From 5d0bed9421744105d9f99b12257921ac076cc264 Mon Sep 17 00:00:00 2001
From: Arthur de Jong
Date: Sun, 5 Sep 2010 09:30:44 +0000
Subject: implement a rootpwmodpw option that allows root users to change user passwords without a password prompt

git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1206 ef36b2f9-881f-0410-afb5-c4e39611909c
---
 pam/pam.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'pam/pam.c')

diff --git a/pam/pam.c b/pam/pam.c
index 8826379..f179bd9 100644
--- a/pam/pam.c
+++ b/pam/pam.c
@@ -513,6 +513,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc,const char **argv)
   const char *username,*service;
   const char *oldpassword=NULL,*newpassword=NULL;
   struct passwd *pwent;
+  uid_t myuid;
   /* set up configuration */
   rc=init(pamh,flags,argc,argv,&cfg,&ctx,&username,&service);
   if (rc!=PAM_SUCCESS)
@@ -523,8 +524,17 @@ int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc,const char **argv)
   {
     /* see if the user is trying to modify another user's password */
     pwent=getpwnam(username);
-    if ((pwent!=NULL)&&(pwent->pw_uid!=getuid()))
+    myuid=getuid();
+    if ((pwent!=NULL)&&(pwent->pw_uid!=myuid))
     {
+      /* we are root so we can test if nslcd will allow us to change the user's password without the admin password */
+      if (myuid==0)
+      {
+        rc=nslcd_request_authc(pamh,ctx,&cfg,"",service,"");
+        if ((rc==PAM_SUCCESS)&&(ctx->authok==PAM_SUCCESS))
+          return pam_set_item(pamh,PAM_OLDAUTHTOK,"");
+      }
       /* try to authenticate with the LDAP administrator password by passing an empty username to the authc request */
       rc=pam_get_authtok(pamh,PAM_OLDAUTHTOK,&oldpassword,"LDAP administrator password: ");
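Review bot: The root shortcut under `if (myuid==0)` skips the administrator password solely because an authc request carrying an empty username and an empty password came back with `ctx->authok==PAM_SUCCESS`, so the whole guarantee rests on nslcd refusing that probe unless rootpwmodpw is configured, and the diffstat shows nothing on the nslcd side is part of this commit. If nslcd turns the probe into an LDAP bind with an empty password, a directory that accepts unauthenticated binds (RFC 4513 §5.1.2) could make it succeed for any local root, which is worth stating next to the call: `/* empty username and password is the rootpwmodpw probe; nslcd must reject it unless the option is configured, never pass a real credential here */`. A failed probe silently falls through to the "LDAP administrator password:" prompt, which is the intended fallback but deserves a debug line such as `else if (cfg.debug) pam_syslog(pamh,LOG_DEBUG,"rootpwmodpw probe rejected, asking for admin password");` so operators can tell which path was taken. pam_sm_chauthtok begins before this hunk and the PAM_PRELIM_CHECK branch continues after it.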
@@ -558,6 +568,9 @@ int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc,const char **argv)
     pam_syslog(pamh,LOG_NOTICE,"%s; user=%s",pam_strerror(pamh,ctx->authok),username);
   else if (cfg.debug)
     pam_syslog(pamh,LOG_DEBUG,"authentication succeeded");
+  /* store password (needed if oldpassword was retreived from context) */
+  if (rc==PAM_SUCCESS)
+    return pam_set_item(pamh,PAM_OLDAUTHTOK,oldpassword);
   /* remap error code */
   return remap_pam_rc(ctx->authok,&cfg);
 }
--
cgit v1.2.3
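Review bot: The new early return tests `rc==PAM_SUCCESS` while every line around it treats `ctx->authok` as the authentication verdict (`pam_strerror(pamh,ctx->authok)` in the notice, `remap_pam_rc(ctx->authok,&cfg)` below), and in the first hunk the two are checked together because `rc` is only the status of the nslcd request. If `rc` still holds the `nslcd_request_authc` result at this point (its assignment is outside the hunk), a rejected old password would be logged at LOG_NOTICE and then stored in PAM_OLDAUTHTOK with PAM_SUCCESS returned, bypassing remap_pam_rc entirely; the guard should read `if ((rc==PAM_SUCCESS)&&(ctx->authok==PAM_SUCCESS))`. The comment also has a typo, "retreived" for "retrieved". The enclosing function starts before this hunk.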