├── NEWS ├── stamp-h.in ├── autogen.sh ├── .cvsignore ├── pam.d ├── vlock ├── xlock ├── xscreensaver ├── ppp ├── xserver ├── halt ├── other ├── imap ├── pop ├── samba ├── linuxconf ├── reboot ├── poweroff ├── shutdown ├── rsh ├── rexec ├── passwd ├── su ├── mcserv ├── ftp ├── chfn ├── chsh ├── ssh ├── kde ├── login ├── rlogin ├── gdm ├── xdm └── linuxconf-pair ├── exports.hpux ├── exports.aix ├── exports.linux ├── exports.solaris ├── acconfig.h ├── CVSVersionInfo.txt ├── ldapns.schema ├── mkinstalldirs ├── cvslib.pl ├── Makefile.am ├── pam.conf ├── AUTHORS ├── vers_string ├── md5.h ├── chsh ├── chfn ├── pam_ldap.spec ├── config.h.in ├── certutil ├── install-sh ├── configure.in ├── missing ├── ns-pwd-policy.schema ├── INSTALL ├── README ├── ldap.conf ├── pam_ldap.h ├── md5.c ├── depcomp ├── pam_ldap.5 ├── COPYING └── Makefile.in /NEWS: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /stamp-h.in: -------------------------------------------------------------------------------- 1 | timestamp 2 | -------------------------------------------------------------------------------- /autogen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | aclocal14 3 | automake14 4 | autoheader213 5 | autoconf213 6 | -------------------------------------------------------------------------------- /.cvsignore: -------------------------------------------------------------------------------- 1 | config.log 2 | config.h 3 | config.cache 4 | config.status 5 | stamp-h 6 | Makefile 7 | -------------------------------------------------------------------------------- /pam.d/vlock: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_ldap.so 3 | auth required /lib/security/pam_pwdb.so shadow nullok 4 | 
-------------------------------------------------------------------------------- /pam.d/xlock: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_ldap.so 3 | auth required /lib/security/pam_pwdb.so shadow nullok 4 | -------------------------------------------------------------------------------- /exports.hpux: -------------------------------------------------------------------------------- 1 | +e pam_sm_authenticate +e pam_sm_acct_mgmt +e pam_sm_setcred +e pam_sm_open_session +e pam_sm_close_session +e pam_sm_chauthtok 2 | -------------------------------------------------------------------------------- /pam.d/xscreensaver: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_ldap.so 3 | auth required /lib/security/pam_pwdb.so shadow nullok 4 | -------------------------------------------------------------------------------- /pam.d/ppp: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth required pam_nologin.so 3 | auth required pam_pwdb.so shadow nullok 4 | account required pam_pwdb.so 5 | session required pam_pwdb.so 6 | -------------------------------------------------------------------------------- /pam.d/xserver: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_rootok.so 3 | auth required /lib/security/pam_console.so 4 | account required /lib/security/pam_permit.so 5 | -------------------------------------------------------------------------------- /exports.aix: -------------------------------------------------------------------------------- 1 | #! 
2 | 3 | * Published PAM service module interfaces 4 | pam_sm_authenticate 5 | pam_sm_acct_mgmt 6 | pam_sm_setcred 7 | pam_sm_open_session 8 | pam_sm_close_session 9 | pam_sm_chauthtok 10 | 11 | -------------------------------------------------------------------------------- /pam.d/halt: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_rootok.so 3 | auth required /lib/security/pam_console.so 4 | auth required /lib/security/pam_pwdb.so 5 | account required /lib/security/pam_permit.so 6 | -------------------------------------------------------------------------------- /pam.d/other: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth required /lib/security/pam_deny.so 3 | account required /lib/security/pam_deny.so 4 | password required /lib/security/pam_deny.so 5 | session required /lib/security/pam_deny.so 6 | -------------------------------------------------------------------------------- /pam.d/imap: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_ldap.so 3 | auth required /lib/security/pam_unix_auth.so try_first_pass 4 | account sufficient /lib/security/pam_ldap.so 5 | account required /lib/security/pam_unix_acct.so 6 | -------------------------------------------------------------------------------- /pam.d/pop: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_ldap.so 3 | auth required /lib/security/pam_unix_auth.so try_first_pass 4 | account sufficient /lib/security/pam_ldap.so 5 | account required /lib/security/pam_unix_acct.so 6 | -------------------------------------------------------------------------------- /pam.d/samba: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_ldap.so 3 
