authorArthur de Jong <arthur@arthurdejong.org>2010-09-05 11:30:44 +0200
committerArthur de Jong <arthur@arthurdejong.org>2010-09-05 11:30:44 +0200
commit5d0bed9421744105d9f99b12257921ac076cc264 (patch)
tree8609be021b35f423d42dab6d883eb95c8365a9d4 /pam/pam.c
parent9a9a18ee35a48980510da613c9caa460f6da7e30 (diff)
implement a rootpwmodpw option that allows root users to change user passwords without a password prompt
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1206 ef36b2f9-881f-0410-afb5-c4e39611909c
Diffstat (limited to 'pam/pam.c')
-rw-r--r--pam/pam.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/pam/pam.c b/pam/pam.c
index 8826379..f179bd9 100644
--- a/pam/pam.c
+++ b/pam/pam.c
@@ -513,6 +513,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc,const char **argv)
const char *username,*service;
const char *oldpassword=NULL,*newpassword=NULL;
struct passwd *pwent;
+ uid_t myuid;
/* set up configuration */
rc=init(pamh,flags,argc,argv,&cfg,&ctx,&username,&service);
if (rc!=PAM_SUCCESS)
@@ -523,8 +524,17 @@ int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc,const char **argv)
{
/* see if the user is trying to modify another user's password */
pwent=getpwnam(username);
- if ((pwent!=NULL)&&(pwent->pw_uid!=getuid()))
+ myuid=getuid();
+ if ((pwent!=NULL)&&(pwent->pw_uid!=myuid))
{
+ /* we are root so we can test if nslcd will allow us to change the
+ user's password without the admin password */
+ if (myuid==0)
+ {
+ rc=nslcd_request_authc(pamh,ctx,&cfg,"",service,"");
+ if ((rc==PAM_SUCCESS)&&(ctx->authok==PAM_SUCCESS))
+ return pam_set_item(pamh,PAM_OLDAUTHTOK,"");
+ }
/* try to authenticate with the LDAP administrator password by passing
an empty username to the authc request */
rc=pam_get_authtok(pamh,PAM_OLDAUTHTOK,&oldpassword,"LDAP administrator password: ");
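Review bot: The early `return pam_set_item(pamh,PAM_OLDAUTHTOK,"");` in the new `if (myuid==0)` branch leaves the function before the `pam_syslog` calls further down, so a password change authorised without any password leaves no record from this module. Bracing the success case and adding `pam_syslog(pamh,LOG_NOTICE,"password change by root without administrator password; user=%s",username);` before the return would give an audit trail. The `myuid==0` test only decides whether to send the empty-credential request; the authorisation that counts has to be enforced by nslcd from the socket peer's credentials and the rootpwmodpw option, which is not visible in this file and is worth confirming. The enclosing block opens above the hunk and the function continues below it.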
@@ -558,6 +568,9 @@ int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc,const char **argv)
pam_syslog(pamh,LOG_NOTICE,"%s; user=%s",pam_strerror(pamh,ctx->authok),username);
else if (cfg.debug)
pam_syslog(pamh,LOG_DEBUG,"authentication succeeded");
+ /* store password (needed if oldpassword was retreived from context) */
+ if (rc==PAM_SUCCESS)
+ return pam_set_item(pamh,PAM_OLDAUTHTOK,oldpassword);
/* remap error code */
return remap_pam_rc(ctx->authok,&cfg);
}
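Review bot: The added `if (rc==PAM_SUCCESS)` returns the result of `pam_set_item()` without looking at `ctx->authok`, whereas the root branch added earlier in this commit tests both `rc` and `ctx->authok`. If `rc` here holds only the status of the nslcd request (its assignment is outside the hunk), a rejected password would leave the function with the `pam_set_item()` result, normally PAM_SUCCESS, instead of going through `remap_pam_rc(ctx->authok,&cfg)`. The guard should read `if ((rc==PAM_SUCCESS)&&(ctx->authok==PAM_SUCCESS))`. The new comment also misspells "retrieved".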