--- pam_ldap-176/pam_ldap.c.refpwd 2005-12-08 12:04:43.000000000 -0600
+++ pam_ldap-176/pam_ldap.c 2005-12-08 12:09:12.000000000 -0600
@@ -2087,7 +2087,13 @@
 return PAM_AUTH_ERR;
 }
- if (session->info->policy_error != POLICY_ERROR_SUCCESS)
+ /*
+ * the above hack to get to acct_mgmt when passwd is expired requires
+ * us to preserve the userpw for subsequent binds to a master server
+ * in case we're doing referrals
+ */
+ if (session->info->policy_error != POLICY_ERROR_SUCCESS &&
+ session->info->policy_error != POLICY_ERROR_PASSWORD_EXPIRED)
 {
 _pam_overwrite (session->info->userpw);
 _pam_drop (session->info->userpw);
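Review bot: With the widened condition the cleartext `session->info->userpw` is no longer wiped when `policy_error` is `POLICY_ERROR_PASSWORD_EXPIRED`, and nothing in the hunk shows where it is scrubbed afterwards. The enclosing function starts and ends outside the hunk, so a later cleanup may exist elsewhere, but the new comment should name it, e.g. `* userpw is kept only for the expired case and must be cleared with _pam_overwrite()/_pam_drop() once the acct_mgmt/chauthtok step completes`. Because the retained password is intended for rebinding to a referred master server, it is also worth confirming that the rebind path only follows referrals to trusted hosts over a protected transport; otherwise the password of an expired account is presented to whichever server the referral names.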