$NetBSD: patch-ab,v 1.8 2010/10/28 08:06:19 adam Exp $

--- pam_ldap.c.orig	2009-11-06 10:29:34.000000000 +0000
+++ pam_ldap.c
@@ -131,12 +131,7 @@
 #include "pam_ldap.h"
 #include "md5.h"
 
-#if defined(HAVE_SECURITY_PAM_MISC_H) || defined(HAVE_PAM_PAM_MISC_H)
- /* FIXME: is there something better to check? */
 #define CONST_ARG const
-#else
-#define CONST_ARG
-#endif
 
 #ifndef HAVE_LDAP_MEMFREE
 #define ldap_memfree(x)	free(x)
@@ -3411,7 +3406,7 @@ pam_sm_authenticate (pam_handle_t * pamh
   int rc;
   const char *username;
   char *p;
-  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0;
+  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0, migrate = 0;
   int i;
   pam_ldap_session_t *session = NULL;
   const char *configFile = NULL;
@@ -3432,6 +3427,8 @@ pam_sm_authenticate (pam_handle_t * pamh
 	;
       else if (!strcmp (argv[i], "debug"))
 	;
+      else if (!strcmp (argv[i], "migrate"))
+        migrate = 1;
       else
 	syslog (LOG_ERR, "illegal option %s", argv[i]);
     }
@@ -3445,6 +3442,22 @@ pam_sm_authenticate (pam_handle_t * pamh
     return rc;
 
   rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p);
+  /* start of migrate facility in "pam_ldap authentication" */
+  if (migrate==1 && rc==PAM_SUCCESS)
+    {
+      /* check if specified username exists in LDAP */
+      if (_get_user_info(session,username)==PAM_SUCCESS)
+        {
+          /*
+             overwrite old LDAP userPassword with a new password
+             obtained during pam authentication process
+             - rootbinddn and ldap.secret must be set
+          */
+          rc=_update_authtok(pamh,session,username,NULL,p);
+          return PAM_IGNORE;
+        }
+    }
+  /* end of migrate facility in "pam_ldap authentication" */
   if (rc == PAM_SUCCESS && (use_first_pass || try_first_pass))
     {
       rc = _do_authentication (pamh, session, username, p);
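Review bot: The result of the added `rc=_update_authtok(pamh,session,username,NULL,p);` is assigned and then discarded by the unconditional `return PAM_IGNORE;`, so a failed userPassword rewrite (for example when rootbinddn or its secret is not configured, which the comment says is required) leaves no trace; logging it before the return, `if (rc != PAM_SUCCESS) syslog (LOG_ERR, "pam_ldap: migrate: password update for %s failed (%s)", username, pam_strerror (pamh, rc));`, keeps the operator informed. The branch also writes whatever `PAM_AUTHTOK` currently holds into the directory before this module has verified it, and whether an earlier module actually validated that token depends on stack ordering and control flags this code cannot see, so the comment should state that `migrate` must be placed after a module that has already authenticated the user and must not be reached when that module failed. Returning `PAM_IGNORE` after a successful update means this module never contributes a verdict in migrate mode, which is worth stating in the comment as well. pam_sm_authenticate starts and ends outside the hunk.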
@@ -3707,11 +3720,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
 		    {
 		      _conv_sendmsg (appconv, "Password change aborted",
 				     PAM_ERROR_MSG, no_warn);
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
-		      return PAM_AUTHTOK_RECOVERY_ERR;
-#else
+#ifdef PAM_AUTHTOK_RECOVER_ERR
 		      return PAM_AUTHTOK_RECOVER_ERR;
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
+#else
+		      return PAM_AUTHTOK_RECOVERY_ERR;
+#endif
 		    }
 		  else
 		    {
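Review bot: The `#ifdef PAM_AUTHTOK_RECOVER_ERR` / `#else` / `#endif` triple around each `return` is repeated in this hunk and in the four hunks at -3753, -3767, -3821 and -3857, and the patch touches every copy only to swap which spelling is preferred. A single compatibility definition next to the `CONST_ARG` define in the first hunk, `#ifndef PAM_AUTHTOK_RECOVER_ERR` / `#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR` / `#endif`, would let all five sites become a plain `return PAM_AUTHTOK_RECOVER_ERR;` and remove the duplicated preprocessor logic. The `#endif` in this hunk also lost the trailing comment that the other four copies keep, so the five sites are no longer even textually consistent. pam_sm_chauthtok starts and ends outside the hunk.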
@@ -3725,7 +3738,7 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
 	  if (curpass == NULL)
 	    return PAM_MAXTRIES;	/* maximum tries exceeded */
 	  else
-	    pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass);
+	    pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) strdup(curpass));
 	}
       else
 	{
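Review bot: The `strdup(curpass)` result handed to `pam_set_item` is not checked, so on allocation failure a NULL is stored as PAM_OLDAUTHTOK and nothing is reported; `char *oldcopy = strdup (curpass); if (oldcopy == NULL) return PAM_BUF_ERR;` before the call would make that path explicit. If the PAM implementation copies PAM_OLDAUTHTOK inside pam_set_item (OpenPAM and Linux-PAM do), the strdup'd copy is also never freed or zeroed, so the old password stays in the heap for the life of the process; if the copy is needed because pam_ldap later overwrites or frees `curpass`, a one-line comment saying so would stop the next reader from removing it as a leak. pam_sm_chauthtok starts and ends outside the hunk.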
@@ -3753,11 +3766,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
       syslog (LOG_ERR,
 	      "pam_ldap: error getting old authentication token (%s)",
 	      pam_strerror (pamh, rc));
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
-      return PAM_AUTHTOK_RECOVERY_ERR;
-#else
+#ifdef PAM_AUTHTOK_RECOVER_ERR
       return PAM_AUTHTOK_RECOVER_ERR;
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
+#else
+      return PAM_AUTHTOK_RECOVERY_ERR;
+#endif /* PAM_AUTHTOK_RECOVER_ERR */
     }
 
   if (try_first_pass || use_first_pass)
@@ -3767,11 +3780,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
 	newpass = NULL;
 
       if (use_first_pass && newpass == NULL)
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
-	return PAM_AUTHTOK_RECOVERY_ERR;
-#else
+#ifdef PAM_AUTHTOK_RECOVER_ERR
 	return PAM_AUTHTOK_RECOVER_ERR;
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
+#else
+	return PAM_AUTHTOK_RECOVERY_ERR;
+#endif /* PAM_AUTHTOK_RECOVER_ERR */
     }
 
   tries = 0;
@@ -3821,11 +3834,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
 	}
       else
 	{
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
-	  return PAM_AUTHTOK_RECOVERY_ERR;
-#else
+#ifdef PAM_AUTHTOK_RECOVER_ERR
 	  return PAM_AUTHTOK_RECOVER_ERR;
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
+#else
+	  return PAM_AUTHTOK_RECOVERY_ERR;
+#endif /* PAM_AUTHTOK_RECOVER_ERR */
 	}
 
       if (cmiscptr == NULL)
@@ -3857,11 +3870,11 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
 		{
 		  _conv_sendmsg (appconv, "Password change aborted",
 				 PAM_ERROR_MSG, no_warn);
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
-		  return PAM_AUTHTOK_RECOVERY_ERR;
-#else
+#ifdef PAM_AUTHTOK_RECOVER_ERR
 		  return PAM_AUTHTOK_RECOVER_ERR;
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
+#else
+		  return PAM_AUTHTOK_RECOVERY_ERR;
+#endif /* PAM_AUTHTOK_RECOVER_ERR */
 		}
 	    }
 	  else if (!strcmp (newpass, miscptr))