nss-pam-ldapd commit: r1059 - in nss-pam-ldapd: . debian man nslcd pam
nss-pam-ldapd commit: r1059 - in nss-pam-ldapd: . debian man nslcd pam
- From: "Commits of the nss-pam-ldapd project." <nss-pam-ldapd-commits [at] lists.arthurdejong.org>
- To: nss-pam-ldapd-commits [at] lists.arthurdejong.org
- Reply-to: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: nss-pam-ldapd commit: r1059 - in nss-pam-ldapd: . debian man nslcd pam
- Date: Sun, 24 Jan 2010 15:33:22 +0100 (CET)
Author: arthur
Date: Sun Jan 24 15:33:21 2010
New Revision: 1059
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=1059
Log:
add admindn configuration file option that is used when modifying another
user's password
Modified:
nss-pam-ldapd/debian/nslcd.postinst
nss-pam-ldapd/man/nslcd.conf.5.xml
nss-pam-ldapd/nslcd.conf
nss-pam-ldapd/nslcd.h
nss-pam-ldapd/nslcd/cfg.c
nss-pam-ldapd/nslcd/cfg.h
nss-pam-ldapd/nslcd/pam.c
nss-pam-ldapd/pam/pam.c
Modified: nss-pam-ldapd/debian/nslcd.postinst
==============================================================================
--- nss-pam-ldapd/debian/nslcd.postinst Sun Jan 24 14:46:15 2010 (r1058)
+++ nss-pam-ldapd/debian/nslcd.postinst Sun Jan 24 15:33:21 2010 (r1059)
@@ -115,6 +115,9 @@
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
+# The DN used for password modifications by root.
+#admindn cn=admin,dc=example,dc=com
+
# SSL options
#ssl off
#tls_reqcert never
Modified: nss-pam-ldapd/man/nslcd.conf.5.xml
==============================================================================
--- nss-pam-ldapd/man/nslcd.conf.5.xml Sun Jan 24 14:46:15 2010 (r1058)
+++ nss-pam-ldapd/man/nslcd.conf.5.xml Sun Jan 24 15:33:21 2010 (r1059)
@@ -6,7 +6,7 @@
nslcd.conf.5.xml - docbook manual page for nslcd.conf
Copyright (C) 1997-2005 Luke Howard
- Copyright (C) 2007, 2008, 2009 Arthur de Jong
+ Copyright (C) 2007, 2008, 2009, 2010 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -187,6 +187,17 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>admindn</option> <emphasis remap="I">DN</emphasis></term>
+ <listitem>
+ <para>
+ Specifies the distinguished name to use when the root user tries to
+ modify a user's password using the PAM module. The PAM module prompts
+ the user for the admin password instead of the user's password.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect2>
Modified: nss-pam-ldapd/nslcd.conf
==============================================================================
--- nss-pam-ldapd/nslcd.conf Sun Jan 24 14:46:15 2010 (r1058)
+++ nss-pam-ldapd/nslcd.conf Sun Jan 24 15:33:21 2010 (r1059)
@@ -29,6 +29,9 @@
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret
+# The distinguished name to perform password modifications by root by.
+#admindn cn=admin,dc=example,dc=com
+
# The default search scope.
#scope sub
#scope one
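Review bot: The new comment `# The distinguished name to perform password modifications by root by.` reads awkwardly and, unlike the bindpw entry just above it, does not say where the credential for this DN comes from. Since the PAM module prompts for the administrator password rather than storing it, saying so here prevents administrators from looking for (or inventing) a matching password option: `# The DN to bind with when root changes another user's password via PAM.` followed by `# No password is stored here; the PAM module prompts for it.`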
Modified: nss-pam-ldapd/nslcd.h
==============================================================================
--- nss-pam-ldapd/nslcd.h Sun Jan 24 14:46:15 2010 (r1058)
+++ nss-pam-ldapd/nslcd.h Sun Jan 24 15:33:21 2010 (r1059)
@@ -2,7 +2,7 @@
nslcd.h - file describing client/server protocol
Copyright (C) 2006 West Consulting
- Copyright (C) 2006, 2007, 2009 Arthur de Jong
+ Copyright (C) 2006, 2007, 2009, 2010 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -194,7 +194,10 @@
and the result value ends with:
INT32 authc NSLCD_PAM_* result code
INT32 authz NSLCD_PAM_* result code
- STRING authorisation error message */
+ STRING authorisation error message
+ If the username is empty in this request an attempt is made to
+ authenticate as the administrator (set using admindn). The returned DN
+ is that of the administrator. */
#define NSLCD_ACTION_PAM_AUTHC 20001
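Review bot: The comment documents the empty-username convention but not who is allowed to use it: the server acts on an empty username whenever admindn is configured, and the test that the caller is root lives only in the PAM module (the getpwnam()/getuid() comparison in pam/pam.c in this commit), which any local process that can open the nslcd socket can skip by sending the request itself. Possession of the administrator password is still required, so this appears to reduce to an unthrottled online guessing oracle against the admindn credential rather than a bypass, but the protocol comment should state that so nobody later mistakes the uid test for the authorisation. I would add `Note: the daemon does not verify the caller's identity; authorisation rests solely on the administrator password supplied in the request.`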
/* PAM authorisation check request. The extra request values are:
@@ -225,7 +228,10 @@
STRING new password
and returns there extra result values:
INT32 authz NSLCD_PAM_* result code
- STRING authorisation error message */
+ STRING authorisation error message
+ In this request the DN may be set to the administrator's DN. In this
+ case old password should be the administrator's password. This allows
+ the administrator to change any user's password. */
#define NSLCD_ACTION_PAM_PWMOD 20005
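Review bot: The comment says the DN "may be set to the administrator's DN" but not how the server recognises that case; from the nslcd/pam.c change in this commit it appears to be an exact strcmp() against the configured admindn, so a DN differing only in case or whitespace is handled as an ordinary user DN (fail closed, but surprising for LDAP where DN comparison is normally not byte-exact). Stating it here keeps client and server in agreement: `The DN is recognised as the administrator's by exact string comparison with the configured admindn, so the client must pass back verbatim the DN returned by NSLCD_ACTION_PAM_AUTHC.`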
/* Request result codes. */
Modified: nss-pam-ldapd/nslcd/cfg.c
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.c Sun Jan 24 14:46:15 2010 (r1058)
+++ nss-pam-ldapd/nslcd/cfg.c Sun Jan 24 15:33:21 2010 (r1059)
@@ -5,7 +5,7 @@
Copyright (C) 1997-2005 Luke Howard
Copyright (C) 2007 West Consulting
- Copyright (C) 2007, 2008, 2009 Arthur de Jong
+ Copyright (C) 2007, 2008, 2009, 2010 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -96,6 +96,7 @@
#endif /* not LDAP_VERSION3 */
cfg->ldc_binddn=NULL;
cfg->ldc_bindpw=NULL;
+ cfg->ldc_admindn=NULL;
cfg->ldc_sasl_authcid=NULL;
cfg->ldc_sasl_authzid=NULL;
cfg->ldc_sasl_secprops=NULL;
@@ -767,6 +768,10 @@
{
get_restdup(filename,lnr,keyword,&line,&cfg->ldc_bindpw);
}
+ else if (strcasecmp(keyword,"admindn")==0)
+ {
+ get_restdup(filename,lnr,keyword,&line,&cfg->ldc_admindn);
+ }
/* SASL authentication options */
else if (strcasecmp(keyword,"sasl_authcid")==0)
{
Modified: nss-pam-ldapd/nslcd/cfg.h
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.h Sun Jan 24 14:46:15 2010 (r1058)
+++ nss-pam-ldapd/nslcd/cfg.h Sun Jan 24 15:33:21 2010 (r1059)
@@ -5,7 +5,7 @@
Copyright (C) 1997-2005 Luke Howard
Copyright (C) 2007 West Consulting
- Copyright (C) 2007, 2008, 2009 Arthur de Jong
+ Copyright (C) 2007, 2008, 2009, 2010 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -92,6 +92,8 @@
char *ldc_binddn;
/* bind cred */
char *ldc_bindpw;
+ /* bind DN for password modification by administrator */
+ char *ldc_admindn;
/* sasl authentication id */
char *ldc_sasl_authcid;
/* sasl authorization id */
Modified: nss-pam-ldapd/nslcd/pam.c
==============================================================================
--- nss-pam-ldapd/nslcd/pam.c Sun Jan 24 14:46:15 2010 (r1058)
+++ nss-pam-ldapd/nslcd/pam.c Sun Jan 24 15:33:21 2010 (r1059)
@@ -2,7 +2,7 @@
pam.c - pam processing routines
Copyright (C) 2009 Howard Chu
- Copyright (C) 2009 Arthur de Jong
+ Copyright (C) 2009, 2010 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -145,8 +145,18 @@
/* write the response header */
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHC);
- /* validate request and fill in the blanks */
- if (validate_user(session,userdn,sizeof(userdn),username,sizeof(username)))
+ /* if the username is blank and admindn is configure, try to authenticate
+ as administrator, otherwise validate request as usual */
+ if ((*username=='\0')&&(nslcd_cfg->ldc_admindn!=NULL))
+ {
+ if (strlen(nslcd_cfg->ldc_admindn)>=sizeof(userdn))
+ {
+ log_log(LOG_ERR,"nslcd_pam_authc(): admindn will not fit in userdn");
+ return -1;
+ }
+ strcpy(userdn,nslcd_cfg->ldc_admindn);
+ }
+ else if
(validate_user(session,userdn,sizeof(userdn),username,sizeof(username)))
{
WRITE_INT32(fp,NSLCD_RESULT_END);
return -1;
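Review bot: The new admindn-too-long path returns -1 after the response header has already been written (`WRITE_INT32(fp,NSLCD_ACTION_PAM_AUTHC)`), but unlike the validate_user() failure directly below it, it does not write `NSLCD_RESULT_END` first, so the client is presumably left waiting for a result marker on an aborted response. Mirroring the existing path, `log_log(LOG_ERR,"nslcd_pam_authc(): admindn will not fit in userdn"); WRITE_INT32(fp,NSLCD_RESULT_END); return -1;`, keeps the protocol consistent. Since admindn is static configuration, the length check would also be better done once in cfg.c when the option is parsed, so a misconfiguration is reported at startup rather than on every request. nslcd_pam_authc() continues beyond the end of the hunk.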
@@ -262,8 +272,8 @@
return 0;
}
-static int try_pwmod(const char *userdn,const char *oldpassword,
- const char *newpassword)
+static int try_pwmod(const char *binddn,const char *userdn,
+ const char *oldpassword,const char *newpassword)
{
MYLDAP_SESSION *session;
int rc;
@@ -272,9 +282,12 @@
if (session==NULL)
return NSLCD_PAM_AUTH_ERR;
/* set up credentials for the session */
- rc=myldap_set_credentials(session,userdn,oldpassword);
+ rc=myldap_set_credentials(session,binddn,oldpassword);
if (rc==LDAP_SUCCESS)
{
+ /* if doing password modification as admin, don't pass old password along
*/
+ if
((nslcd_cfg->ldc_admindn!=NULL)&&(strcmp(binddn,nslcd_cfg->ldc_admindn)==0))
+ oldpassword=NULL;
/* perform password modification */
rc=myldap_passwd(session,userdn,oldpassword,newpassword);
}
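Review bot: try_pwmod() re-derives "is this an administrator modification" by comparing binddn against nslcd_cfg->ldc_admindn with strcmp(), although the caller has just made exactly that decision when it chose binddn; passing the decision explicitly, e.g. `static int try_pwmod(const char *binddn,const char *userdn,const char *oldpassword,const char *newpassword,int asadmin)` with `if (asadmin) oldpassword=NULL;`, removes the duplicated comparison and the extra NULL check on the configuration. A comment on why the old password is dropped would also help; presumably the password modify operation would otherwise try to verify it against the target user's entry, but that is not visible here. try_pwmod() continues past the end of the hunk.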
@@ -292,6 +305,7 @@
char servicename[64];
char oldpassword[64];
char newpassword[64];
+ char *binddn=userdn; /* the user performing the modification */
int rc;
/* read request parameters */
READ_STRING(fp,username);
@@ -306,6 +320,12 @@
/* write the response header */
WRITE_INT32(fp,NSLCD_VERSION);
WRITE_INT32(fp,NSLCD_ACTION_PAM_PWMOD);
+ /* check if the the user passed the admindn */
+ if
((nslcd_cfg->ldc_admindn!=NULL)&&(strcmp(userdn,nslcd_cfg->ldc_admindn)==0))
+ {
+ binddn=nslcd_cfg->ldc_admindn;
+ userdn[0]='\0'; /* cause validate_user() to get the user DN */
+ }
/* validate request and fill in the blanks */
if (validate_user(session,userdn,sizeof(userdn),username,sizeof(username)))
{
@@ -313,7 +333,7 @@
return -1;
}
/* perform password modification */
- rc=try_pwmod(userdn,oldpassword,newpassword);
+ rc=try_pwmod(binddn,userdn,oldpassword,newpassword);
/* write response */
WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
WRITE_STRING(fp,username);
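Review bot: When the request DN matches admindn the daemon changes another user's password on the strength of the administrator password alone, yet nothing in the hunk records that a privileged modification took place or for which account. A single audit line before the try_pwmod() call, e.g. `if (binddn==nslcd_cfg->ldc_admindn) log_log(LOG_NOTICE,"password of %s modified via admindn %s",username,binddn);`, would give operators a trail for what is now a highly privileged directory operation. Whether the rest of the function already logs the outcome is not visible here; nslcd_pam_pwmod() starts before the hunk.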
Modified: nss-pam-ldapd/pam/pam.c
==============================================================================
--- nss-pam-ldapd/pam/pam.c Sun Jan 24 14:46:15 2010 (r1058)
+++ nss-pam-ldapd/pam/pam.c Sun Jan 24 15:33:21 2010 (r1059)
@@ -2,7 +2,7 @@
pam.c - pam module functions
Copyright (C) 2009 Howard Chu
- Copyright (C) 2009 Arthur de Jong
+ Copyright (C) 2009, 2010 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -28,6 +28,7 @@
#include <syslog.h>
#include <unistd.h>
#include <sys/types.h>
+#include <pwd.h>
#include "common.h"
#include "compat/attrs.h"
@@ -596,6 +597,8 @@
READ_BUF_STRING(fp,ctx->authzmsg);)
}
+/* prompt for LDAP administrator password */
+
/* ensure that the context includes and oldpassword field */
static const char *get_old_password(pam_handle_t *pamh, int flags,pld_ctx *ctx)
{
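Review bot: The added comment `/* prompt for LDAP administrator password */` is followed by a blank line and then the pre-existing comment for get_old_password(), so it documents nothing; it looks like a leftover from a helper that was instead inlined into pam_sm_chauthtok() (the pam_get_authtok() call later in this commit). Either drop the two added lines or move the comment to sit directly above the code that actually prompts.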
@@ -635,7 +638,8 @@
int i;
struct pam_conv *appconv;
pld_ctx *ctx=NULL;
-
+ struct passwd *pwent;
+ /* parse module options */
for (i=0;i<argc;i++)
{
if (strcmp(argv[i],"use_first_pass")==0)
@@ -686,10 +690,24 @@
and authenticate with the current password */
if (flags&PAM_PRELIM_CHECK)
{
- /* get old (current) password */
- oldpassword=get_old_password(pamh,flags,ctx);
- /* check the old password */
- rc=nslcd_request_authc(ctx,username,service,oldpassword);
+ /* see if the user is trying to modify another user's password */
+ pwent=getpwnam(username);
+ if ((pwent!=NULL)&&(pwent->pw_uid!=getuid()))
+ {
+ /* prompt for the admin password */
+ rc=pam_get_authtok(pamh,PAM_OLDAUTHTOK,&oldpassword,"LDAP administrator
password: ");
+ if (rc!=PAM_SUCCESS)
+ return rc;
+ /* try authenticating */
+ rc=nslcd_request_authc(ctx,"",service,oldpassword);
+ }
+ else
+ {
+ /* get old (current) password */
+ oldpassword=get_old_password(pamh,flags,ctx);
+ /* check the old password */
+ rc=nslcd_request_authc(ctx,username,service,oldpassword);
+ }
if (rc==PAM_SUCCESS)
rc=ctx->authok;
if ((rc==PAM_AUTHINFO_UNAVAIL)&&(ignore_flags&IGNORE_UNAVAIL))
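Review bot: `pwent=getpwnam(username)` returns a pointer to static storage shared with every other NSS caller in the process, which matters for a PAM module loaded into arbitrary, possibly threaded, applications; only pw_uid is read, so `struct passwd pwbuf; char pwb[1024]; getpwnam_r(username,&pwbuf,pwb,sizeof(pwb),&pwent);` is a drop-in replacement. When the lookup fails (`pwent==NULL`) root silently takes the user-password branch instead of the administrator prompt, which is probably intended but deserves a comment such as `/* unknown user: fall back to asking for the user's own password */`. Note also that pam_get_authtok() with PAM_OLDAUTHTOK stores the administrator password in the PAM handle where later stacked modules can read it, and that pam_get_authtok() itself is a Linux-PAM extension; if both are acceptable, a comment saying so would save the next reader the question. pam_sm_chauthtok() starts before and ends after this hunk.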