1 # --- T2-COPYRIGHT-NOTE-BEGIN ---
2 # This copyright note is auto-generated by ./scripts/Create-CopyPatch.
4 # T2 SDE: package/.../pam_ldap/pam_ldap-178-nonDNmember.patch
5 # Copyright (C) 2004 - 2007 The T2 SDE Project
7 # More information can be found in the files COPYING and README.
9 # This patch file is dual-licensed. It is available under the license the
10 # patched project is licensed under, as long as it is an OpenSource license
11 # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
12 # of the GNU General Public License as published by the Free Software
13 # Foundation; either version 2 of the License, or (at your option) any later
15 # --- T2-COPYRIGHT-NOTE-END ---
16 ## pam_ldap-178-nonDNmember.patch by Peter Marschall <peter@adpm.de>
18 ## DP: search for group members with non-DN attribute username
19 ## DP: after searching for DN-valued attribute failed
22 +++ ./pam_ldap.c 2005-03-28 11:44:52.939314905 +0200
23 @@ -3871,15 +3871,39 @@
24 rc = ldap_compare_s (session->ld,
25 session->conf->groupdn,
26 session->conf->groupattr, session->info->userdn);
27 - if (rc != LDAP_COMPARE_TRUE)
29 + if (rc == LDAP_COMPARE_FALSE)
31 +#ifndef NO_2ND_CHANCE
32 + /* 2nd chance: compare group membership based on non-DN attributes */
33 + rc = ldap_compare_s (session->ld,
34 + session->conf->groupdn,
35 + session->conf->groupattr, username);
36 +#endif /* NO_2ND_CHANCE */
38 + if (rc != LDAP_COMPARE_TRUE)
40 + snprintf (buf, sizeof buf, "You must be a %s of %s to login.",
41 + session->conf->groupattr, session->conf->groupdn);
42 + _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
44 + /* return error in case of failure, denied in case of no membership */
45 + return (rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR;
48 + else if (rc == LDAP_COMPARE_TRUE)
54 snprintf (buf, sizeof buf, "You must be a %s of %s to login.",
55 session->conf->groupattr, session->conf->groupdn);
56 _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
57 - return PAM_PERM_DENIED;
59 + /* return error in case of failure, denied in case of no membership */
60 + return (rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR;
66 if (rc == success && session->conf->checkserviceattr)
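Review bot: The denial block (snprintf, _conv_sendmsg and the ternary return) is now duplicated in the `rc == LDAP_COMPARE_FALSE` branch and again in the trailing error branch, and in that trailing branch `return (rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR;` can only ever yield PAM_AUTH_ERR because the FALSE case was already taken above. Guarding only the second compare with `#ifndef NO_2ND_CHANCE` / `if (rc == LDAP_COMPARE_FALSE)` and keeping a single `if (rc != LDAP_COMPARE_TRUE)` denial path removes both the duplication and the dead arm, as sketched below. Worth noting in a comment that the fallback compares the caller-supplied `username` string rather than the directory-resolved `session->info->userdn`, so whether the match is exact or case-insensitive depends on the matching rule of `groupattr` in the directory, and a debug-level log line when membership is established only through the fallback would let operators audit which path admitted the user. The brace and `else` lines of this hunk, including the body of the `else if (rc == LDAP_COMPARE_TRUE)` arm, are not visible here (keep that arm if it does real work), and the enclosing function starts and ends outside the hunk.
```c
  rc = ldap_compare_s (session->ld,
                       session->conf->groupdn,
                       session->conf->groupattr, session->info->userdn);
#ifndef NO_2ND_CHANCE
  if (rc == LDAP_COMPARE_FALSE)
    {
      /* 2nd chance: the group may list plain usernames (e.g. memberUid)
       * rather than DNs; exact vs. case-insensitive matching follows the
       * matching rule the directory defines for groupattr */
      rc = ldap_compare_s (session->ld,
                           session->conf->groupdn,
                           session->conf->groupattr, username);
    }
#endif /* NO_2ND_CHANCE */
  if (rc != LDAP_COMPARE_TRUE)
    {
      snprintf (buf, sizeof buf, "You must be a %s of %s to login.",
                session->conf->groupattr, session->conf->groupdn);
      _conv_sendmsg (appconv, buf, PAM_ERROR_MSG, no_warn);
      /* return error in case of failure, denied in case of no membership */
      return (rc == LDAP_COMPARE_FALSE) ? PAM_PERM_DENIED : PAM_AUTH_ERR;
    }
  /* … unchanged: checkserviceattr handling … */
```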