Sophie

nss_ldap-253-42.el5.src.rpm

We need to hang on to the user's (old) password when the policy error is
change-after-reset, too, just as we do for password-expired. As far as the
end-user and we are concerned, they're pretty much the same policy error.

diff -up pam_ldap-176/pam_ldap.c pam_ldap-176/pam_ldap.c
--- pam_ldap-176/pam_ldap.c	2007-10-02 14:23:26.000000000 -0400
+++ pam_ldap-176/pam_ldap.c	2007-10-02 14:25:24.000000000 -0400
@@ -2121,8 +2121,9 @@ _connect_as_user (pam_handle_t * pamh, p
    * us to preserve the userpw for subsequent binds to a master server
    * in case we're doing referrals
    */
-  if (session->info->policy_error != POLICY_ERROR_SUCCESS &&
-	session->info->policy_error != POLICY_ERROR_PASSWORD_EXPIRED)
+  if ((session->info->policy_error != POLICY_ERROR_SUCCESS) &&
+      (session->info->policy_error != POLICY_ERROR_PASSWORD_EXPIRED) &&
+      (session->info->policy_error != POLICY_ERROR_CHANGE_AFTER_RESET))
     {
       _pam_overwrite (session->info->userpw);
       _pam_drop (session->info->userpw);
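
Review bot: The `if` now exempts three `policy_error` values from the `_pam_overwrite`/`_pam_drop` of `session->info->userpw`, but the comment directly above it still explains only the referral case in general terms. Name the states that keep the password (SUCCESS, PASSWORD_EXPIRED, CHANGE_AFTER_RESET) in that comment so the next addition to the list is a deliberate one. Each exempted state leaves the cleartext password in memory past this point, so please confirm that the later cleanup path wipes `userpw` for the change-after-reset case the same way it does for password-expired; that path is not visible in this hunk. The added parentheses and re-indentation of the two existing comparisons are style-only and turn a one-line logic change into a three-line diff; consider leaving those lines untouched and appending only the new `POLICY_ERROR_CHANGE_AFTER_RESET` comparison.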