You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
66 lines
2.4 KiB
66 lines
2.4 KiB
# --- SDE-COPYRIGHT-NOTE-BEGIN --- |
|
# This copyright note is auto-generated by ./scripts/Create-CopyPatch. |
|
# |
|
# Filename: package/.../pam_ldap/pam_ldap-178-nonDNmember.patch |
|
# Copyright (C) 2004 - 2006 The T2 SDE Project |
|
# |
|
# More information can be found in the files COPYING and README. |
|
# |
|
# This patch file is dual-licensed. It is available under the license the |
|
# patched project is licensed under, as long as it is an OpenSource license |
|
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms |
|
# of the GNU General Public License as published by the Free Software |
|
# Foundation; either version 2 of the License, or (at your option) any later |
|
# version. |
|
# --- SDE-COPYRIGHT-NOTE-END --- |
|
## pam_ldap-178-nonDNmember.patch by Peter Marschall <peter@adpm.de> |
|
## |
|
## DP: search for group members with non-DN attribute username |
|
## DP: after searching for DN-valued attribute failed |
|
|
|
--- ./pam_ldap.c |
|
+++ ./pam_ldap.c 2005-03-28 11:44:52.939314905 +0200 |
|
@@ -3871,15 +3871,39 @@ |
|
rc = ldap_compare_s (session->ld, |
|
session->conf->groupdn, |
|
session->conf->groupattr, session->info->userdn); |
|
- if (rc != LDAP_COMPARE_TRUE) |
|
+ |
|
+ if (rc == LDAP_COMPARE_FALSE) |
|
+ { |
|
+#ifndef NO_2ND_CHANCE |
|
+ /* 2nd chance: compare group membership based on non-DN attributes */ |
|
+ rc = ldap_compare_s (session->ld, |
|
+ session->conf->groupdn, |
|
+ session->conf->groupattr, username); |
|
+#endif /* NO_2ND_CHANCE */ |
|
+ |
|
+ if (rc != LDAP_COMPARE_TRUE) |
|
+ { |
|
+ snprintf (buf, sizeof buf, "You must be a %s of %s to login.", |
|
+ session->conf->groupattr, session->conf->groupdn); |
|
+ _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn); |
|
+ |
|
+ /* return error in case of failure, denied in case of no membership */ |
|
+ return (rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR; |
|
+ } |
|
+ } |
|
+ else if (rc == LDAP_COMPARE_TRUE) |
|
+ { |
|
+ rc = success; |
|
+ } |
|
+ else |
|
{ |
|
snprintf (buf, sizeof buf, "You must be a %s of %s to login.", |
|
session->conf->groupattr, session->conf->groupdn); |
|
_conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn); |
|
- return PAM_PERM_DENIED; |
|
+ |
|
+ /* return error in case of failure, denied in case of no membership */ |
|
+ return (rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR; |
|
} |
|
- else |
|
- rc = success; |
|
} |
|
|
|
if (rc == success && session->conf->checkserviceattr)
|
|
|