From d55d963af8f42fe4caa4dac1d39968aad7864437 Mon Sep 17 00:00:00 2001 | |
From: Randall Mason <randall@mason.ch> | |
Date: Mon, 20 Aug 2018 19:16:32 -0500 | |
Subject: [PATCH] Add option to bind early in ldappasswd | |
ldappasswd is slightly different from a standard passwd workflow in that it | |
requests an old password, then a new password, then the old password | |
again. This confuses people who are used to the unix passwd tool as | |
well as people who use a password manager. I've seen quite a few people | |
who have generated a new password, overwriting the old one, and then | |
need a password reset because they still need to bind to modify their | |
password. | |
This patch adds an option to bind at the beginning of the process so | |
that you can pass '-E' to ldappasswd and it will bind early in the | |
process so that the process is the same as the standard passwd. All it | |
does is run the bind towards the beginning of the process instead of the | |
end. | |
The attached patch file is derived from OpenLDAP Software. All of | |
the modifications to OpenLDAP Software represented in the following | |
patch(es) were developed by Randall Mason randall@mason.ch. I have not | |
assigned rights and/or interest in this work to any party. | |
I, Randall Mason, hereby place the following modifications to | |
OpenLDAP Software (and only these modifications) into the public domain. | |
Hence, these modifications may be freely used and/or redistributed for | |
any purpose with or without attribution and/or other notice. | |
--- | |
clients/tools/ldappasswd.c | 23 ++++++++++++++++++++--- | |
1 file changed, 20 insertions(+), 3 deletions(-) | |
diff --git a/clients/tools/ldappasswd.c b/clients/tools/ldappasswd.c | |
index 501d0bad5..231cb8e10 100644 | |
--- a/clients/tools/ldappasswd.c | |
+++ b/clients/tools/ldappasswd.c | |
@@ -56,6 +56,7 @@ | |
static struct berval newpw = { 0, NULL }; | |
static struct berval oldpw = { 0, NULL }; | |
+static int want_bindearly = 0; | |
static int want_newpw = 0; | |
static int want_oldpw = 0; | |
@@ -69,6 +70,7 @@ usage( void ) | |
fprintf( stderr,_("usage: %s [options] [user]\n"), prog); | |
fprintf( stderr, _(" user: the authentication identity, commonly a DN\n")); | |
fprintf( stderr, _("Password change options:\n")); | |
+ fprintf( stderr, _(" -E bind early\n")); | |
fprintf( stderr, _(" -a secret old password\n")); | |
fprintf( stderr, _(" -A prompt for old password\n")); | |
fprintf( stderr, _(" -t file read file for old password\n")); | |
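Review bot: The usage text added for `-E` says only "bind early", which does not tell a user what changes relative to the default flow, and the diffstat shows no manual page update to fall back on. The neighbouring lines each say what the option takes or prompts for, so the new line should say when the bind happens, e.g. `fprintf( stderr, _(" -E bind before prompting for passwords\n"));`. The ldappasswd.1 page would need a matching entry in a follow-up.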
@@ -80,7 +82,7 @@ usage( void ) | |
} | |
-const char options[] = "a:As:St:T:" | |
+const char options[] = "Ea:As:St:T:" | |
"d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z"; | |
int | |
@@ -117,6 +119,11 @@ handle_private_option( int i ) | |
} | |
#endif | |
+ case 'E': /* bind to the LDAP server before other actions */ | |
+ want_bindearly++; | |
+ break; | |
+ | |
+ | |
case 'a': /* old password (secret) */ | |
oldpw.bv_val = strdup( optarg ); | |
{ | |
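Review bot: Two consecutive blank lines are added after the new `case 'E':` block, which is more separation than a single case needs; drop one of them so the spacing matches the other cases (their blank lines are not visible in this extraction, so confirm against the file). The counter form `want_bindearly++` follows the `want_newpw`/`want_oldpw` flags declared in the first hunk, and the value is only ever tested for non-zero in the later hunks, so that is consistent as far as visible. handle_private_option() starts and ends outside the hunk.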
@@ -195,6 +202,13 @@ main( int argc, char *argv[] ) | |
user = NULL; | |
} | |
+ if( want_bindearly ) { | |
+ /* bind */ | |
+ ld = tool_conn_setup( 0, 0 ); | |
+ | |
+ tool_bind( ld ); | |
+ } | |
+ | |
if( oldpwfile ) { | |
rc = lutil_get_filed_password( oldpwfile, &oldpw ); | |
if( rc ) { | |
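Review bot: The block added before `if( oldpwfile )` binds before the old-password file is read and before any password prompt, so every failure path from here to the password-modify request now runs with a bound session; the `if( rc )` branch immediately after it is the first such path, and its body is outside the hunk, so confirm these paths reach the tool's shared exit/unbind rather than returning directly, otherwise the session is dropped without an unbind. The same `tool_conn_setup( 0, 0 )` / `tool_bind( ld )` pair is repeated under `if( ! want_bindearly )` in the next hunk; a small static helper returning the `LDAP *` would keep the two sites from drifting. The `/* bind */` comment at both sites repeats the next line; at this site it should instead give the reason for the option, e.g. `/* -E: authenticate first, so a bind failure is reported before the user is asked for a new password */`. main() starts and ends outside the hunk.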
@@ -245,9 +259,12 @@ main( int argc, char *argv[] ) | |
newpw.bv_len = strlen( newpw.bv_val ); | |
} | |
- ld = tool_conn_setup( 0, 0 ); | |
+ if( ! want_bindearly ) { | |
+ /* bind */ | |
+ ld = tool_conn_setup( 0, 0 ); | |
- tool_bind( ld ); | |
+ tool_bind( ld ); | |
+ } | |
if( user != NULL || oldpw.bv_val != NULL || newpw.bv_val != NULL ) { | |
/* build the password modify request data */ | |
-- | |
2.18.0 | |