| auth required /lib/security/pam_unix_auth.so try_first_pass 4 | account sufficient /lib/security/pam_ldap.so 5 | account required /lib/security/pam_unix_acct.so 6 | -------------------------------------------------------------------------------- /pam.d/linuxconf: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_ldap.so 3 | auth required /lib/security/pam_unix_auth.so try_first_pass 4 | account sufficient /lib/security/pam_ldap.so 5 | account required /lib/security/pam_unix_acct.so 6 | -------------------------------------------------------------------------------- /pam.d/reboot: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_rootok.so 3 | auth required /lib/security/pam_console.so 4 | auth sufficient /lib/security/pam_ldap.so 5 | auth required /lib/security/pam_pwdb.so 6 | account required /lib/security/pam_permit.so 7 | -------------------------------------------------------------------------------- /pam.d/poweroff: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_rootok.so 3 | auth required /lib/security/pam_console.so 4 | auth sufficient /lib/security/pam_ldap.so 5 | auth required /lib/security/pam_pwdb.so 6 | account required /lib/security/pam_permit.so 7 | -------------------------------------------------------------------------------- /pam.d/shutdown: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_rootok.so 3 | auth required /lib/security/pam_console.so 4 | auth sufficient /lib/security/pam_ldap.so 5 | auth required /lib/security/pam_pwdb.so 6 | account required /lib/security/pam_permit.so 7 | -------------------------------------------------------------------------------- /exports.linux: 
-------------------------------------------------------------------------------- 1 | #ident $Id$ 2 | EXPORTED { 3 | global: 4 | # Published PAM service module interfaces 5 | pam_sm_authenticate; 6 | pam_sm_acct_mgmt; 7 | pam_sm_setcred; 8 | pam_sm_open_session; 9 | pam_sm_close_session; 10 | pam_sm_chauthtok; 11 | local: 12 | *; 13 | }; 14 | -------------------------------------------------------------------------------- /exports.solaris: -------------------------------------------------------------------------------- 1 | #ident $Id$ 2 | pam_ldap.so.1 { 3 | global: 4 | # Published PAM service module interfaces 5 | pam_sm_authenticate; 6 | pam_sm_acct_mgmt; 7 | pam_sm_setcred; 8 | pam_sm_open_session; 9 | pam_sm_close_session; 10 | pam_sm_chauthtok; 11 | local: 12 | *; 13 | }; 14 | -------------------------------------------------------------------------------- /pam.d/rsh: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth required /lib/security/pam_rhosts_auth.so 3 | auth required /lib/security/pam_nologin.so 4 | account sufficient /lib/security/pam_ldap.so 5 | account required /lib/security/pam_unix_acct.so try_first_pass 6 | session required /lib/security/pam_unix_session.so 7 | -------------------------------------------------------------------------------- /pam.d/rexec: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth required /lib/security/pam_securetty.so 3 | auth required /lib/security/pam_nologin.so 4 | auth sufficient /lib/security/pam_ldap.so 5 | auth required /lib/security/pam_unix_auth.so try_first_pass 6 | account sufficient /lib/security/pam_ldap.so 7 | account required /lib/security/pam_unix_acct.so 8 | -------------------------------------------------------------------------------- /acconfig.h: -------------------------------------------------------------------------------- 1 | /* Define to the number of arguments to ldap_set_rebindproc */ 2 | 
#undef LDAP_SET_REBIND_PROC_ARGS 3 | 4 | /* define to the number of args to gethostbyname_r */ 5 | #undef GETHOSTBYNAME_R_ARGS 6 | 7 | /* define to support PADL ypldapd locator */ 8 | #undef YPLDAPD 9 | 10 | 11 | #define PAM_LDAP_PATH_CONF "/etc/ldap.conf" 12 | #define PAM_LDAP_PATH_ROOTPASSWD "/etc/ldap.secret" 13 | 14 | -------------------------------------------------------------------------------- /pam.d/passwd: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_ldap.so 3 | auth required /lib/security/pam_unix_auth.so use_first_pass 4 | account sufficient /lib/security/pam_ldap.so 5 | account required /lib/security/pam_unix_acct.so 6 | password required /lib/security/pam_cracklib.so retry=3 7 | password sufficient /lib/security/pam_ldap.so 8 | password required /lib/security/pam_pwdb.so try_first_pass 9 | -------------------------------------------------------------------------------- /pam.d/su: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_ldap.so 3 | auth required /lib/security/pam_unix_auth.so use_first_pass 4 | account sufficient /lib/security/pam_ldap.so 5 | account required /lib/security/pam_unix_acct.so 6 | password required /lib/security/pam_cracklib.so 7 | password sufficient /lib/security/pam_ldap.so 8 | password required /lib/security/pam_pwdb.so use_first_pass 9 | session required /lib/security/pam_unix_session.so 10 | -------------------------------------------------------------------------------- /pam.d/mcserv: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed 3 | auth sufficient /lib/security/pam_ldap.so 4 | auth required /lib/security/pam_pwdb.so shadow nullok 5 | auth required /lib/security/pam_shells.so 6 | account sufficient 
/lib/security/pam_ldap.so 7 | account required /lib/security/pam_pwdb.so 8 | session sufficient /lib/security/pam_ldap.so 9 | session required /lib/security/pam_pwdb.so 10 | -------------------------------------------------------------------------------- /pam.d/ftp: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed 3 | auth required /lib/security/pam_shells.so 4 | auth sufficient /lib/security/pam_ldap.so 5 | auth required /lib/security/pam_pwdb.so shadow nullok 6 | account sufficient /lib/security/pam_ldap.so 7 | account required /lib/security/pam_pwdb.so 8 | #session sufficient /lib/security/pam_ldap.so 9 | session required /lib/security/pam_pwdb.so 10 | -------------------------------------------------------------------------------- /CVSVersionInfo.txt: -------------------------------------------------------------------------------- 1 | # Created and modified by checkpoint; do not edit 2 | # $Id$ 3 | # $Name$ 4 | ProjectName: pam_ldap 5 | ProjectVersion: 186 6 | ProjectMaintainer: lukeh 7 | # run this before building in RC. 
@@@PLATFORM@@@ is 8 | # substituted for our platform names (linux, solaris etc) 9 | PreBuild: configure --with-ldap-lib=netscape4 --with-ldap-dir=/usr/local/ldapsdk4 --enable-rfc2307bis --disable-ssl 10 | PostBuild: make distclean 11 | # binaries to ship (although we don't do that at the moment) 12 | Shippables: pam_ldap.so 13 | -------------------------------------------------------------------------------- /pam.d/chfn: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_rootok.so 3 | auth sufficient /lib/security/pam_ldap.so 4 | auth required /lib/security/pam_unix_auth.so use_first_pass 5 | account sufficient /lib/security/pam_ldap.so 6 | account required /lib/security/pam_unix_acct.so 7 | password required /lib/security/pam_cracklib.so 8 | password sufficient /lib/security/pam_ldap.so 9 | password required /lib/security/pam_pwdb.so use_first_pass 10 | session required /lib/security/pam_unix_session.so 11 | -------------------------------------------------------------------------------- /pam.d/chsh: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth sufficient /lib/security/pam_rootok.so 3 | auth sufficient /lib/security/pam_ldap.so 4 | auth required /lib/security/pam_unix_auth.so try_first_pass 5 | account sufficient /lib/security/pam_ldap.so 6 | account required /lib/security/pam_unix_acct.so 7 | password required /lib/security/pam_cracklib.so 8 | password sufficient /lib/security/pam_ldap.so 9 | password required /lib/security/pam_pwdb.so use_first_pass 10 | session required /lib/security/pam_unix_session.so 11 | -------------------------------------------------------------------------------- /pam.d/ssh: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth required /lib/security/pam_nologin.so 3 | auth sufficient /lib/security/pam_ldap.so 4 | auth required 
/lib/security/pam_unix_auth.so try_first_pass 5 | account sufficient /lib/security/pam_ldap.so 6 | account required /lib/security/pam_unix_acct.so 7 | password required /lib/security/pam_cracklib.so 8 | password sufficient /lib/security/pam_ldap.so 9 | password required /lib/security/pam_pwdb.so use_first_pass 10 | session required /lib/security/pam_unix_session.so 11 | -------------------------------------------------------------------------------- /pam.d/kde: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth required /lib/security/pam_nologin.so 3 | auth sufficient /lib/security/pam_ldap.so 4 | auth required /lib/security/pam_pwdb.so shadow nullok 5 | account sufficient /lib/security/pam_ldap.so 6 | account required /lib/security/pam_pwdb.so 7 | password required /lib/security/pam_cracklib.so 8 | password required /lib/security/pam_pwdb.so shadow nullok use_authtok 9 | session sufficient /lib/security/pam_ldap.so 10 | session required /lib/security/pam_pwdb.so 11 | session optional /lib/security/pam_console.so 12 | -------------------------------------------------------------------------------- /pam.d/login: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth required /lib/security/pam_securetty.so 3 | auth required /lib/security/pam_nologin.so 4 | auth sufficient /lib/security/pam_ldap.so 5 | auth required /lib/security/pam_unix_auth.so try_first_pass 6 | account sufficient /lib/security/pam_ldap.so 7 | account required /lib/security/pam_unix_acct.so 8 | password required /lib/security/pam_cracklib.so 9 | password required /lib/security/pam_ldap.so 10 | password required /lib/security/pam_pwdb.so use_first_pass 11 | session required /lib/security/pam_unix_session.so 12 | #session optional /lib/security/pam_console.so 13 | -------------------------------------------------------------------------------- /pam.d/rlogin: 
-------------------------------------------------------------------------------- 1 | auth required /lib/security/pam_securetty.so 2 | auth sufficient /lib/security/pam_rhosts_auth.so 3 | auth required /lib/security/pam_nologin.so 4 | auth sufficient /lib/security/pam_ldap.so 5 | auth required /lib/security/pam_unix_auth.so try_first_pass 6 | account sufficient /lib/security/pam_ldap.so 7 | account required /lib/security/pam_unix_acct.so 8 | password required /lib/security/pam_cracklib.so 9 | password sufficient /lib/security/pam_ldap.so 10 | password required /lib/security/pam_pwdb.so use_first_pass 11 | session required /lib/security/pam_unix_session.so 12 | -------------------------------------------------------------------------------- /pam.d/gdm: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth required /lib/security/pam_nologin.so 3 | auth sufficient /lib/security/pam_ldap.so 4 | auth required /lib/security/pam_unix_auth.so try_first_pass 5 | account sufficient /lib/security/pam_ldap.so 6 | account required /lib/security/pam_unix_acct.so 7 | password required /lib/security/pam_cracklib.so 8 | password sufficient /lib/security/pam_ldap.so 9 | password required /lib/security/pam_pwdb.so use_first_pass 10 | session sufficient /lib/security/pam_ldap.so 11 | session required /lib/security/pam_unix_session.so 12 | session optional /lib/security/pam_console.so 13 | -------------------------------------------------------------------------------- /pam.d/xdm: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | auth required /lib/security/pam_nologin.so 3 | auth sufficient /lib/security/pam_ldap.so 4 | auth required /lib/security/pam_unix_auth.so try_first_pass 5 | auth required /lib/security/pam_nologin.so 6 | account sufficient /lib/security/pam_ldap.so 7 | account required /lib/security/pam_unix_acct.so 8 | password required /lib/security/pam_cracklib.so 9 | password 
sufficient /lib/security/pam_ldap.so 10 | password required /lib/security/pam_pwdb.so use_first_pass 11 | session sufficient /lib/security/pam_ldap 12 | session required /lib/security/pam_unix_session.so 13 | session optional /lib/security/pam_console.so 14 | -------------------------------------------------------------------------------- /ldapns.schema: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | 3 | # LDAP Name Service Additional Schema 4 | 5 | # http://www.iana.org/assignments/gssapi-service-names 6 | 7 | attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' 8 | DESC 'IANA GSS-API authorized service name' 9 | EQUALITY caseIgnoreMatch 10 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) 11 | 12 | objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' 13 | DESC 'Auxiliary object class for adding authorizedService attribute' 14 | SUP top 15 | AUXILIARY 16 | MAY authorizedService ) 17 | 18 | objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' 19 | DESC 'Auxiliary object class for adding host attribute' 20 | SUP top 21 | AUXILIARY 22 | MAY host ) 23 | 24 | -------------------------------------------------------------------------------- /pam.d/linuxconf-pair: -------------------------------------------------------------------------------- 1 | #%PAM-1.0 2 | 3 | # You can change this file, but if anything other than prompting the user 4 | # for a password is added to the stack, authentication will always fail. 5 | # Linuxconf only uses this stack for protocol authentication of a 6 | # username/password pair. 7 | # For all other authentication, it uses the linuxconf service. 8 | # For password changing, it uses the passwd service, so it will 9 | # conveniently share your configuration for the passwd program. 
10 | 11 | auth sufficient /lib/security/pam_ldap.so 12 | auth required /lib/security/pam_unix_auth.so try_first_pass 13 | account sufficient /lib/security/pam_ldap.so 14 | account required /lib/security/pam_unix_acct.so 15 | -------------------------------------------------------------------------------- /mkinstalldirs: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | # mkinstalldirs --- make directory hierarchy 3 | # Author: Noah Friedman 4 | # Created: 1993-05-16 5 | # Public domain 6 | 7 | # $Id$ 8 | 9 | errstatus=0 10 | 11 | for file 12 | do 13 | set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'` 14 | shift 15 | 16 | pathcomp= 17 | for d 18 | do 19 | pathcomp="$pathcomp$d" 20 | case "$pathcomp" in 21 | -* ) pathcomp=./$pathcomp ;; 22 | esac 23 | 24 | if test ! -d "$pathcomp"; then 25 | echo "mkdir $pathcomp" 26 | 27 | mkdir "$pathcomp" || lasterr=$? 28 | 29 | if test ! -d "$pathcomp"; then 30 | errstatus=$lasterr 31 | fi 32 | fi 33 | 34 | pathcomp="$pathcomp/" 35 | done 36 | done 37 | 38 | exit $errstatus 39 | 40 | # mkinstalldirs ends here 41 | -------------------------------------------------------------------------------- /cvslib.pl: -------------------------------------------------------------------------------- 1 | #ident $Id$ 2 | 3 | $CVSVERSIONDIR = $ENV{'CVSVERSIONDIR'}; 4 | 5 | $INFOFILE = $CVSVERSIONDIR ne "" ? $CVSVERSIONDIR."/CVSVersionInfo.txt" : "CVSVersionInfo.txt"; 6 | 7 | $DISTDIR = $ENV{'HOME'} . 
