[pam_ldap] - add Ross Tyler's patch to always require authentication during password change requests for expi
Nalin Dahyabhai
nalin at fedoraproject.org
Thu Mar 17 21:17:37 UTC 2011
commit 587ae93c567c0e03bd50f81c27ec92f60bb5ed76
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Thu Mar 17 17:17:07 2011 -0400
- add Ross Tyler's patch to always require authentication during password
change requests for expired passwords, so that modules which check password
quality (pam_cracklib) will always have the old password on-hand to examine
as well (#667758)
...ap-176-authenticateOnChangeExpiredAuthtok.patch | 11 +++++++++++
pam_ldap.spec | 10 +++++++++-
2 files changed, 20 insertions(+), 1 deletions(-)
---
diff --git a/pam_ldap-176-authenticateOnChangeExpiredAuthtok.patch b/pam_ldap-176-authenticateOnChangeExpiredAuthtok.patch
new file mode 100644
index 0000000..009326f
--- /dev/null
+++ b/pam_ldap-176-authenticateOnChangeExpiredAuthtok.patch
@@ -0,0 +1,11 @@
+--- pam_ldap-176/pam_ldap.c 2011-01-06 07:37:12.000000000 -0800
++++ pam_ldap-176/pam_ldap.c 2011-01-06 07:38:59.000000000 -0800
+@@ -3415,7 +3415,7 @@
+ if (rc != PAM_SUCCESS)
+ return rc;
+
+- if (!(session->conf->rootbinddn && getuid () == 0))
++ if (!(session->conf->rootbinddn && getuid () == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK)))
+ {
+ /* we are not root, authenticate old password */
+ if (try_first_pass || use_first_pass)
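Review bot: The context comment under the changed condition, /* we are not root, authenticate old password */, no longer describes the branch. With the added !(flags & PAM_CHANGE_EXPIRED_AUTHTOK) term, root with rootbinddn configured also enters it when the request is for an expired password. Suggest updating the comment in the same patch to say that the old password is authenticated unless the caller is root with rootbinddn and the request is not an expired-token change. The embedded patch also has no header describing its purpose or origin; a short description with the bug reference (#667758) at the top of the file would keep the rationale next to the code.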
diff --git a/pam_ldap.spec b/pam_ldap.spec
index a6dd205..f070aac 100644
--- a/pam_ldap.spec
+++ b/pam_ldap.spec
@@ -7,7 +7,7 @@
Summary: PAM module for LDAP
Name: pam_ldap
Version: 185
-Release: 9%{?dist}
+Release: 10%{?dist}
URL: http://www.padl.com/OSS/pam_ldap.html
License: LGPLv2+
Group: System Environment/Base
@@ -23,6 +23,7 @@ Patch13: pam_ldap-176-exop-modify.patch
Patch20: pam_ldap-184-nsrole.patch
Patch23: pam_ldap-183-releaseconfig.patch
Patch24: pam_ldap-185-expiration4.patch
+Patch25: pam_ldap-176-authenticateOnChangeExpiredAuthtok.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: autoconf, automake, libtool
@@ -52,6 +53,7 @@ cp nss_ldap-%{nss_ldap_version}/snprintf.h .
%patch20 -p1 -b .nsrole
%patch23 -p1 -b .releaseconfig
%patch24 -p1 -b .expiration4
+%patch25 -p1 -b .authenticateOnChangeExpiredAuthtok
sed -i -e 's,^ldap.conf$,%{name}.conf,g' *.5
sed -i -e 's,^/etc/ldap\.,/etc/%{name}.,g' *.5
sed -i -e 's,in ldap.conf,in %{name}.conf,g' *.5
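Review bot: %patch25 applies a patch whose paths and hunk header (pam_ldap-176/pam_ldap.c, @@ -3415,7 +3415,7 @@) come from pam_ldap-176, while the spec builds Version: 185, so it may apply only with an offset or fuzz. Since the changed line decides whether the old password is authenticated, worth confirming in the build log that the hunk applies cleanly and lands on the intended check, or regenerating the patch against 185.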
@@ -129,6 +131,12 @@ fi
%attr(0600,root,root) %ghost %config(noreplace) /etc/%{name}.secret
%changelog
+* Thu Mar 17 2011 Nalin Dahyabhai <nalin at redhat.com> 185-10
+- add Ross Tyler's patch to always require authentication during password
+ change requests for expired passwords, so that modules which check password
+ quality (pam_cracklib) will always have the old password on-hand to examine
+ as well (#667758)
+
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 185-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
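Review bot: The new changelog header ends in "185-10" with no separating dash, while the entry directly below it uses "- 185-9". Suggest writing the header as "... <nalin at redhat.com> - 185-10" so the version-release field is formatted consistently across entries.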