How to change password in pam-ldap?
hi
I use PAM with OpenLDAP. Login authentication through pam_ldap already works,
but I cannot use pam_chauthtok to change the password stored in LDAP.
Can someone tell me what is wrong?
My program source:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <security/pam_appl.h>
#include <security/pam_misc.h>
/* Prints the outcome of the PAM call named by fn and exits when asked to; defined below. */
static void bail_out(pam_handle_t *pamh, int really, int code, const char *fn);
/* Conversation callback used by main() for pam_chauthtok(); appdata_ptr is a struct chpass *. */
int auc_conv_chpass(int num_msg, const struct pam_message **msg,struct pam_response **resp, void *appdata_ptr);
/* Simpler conversation callback (not used by main() in this listing); appdata_ptr is the reply itself. */
int auc_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr);
/* File-scope copy of the response array most recently allocated by a
 * conversation function; it is set just before the array is handed to PAM. */
struct pam_response *resp_data;
/* Current and replacement password passed to auc_conv_chpass() via appdata_ptr.
 * Note: "new" is a C++ keyword, so rename the field if this is ever built as C++. */
struct chpass
{
char *old, *new;
};
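/*
 * Entry point: drives a PAM password change for the account "laomao" through
 * the "testpam" service and reports each PAM call's result on stderr via
 * bail_out(), which terminates the process with status 1 on any failure.
 *
 * Returns 0 when every PAM call succeeded.
 */
int main(void)
{
    struct chpass appdata;
    struct pam_conv conv;
    pam_handle_t *pamh = NULL;
    int retcode;

    /* The conversation callback answers pam_ldap's prompts with these two
     * strings: the current password and its replacement.  These are test
     * values baked into the binary; anything beyond a throw-away test should
     * read them from the terminal instead of keeping them in source. */
    appdata.old = "test123";
    appdata.new = "ceshi";
    conv.conv = auc_conv_chpass;
    conv.appdata_ptr = &appdata;    /* no cast needed: any object pointer converts to void * */

    retcode = pam_start("testpam", "laomao", &conv, &pamh);
    bail_out(pamh, 1, retcode, "pam_start");

    retcode = pam_chauthtok(pamh, PAM_SILENT);
    bail_out(pamh, 1, retcode, "pam_chauthtok");

    /* pam_end() releases the handle, so its own status is what gets reported
     * and pamh must not be passed to pam_strerror() afterwards (Linux-PAM's
     * pam_strerror() does not dereference the handle, so NULL is safe here). */
    retcode = pam_end(pamh, PAM_SUCCESS);
    pamh = NULL;
    bail_out(NULL, 1, retcode, "pam_end");
    return 0;
}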
/*
 * Report the outcome of the PAM call named by fn on stderr and, when really
 * is non-zero, terminate the process if that outcome was a failure.
 *
 * pamh   handle given to pam_strerror() to render code as text
 * really non-zero: exit(1) on any non-zero code; zero: only print
 * code   return value of the PAM call being reported
 * fn     name of the PAM function, used in the message
 */
static void bail_out(pam_handle_t *pamh, int really, int code, const char *fn)
{
    const char *text = pam_strerror(pamh, code);

    fprintf(stderr, "==> called %s()\n got: `%s'\n", fn, text);
    if (!really || code == 0) {
        return;
    }
    exit(1);
}
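/*
 * Minimal PAM conversation callback: answers every prompt with the single
 * NUL-terminated string supplied through appdata_ptr.
 *
 * Per pam_conv(3) the response array and each response string belong to the
 * module after return and are released with free(), so the answer is copied
 * with strdup() instead of handing over the caller's pointer (which here is
 * a string literal and must never reach free()).  Non-prompt messages
 * (PAM_ERROR_MSG, PAM_TEXT_INFO) keep a NULL response.  Only num_msg entries
 * are ever written.
 *
 * Returns PAM_SUCCESS; PAM_CONV_ERR for a non-positive num_msg or a NULL
 * argument; PAM_BUF_ERR when allocation fails, in which case everything
 * already allocated is freed and *resp is left untouched.
 */
int
auc_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
{
    const char *answer = appdata_ptr;
    struct pam_response *replies;
    int i;

    if (num_msg <= 0 || msg == NULL || resp == NULL || answer == NULL)
        return PAM_CONV_ERR;

    /* calloc() zeroes every resp pointer and resp_retcode up front. */
    replies = calloc((size_t)num_msg, sizeof *replies);
    if (replies == NULL)
        return PAM_BUF_ERR;

    for (i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF &&
            msg[i]->msg_style != PAM_PROMPT_ECHO_ON)
            continue;
        replies[i].resp = strdup(answer);
        if (replies[i].resp == NULL) {
            while (i-- > 0)
                free(replies[i].resp);    /* free(NULL) is a no-op for unanswered slots */
            free(replies);
            return PAM_BUF_ERR;
        }
    }

    resp_data = replies;    /* keep the file-scope pointer in step with the array handed out */
    *resp = replies;
    return PAM_SUCCESS;
}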
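/*
 * Conversation callback for pam_chauthtok(): appdata_ptr points at a struct
 * chpass, and each prompt is answered with either its old or its new field.
 *
 * A prompt whose text starts with "(current)" is taken to be the request for
 * the current password (the prefix this program expects pam_ldap to use) and
 * is answered with old; every other prompt, including any re-type prompt, is
 * answered with new.  Non-prompt messages keep a NULL response.
 *
 * Responses are copied with strdup() because the module frees them, and the
 * loop writes exactly num_msg entries: the array is sized by num_msg, so a
 * second entry must never be assumed to exist.
 *
 * Returns PAM_SUCCESS; PAM_CONV_ERR for a non-positive num_msg or a NULL
 * argument; PAM_BUF_ERR when allocation fails (answers copied so far are
 * freed and *resp is left untouched).
 */
int
auc_conv_chpass(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr)
{
    const struct chpass *pw = appdata_ptr;
    struct pam_response *replies;
    int i;

    if (num_msg <= 0 || msg == NULL || resp == NULL || pw == NULL)
        return PAM_CONV_ERR;

    /* Zeroed array: every resp starts NULL and every resp_retcode 0. */
    replies = calloc((size_t)num_msg, sizeof *replies);
    if (replies == NULL)
        return PAM_BUF_ERR;

    for (i = 0; i < num_msg; i++) {
        const char *text = msg[i]->msg;
        const char *answer;

        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF &&
            msg[i]->msg_style != PAM_PROMPT_ECHO_ON)
            continue;

        answer = (text != NULL && strncmp(text, "(current)", 9) == 0) ? pw->old : pw->new;
        if (answer == NULL)
            continue;    /* nothing to say; leave the NULL response */
        replies[i].resp = strdup(answer);
        if (replies[i].resp == NULL)
            goto fail;
    }

    resp_data = replies;    /* keep the file-scope pointer in step with the array handed out */
    *resp = replies;
    return PAM_SUCCESS;

fail:
    while (i-- > 0)
        free(replies[i].resp);    /* free(NULL) is a no-op for unanswered slots */
    free(replies);
    return PAM_BUF_ERR;
}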
The result of the program:
caesar@cvs:~/cvs/pam$ ./testpam
==> called pam_start()
got: `Success'
==> called pam_chauthtok()
got: `Have exhasted maximum number of retries for service.'
caesar@cvs:~/cvs/pam$ cat /etc/pam.d/testpam
#%PAM-1.0
#auth required /lib/security/pam_unix.so shadow nullok
#auth required /lib/security/pam_nologin.so
#account required /lib/security/pam_unix.so
#password required /lib/security/pam_unix.so not_set_pass nullok
#session required /lib/security/pam_unix.so
auth required /lib/security/pam_ldap.so debug
account required /lib/security/pam_ldap.so debug
password required /lib/security/pam_ldap.so debug
session required /lib/security/pam_ldap.so debug
caesar@cvs:~/cvs/pam$ cat /etc/pam_ldap.conf
###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure to configure this file
#
# @(#)$Id: ldap.conf,v 1.24 2001/09/20 14:12:26 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
host 127.0.0.1
# The distinguished name of the search base.
base dc=net,dc=dlut,dc=edu,dc=cn
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=admin,dc=net,dc=dlut,dc=edu,dc=cn
# The credentials to bind with.
# Optional: default is no credential.
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=net,dc=dlut,dc=edu,dc=cn
# The port.
# Optional: default is 389.
#port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind timelimit
#bind_timelimit 30
# Filter to AND with uid=%s
#pam_filter objectclass=account
# The user ID attribute (defaults to uid)
pam_login_attribute cn
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=net
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_password clear
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#pam_password nds
# For IBM SecureWay support, do:
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
cvs:/home/caesar# cat /etc/ldap/slapd.conf
# This is the main ldapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
#schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Where to store the replica logs
replogfile /var/lib/ldap/replog
# Read slapd.conf(5) for possible values
loglevel -1
#loglevel 256
#######################################################################
# ldbm database definitions
#######################################################################
# The backend type, ldbm, is the default standard
database ldbm
# The base of your directory
suffix "dc=net,dc=dlut,dc=edu,dc=cn"
# Where the database file are physically stored
directory "/var/lib/ldap"
# Indexing options
index objectClass eq
# Save the time that the entry gets modified
lastmod on
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attribute=userPassword
by dn="cn=admin,dc=net,dc=dlut,dc=edu,dc=cn" write
by anonymous auth
by self write
# by * write
# by self write
# by * none
# The admin dn has full write access
access to *
by dn="cn=admin,dc=net,dc=dlut,dc=edu,dc=cn" write
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
access to dn=".*,ou=Roaming,o=morsnet"
by dn="cn=admin,dc=net,dc=dlut,dc=edu,dc=cn" write
by dnattr=owner write
The slapd log for this run:
Nov 12 05:37:13 cvs slapd[21068]: daemon: conn=1 fd=9 connection from IP=127.0.0.1:1907 (IP=0.0.0.0:34049) accepted.
Nov 12 05:37:13 cvs slapd[21073]: conn=1 op=0 BIND dn="" method=128
Nov 12 05:37:13 cvs slapd[21073]: conn=1 op=0 RESULT tag=97 err=0 text=
Nov 12 05:37:13 cvs slapd[21074]: conn=1 op=1 SRCH base="dc=net,dc=dlut,dc=edu,dc=cn" scope=2 filter="(cn=laomao)"
Nov 12 05:37:13 cvs slapd[21074]: conn=1 op=1 SEARCH RESULT tag=101 err=0 text=
Nov 12 05:37:13 cvs slapd[21073]: conn=1 op=2 BIND dn="CN=LAOMAO,DC=NET,DC=DLUT,DC=EDU,DC=CN" method=128
Nov 12 05:37:13 cvs slapd[21073]: conn=1 op=2 RESULT tag=97 err=49 text=
Nov 12 05:37:13 cvs slapd[21074]: conn=1 op=3 BIND dn="" method=128
Nov 12 05:37:13 cvs slapd[21074]: conn=1 op=3 RESULT tag=97 err=0 text=
Nov 12 05:37:13 cvs slapd[21073]: conn=1 op=4 BIND dn="CN=LAOMAO,DC=NET,DC=DLUT,DC=EDU,DC=CN" method=128
Nov 12 05:37:13 cvs slapd[21073]: conn=1 op=4 RESULT tag=97 err=49 text=
Nov 12 05:37:13 cvs slapd[21074]: conn=1 op=5 BIND dn="" method=128
Nov 12 05:37:13 cvs slapd[21074]: conn=1 op=5 RESULT tag=97 err=0 text=
Nov 12 05:37:13 cvs slapd[21073]: conn=1 op=6 BIND dn="CN=LAOMAO,DC=NET,DC=DLUT,DC=EDU,DC=CN" method=128
Nov 12 05:37:13 cvs slapd[21073]: conn=1 op=6 RESULT tag=97 err=49 text=
Nov 12 05:37:13 cvs slapd[21074]: conn=1 op=7 BIND dn="" method=128
Nov 12 05:37:13 cvs slapd[21074]: conn=1 op=7 RESULT tag=97 err=0 text=
Nov 12 05:37:13 cvs slapd[21068]: conn=-1 fd=9 closed