"/dist"; 8 | 9 | sub getSGSFile 10 | { 11 | if (-f "version.h") { return "version.h"; } 12 | elsif (-f "vers.c") { return "vers.c"; } 13 | else { return; } 14 | } 15 | 16 | sub nameToTag 17 | { 18 | local($tag) = shift; 19 | $tag =~ s/\./\~/g; 20 | return ($tag); 21 | } 22 | 23 | sub getCVSRepository 24 | { 25 | if (!(-d "CVS")) 26 | { 27 | return; 28 | } 29 | 30 | open(ROOT, "CVS/Root") || return; 31 | open(REPOSITORY, "CVS/Repository") || return; 32 | local ($CVSROOT) = ; 33 | chop ($CVSROOT); 34 | if ($CVSROOT =~ '^:') { 35 | local(@C) = split(/:/, $CVSROOT); 36 | $CVSROOT = $C[3]; 37 | } 38 | local ($CVSREPOSITORY) = ; 39 | chop ($CVSREPOSITORY); 40 | close(ROOT); 41 | close(REPOSITORY); 42 | 43 | if ($CVSREPOSITORY =~ /^\//) 44 | { 45 | $CVSREPOSITORY =~ s/^$CVSROOT\///g; 46 | } 47 | return($CVSREPOSITORY); 48 | } 49 | 50 | sub getCVSVersionInfo 51 | { 52 | local ($VERSION, $PROJECT); 53 | 54 | if (-f $INFOFILE) 55 | { 56 | open(INFOFILE, $INFOFILE) || return; 57 | while() 58 | { 59 | if (/^#/) { next; } 60 | 61 | local ($key, $value) = split(/:\s+/); 62 | chop($value); 63 | 64 | if ($key eq "ProjectVersion") 65 | { 66 | $VERSION = $value; 67 | } 68 | elsif ($key eq "ProjectName") 69 | { 70 | $PROJECT = $value; 71 | } 72 | } 73 | } 74 | close(INFOFILE); 75 | return "$PROJECT-$VERSION"; 76 | } 77 | 78 | -------------------------------------------------------------------------------- /Makefile.am: -------------------------------------------------------------------------------- 1 | noinst_PROGRAMS = pam_ldap.so 2 | EXTRA_DIST = COPYING.LIB CVSVersionInfo.txt ChangeLog README \ 3 | ldap.conf pam.conf pam_ldap.spec pam.d 4 | 5 | pam_ldap_so_SOURCES = pam_ldap.c pam_ldap.h md5.c md5.h vers.c 6 | pam_ldap_so_LDFLAGS = @pam_ldap_so_LDFLAGS@ 7 | 8 | man_MANS = pam_ldap.5 9 | 10 | DEFS = @DEFS@ 11 | 12 | if USE_NATIVE_LINKER 13 | NATIVE_LINK = $(pam_ldap_so_LD) $(AM_LDFLAGS) -o $@ 14 | else 15 | GNU_LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ 16 
| endif 17 | 18 | # This is horrible but appears to be the only way to work with 19 | # recent versions of automake. Any better ideas, let me know. 20 | LINK = $(NATIVE_LINK) $(GNU_LINK) 21 | 22 | install-exec-local: pam_ldap.so 23 | @$(NORMAL_INSTALL) 24 | $(mkinstalldirs) $(DESTDIR)$(libdir)/security 25 | if EXTENSION_SO 26 | $(INSTALL_PROGRAM) -o root -g root pam_ldap.so $(DESTDIR)$(libdir)/security/pam_ldap.so 27 | else 28 | if EXTENSION_1 29 | $(INSTALL_PROGRAM) -o root -g root pam_ldap.so $(DESTDIR)$(libdir)/security/libpam_ldap.1 30 | else 31 | $(INSTALL_PROGRAM) -o root -g root pam_ldap.so $(DESTDIR)$(libdir)/security/pam_ldap.so.1 32 | (cd $(DESTDIR)$(libdir)/security; rm -f pam_ldap.so; ln -s pam_ldap.so.1 pam_ldap.so) 33 | endif 34 | endif 35 | 36 | install-data-local: 37 | @$(NORMAL_INSTALL) 38 | @if test ! -f $(DESTDIR)$(sysconfdir)/ldap.conf; then \ 39 | $(mkinstalldirs) $(DESTDIR)$(sysconfdir); \ 40 | $(INSTALL_DATA) -o root -g root $(srcdir)/ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \ 41 | fi 42 | 43 | uninstall-local: 44 | @$(NORMAL_UNINSTALL) 45 | 46 | vers.c: $(top_srcdir)/CVSVersionInfo.txt 47 | $(top_srcdir)/vers_string -v 48 | -------------------------------------------------------------------------------- /pam.conf: -------------------------------------------------------------------------------- 1 | #ident $Id$ 2 | # 3 | # PAM configuration for LDAP is sufficient, otherwise UNIX 4 | # mandatory authentication policy. 
5 | # 6 | 7 | # 8 | # Authentication management 9 | # 10 | login auth sufficient /usr/lib/security/pam_ldap.so.1 11 | login auth required /usr/lib/security/pam_unix.so.1 try_first_pass 12 | login auth required /usr/lib/security/pam_dial_auth.so.1 13 | 14 | telnet auth sufficient /usr/lib/security/pam_ldap.so.1 15 | telnet auth required /usr/lib/security/pam_unix.so.1 try_first_pass 16 | 17 | rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1 18 | rlogin auth sufficient /usr/lib/security/pam_ldap.so.1 19 | rlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass 20 | 21 | dtlogin auth sufficient /usr/lib/security/pam_ldap.so.1 22 | dtlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass 23 | 24 | rsh auth required /usr/lib/security/pam_rhosts_auth.so.1 25 | 26 | other auth sufficient /usr/lib/security/pam_ldap.so.1 27 | other auth required /usr/lib/security/pam_unix.so.1 try_first_pass 28 | 29 | # 30 | # Account management 31 | # 32 | login account required /usr/lib/security/pam_ldap.so.1 33 | login account required /usr/lib/security/pam_unix.so.1 34 | 35 | dtlogin account required /usr/lib/security/pam_ldap.so.1 36 | dtlogin account required /usr/lib/security/pam_unix.so.1 37 | 38 | other account required /usr/lib/security/pam_ldap.so.1 39 | other account required /usr/lib/security/pam_unix.so.1 40 | 41 | # 42 | # Session management, not implemented by pam_ldap 43 | # 44 | other session required /usr/lib/security/pam_unix.so.1 45 | 46 | # 47 | # Password management 48 | # 49 | #other password required /usr/lib/security/pam_unix.so.1 50 | other password required /usr/lib/security/pam_ldap.so 51 | 52 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | pam_ldap was written by Luke Howard . 
2 | 3 | Special thanks go to people who have volunteered their time, effort, 4 | and ideas to make this software available. 5 | 6 | Please note that unless specifically indicated otherwise, 7 | Luke Howard retains copyright in all contributed code. 8 | 9 | Eric Andresen 10 | Scott Balneaves 11 | David Begley 12 | Stephen Cremer 13 | Howard Chu 14 | Nalin Dahyabhai 15 | Taso N. Devetzis 16 | Cristian Gafton 17 | Ben Gardiner 18 | 19 | Ed Golden 20 | Manon Goo 21 | Bob Guo 22 | Norbert Klasen 23 | Thorsten Kukuk 24 | Tom Lear 25 | Elliot Lee 26 | Joe Little 27 | phillip Liu 28 | Jungle Lin 29 | Jeff Mandel 30 | Dean Michaels 31 | Doug Nazar 32 | Brian Nelson 33 | Thomas Noel 34 | Lars Oergel 35 | Petr Olivka 36 | Tero Pelander 37 | Chris Robertson 38 | Alex Schlessinger 39 | Henning P. Schmiedehausen 40 | Erich Schneider 41 | Aaron Spangla 42 | Jarkko Turkulainen 43 | Stein Vrale 44 | Bill Welliver 45 | Pawel Wieleba 46 | Helmut Wirth 47 | Alexander Zangerl 48 | 49 | If I have forgotten anyone, please let me know. 50 | 51 | Contributors should apprise themselves of the document at 52 | http://www.padl.com/Articles/GuidelinesforContributing.html. 53 | 54 | -- 55 | Luke Howard 56 | lukeh@padl.com 57 | 58 | -------------------------------------------------------------------------------- /vers_string: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # 3 | #ident $Id$ 4 | # 5 | # Implementation of SGS vers_string which uses CVSVersionInfo.txt. 6 | 7 | require "cvslib.pl"; 8 | 9 | $OUTFILE = (-f "version.h") ? 
