On Mon, Feb 08, 2016 at 01:56:07PM +0100, Pavel Reichl wrote:
>
> On 02/08/2016 10:48 AM, Jakub Hrozek wrote:
> >On Mon, Feb 08, 2016 at 10:34:16AM +0100, Pavel Reichl wrote:
> >>
> >>On 02/05/2016 03:16 PM, Lukas Slebodnik wrote:
> >>>>
> >>>The ticket is about "SSSD should be about to display message to the user
> >>>when the account in Active Directory is 'locked out'"
> >>>
> >>>If the string is not standardized among AD versions
> >>>than this ticket is NOT solved.
> >>
> >>So what do you propose? Rename ticket to contain version of tested AD? Or
> >>should we say user that although we have fix that would work for him it
> >>might not work for all AD versions so we won't provide it?
> >
> >It would be nice to mention what we tested with in the commit message.
>
> OK, done.
>
> >
> >>
> >>Can we ask our QA to test on all AD version they can lay their hands on?
> >
> >Yes, I think we can test 2012 and 2008. Probably not worth testing 2003
> >anymore.
> >
>
> I updated the relevant BZ.
> From 5a4ca73e16e4eec023108387cd8c572c34496e9b Mon Sep 17 00:00:00 2001 > From: Pavel Reichl <prei...@redhat.com> > Date: Fri, 5 Feb 2016 07:27:38 -0500 > Subject: [PATCH 1/2] SDAP: Add return code ERR_ACCOUNT_LOCKED ACK. This made pam_sss return "6 (Permission denied)". > From 637766eb543a54d4a96ae5c9692566a02522a742 Mon Sep 17 00:00:00 2001 > From: Pavel Reichl <prei...@redhat.com> > Date: Fri, 5 Feb 2016 07:31:45 -0500 > Subject: [PATCH 2/2] PAM: Pass account lockout status and display message > > Tested against Windows Server 2012. Yes, me too, I don't have 2008 around. > diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml > index > 73a21bfa0049bc4d3cfacb49201707868c87e533..2dbc58a451686beda0faa9e9366bbc3b3b4c253e > 100644 > --- a/src/man/sssd.conf.5.xml > +++ b/src/man/sssd.conf.5.xml > @@ -1040,6 +1040,27 @@ pam_account_expired_message = Account expired, please > call help desk. > </listitem> > </varlistentry> > <varlistentry> > + <term>pam_account_locked_message (string)</term> > + <listitem> > + <para> > + If user is authenticating and Please ask someone for an English review (I know Dan started, but I didn't see a fixed version yet). At the very least, this should read "a user". > + account is locked then by default > + 'Permission denied' is output. This output will > + be changed to content of this variable if it is > + set. > + </para> > + <para> > + example: > + <programlisting> > +pam_account_locked_message = Account locked, please call help desk. > + </programlisting> > + </para> > + <para> > + Default: none > + </para> > + </listitem> > + </varlistentry> > + <varlistentry> > <term>p11_child_timeout (integer)</term> > <listitem> > <para> The rest of the patch looks good to me and seems to work as advertized. _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
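Review bot: The first <para> of the new pam_account_locked_message entry in src/man/sssd.conf.5.xml does not tell the administrator that setting this option makes a locked account distinguishable from every other denial, which by default all read 'Permission denied'. The custom text is shown to whoever is attempting to authenticate, so the entry should say so in one sentence and recommend wording that reveals no more than intended. The commit message says the change was tested against Windows Server 2012 only, and the thread raises that the lockout string may not be the same across AD versions, so the description could also state which server versions the option is known to work with. The opening sentence also needs its articles: "If a user is authenticating and the account is locked".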