During a password change operation, if the wrong current password was given, we gave no hint to the user about what went wrong. The "Authentication token manipulation error" message alone was not very descriptive.
resolves: https://fedorahosted.org/sssd/ticket/2029 Thanks Michal
>From 6b6bf110f6bc362a56c1e0cf8c1bb9b84088004d Mon Sep 17 00:00:00 2001
From: Michal Zidek <[email protected]>
Date: Fri, 9 Aug 2013 15:17:48 -0400
Subject: [PATCH] ldap, krb5: More descriptive msg on chpass failure.
Print more descriptive message when wrong current password is given during password change operation.
resolves: https://fedorahosted.org/sssd/ticket/2029
---
 src/providers/krb5/krb5_child.c | 15 +++++++++++++++
 src/providers/ldap/ldap_auth.c | 15 +++++++++++++++
 2 files changed, 30 insertions(+)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 47c8fb2..b77fa0a 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1278,6 +1278,8 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
 const char *realm_name;
 int realm_length;
 krb5_get_init_creds_opt *chagepw_options;
+ size_t msg_len;
+ uint8_t *msg;
 DEBUG(SSSDBG_TRACE_LIBS, ("Password change operation\n"));
@@ -1310,6 +1312,19 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
 chagepw_options);
 sss_krb5_get_init_creds_opt_free(kr->ctx, chagepw_options);
 if (kerr != 0) {
+ ret = pack_user_info_chpass_error(kr->pd, "Old password not accepted.",
+ &msg_len, &msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("pack_user_info_chpass_error failed.\n"));
+ } else {
+ ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, msg_len,
+ msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("pam_add_response failed.\n"));
+ }
+ }
 return kerr;
 }
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index ea28ba6..e5b6365 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -768,6 +768,8 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
 void *pw_expire_data;
 int dp_err = DP_ERR_FATAL;
 int ret;
+ size_t msg_len;
+ uint8_t *msg;
 ret = auth_recv(req, state, &state->sh, &state->dn, &pw_expire_type, &pw_expire_data);
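Review bot: In changepw_child (src/providers/krb5/krb5_child.c) the new "Old password not accepted." response is queued for every non-zero `kerr`, so a failure unrelated to the password, such as an unreachable KDC or clock skew, would presumably be reported to the user as a rejected password. Gating the new block on the codes a bad password produces keeps the message accurate, e.g. `if (kerr == KRB5KDC_ERR_PREAUTH_FAILED || kerr == KRB5KRB_AP_ERR_BAD_INTEGRITY) {`, with the exact set confirmed against the KDCs you support. The call that sets `kerr` starts above the hunk, so this is inferred from the visible `if (kerr != 0)` alone. The second ldap_auth.c hunk has a related shape: `ERR_AUTH_DENIED` and `ERR_AUTH_FAILED` share the same message, and a denial is not necessarily a wrong password.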
@@ -847,6 +849,19 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
 case ERR_AUTH_DENIED:
 case ERR_AUTH_FAILED:
 state->pd->pam_status = PAM_AUTH_ERR;
+ ret = pack_user_info_chpass_error(state->pd, "Old password not accepted.",
+ &msg_len, &msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("pack_user_info_chpass_error failed.\n"));
+ } else {
+ ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, msg_len,
+ msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("pam_add_response failed.\n"));
+ }
+ }
+
 break;
 case ETIMEDOUT:
 case ERR_NETWORK_IO:
-- 1.7.11.2
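Review bot: The added block in sdap_auth4chpass_done reuses `ret`, which appears to still hold the auth_recv() result when this case is entered, for the return values of pack_user_info_chpass_error() and pam_add_response(). If anything after the switch reads `ret` (the function continues outside the hunk), a successful pam_add_response() would leave it at EOK and mask the authentication failure. A separate local such as `int msg_ret;` keeps the best-effort message path apart from the auth result. The two failure logs would also be easier to act on with the code included, e.g. `("pam_add_response failed [%d].\n", msg_ret)`.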
