[src/trunk]: src/lib/libpam/modules/pam_deny Add Edgar Fuss's patch to pam_de...

[perseant <perseant%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/44272cf5a86f
branches:  trunk
changeset: 789504:44272cf5a86f
user:      perseant <perseant%NetBSD.org@localhost>
date:      Tue Aug 20 22:07:44 2013 +0000

description:
Add Edgar Fuss's patch to pam_deny, to allow users to be able to change their
LDAP password with "passwd".

diffstat:

 lib/libpam/modules/pam_deny/pam_deny.8 |  13 ++++++++++++-
 lib/libpam/modules/pam_deny/pam_deny.c |  32 ++++++++++++++++++++++++--------
 2 files changed, 36 insertions(+), 9 deletions(-)

diffs (106 lines):

diff -r bb87d0db81d9 -r 44272cf5a86f lib/libpam/modules/pam_deny/pam_deny.8
--- a/lib/libpam/modules/pam_deny/pam_deny.8    Tue Aug 20 21:43:03 2013 +0000
+++ b/lib/libpam/modules/pam_deny/pam_deny.8    Tue Aug 20 22:07:44 2013 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: pam_deny.8,v 1.3 2005/02/26 14:54:25 thorpej Exp $
+.\" $NetBSD: pam_deny.8,v 1.4 2013/08/20 22:07:44 perseant Exp $
 .\" Copyright (c) 2001 Mark R V Murray
 .\" All rights reserved.
 .\"
@@ -73,6 +73,17 @@
 These messages include
 reasons why the user's
 authentication attempt was declined.
+.It Cm prelim_ignore
+for password management (
+.Dq Li password
+feature), return PAM_IGNORE
+in the preliminary phase.
+This allows the module to be used (with the
+.Dq Li required
+flag) at the end of a chain of
+.Dq Li sufficient
+modules with this service
+(where the entire chain is in fact run twice).
 .El
 .Sh SEE ALSO
 .Xr syslog 3 ,
diff -r bb87d0db81d9 -r 44272cf5a86f lib/libpam/modules/pam_deny/pam_deny.c
--- a/lib/libpam/modules/pam_deny/pam_deny.c    Tue Aug 20 21:43:03 2013 +0000
+++ b/lib/libpam/modules/pam_deny/pam_deny.c    Tue Aug 20 22:07:44 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: pam_deny.c,v 1.2 2004/12/12 08:18:44 christos Exp $    */
+/*     $NetBSD: pam_deny.c,v 1.3 2013/08/20 22:07:44 perseant Exp $    */
 
 /*-
  * Copyright 2001 Mark R V Murray
@@ -30,10 +30,12 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_deny/pam_deny.c,v 1.9 2002/04/12 22:27:19 des Exp $");
 #else
-__RCSID("$NetBSD: pam_deny.c,v 1.2 2004/12/12 08:18:44 christos Exp $");
+__RCSID("$NetBSD: pam_deny.c,v 1.3 2013/08/20 22:07:44 perseant Exp $");
 #endif
 
 #include <stddef.h>
+#include <string.h>
+#include <syslog.h>
 
 #define PAM_SM_AUTH
 #define PAM_SM_ACCOUNT
@@ -61,7 +63,7 @@
     int argc __unused, const char *argv[] __unused)
 {
 
-       return (PAM_AUTH_ERR);
+       return (PAM_CRED_ERR);
 }
 
 PAM_EXTERN int
@@ -73,11 +75,25 @@
 }
 
 PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused,
-    int argc __unused, const char *argv[] __unused)
+pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags,
+    int argc, const char *argv[])
 {
+       int prelim_ignore = 0, debug = 0;
+       int i;
 
-       return (PAM_AUTH_ERR);
+       for (i = 0; i < argc; i++) {
+               if (strcmp(argv[i], "prelim_ignore") == 0)
+                       prelim_ignore = 1;
+               else if (strcmp(argv[i], "debug") == 0)
+                       debug = 1;
+               else
+                       syslog(LOG_ERR, "illegal option %s", argv[i]);
+       }
+
+       if (flags & PAM_PRELIM_CHECK && prelim_ignore)
+               return (PAM_IGNORE);
+       else
+               return (PAM_AUTHTOK_ERR);
 }
 
 PAM_EXTERN int
@@ -85,7 +101,7 @@
     int argc __unused, const char *argv[] __unused)
 {
 
-       return (PAM_AUTH_ERR);
+       return (PAM_SESSION_ERR);
 }
 
 PAM_EXTERN int
@@ -93,7 +109,7 @@
     int argc __unused, const char *argv[] __unused)
 {
 
-       return (PAM_AUTH_ERR);
+       return (PAM_SESSION_ERR);
 }
 
 PAM_MODULE_ENTRY("pam_deny");