summaryrefslogtreecommitdiffstats
path: root/security/pam_ldap/files/patch-pam_ldap.c
blob: eeb031a603c4316225be7ac796c5ba59f573ba2a (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65

--- pam_ldap.c.orig	2010-12-17 14:36:11.105528000 -0500
+++ pam_ldap.c	2010-12-17 14:38:42.000000000 -0500
@@ -131,12 +131,7 @@
 #include "pam_ldap.h"
 #include "md5.h"
 
-#if defined(HAVE_SECURITY_PAM_MISC_H) || defined(HAVE_PAM_PAM_MISC_H) || defined(OPENPAM)
- /* FIXME: is there something better to check? */
 #define CONST_ARG const
-#else
-#define CONST_ARG
-#endif
 
 #ifndef HAVE_LDAP_MEMFREE
 #define ldap_memfree(x)	free(x)
@@ -3411,7 +3406,7 @@ pam_sm_authenticate (pam_handle_t * pamh
   int rc;
   const char *username;
   char *p;
-  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0;
+  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0, migrate = 0;
   int i;
   pam_ldap_session_t *session = NULL;
   const char *configFile = NULL;
@@ -3432,6 +3427,8 @@ pam_sm_authenticate (pam_handle_t * pamh
 	;
       else if (!strcmp (argv[i], "debug"))
 	;
+      else if (!strcmp (argv[i], "migrate"))
+        migrate = 1;
       else
 	syslog (LOG_ERR, "illegal option %s", argv[i]);
     }
@@ -3445,6 +3442,22 @@ pam_sm_authenticate (pam_handle_t * pamh
     return rc;
 
   rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p);
+  /* start of migrate facility in "pam_ldap authentication" */
+  if (migrate==1 && rc==PAM_SUCCESS)
+    {
+      /* check if specified username exists in LDAP */
+      if (_get_user_info(session,username)==PAM_SUCCESS)
+        {
+          /*
+             overwrite old LDAP userPassword with a new password
+             obtained during pam authentication process
+             - rootbinddn and ldap.secret must be set
+          */
+          rc=_update_authtok(pamh,session,username,NULL,p);
+          return PAM_IGNORE;
+        }
+    }
+  /* end of migrate facility in "pam_ldap authentication" */
   if (rc == PAM_SUCCESS && (use_first_pass || try_first_pass))
     {
       rc = _do_authentication (pamh, session, username, p);
@@ -3721,7 +3734,7 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
 	  if (curpass == NULL)
 	    return PAM_MAXTRIES;	/* maximum tries exceeded */
 	  else
-	    pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass);
+	    pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) strdup(curpass));
 	}
       else
 	{
OpenPOWER on IntegriCloud