| From d55d963af8f42fe4caa4dac1d39968aad7864437 Mon Sep 17 00:00:00 2001 | |
| From: Randall Mason <randall@mason.ch> | |
| Date: Mon, 20 Aug 2018 19:16:32 -0500 | |
| Subject: [PATCH] Add option to bind early in ldappasswd | |
| ldappasswd is slightly different from a standard passwd workflow in that it | |
| requests an old password, then a new password, then the old password | |
| again. This confuses people who are used to the unix passwd tool as | |
| well as people who use password manager. I've seen quite a few people | |
| who have generated a new password, overwriting the old one, and then | |
| need a password reset because they still need to bind to modify their | |
| password. | |
| This patch adds an option to bind at the beginning of the process so | |
| that you can pass '-E' to ldappasswd and it will bind early in the | |
| process so that the process is the same as the standard passwd. All it | |
| does is run the bind towards the beginning of the process instead of the | |
| end. | |
| The attached patch file is derived from OpenLDAP Software. All of | |
| the modifications to OpenLDAP Software represented in the following | |
| patch(es) were developed by Randall Mason randall@mason.ch. I have not | |
| assigned rights and/or interest in this work to any party. | |
| I, Randall Mason, hereby place the following modifications to | |
| OpenLDAP Software (and only these modifications) into the public domain. | |
| Hence, these modifications may be freely used and/or redistributed for | |
| any purpose with or without attribution and/or other notice. | |
| --- | |
| clients/tools/ldappasswd.c | 23 ++++++++++++++++++++--- | |
| 1 file changed, 20 insertions(+), 3 deletions(-) | |
| diff --git a/clients/tools/ldappasswd.c b/clients/tools/ldappasswd.c | |
| index 501d0bad5..231cb8e10 100644 | |
| --- a/clients/tools/ldappasswd.c | |
| +++ b/clients/tools/ldappasswd.c | |
| @@ -56,6 +56,7 @@ | |
| static struct berval newpw = { 0, NULL }; | |
| static struct berval oldpw = { 0, NULL }; | |
| +static int want_bindearly = 0; | |
| static int want_newpw = 0; | |
| static int want_oldpw = 0; | |
| @@ -69,6 +70,7 @@ usage( void ) | |
| fprintf( stderr,_("usage: %s [options] [user]\n"), prog); | |
| fprintf( stderr, _(" user: the authentication identity, commonly a DN\n")); | |
| fprintf( stderr, _("Password change options:\n")); | |
| + fprintf( stderr, _(" -E bind early\n")); | |
| fprintf( stderr, _(" -a secret old password\n")); | |
| fprintf( stderr, _(" -A prompt for old password\n")); | |
| fprintf( stderr, _(" -t file read file for old password\n")); | |
| @@ -80,7 +82,7 @@ usage( void ) | |
| } | |
| -const char options[] = "a:As:St:T:" | |
| +const char options[] = "Ea:As:St:T:" | |
| "d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z"; | |
| int | |
| @@ -117,6 +119,11 @@ handle_private_option( int i ) | |
| } | |
| #endif | |
| + case 'E': /* bind to the LDAP server before other actions */ | |
| + want_bindearly++; | |
| + break; | |
| + | |
| + | |
| case 'a': /* old password (secret) */ | |
| oldpw.bv_val = strdup( optarg ); | |
| { | |
| @@ -195,6 +202,13 @@ main( int argc, char *argv[] ) | |
| user = NULL; | |
| } | |
| + if( want_bindearly ) { | |
| + /* bind */ | |
| + ld = tool_conn_setup( 0, 0 ); | |
| + | |
| + tool_bind( ld ); | |
| + } | |
| + | |
| if( oldpwfile ) { | |
| rc = lutil_get_filed_password( oldpwfile, &oldpw ); | |
| if( rc ) { | |
| @@ -245,9 +259,12 @@ main( int argc, char *argv[] ) | |
| newpw.bv_len = strlen( newpw.bv_val ); | |
| } | |
| - ld = tool_conn_setup( 0, 0 ); | |
| + if( ! want_bindearly ) { | |
| + /* bind */ | |
| + ld = tool_conn_setup( 0, 0 ); | |
| - tool_bind( ld ); | |
| + tool_bind( ld ); | |
| + } | |
| if( user != NULL || oldpw.bv_val != NULL || newpw.bv_val != NULL ) { | |
| /* build the password modify request data */ | |
| -- | |
| 2.18.0 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment