$NetBSD: patch-ab,v 1.5 2005/01/12 02:30:09 xtraeme Exp $

--- pam_ldap.c.orig	Sun Oct 31 02:42:54 2004
+++ pam_ldap.c	Sun Oct 31 02:48:03 2004
@@ -131,12 +131,7 @@
 #include "pam_ldap.h"
 #include "md5.h"
 
-#if defined(HAVE_SECURITY_PAM_MISC_H) || defined(HAVE_PAM_PAM_MISC_H)
- /* FIXME: is there something better to check? */
 #define CONST_ARG const
-#else
-#define CONST_ARG
-#endif
 
 #ifndef HAVE_LDAP_MEMFREE
 #define ldap_memfree(x)	free(x)
@@ -3137,7 +3132,7 @@
   int rc;
   const char *username;
   char *p;
-  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0;
+  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0, migrate = 0;
   int i;
   pam_ldap_session_t *session = NULL;
   const char *configFile = NULL;
@@ -3158,6 +3153,8 @@
 	;
       else if (!strcmp (argv[i], "debug"))
 	;
+      else if (!strcmp (argv[i], "migrate"))
+        migrate = 1;
       else
 	syslog (LOG_ERR, "illegal option %s", argv[i]);
     }
@@ -3171,6 +3168,22 @@
     return rc;
 
   rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p);
+  /* start of migrate facility in "pam_ldap authentication" */
+  if (migrate==1 && rc==PAM_SUCCESS)
+    {
+      /* check if specified username exists in LDAP */
+      if (_get_user_info(session,username)==PAM_SUCCESS)
+        {
+          /*
+             overwrite old LDAP userPassword with a new password
+             obtained during pam authentication process
+             - rootbinddn and ldap.secret must be set
+          */
+          rc=_update_authtok(pamh,session,username,NULL,p);
+          return PAM_IGNORE;
+        }
+    }
+  /* end of migrate facility in "pam_ldap authentication" */
   if (rc == PAM_SUCCESS && (use_first_pass || try_first_pass))
     {
       rc = _do_authentication (pamh, session, username, p);
@@ -3419,11 +3432,11 @@
 		    {
 		      _conv_sendmsg (appconv, "Password change aborted",
 				     PAM_ERROR_MSG, no_warn);
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
-		      return PAM_AUTHTOK_RECOVERY_ERR;
-#else
+#ifdef PAM_AUTHTOK_RECOVER_ERR
 		      return PAM_AUTHTOK_RECOVER_ERR;
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
+#else
+		      return PAM_AUTHTOK_RECOVERY_ERR;
+#endif
 		    }
 		  else
 		    {
@@ -3437,7 +3450,7 @@
 	  if (curpass == NULL)
 	    return PAM_MAXTRIES;	/* maximum tries exceeded */
 	  else
-	    pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass);
+	    pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) strdup(curpass));
 	}
       else
 	{
@@ -3465,11 +3478,11 @@
       syslog (LOG_ERR,
 	      "pam_ldap: error getting old authentication token (%s)",
 	      pam_strerror (pamh, rc));
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
-      return PAM_AUTHTOK_RECOVERY_ERR;
-#else
+#ifdef PAM_AUTHTOK_RECOVER_ERR
       return PAM_AUTHTOK_RECOVER_ERR;
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
+#else
+      return PAM_AUTHTOK_RECOVERY_ERR;
+#endif /* PAM_AUTHTOK_RECOVER_ERR */
     }
 
   if (try_first_pass || use_first_pass)
@@ -3479,11 +3492,11 @@
 	newpass = NULL;
 
       if (use_first_pass && newpass == NULL)
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
-	return PAM_AUTHTOK_RECOVERY_ERR;
-#else
+#ifdef PAM_AUTHTOK_RECOVER_ERR
 	return PAM_AUTHTOK_RECOVER_ERR;
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
+#else
+	return PAM_AUTHTOK_RECOVERY_ERR;
+#endif /* PAM_AUTHTOK_RECOVER_ERR */
     }
 
   tries = 0;
@@ -3533,11 +3546,11 @@
 	}
       else
 	{
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
-	  return PAM_AUTHTOK_RECOVERY_ERR;
-#else
+#ifdef PAM_AUTHTOK_RECOVER_ERR
 	  return PAM_AUTHTOK_RECOVER_ERR;
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
+#else
+	  return PAM_AUTHTOK_RECOVERY_ERR;
+#endif /* PAM_AUTHTOK_RECOVER_ERR */
 	}
 
       if (cmiscptr == NULL)
@@ -3569,11 +3582,11 @@
 		{
 		  _conv_sendmsg (appconv, "Password change aborted",
 				 PAM_ERROR_MSG, no_warn);
-#ifdef PAM_AUTHTOK_RECOVERY_ERR
-		  return PAM_AUTHTOK_RECOVERY_ERR;
-#else
+#ifdef PAM_AUTHTOK_RECOVER_ERR
 		  return PAM_AUTHTOK_RECOVER_ERR;
-#endif /* PAM_AUTHTOK_RECOVERY_ERR */
+#else
+		  return PAM_AUTHTOK_RECOVERY_ERR;
+#endif /* PAM_AUTHTOK_RECOVER_ERR */
 		}
 	    }
 	  else if (!strcmp (newpass, miscptr))