"version.h" : "vers.c"; 10 | $AUTHOR = `whoami`; 11 | $HEADER = '$Id$'; 12 | 13 | if ($ENV{'PROGRAM'}) { $PROGRAM = $ENV{'PROGRAM'}; } 14 | 15 | chop($AUTHOR); 16 | chop($DATE=`date -u`); 17 | chop($CWD=`pwd`); 18 | 19 | ($PROJECT, $VERSION) = split(/\-/, &getCVSVersionInfo()); 20 | 21 | if (!defined($PROJECT)) { 22 | $PROJECT = "Unknown"; 23 | $PROGRAM = "Unknown"; 24 | } else { 25 | $SEP = "-"; 26 | if (!defined($PROGRAM)) { 27 | chop($PROGRAM=`basename $CWD`); 28 | } 29 | } 30 | 31 | if ($ARGV[0] eq "-f") { 32 | print $PROJECT, $SEP, $VERSION, "\n"; 33 | } elsif ($ARGV[0] eq "-l") { 34 | print "static const char SGS_VERS[160] = \""; 35 | print '@(#)LIBRARY:', $PROGRAM, ' PROJECT:', $PROJECT, $SEP, $VERSION, ' DEVELOPER:', $AUTHOR, ' BUILT:', $DATE; 36 | print "\";\n"; 37 | } elsif ($ARGV[0] eq "-c") { 38 | print "const char SGS_VERS[160] = \""; 39 | print '@(#)PROGRAM:', $PROGRAM, ' PROJECT:', $PROJECT, $SEP, $VERSION, ' DEVELOPER:', $AUTHOR, ' BUILT:', $DATE; 40 | print "\";\n"; 41 | print "const char VERS_NUM[10] = \"$VERSION\";\n"; 42 | } elsif ($ARGV[0] eq "-n") { 43 | print "$VERSION\n"; 44 | } elsif ($ARGV[0] eq "-B") { 45 | print 'PROGRAM:', $PROGRAM, ' PROJECT:', $PROJECT, $SEP, $VERSION, ' DEVELOPER:', $AUTHOR, ' BUILT:NO DATE SET (-B used)',"\n"; 46 | } elsif ($ARGV[0] eq "-v") { 47 | unlink($OUTFILE); 48 | open(OUTFILE,">$OUTFILE"); 49 | print OUTFILE "/* $OUTFILE built by $HEADER */\n"; 50 | print OUTFILE "\n"; 51 | if ($OUTFILE eq "version.h") { 52 | print OUTFILE "#define USE_SGS_VERS\n\n"; 53 | } 54 | print OUTFILE "const char SGS_VERS[160] = \""; 55 | print OUTFILE '@(#)PROGRAM:', $PROGRAM, ' PROJECT:', $PROJECT, $SEP, $VERSION, ' DEVELOPER:', $AUTHOR, ' BUILT:', $DATE; 56 | print OUTFILE "\";\n\n"; 57 | print OUTFILE "const char VERS_NUM[10] = \"$VERSION\";\n\n"; 58 | close(OUTFILE); 59 | } elsif ($ARGV[0] ne "") { 60 | print STDERR "$HEADER\n"; 61 | print STDERR "Copyright (C) 1997-2010 Luke Howard "; 62 | print STDERR "\n\n"; 63 | print STDERR 
"Unknown command line option $ARGV[0].\n"; 64 | print STDERR "Usage: vers_string [-f|-l|-c|-n|-B|-v]\n"; 65 | print STDERR "\t-f: echo project-n to stdout\n"; 66 | print STDERR "\t-l: echo static const char SGS_VERS to stdout\n"; 67 | print STDERR "\t-c: echo const char VERS_NUM and SGS_VERS to stdout\n"; 68 | print STDERR "\t-n: echo version number to stdout\n"; 69 | print STDERR "\t-B: emulate vers_string -B (why?)\n"; 70 | print STDERR "\t-v: generate $OUTFILE\n"; 71 | print STDERR "\tother options same as vers_string\n"; 72 | print STDERR "\n"; 73 | print STDERR "\tTo attach a project name and version number to a CVS\n"; 74 | print STDERR "\tmodule, use checkpoint\n"; 75 | print STDERR "\tTo find out the current project version, type cvsver\n"; 76 | print STDERR "\tTo create a new project, type cvsnew [project]\n"; 77 | print STDERR "\tTo sync with an existing project, type cvssync\n"; 78 | print STDERR "\tTo create a project distribution, type tarup\n"; 79 | print STDERR "\tTo commit a project, type commit [message]\n"; 80 | } else { 81 | print 'PROGRAM:', $PROGRAM, ' PROJECT:', $PROJECT, $SEP, $VERSION, ' DEVELOPER:', $AUTHOR, ' BUILT:', $DATE; 82 | print "\n"; 83 | } 84 | -------------------------------------------------------------------------------- /md5.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (C) 1999 Aladdin Enterprises. All rights reserved. 3 | 4 | This software is provided 'as-is', without any express or implied 5 | warranty. In no event will the authors be held liable for any damages 6 | arising from the use of this software. 7 | 8 | Permission is granted to anyone to use this software for any purpose, 9 | including commercial applications, and to alter it and redistribute it 10 | freely, subject to the following restrictions: 11 | 12 | 1. The origin of this software must not be misrepresented; you must not 13 | claim that you wrote the original software. 
