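--- a/patch-ab
+++ b/patch-ab
@@ -1,147 +1,54 @@
-$NetBSD: patch-ab,v 1.8 2010/10/28 08:06:19 adam Exp $
+$NetBSD: patch-ab,v 1.9 2010/11/16 09:53:50 adam Exp $
 
---- pam_ldap.c.orig 2009-11-06 10:29:34.000000000 +0000
+--- pam_ldap.c.orig 2010-11-08 00:58:44.000000000 +0000
 +++ pam_ldap.c
-@@ -131,12 +131,7 @@
+@@ -3411,7 +3411,7 @@ pam_sm_authenticate (pam_handle_t * pamh
-#include "pam_ldap.h"
-#include "md5.h"
-
--#if defined(HAVE_SECURITY_PAM_MISC_H) || defined(HAVE_PAM_PAM_MISC_H)
-- /* FIXME: is there something better to check? */
-#define CONST_ARG const
--#else
--#define CONST_ARG
--#endif
-
-#ifndef HAVE_LDAP_MEMFREE
-#define ldap_memfree(x) free(x)
-@@ -3411,7 +3406,7 @@ pam_sm_authenticate (pam_handle_t * pamh
 int rc;
 const char *username;
 char *p;
 - int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0;
 + int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0, migrate = 0;
 int i;
 pam_ldap_session_t *session = NULL;
 const char *configFile = NULL;
-@@ -3432,6 +3427,8 @@ pam_sm_authenticate (pam_handle_t * pamh
+@@ -3432,6 +3432,8 @@ pam_sm_authenticate (pam_handle_t * pamh
 ;
 else if (!strcmp (argv[i], "debug"))
 ;
 + else if (!strcmp (argv[i], "migrate"))
 + migrate = 1;
 else
 syslog (LOG_ERR, "illegal option %s", argv[i]);
 }
-@@ -3445,6 +3442,22 @@ pam_sm_authenticate (pam_handle_t * pamh
+@@ -3445,6 +3447,22 @@ pam_sm_authenticate (pam_handle_t * pamh
 return rc;
 
 rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p);
 + /* start of migrate facility in "pam_ldap authentication" */
 + if (migrate==1 && rc==PAM_SUCCESS)
 + {
 + /* check if specified username exists in LDAP */
 + if (_get_user_info(session,username)==PAM_SUCCESS)
 + {
 + /*
 + overwrite old LDAP userPassword with a new password
 + obtained during pam authentication process
 + - rootbinddn and ldap.secret must be set
 + */
 + rc=_update_authtok(pamh,session,username,NULL,p);
 + return PAM_IGNORE;
 + }
 + }
 + /* end of migrate facility in "pam_ldap authentication" */
 if (rc == PAM_SUCCESS && (use_first_pass || try_first_pass))
 {
 rc = _do_authentication (pamh, session, username, p);
-@@ -3707,11 +3720,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
+@@ -3721,7 +3739,7 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
-{
-_conv_sendmsg (appconv, "Password change aborted",
-PAM_ERROR_MSG, no_warn);
--#ifdef PAM_AUTHTOK_RECOVERY_ERR
-- return PAM_AUTHTOK_RECOVERY_ERR;
--#else
-+#ifdef PAM_AUTHTOK_RECOVER_ERR
-return PAM_AUTHTOK_RECOVER_ERR;
--#endif /* PAM_AUTHTOK_RECOVERY_ERR */
-+#else
-+ return PAM_AUTHTOK_RECOVERY_ERR;
-+#endif
-}
-else
-{
-@@ -3725,7 +3738,7 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
 if (curpass == NULL)
 return PAM_MAXTRIES; /* maximum tries exceeded */
 else
 - pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass);
 + pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) strdup(curpass));
 }
 else
 {
-@@ -3753,11 +3766,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
-syslog (LOG_ERR,
-"pam_ldap: error getting old authentication token (%s)",
-pam_strerror (pamh, rc));
--#ifdef PAM_AUTHTOK_RECOVERY_ERR
-- return PAM_AUTHTOK_RECOVERY_ERR;
--#else
-+#ifdef PAM_AUTHTOK_RECOVER_ERR
-return PAM_AUTHTOK_RECOVER_ERR;
--#endif /* PAM_AUTHTOK_RECOVERY_ERR */
-+#else
-+ return PAM_AUTHTOK_RECOVERY_ERR;
-+#endif /* PAM_AUTHTOK_RECOVER_ERR */
-}
-
-if (try_first_pass || use_first_pass)
-@@ -3767,11 +3780,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
-newpass = NULL;
-
-if (use_first_pass && newpass == NULL)
--#ifdef PAM_AUTHTOK_RECOVERY_ERR
-- return PAM_AUTHTOK_RECOVERY_ERR;
--#else
-+#ifdef PAM_AUTHTOK_RECOVER_ERR
-return PAM_AUTHTOK_RECOVER_ERR;
--#endif /* PAM_AUTHTOK_RECOVERY_ERR */
-+#else
-+ return PAM_AUTHTOK_RECOVERY_ERR;
-+#endif /* PAM_AUTHTOK_RECOVER_ERR */
-}
-
-tries = 0;
-@@ -3821,11 +3834,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
-}
-else
-{
--#ifdef PAM_AUTHTOK_RECOVERY_ERR
-- return PAM_AUTHTOK_RECOVERY_ERR;
--#else
-+#ifdef PAM_AUTHTOK_RECOVER_ERR
-return PAM_AUTHTOK_RECOVER_ERR;
--#endif /* PAM_AUTHTOK_RECOVERY_ERR */
-+#else
-+ return PAM_AUTHTOK_RECOVERY_ERR;
-+#endif /* PAM_AUTHTOK_RECOVER_ERR */
-}
-
-if (cmiscptr == NULL)
-@@ -3857,11 +3870,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
-{
-_conv_sendmsg (appconv, "Password change aborted",
-PAM_ERROR_MSG, no_warn);
--#ifdef PAM_AUTHTOK_RECOVERY_ERR
-- return PAM_AUTHTOK_RECOVERY_ERR;
--#else
-+#ifdef PAM_AUTHTOK_RECOVER_ERR
-return PAM_AUTHTOK_RECOVER_ERR;
--#endif /* PAM_AUTHTOK_RECOVERY_ERR */
-+#else
-+ return PAM_AUTHTOK_RECOVERY_ERR;
-+#endif /* PAM_AUTHTOK_RECOVER_ERR */
-}
-}
-else if (!strcmp (newpass, miscptr))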
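Review bot: In the migrate block the patch adds to pam_sm_authenticate (new-side lines 27–42), `rc=_update_authtok(pamh,session,username,NULL,p);` is followed by an unconditional `return PAM_IGNORE;`, so a failed LDAP password update is discarded without any log entry and the stack is told to ignore this module either way. I would log the failure before returning, e.g. `if (rc != PAM_SUCCESS) syslog (LOG_ERR, "pam_ldap: migrate: could not update password for %s (%s)", username, pam_strerror (pamh, rc));`, and guard the call with `p != NULL`, since pam_get_item can succeed with PAM_AUTHTOK unset and it is not visible here how _update_authtok treats a NULL password. The block also deserves a comment stating that under `migrate` the password written to LDAP is whatever an earlier module in the stack accepted, not one pam_ldap verified itself, so the option should only be enabled behind a module that actually authenticates. In the pam_sm_chauthtok hunk (new-side line 51), the `strdup(curpass)` result is not NULL-checked, and if pam_set_item copies string items on this platform the duplicate leaks; a one-line comment on why the copy is needed would help. Both enclosing functions extend beyond the hunks shown.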