$NetBSD: patch-ab,v 1.6 2007/01/15 03:24:03 taca Exp $ --- pam_ldap.c.orig Sun Oct 31 02:42:54 2004 +++ pam_ldap.c Sun Oct 31 02:48:03 2004 @@ -131,12 +131,7 @@ #include "pam_ldap.h" #include "md5.h" -#if defined(HAVE_SECURITY_PAM_MISC_H) || defined(HAVE_PAM_PAM_MISC_H) - /* FIXME: is there something better to check? */ #define CONST_ARG const -#else -#define CONST_ARG -#endif #ifndef HAVE_LDAP_MEMFREE #define ldap_memfree(x) free(x) @@ -3137,7 +3132,7 @@ int rc; const char *username; char *p; - int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0; + int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0, migrate = 0; int i; pam_ldap_session_t *session = NULL; const char *configFile = NULL; @@ -3158,6 +3153,8 @@ ; else if (!strcmp (argv[i], "debug")) ; + else if (!strcmp (argv[i], "migrate")) + migrate = 1; else syslog (LOG_ERR, "illegal option %s", argv[i]); } @@ -3171,6 +3168,22 @@ return rc; rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p); + /* start of migrate facility in "pam_ldap authentication" */ + if (migrate==1 && rc==PAM_SUCCESS) + { + /* check if specified username exists in LDAP */ + if (_get_user_info(session,username)==PAM_SUCCESS) + { + /* + overwrite old LDAP userPassword with a new password + obtained during pam authentication process + - rootbinddn and ldap.secret must be set + */ + rc=_update_authtok(pamh,session,username,NULL,p); + return PAM_IGNORE; + } + } + /* end of migrate facility in "pam_ldap authentication" */ if (rc == PAM_SUCCESS && (use_first_pass || try_first_pass)) { rc = _do_authentication (pamh, session, username, p); @@ -3419,11 +3432,11 @@ { _conv_sendmsg (appconv, "Password change aborted", PAM_ERROR_MSG, no_warn); -#ifdef PAM_AUTHTOK_RECOVERY_ERR - return PAM_AUTHTOK_RECOVERY_ERR; -#else +#ifdef PAM_AUTHTOK_RECOVER_ERR return PAM_AUTHTOK_RECOVER_ERR; -#endif /* PAM_AUTHTOK_RECOVERY_ERR */ +#else + return PAM_AUTHTOK_RECOVERY_ERR; +#endif } else { @@ -3437,7 +3450,7 @@ if (curpass == NULL) return PAM_MAXTRIES; /* maximum tries exceeded */ else - pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass); + pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) strdup(curpass)); } else { @@ -3465,11 +3478,11 @@ syslog (LOG_ERR, "pam_ldap: error getting old authentication token (%s)", pam_strerror (pamh, rc)); -#ifdef PAM_AUTHTOK_RECOVERY_ERR - return PAM_AUTHTOK_RECOVERY_ERR; -#else +#ifdef PAM_AUTHTOK_RECOVER_ERR return PAM_AUTHTOK_RECOVER_ERR; -#endif /* PAM_AUTHTOK_RECOVERY_ERR */ +#else + return PAM_AUTHTOK_RECOVERY_ERR; +#endif /* PAM_AUTHTOK_RECOVER_ERR */ } if (try_first_pass || use_first_pass) @@ -3479,11 +3492,11 @@ newpass = NULL; if (use_first_pass && newpass == NULL) -#ifdef PAM_AUTHTOK_RECOVERY_ERR - return PAM_AUTHTOK_RECOVERY_ERR; -#else +#ifdef PAM_AUTHTOK_RECOVER_ERR return PAM_AUTHTOK_RECOVER_ERR; -#endif /* PAM_AUTHTOK_RECOVERY_ERR */ +#else + return PAM_AUTHTOK_RECOVERY_ERR; +#endif /* PAM_AUTHTOK_RECOVER_ERR */ } tries = 0; @@ -3533,11 +3546,11 @@ } else { -#ifdef PAM_AUTHTOK_RECOVERY_ERR - return PAM_AUTHTOK_RECOVERY_ERR; -#else +#ifdef PAM_AUTHTOK_RECOVER_ERR return PAM_AUTHTOK_RECOVER_ERR; -#endif /* PAM_AUTHTOK_RECOVERY_ERR */ +#else + return PAM_AUTHTOK_RECOVERY_ERR; +#endif /* PAM_AUTHTOK_RECOVER_ERR */ } if (cmiscptr == NULL) @@ -3569,11 +3582,11 @@ { _conv_sendmsg (appconv, "Password change aborted", PAM_ERROR_MSG, no_warn); -#ifdef PAM_AUTHTOK_RECOVERY_ERR - return PAM_AUTHTOK_RECOVERY_ERR; -#else +#ifdef PAM_AUTHTOK_RECOVER_ERR return PAM_AUTHTOK_RECOVER_ERR; -#endif /* PAM_AUTHTOK_RECOVERY_ERR */ +#else + return PAM_AUTHTOK_RECOVERY_ERR; +#endif /* PAM_AUTHTOK_RECOVER_ERR */ } } else if (!strcmp (newpass, miscptr))