Index: man/pam_ldap.8.xml
===================================================================
--- man/pam_ldap.8.xml (revision 1373)
+++ man/pam_ldap.8.xml (working copy)
@@ -90,6 +90,17 @@
+
+
+
+
+ Specifying this option allows users to log in with a blank password.
+ Normally logins without a password are denied.
+
+
+
+
+
Index: pam/pam.c
===================================================================
--- pam/pam.c (revision 1373)
+++ pam/pam.c (working copy)
@@ -140,6 +140,7 @@
struct pld_cfg {
int use_first_pass;
int try_first_pass;
+ int nullok;
int no_warn;
int ignore_unknown_user;
int ignore_authinfo_unavail;
@@ -157,6 +158,7 @@
/* initialise config with defaults */
cfg->use_first_pass=0;
cfg->try_first_pass=0;
+ cfg->nullok=0;
cfg->no_warn=0;
cfg->ignore_unknown_user=0;
cfg->ignore_authinfo_unavail=0;
@@ -169,6 +171,8 @@
cfg->use_first_pass=1;
else if (strcmp(argv[i],"try_first_pass")==0)
cfg->try_first_pass=1;
+ else if (strcmp(argv[i],"nullok")==0)
+ cfg->nullok=1;
else if (strcmp(argv[i],"use_authtok")==0)
/* ignore, this option is used by pam_get_authtok() internally */;
else if (strcmp(argv[i],"no_warn")==0)
@@ -363,8 +367,14 @@
rc=pam_get_item(pamh,PAM_AUTHTOK,(const void **)&passwd);
if (rc!=PAM_SUCCESS)
pam_syslog(pamh,LOG_ERR,"failed to get password: %s",pam_strerror(pamh,rc));
- if (rc==PAM_SUCCESS)
+ else if (!cfg.nullok&&((passwd==NULL)||(passwd[0]=='\0')))
{
+ if (cfg.debug)
+ pam_syslog(pamh,LOG_DEBUG,"user has empty password, access denied");
+ rc=PAM_AUTH_ERR;
+ }
+ else
+ {
rc=nslcd_request_authc(pamh,ctx,&cfg,username,service,passwd);
if (rc==PAM_SUCCESS)
{
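Review bot: With `nullok` set, the new `else` branch forwards a NULL or zero-length `passwd` to `nslcd_request_authc()`, and an LDAP simple bind with an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that some servers answer with success. Whether nslcd rejects such binds is not visible in this hunk, so I would state the dependency at the top of that branch, e.g. `/* nullok: empty password is passed on; nslcd must not accept an unauthenticated bind as a login */`. The denial above it is logged only when `cfg.debug` is set, and at `LOG_DEBUG`; a rejected empty-password attempt is worth recording unconditionally, for example `pam_syslog(pamh,LOG_NOTICE,"empty password supplied, access denied");`, which also avoids implying that the account's stored password is empty. Both points apply equally to the `oldpassword` check in the hunk at -562. The enclosing function starts and ends outside the hunk.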
@@ -562,6 +572,13 @@
if (rc!=PAM_SUCCESS)
return rc;
}
+ /* check for empty password */
+ if (!cfg.nullok&&((oldpassword==NULL)||(oldpassword[0]=='\0')))
+ {
+ if (cfg.debug)
+ pam_syslog(pamh,LOG_DEBUG,"user has empty password, access denied");
+ return PAM_AUTH_ERR;
+ }
/* try authenticating */
rc=nslcd_request_authc(pamh,ctx,&cfg,username,service,oldpassword);
if (rc==PAM_SUCCESS)
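Review bot: The empty-password test `(oldpassword==NULL)||(oldpassword[0]=='\0')` repeats the one added for `passwd` in the hunk at -363; a small static helper such as `static int is_empty(const char *s) { return (s==NULL)||(s[0]=='\0'); }` would keep the two checks from drifting apart. This check also makes `nullok` govern verification of the old password, which looks like the password-change path although the function header is outside the hunk, while the man page text added in this patch mentions only logging in. I would extend the option's description to say that it also permits an empty current password at this point.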