package-update/network/pam_ldap/pam_ldap-178-nonDNmember.patch

# --- T2-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
# 
# T2 SDE: package/.../pam_ldap/pam_ldap-178-nonDNmember.patch
# Copyright (C) 2004 - 2006 The T2 SDE Project
# 
# More information can be found in the files COPYING and README.
# 
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- T2-COPYRIGHT-NOTE-END ---
## pam_ldap-178-nonDNmember.patch by Peter Marschall <peter@adpm.de>
##
## DP: search for group members with non-DN attribute username 
## DP: after searching for DN-valued attribute failed

--- ./pam_ldap.c
+++ ./pam_ldap.c	2005-03-28 11:44:52.939314905 +0200
@@ -3871,15 +3871,39 @@
       rc = ldap_compare_s (session->ld,
 			   session->conf->groupdn,
 			   session->conf->groupattr, session->info->userdn);
-      if (rc != LDAP_COMPARE_TRUE)
+      
+      if (rc == LDAP_COMPARE_FALSE)
+	{
+#ifndef NO_2ND_CHANCE
+	  /* 2nd chance: compare group membership based on non-DN attributes */
+	  rc = ldap_compare_s (session->ld,
+			       session->conf->groupdn,
+                               session->conf->groupattr, username);
+#endif /* NO_2ND_CHANCE */
+
+	  if (rc != LDAP_COMPARE_TRUE)
+	    {
+	      snprintf (buf, sizeof buf, "You must be a %s of %s to login.",
+			session->conf->groupattr, session->conf->groupdn);
+	      _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
+
+	      /* return error in case of failure, denied in case of no membership */
+	      return (rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR;
+	    }
+       }
+      else if (rc == LDAP_COMPARE_TRUE)
+       {
+         rc = success;
+       }
+      else
 	{
 	  snprintf (buf, sizeof buf, "You must be a %s of %s to login.",
 		    session->conf->groupattr, session->conf->groupdn);
 	  _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
-	  return PAM_PERM_DENIED;
+
+	  /* return error in case of failure, denied in case of no membership */
+	  return (rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR;
 	}
-      else
-	rc = success;
     }
 
   if (rc == success && session->conf->checkserviceattr)
* relocated current package database to the trunk of the package sub-project git-svn-id: svn://svn.opensde.net/opensde/package/trunk@20072 10447126-35f2-4685-b0cf-6dd780d3921f 18 years ago			`# --- T2-COPYRIGHT-NOTE-BEGIN ---`
			`# This copyright note is auto-generated by ./scripts/Create-CopyPatch.`
			`#`
			`# T2 SDE: package/.../pam_ldap/pam_ldap-178-nonDNmember.patch`
			`# Copyright (C) 2004 - 2006 The T2 SDE Project`
			`#`
			`# More information can be found in the files COPYING and README.`
			`#`
			`# This patch file is dual-licensed. It is available under the license the`
			`# patched project is licensed under, as long as it is an OpenSource license`
			`# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms`
			`# of the GNU General Public License as published by the Free Software`
			`# Foundation; either version 2 of the License, or (at your option) any later`
			`# version.`
			`# --- T2-COPYRIGHT-NOTE-END ---`
			`## pam_ldap-178-nonDNmember.patch by Peter Marschall <peter@adpm.de>`
			`##`
			`## DP: search for group members with non-DN attribute username`
			`## DP: after searching for DN-valued attribute failed`

			`--- ./pam_ldap.c`
			`+++ ./pam_ldap.c 2005-03-28 11:44:52.939314905 +0200`
			`@@ -3871,15 +3871,39 @@`
			`rc = ldap_compare_s (session->ld,`
			`session->conf->groupdn,`
			`session->conf->groupattr, session->info->userdn);`
			`- if (rc != LDAP_COMPARE_TRUE)`
			`+`
			`+ if (rc == LDAP_COMPARE_FALSE)`
			`+ {`
			`+#ifndef NO_2ND_CHANCE`
			`+ /* 2nd chance: compare group membership based on non-DN attributes */`
			`+ rc = ldap_compare_s (session->ld,`
			`+ session->conf->groupdn,`
			`+ session->conf->groupattr, username);`
			`+#endif /* NO_2ND_CHANCE */`
			`+`
			`+ if (rc != LDAP_COMPARE_TRUE)`
			`+ {`
			`+ snprintf (buf, sizeof buf, "You must be a %s of %s to login.",`
			`+ session->conf->groupattr, session->conf->groupdn);`
			`+ _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);`
			`+`
			`+ /* return error in case of failure, denied in case of no membership */`
			`+ return (rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR;`
			`+ }`
			`+ }`
			`+ else if (rc == LDAP_COMPARE_TRUE)`
			`+ {`
			`+ rc = success;`
			`+ }`
			`+ else`
			`{`
			`snprintf (buf, sizeof buf, "You must be a %s of %s to login.",`
			`session->conf->groupattr, session->conf->groupdn);`
			`_conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);`
			`- return PAM_PERM_DENIED;`
			`+`
			`+ /* return error in case of failure, denied in case of no membership */`
			`+ return (rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR;`
			`}`
			`- else`
			`- rc = success;`
			`}`

			`if (rc == success && session->conf->checkserviceattr)`