[sudo-workers] ldap and password

Todd C. Miller Todd.Miller at courtesan.com
Fri Aug 20 11:16:53 EDT 2004


In message <200408201546.13469.news at rennings.net>
	so spake Markus Rennings (news):

> Ah, ok, but do you know any workaround? I have no expiration date in my ldap,
> so I don't know why pam returns _EXPIRED. As I said in my last mail login 
> works as expected - therefore I think my pam works with ldap.

You can back out revision 1.43 of auth/pam.c and pam_acct_mgmt()
will not be called.

 - todd

Index: pam.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/auth/pam.c,v
retrieving revision 1.43
retrieving revision 1.42
diff -u -r1.43 -r1.42
--- pam.c	28 Jun 2004 14:51:50 -0000	1.43
+++ pam.c	7 Jun 2004 00:02:56 -0000	1.42
@@ -116,32 +116,7 @@
     *pam_status = pam_authenticate(pamh, PAM_SILENT);
     switch (*pam_status) {
 	case PAM_SUCCESS:
-	    *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
-	    switch (*pam_status) {
-		case PAM_SUCCESS:
-		    return(AUTH_SUCCESS);
-		case PAM_AUTH_ERR:
-		    log_error(NO_EXIT|NO_MAIL, "pam_acct_mgmt: %d",
-			*pam_status);
-		    return(AUTH_FAILURE);
-		case PAM_NEW_AUTHTOK_REQD:
-		    log_error(NO_EXIT|NO_MAIL, "%s, %s"
-			"Account or password is expired",
-			"reset your password and try again");
-		    *pam_status = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
-		    if (*pam_status == PAM_SUCCESS)
-			return(AUTH_SUCCESS);
-		    if ((s = pam_strerror(pamh, *pam_status)))
-			log_error(NO_EXIT|NO_MAIL, "pam_chauthtok: %s",s);
-		    return(AUTH_FAILURE);
-		case PAM_ACCT_EXPIRED:
-		    log_error(NO_EXIT|NO_MAIL, "%s, %s"
-			"Account or password is expired",
-			"contact your system administrator");
-		    /* FALLTHROUGH */
-		default:
-		    return(AUTH_FAILURE);
-	    }
+	    return(AUTH_SUCCESS);
 	case PAM_AUTH_ERR:
 	case PAM_MAXTRIES:
 	    return(AUTH_FAILURE);
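
Review bot: In the PAM_SUCCESS case, returning AUTH_SUCCESS directly after pam_authenticate() means pam_acct_mgmt() is never consulted, so PAM_ACCT_EXPIRED and PAM_NEW_AUTHTOK_REQD are no longer seen and an account that the PAM account stack reports as expired still passes sudo authentication. That is acceptable as a local workaround, but it should not be carried forward; I would keep the call and track down why the account module returns the expired status for this LDAP setup. Separately, both removed log_error() calls that use "%s, %s" lack a comma after the format string, so the literal "Account or password is expired" is concatenated onto the format and only one argument is supplied for two %s conversions; that needs correcting before 1.43 is reinstated.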


