From 86c985481c2fdb1d8996a77576b12bff431c18d5 Mon Sep 17 00:00:00 2001
From: Michal Zidek
Date: Aug 11 2013 18:36:20 +0000
Subject: ldap, krb5: More descriptive msg on chpass failure.
Print more descriptive message when wrong current password is given during password change operation.
resolves: https://fedorahosted.org/sssd/ticket/2029
---
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 47c8fb2..b77fa0a 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1278,6 +1278,8 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
 const char *realm_name;
 int realm_length;
 krb5_get_init_creds_opt *chagepw_options;
+ size_t msg_len;
+ uint8_t *msg;
 DEBUG(SSSDBG_TRACE_LIBS, ("Password change operation\n"));
@@ -1310,6 +1312,19 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
 chagepw_options);
 sss_krb5_get_init_creds_opt_free(kr->ctx, chagepw_options);
 if (kerr != 0) {
+ ret = pack_user_info_chpass_error(kr->pd, "Old password not accepted.",
+ &msg_len, &msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("pack_user_info_chpass_error failed.\n"));
+ } else {
+ ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, msg_len,
+ msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("pam_add_response failed.\n"));
+ }
+ }
 return kerr;
 }
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index ea28ba6..e5b6365 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -768,6 +768,8 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
 void *pw_expire_data;
 int dp_err = DP_ERR_FATAL;
 int ret;
+ size_t msg_len;
+ uint8_t *msg;
 ret = auth_recv(req, state, &state->sh, &state->dn, &pw_expire_type, &pw_expire_data);
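Review bot: In changepw_child (krb5_child.c, hunk at -1310) the "Old password not accepted." response is queued for every non-zero `kerr`, so a failure unrelated to the password would still be shown to the user as a rejected old password. The call that sets `kerr` starts above the hunk, but it can presumably also fail when the KDC is unreachable or the clocks are skewed, which would send both the user and anyone triaging the report in the wrong direction. Consider guarding the new block with the specific codes, e.g. `if (kerr == KRB5KDC_ERR_PREAUTH_FAILED || kerr == KRB5KRB_AP_ERR_BAD_INTEGRITY) {`, after confirming which codes that call returns for a bad password. The same thirteen lines and the same literal are repeated in sdap_auth4chpass_done in ldap_auth.c; a small shared helper taking the `pd` pointer would keep the text and the error handling in one place.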
@@ -847,6 +849,19 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
 case ERR_AUTH_DENIED:
 case ERR_AUTH_FAILED:
 state->pd->pam_status = PAM_AUTH_ERR;
+ ret = pack_user_info_chpass_error(state->pd, "Old password not accepted.",
+ &msg_len, &msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("pack_user_info_chpass_error failed.\n"));
+ } else {
+ ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, msg_len,
+ msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("pam_add_response failed.\n"));
+ }
+ }
+
 break;
 case ETIMEDOUT:
 case ERR_NETWORK_IO:
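Review bot: The added block in the `ERR_AUTH_DENIED`/`ERR_AUTH_FAILED` case overwrites `ret`, which in the first hunk of this file holds the auth_recv() result. The switch header and the code after the switch are outside the hunk, so this is inferred, but anything later in sdap_auth4chpass_done that reads `ret` would now see the status of the message helpers instead of the authentication result. A separate local avoids the coupling, e.g. `int msg_ret = pack_user_info_chpass_error(state->pd, "Old password not accepted.", &msg_len, &msg);`, with `msg_ret` used for the two checks. It is also worth a one-line comment saying that failing to attach the message is deliberately non-fatal, because `pam_status` is already set to `PAM_AUTH_ERR` on the preceding line.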