[pam_ldap] - add Ross Tyler's patch to always require authentication during password change requests for expi

Nalin Dahyabhai nalin at fedoraproject.org
Thu Mar 17 21:17:37 UTC 2011


commit 587ae93c567c0e03bd50f81c27ec92f60bb5ed76
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Thu Mar 17 17:17:07 2011 -0400

    - add Ross Tyler's patch to always require authentication during password
      change requests for expired passwords, so that modules which check password
      quality (pam_cracklib) will always have the old password on-hand to examine
      as well (#667758)

 ...ap-176-authenticateOnChangeExpiredAuthtok.patch |   11 +++++++++++
 pam_ldap.spec                                      |   10 +++++++++-
 2 files changed, 20 insertions(+), 1 deletions(-)
---
diff --git a/pam_ldap-176-authenticateOnChangeExpiredAuthtok.patch b/pam_ldap-176-authenticateOnChangeExpiredAuthtok.patch
new file mode 100644
index 0000000..009326f
--- /dev/null
+++ b/pam_ldap-176-authenticateOnChangeExpiredAuthtok.patch
@@ -0,0 +1,11 @@
+--- pam_ldap-176/pam_ldap.c	2011-01-06 07:37:12.000000000 -0800
++++ pam_ldap-176/pam_ldap.c	2011-01-06 07:38:59.000000000 -0800
+@@ -3415,7 +3415,7 @@
+       if (rc != PAM_SUCCESS)
+ 	return rc;
+ 
+-      if (!(session->conf->rootbinddn && getuid () == 0))
++      if (!(session->conf->rootbinddn && getuid () == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK)))
+ 	{
+ 	  /* we are not root, authenticate old password */
+ 	  if (try_first_pass || use_first_pass)
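Review bot: The retained comment `/* we are not root, authenticate old password */` no longer matches the condition on the changed line. With the added `!(flags & PAM_CHANGE_EXPIRED_AUTHTOK)` term, a root caller with `rootbinddn` configured also enters this branch when the expired-token flag is set. I would reword it to `/* not root with rootbinddn, or an expired-password change: authenticate old password */`. The old-password check is still skipped for root with `rootbinddn` whenever the flag is absent, and as far as I can tell the flag is supplied by the application calling `pam_chauthtok()`, so a short comment stating that the guarantee covers only callers that pass it would help the next reader. The enclosing function starts and ends outside this hunk, so how `flags` is otherwise validated is not visible here.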
diff --git a/pam_ldap.spec b/pam_ldap.spec
index a6dd205..f070aac 100644
--- a/pam_ldap.spec
+++ b/pam_ldap.spec
@@ -7,7 +7,7 @@
 Summary: PAM module for LDAP
 Name: pam_ldap
 Version: 185
-Release: 9%{?dist}
+Release: 10%{?dist}
 URL: http://www.padl.com/OSS/pam_ldap.html
 License: LGPLv2+
 Group: System Environment/Base
@@ -23,6 +23,7 @@ Patch13: pam_ldap-176-exop-modify.patch
 Patch20: pam_ldap-184-nsrole.patch
 Patch23: pam_ldap-183-releaseconfig.patch
 Patch24: pam_ldap-185-expiration4.patch
+Patch25: pam_ldap-176-authenticateOnChangeExpiredAuthtok.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf, automake, libtool
@@ -52,6 +53,7 @@ cp nss_ldap-%{nss_ldap_version}/snprintf.h .
 %patch20 -p1 -b .nsrole
 %patch23 -p1 -b .releaseconfig
 %patch24 -p1 -b .expiration4
+%patch25 -p1 -b .authenticateOnChangeExpiredAuthtok
 sed -i -e 's,^ldap.conf$,%{name}.conf,g' *.5
 sed -i -e 's,^/etc/ldap\.,/etc/%{name}.,g' *.5
 sed -i -e 's,in ldap.conf,in %{name}.conf,g' *.5
@@ -129,6 +131,12 @@ fi
 %attr(0600,root,root) %ghost %config(noreplace) /etc/%{name}.secret
 
 %changelog
+* Thu Mar 17 2011 Nalin Dahyabhai <nalin at redhat.com> 185-10
+- add Ross Tyler's patch to always require authentication during password
+  change requests for expired passwords, so that modules which check password
+  quality (pam_cracklib) will always have the old password on-hand to examine
+  as well (#667758)
+
 * Tue Feb 08 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 185-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
 

