv(subreq, NULL, &result, NULL);
+    ret = sdap_auth_recv(subreq, NULL, NULL);
     talloc_zfree(subreq);
     if (ret) {
         tevent_req_error(req, ret);
         return;
     }
-    if (result != SDAP_AUTH_SUCCESS) {
-        tevent_req_error(req, EACCES);
-        return;
-    }
 
     if (state->use_rootdse && !state->rootdse) {
         /* We weren't able to read rootDSE during unauthenticated bind.
diff --git a/src/util/sss_ldap.c b/src/util/sss_ldap.c
index 060aacf9e55e79724a701fa391f72933416ef5d4..f7834d94073464eae06917c75ffaf75aac0f832f 100644
--- a/src/util/sss_ldap.c
+++ b/src/util/sss_ldap.c
@@ -32,12 +32,9 @@
 
 const char* sss_ldap_err2string(int err)
 {
-    static const char *password_expired = "Password expired";
-
-    switch (err) {
-    case LDAP_X_SSSD_PASSWORD_EXPIRED:
-        return password_expired;
-    default:
+    if (IS_SSSD_ERROR(err)) {
+        return sss_strerror(err);
+    } else {
         return ldap_err2string(err);
     }
 }
diff --git a/src/util/sss_ldap.h b/src/util/sss_ldap.h
index 46829259aedcf4a4f2ba3f94fc059c343c0e9ba6..7399c4d0ac0749cfaf57d42c2fe0465a0bdd4a41 100644
--- a/src/util/sss_ldap.h
+++ b/src/util/sss_ldap.h
@@ -27,8 +27,6 @@
 #include <talloc.h>
 #include <tevent.h>
 
-#define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D
-
 #ifndef LDAP_CONTROL_PWEXPIRED
 #define LDAP_CONTROL_PWEXPIRED "2.16.840.1.113730.3.4.4"
 #endif
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 1760c8d84e8c4c4e3906692cc9acbe166a4279fc..88806f531ed90699438deed060d192b7ac029920 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -35,8 +35,11 @@ struct err_string error_to_str[] = {
     { "Cached credentials are expired" }, /* ERR_CACHED_CREDS_EXPIRED */
     { "Authentication Denied" }, /* ERR_AUTH_DENIED */
     { "Authentication Failed" }, /* ERR_AUTH_FAILED */
+    { "Password Change Denied" }, /* ERR_CHPASS_DENIED */
     { "Password Change Failed" }, /* ERR_CHPASS_FAILED */
     { "Network I/O Error" }, /* ERR_NETWORK_IO */
+    { "Account Expired" }, /* ERR_ACCOUNT_EXPIRED */
+    { "Password Expired" }, /* ERR_PASSWORD_EXPIRED */
 };
 
 
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index 9292c9959bed1d1772ca761c04f6db417c6286c1..bc69dc37f871e66a6854cd65597fad4e5992fe41 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -57,8 +57,11 @@ enum sssd_errors {
     ERR_CACHED_CREDS_EXPIRED,
     ERR_AUTH_DENIED,
     ERR_AUTH_FAILED,
+    ERR_CHPASS_DENIED,
     ERR_CHPASS_FAILED,
     ERR_NETWORK_IO,
+    ERR_ACCOUNT_EXPIRED,
+    ERR_PASSWORD_EXPIRED,
     ERR_LAST            /* ALWAYS LAST */
 };
 
-- 
1.8.1.2


_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to