028262906e
* fix for BUG 312: pam_ldap does not try to reconnect when LDAP server closed the connection
$NetBSD: patch-ab,v 1.7 2007/11/27 08:27:06 adam Exp $
|
|
|
|
--- pam_ldap.c.orig 2007-08-12 18:35:00.000000000 +0200
|
|
+++ pam_ldap.c
|
|
@@ -131,12 +131,7 @@
|
|
#include "pam_ldap.h"
|
|
#include "md5.h"
|
|
|
|
-#if defined(HAVE_SECURITY_PAM_MISC_H) || defined(HAVE_PAM_PAM_MISC_H)
|
|
- /* FIXME: is there something better to check? */
|
|
#define CONST_ARG const
|
|
-#else
|
|
-#define CONST_ARG
|
|
-#endif
|
|
|
|
#ifndef HAVE_LDAP_MEMFREE
|
|
#define ldap_memfree(x) free(x)
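Review bot: Dropping the `#else` / `#define CONST_ARG` branch makes `CONST_ARG` unconditionally `const`, so the `(CONST_ARG void **) &p` cast at the pam_get_item call in the -3315 hunk now always yields `const void **` regardless of which PAM implementation's prototype is in play; that matches OpenPAM's `const void **` but the patch leaves no trace of why the portability fallback went. A one-line comment at the definition would keep the next reader from restoring it: `#define CONST_ARG const /* NetBSD/OpenPAM: pam_get_item takes const void ** */`.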
|
|
@@ -3281,7 +3276,7 @@ pam_sm_authenticate (pam_handle_t * pamh
|
|
int rc;
|
|
const char *username;
|
|
char *p;
|
|
- int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0;
|
|
+ int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0, migrate = 0;
|
|
int i;
|
|
pam_ldap_session_t *session = NULL;
|
|
const char *configFile = NULL;
|
|
@@ -3302,6 +3297,8 @@ pam_sm_authenticate (pam_handle_t * pamh
|
|
;
|
|
else if (!strcmp (argv[i], "debug"))
|
|
;
|
|
+ else if (!strcmp (argv[i], "migrate"))
|
|
+ migrate = 1;
|
|
else
|
|
syslog (LOG_ERR, "illegal option %s", argv[i]);
|
|
}
|
|
@@ -3315,6 +3312,22 @@ pam_sm_authenticate (pam_handle_t * pamh
|
|
return rc;
|
|
|
|
rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p);
|
|
+ /* start of migrate facility in "pam_ldap authentication" */
|
|
+ if (migrate==1 && rc==PAM_SUCCESS)
|
|
+ {
|
|
+ /* check if specified username exists in LDAP */
|
|
+ if (_get_user_info(session,username)==PAM_SUCCESS)
|
|
+ {
|
|
+ /*
|
|
+ overwrite old LDAP userPassword with a new password
|
|
+ obtained during pam authentication process
|
|
+ - rootbinddn and ldap.secret must be set
|
|
+ */
|
|
+ rc=_update_authtok(pamh,session,username,NULL,p);
|
|
+ return PAM_IGNORE;
|
|
+ }
|
|
+ }
|
|
+ /* end of migrate facility in "pam_ldap authentication" */
|
|
if (rc == PAM_SUCCESS && (use_first_pass || try_first_pass))
|
|
{
|
|
rc = _do_authentication (pamh, session, username, p);
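Review bot: The result of `_update_authtok` on the new line `rc=_update_authtok(pamh,session,username,NULL,p);` is assigned and then discarded by the unconditional `return PAM_IGNORE;`, so a failed migration (rootbinddn or ldap.secret not set, or the directory refusing the write) leaves no trace for the administrator. At minimum log it before returning: `if (rc != PAM_SUCCESS) syslog (LOG_ERR, "pam_ldap: migrate: password update for %s failed (%s)", username, pam_strerror (pamh, rc));`. The migrate path also trusts that whatever module placed PAM_AUTHTOK on the stack has already verified it — the new code checks only that the entry exists in LDAP, never that `p` is the user's current password — and it runs even when neither use_first_pass nor try_first_pass was given; that stacking precondition belongs in the comment, e.g. `/* migrate: PAM_AUTHTOK must come from a module that already succeeded (stack after the local auth module); its value is written to LDAP without verification here */`. The enclosing pam_sm_authenticate body starts and ends outside the hunk.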
|
|
@@ -3563,11 +3576,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
|
|
{
|
|
_conv_sendmsg (appconv, "Password change aborted",
|
|
PAM_ERROR_MSG, no_warn);
|
|
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
|
|
- return PAM_AUTHTOK_RECOVERY_ERR;
|
|
-#else
|
|
+#ifdef PAM_AUTHTOK_RECOVER_ERR
|
|
return PAM_AUTHTOK_RECOVER_ERR;
|
|
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
|
|
+#else
|
|
+ return PAM_AUTHTOK_RECOVERY_ERR;
|
|
+#endif
|
|
}
|
|
else
|
|
{
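Review bot: The same five-line `#ifdef PAM_AUTHTOK_RECOVER_ERR` … `#endif` block is now pasted at five return sites (this hunk and the ones at -3609, -3623, -3677 and -3713), and this first copy's `#endif` lacks the `/* PAM_AUTHTOK_RECOVER_ERR */` trailer the other four carry. Define the fallback once near the top of the file instead — `#ifndef PAM_AUTHTOK_RECOVER_ERR` / `#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR` / `#endif` — and write a plain `return PAM_AUTHTOK_RECOVER_ERR;` at each site, which is equivalent to the new code and removes the repeated conditional. The enclosing pam_sm_chauthtok body starts and ends outside the hunk.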
|
|
@@ -3581,7 +3594,7 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
|
|
if (curpass == NULL)
|
|
return PAM_MAXTRIES; /* maximum tries exceeded */
|
|
else
|
|
- pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass);
|
|
+ pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) strdup(curpass));
|
|
}
|
|
else
|
|
{
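Review bot: The `strdup(curpass)` handed to `pam_set_item` on the new line is neither checked nor freed: on PAM implementations whose `pam_set_item` copies the item (Linux-PAM and OpenPAM both do, as far as I can tell), the duplicate is leaked with the user's old password in it, and a NULL from strdup under memory pressure would be stored as the item. If the copy exists because the original `curpass` buffer is reused or cleared later in the function, keep a handle to it, check it, and clear and free it once pam_set_item has taken its own copy, as below. The enclosing pam_sm_chauthtok body starts and ends outside the hunk; the assignment to `rc` assumes the function's `rc` variable, which the hunk does not show.
```c
      else
        {
          char *oldcopy = strdup (curpass);
          if (oldcopy == NULL)
            return PAM_BUF_ERR;
          rc = pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) oldcopy);
          /* plain memset may be optimised out before free; use explicit_bzero where the platform has it */
          memset (oldcopy, 0, strlen (oldcopy));
          free (oldcopy);
          if (rc != PAM_SUCCESS)
            return rc;
        }
```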
|
|
@@ -3609,11 +3622,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
|
|
syslog (LOG_ERR,
|
|
"pam_ldap: error getting old authentication token (%s)",
|
|
pam_strerror (pamh, rc));
|
|
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
|
|
- return PAM_AUTHTOK_RECOVERY_ERR;
|
|
-#else
|
|
+#ifdef PAM_AUTHTOK_RECOVER_ERR
|
|
return PAM_AUTHTOK_RECOVER_ERR;
|
|
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
|
|
+#else
|
|
+ return PAM_AUTHTOK_RECOVERY_ERR;
|
|
+#endif /* PAM_AUTHTOK_RECOVER_ERR */
|
|
}
|
|
|
|
if (try_first_pass || use_first_pass)
|
|
@@ -3623,11 +3636,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
|
|
newpass = NULL;
|
|
|
|
if (use_first_pass && newpass == NULL)
|
|
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
|
|
- return PAM_AUTHTOK_RECOVERY_ERR;
|
|
-#else
|
|
+#ifdef PAM_AUTHTOK_RECOVER_ERR
|
|
return PAM_AUTHTOK_RECOVER_ERR;
|
|
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
|
|
+#else
|
|
+ return PAM_AUTHTOK_RECOVERY_ERR;
|
|
+#endif /* PAM_AUTHTOK_RECOVER_ERR */
|
|
}
|
|
|
|
tries = 0;
|
|
@@ -3677,11 +3690,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
|
|
}
|
|
else
|
|
{
|
|
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
|
|
- return PAM_AUTHTOK_RECOVERY_ERR;
|
|
-#else
|
|
+#ifdef PAM_AUTHTOK_RECOVER_ERR
|
|
return PAM_AUTHTOK_RECOVER_ERR;
|
|
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
|
|
+#else
|
|
+ return PAM_AUTHTOK_RECOVERY_ERR;
|
|
+#endif /* PAM_AUTHTOK_RECOVER_ERR */
|
|
}
|
|
|
|
if (cmiscptr == NULL)
|
|
@@ -3713,11 +3726,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
|
|
{
|
|
_conv_sendmsg (appconv, "Password change aborted",
|
|
PAM_ERROR_MSG, no_warn);
|
|
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
|
|
- return PAM_AUTHTOK_RECOVERY_ERR;
|
|
-#else
|
|
+#ifdef PAM_AUTHTOK_RECOVER_ERR
|
|
return PAM_AUTHTOK_RECOVER_ERR;
|
|
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
|
|
+#else
|
|
+ return PAM_AUTHTOK_RECOVERY_ERR;
|
|
+#endif /* PAM_AUTHTOK_RECOVER_ERR */
|
|
}
|
|
}
|
|
else if (!strcmp (newpass, miscptr))
|