authorArthur de Jong <arthur@arthurdejong.org>2013-01-01 13:12:29 +0000
committerArthur de Jong <arthur@arthurdejong.org>2013-01-01 13:12:29 +0000
commit82010e23099d70b6b2b1fc04b301259a04269e39 (patch)
tree1de67fb4868bdb5536c3cd501704532dd7b24ca4
parent2f6f6a20a8d9a21ee20a976d78f97e5f9949bb17 (diff)
log and return a diagnostic message instead of just the LDAP error on password change failure
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1895 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r--nslcd/myldap.c26
-rw-r--r--nslcd/myldap.h7
-rw-r--r--nslcd/pam.c23
3 files changed, 49 insertions, 7 deletions
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index bacfb4f..883fbc7 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -1977,3 +1977,29 @@ int myldap_modify(MYLDAP_SESSION *session, const char *dn, LDAPMod * mods[])
}
return ldap_modify_ext_s(session->ld, dn, mods, NULL, NULL);
}
+
+int myldap_error_message(MYLDAP_SESSION *session, int rc,
+ char *buffer, size_t buflen)
+{
+ char *msg_diag = NULL;
+ if (!is_valid_session(session) || (buffer == NULL) || (buflen <= 0))
+ {
+ log_log(LOG_ERR, "myldap_error_message(): invalid parameter passed");
+ errno = EINVAL;
+ return LDAP_OTHER;
+ }
+ /* clear buffer */
+ buffer[0] = '\0';
+#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
+ if (session->ld != NULL)
+ ldap_get_option(session->ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &msg_diag);
+#endif /* LDAP_OPT_DIAGNOSTIC_MESSAGE */
+ /* return msg_diag or generic error message */
+ mysnprintf(buffer, buflen - 1, "%s",
+ ((msg_diag != NULL) && (msg_diag[0]!='\0')) ?
+ msg_diag : ldap_err2string(rc));
+ /* free diagnostic message */
+ if (msg_diag != NULL)
+ ldap_memfree(msg_diag);
+ return LDAP_SUCCESS;
+}
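Review bot: The string read through `LDAP_OPT_DIAGNOSTIC_MESSAGE` is chosen by the directory server and is copied into `buffer` unchanged; the nslcd/pam.c hunks of this commit then place it in `authzmsg`, which is sent to the client with `WRITE_STRING`. Control characters or newlines in that text would reach whatever displays or logs the message, so consider replacing non-printable bytes in `msg_diag` before the `mysnprintf` call. Separately, `buflen <= 0` on a `size_t` only ever tests for zero, and `buflen - 1` is 0 when `buflen` is 1. Whether `mysnprintf` tolerates a zero size is not visible here, so rejecting `buflen < 2` in the parameter check would be the safer guard.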
diff --git a/nslcd/myldap.h b/nslcd/myldap.h
index 627b236..b2ae841 100644
--- a/nslcd/myldap.h
+++ b/nslcd/myldap.h
@@ -2,7 +2,7 @@
myldap.h - simple interface to do LDAP requests
This file is part of the nss-pam-ldapd library.
- Copyright (C) 2007, 2008, 2009, 2010, 2011, 2012 Arthur de Jong
+ Copyright (C) 2007, 2008, 2009, 2010, 2011, 2012, 2013 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -151,4 +151,9 @@ int myldap_passwd(MYLDAP_SESSION *session,
/* Perform an LDAP modification request. Returns an LDAP status code. */
int myldap_modify(MYLDAP_SESSION *session, const char *dn, LDAPMod * mods[]);
+/* Get an LDAP error message from the supplied rc and optionally any extra
+ information in the connection. */
+int myldap_error_message(MYLDAP_SESSION *session, int rc,
+ char *buffer, size_t buflen);
+
#endif /* not NSLCD__MYLDAP_H */
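Review bot: The comment on `myldap_error_message` does not state the return value or how `buffer` is filled, which callers need in order to know when the output is usable. Going by the definition added in nslcd/myldap.c, it could read `/* Write the diagnostic message held by the connection, or else the generic message for rc, to buffer (cut to fit buflen). Returns LDAP_SUCCESS, or LDAP_OTHER with errno set to EINVAL on invalid arguments. */`. It is also worth saying that the diagnostic text originates from the server.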
diff --git a/nslcd/pam.c b/nslcd/pam.c
index 1f611fb..f8b2806 100644
--- a/nslcd/pam.c
+++ b/nslcd/pam.c
@@ -2,7 +2,7 @@
pam.c - pam processing routines
Copyright (C) 2009 Howard Chu
- Copyright (C) 2009, 2010, 2011, 2012 Arthur de Jong
+ Copyright (C) 2009, 2010, 2011, 2012, 2013 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -580,10 +580,11 @@ int nslcd_pam_sess_c(TFILE *fp, MYLDAP_SESSION *session)
/* perform an LDAP password modification, returns an LDAP status code */
static int try_pwmod(MYLDAP_SESSION *oldsession,
const char *binddn, const char *userdn,
- const char *oldpassword, const char *newpassword)
+ const char *oldpassword, const char *newpassword,
+ char *authzmsg, size_t authzmsg_len)
{
MYLDAP_SESSION *session;
- char buffer[256];
+ char buffer[1024];
int rc;
/* set up a new connection */
session = myldap_create_session();
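Review bot: The comment above `try_pwmod` still only says it returns an LDAP status code and does not describe the new `authzmsg` and `authzmsg_len` parameters. From the later hunk, the buffer is written only when the modification fails and a message could be obtained, and is otherwise left as the caller passed it. A line such as `/* on failure a message may be stored in authzmsg; it is left untouched otherwise */` would record that contract. The body of `try_pwmod` continues outside this hunk.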
@@ -608,6 +609,14 @@ static int try_pwmod(MYLDAP_SESSION *oldsession,
/* retry with the normal session */
(void)update_lastchange(oldsession, userdn);
}
+ else
+ {
+ /* get a diagnostic or error message */
+ if ((myldap_error_message(session, rc, buffer, sizeof(buffer)) == LDAP_SUCCESS) &&
+ (buffer[0] != '\0'))
+ mysnprintf(authzmsg, authzmsg_len - 1, "password change failed: %s",
+ buffer);
+ }
}
/* close the session */
myldap_session_close(session);
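Review bot: `authzmsg_len - 1` wraps to a very large value if a caller ever passes a length of 0, and `authzmsg` is used without a NULL check, so the bound on this write depends entirely on the caller. A guard such as `if ((authzmsg != NULL) && (authzmsg_len > 1))` around the `mysnprintf` call would keep the write bounded. The result of `mysnprintf` is also ignored, so a diagnostic longer than the destination is cut with no log entry. The enclosing `if` and the rest of `try_pwmod` lie outside this hunk.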
@@ -696,11 +705,13 @@ int nslcd_pam_pwmod(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid)
}
}
/* perform password modification */
- rc = try_pwmod(session, binddn, myldap_get_dn(entry), oldpassword, newpassword);
+ rc = try_pwmod(session, binddn, myldap_get_dn(entry), oldpassword, newpassword,
+ authzmsg, sizeof(authzmsg));
if (rc != LDAP_SUCCESS)
{
- mysnprintf(authzmsg, sizeof(authzmsg) - 1, "password change failed: %s",
- ldap_err2string(rc));
+ if (authzmsg[0] == '\0')
+ mysnprintf(authzmsg, sizeof(authzmsg) - 1, "password change failed: %s",
+ ldap_err2string(rc));
WRITE_INT32(fp, NSLCD_RESULT_BEGIN);
WRITE_INT32(fp, NSLCD_PAM_PERM_DENIED);
WRITE_STRING(fp, authzmsg);
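Review bot: The new `if (authzmsg[0] == '\0')` test is only meaningful if `authzmsg` is empty before `try_pwmod` is called, and its declaration and any earlier writes are outside this hunk. As far as the hunks show, `try_pwmod` fills the buffer only on one failure path, so stale or uninitialised content would otherwise be sent by `WRITE_STRING` in place of the fallback text. If that is not already guaranteed, add `authzmsg[0] = '\0';` immediately before the `try_pwmod` call.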