ITS#7596 Report correct number of grace authentications left

author Ondřej Kuzník <ondra@mistotebe.net>

Tue, 23 Feb 2021 14:31:41 +0000 (14:31 +0000)

committer Quanah Gibson-Mount <quanah@openldap.org>

Wed, 24 Feb 2021 17:03:22 +0000 (17:03 +0000)
author Ondřej Kuzník <ondra@mistotebe.net>
Tue, 23 Feb 2021 14:31:41 +0000 (14:31 +0000)
committer Quanah Gibson-Mount <quanah@openldap.org>
Wed, 24 Feb 2021 17:03:22 +0000 (17:03 +0000)
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c

index 468b20583c55ca22ff116074cdad69b21a54f1b5..5e879547e82148d531bc9dae878b9ca778b549d2 100644 (file)
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -703,7 +703,7 @@ create_passcontrol( Operation *op, int exptime, int grace, LDAPPasswordPolicyErr
                 }
                 ber_printf( ber, "tO", PPOLICY_WARNING, &bv );
                 ch_free( bv.bv_val );
-       } else if ( grace > 0 ) {
+       } else if ( grace >= 0 ) {
                 ber_init2( b2, NULL, LBER_USE_DER );
                 ber_printf( b2, "ti", PPOLICY_GRACE, grace );
                 rc = ber_flatten2( b2, &bv, 1 );
@@ -1658,8 +1658,10 @@ grace:
                 Debug( LDAP_DEBUG_ANY,
                         "ppolicy_bind: Entry %s has an expired password: %d grace logins\n",
                         e->e_name.bv_val, ngut );
-               
-               if (ngut < 1) {
+
+               ngut--;
+
+               if (ngut < 0) {
                         ppb->pErr = PP_passwordExpired;
                         rs->sr_err = LDAP_INVALID_CREDENTIALS;
                         goto done;
author	Ondřej Kuzník <ondra@mistotebe.net>
	Tue, 23 Feb 2021 14:31:41 +0000 (14:31 +0000)
committer	Quanah Gibson-Mount <quanah@openldap.org>
	Wed, 24 Feb 2021 17:03:22 +0000 (17:03 +0000)