You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

67 lines
2.4 KiB

# --- T2-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
#
# T2 SDE: package/.../pam_ldap/pam_ldap-178-nonDNmember.patch
# Copyright (C) 2004 - 2006 The T2 SDE Project
#
# More information can be found in the files COPYING and README.
#
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- T2-COPYRIGHT-NOTE-END ---
## pam_ldap-178-nonDNmember.patch by Peter Marschall <peter@adpm.de>
##
## DP: search for group members with non-DN attribute username
## DP: after searching for DN-valued attribute failed
--- ./pam_ldap.c
+++ ./pam_ldap.c 2005-03-28 11:44:52.939314905 +0200
@@ -3871,15 +3871,39 @@
rc = ldap_compare_s (session->ld,
session->conf->groupdn,
session->conf->groupattr, session->info->userdn);
- if (rc != LDAP_COMPARE_TRUE)
+
+ if (rc == LDAP_COMPARE_FALSE)
+ {
+#ifndef NO_2ND_CHANCE
+ /* 2nd chance: compare group membership based on non-DN attributes */
+ rc = ldap_compare_s (session->ld,
+ session->conf->groupdn,
+ session->conf->groupattr, username);
+#endif /* NO_2ND_CHANCE */
+
+ if (rc != LDAP_COMPARE_TRUE)
+ {
+ snprintf (buf, sizeof buf, "You must be a %s of %s to login.",
+ session->conf->groupattr, session->conf->groupdn);
+ _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
+
+ /* return error in case of failure, denied in case of no membership */
+ return (rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR;
+ }
+ }
+ else if (rc == LDAP_COMPARE_TRUE)
+ {
+ rc = success;
+ }
+ else
{
snprintf (buf, sizeof buf, "You must be a %s of %s to login.",
session->conf->groupattr, session->conf->groupdn);
_conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
- return PAM_PERM_DENIED;
+
+ /* return error in case of failure, denied in case of no membership */
+ return (rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR;
}
- else
- rc = success;
}
if (rc == success && session->conf->checkserviceattr)