# --- SDE-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
#
# Filename: package/.../pam_ldap/pam_ldap-178-nonDNmember.patch
# Copyright (C) 2004 - 2006 The T2 SDE Project
#
# More information can be found in the files COPYING and README.
#
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- SDE-COPYRIGHT-NOTE-END ---
## pam_ldap-178-nonDNmember.patch by Peter Marschall <peter@adpm.de>
##
## DP: search for group members with non-DN attribute username
## DP: after searching for DN-valued attribute failed
--- ./pam_ldap.c
+++ ./pam_ldap.c 2005-03-28 11:44:52.939314905 +0200
@@ -3871,15 +3871,39 @@
rc = ldap_compare_s (session->ld, session->conf->groupdn, session->conf->groupattr, session->info->userdn);
- if (rc != LDAP_COMPARE_TRUE)
+
+ if (rc == LDAP_COMPARE_FALSE)
+ {
+#ifndef NO_2ND_CHANCE
+ /* 2nd chance: compare group membership based on non-DN attributes */
+ rc = ldap_compare_s (session->ld,
+ session->conf->groupdn,
+ session->conf->groupattr, username);
+#endif /* NO_2ND_CHANCE */
+
+ if (rc != LDAP_COMPARE_TRUE)
+ {
+ snprintf (buf, sizeof buf, "You must be a %s of %s to login.",
+ session->conf->groupattr, session->conf->groupdn);
+ _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
+
+ /* return error in case of failure, denied in case of no membership */
+ return (rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR;
+ }
+ }
+ else if (rc == LDAP_COMPARE_TRUE)
+ {
+ rc = success;
+ }
+ else
{
snprintf (buf, sizeof buf, "You must be a %s of %s to login.", session->conf->groupattr, session->conf->groupdn);
_conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
- return PAM_PERM_DENIED;
+
+ /* return error in case of failure, denied in case of no membership */
+ return (rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR;
}
- else
- rc = success;
}
if (rc == success && session->conf->checkserviceattr)
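Review bot: The second-chance branch never normalises `rc` after a successful compare: when the `ldap_compare_s` call on `username` returns LDAP_COMPARE_TRUE, control falls out of the inner `if (rc != LDAP_COMPARE_TRUE)` block with `rc` still holding the LDAP result code, whereas the sibling `else if (rc == LDAP_COMPARE_TRUE)` branch sets `rc = success;`. The `if (rc == success && session->conf->checkserviceattr)` gate at the end of the hunk is therefore false for members matched by plain username, so the service-attribute authorization check is skipped for exactly the users admitted by the new path, and any later use of `rc` as a PAM status sees an LDAP code instead (the enclosing function continues outside the hunk, so I have not traced how `rc` is consumed after this point). Add `rc = success;` as the last statement of the `if (rc == LDAP_COMPARE_FALSE)` block, after the inner `if` closes, so both membership paths leave `rc` in the same state. Separately, in the final `else` branch `rc` is by construction neither TRUE nor FALSE, so `(rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR` always yields PAM_AUTH_ERR; a plain `return PAM_AUTH_ERR;` would say what the code does.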