If you use this software 14 | in a product, an acknowledgment in the product documentation would be 15 | appreciated but is not required. 16 | 2. Altered source versions must be plainly marked as such, and must not be 17 | misrepresented as being the original software. 18 | 3. This notice may not be removed or altered from any source distribution. 19 | 20 | L. Peter Deutsch 21 | ghost@aladdin.com 22 | 23 | */ 24 | /*$Id$ */ 25 | /* 26 | Independent implementation of MD5 (RFC 1321). 27 | 28 | This code implements the MD5 Algorithm defined in RFC 1321. 29 | It is derived directly from the text of the RFC and not from the 30 | reference implementation. 31 | 32 | The original and principal author of md5.h is L. Peter Deutsch 33 | . Other authors are noted in the change history 34 | that follows (in reverse chronological order): 35 | 36 | 1999-11-04 lpd Edited comments slightly for automatic TOC extraction. 37 | 1999-10-18 lpd Fixed typo in header comment (ansi2knr rather than md5); 38 | added conditionalization for C++ compilation from Martin 39 | Purschke . 40 | 1999-05-03 lpd Original version. 41 | */ 42 | 43 | #ifndef md5_INCLUDED 44 | # define md5_INCLUDED 45 | 46 | /* 47 | * This code has some adaptations for the Ghostscript environment, but it 48 | * will compile and run correctly in any environment with 8-bit chars and 49 | * 32-bit ints. Specifically, it assumes that if the following are 50 | * defined, they have the same meaning as in Ghostscript: P1, P2, P3, 51 | * ARCH_IS_BIG_ENDIAN. 52 | */ 53 | 54 | typedef unsigned char md5_byte_t; /* 8-bit byte */ 55 | typedef unsigned int md5_word_t; /* 32-bit word */ 56 | 57 | /* Define the state of the MD5 Algorithm. 
*/ 58 | typedef struct md5_state_s { 59 | md5_word_t count[2]; /* message length in bits, lsw first */ 60 | md5_word_t abcd[4]; /* digest buffer */ 61 | md5_byte_t buf[64]; /* accumulate block */ 62 | } md5_state_t; 63 | 64 | #ifdef __cplusplus 65 | extern "C" 66 | { 67 | #endif 68 | 69 | /* Initialize the algorithm. */ 70 | #ifdef P1 71 | void _pam_ldap_md5_init(P1(md5_state_t *pms)); 72 | #else 73 | void _pam_ldap_md5_init(md5_state_t *pms); 74 | #endif 75 | 76 | /* Append a string to the message. */ 77 | #ifdef P3 78 | void _pam_ldap_md5_append(P3(md5_state_t *pms, const md5_byte_t *data, int nbytes)); 79 | #else 80 | void _pam_ldap_md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes); 81 | #endif 82 | 83 | /* Finish the message and return the digest. */ 84 | #ifdef P2 85 | void _pam_ldap_md5_finish(P2(md5_state_t *pms, md5_byte_t digest[16])); 86 | #else 87 | void _pam_ldap_md5_finish(md5_state_t *pms, md5_byte_t digest[16]); 88 | #endif 89 | 90 | #ifdef __cplusplus 91 | } /* end extern "C" */ 92 | #endif 93 | 94 | #endif /* md5_INCLUDED */ 95 | -------------------------------------------------------------------------------- /chsh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # chsh implementation for LDAP 3 | # Copyright (C) 2000 Tom Lear 4 | 5 | # This program is free software; you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation; either version 2 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

# Optional "-s SHELL": take the new shell from the command line instead of
# prompting for it further down.
if($ARGV[0] eq '-s') {
    shift;
    $shell=shift;
}

# Target account: the first remaining argument, else the invoking user
# ($< is the real uid).
$user=$ARGV[0];
if($user eq '') {
    $user=(getpwuid($<))[0];
} else {
    # NOTE(review): this listing has lost text on the next line; everything
    # between a "<" and the following ">" appears to have been stripped. The
    # rest of the permission check, the end of this block and the opening of
    # the configuration-file loop are therefore not visible. The empty
    # "while()" and "=" read expressions further down look like the same
    # damage. Restore them from the upstream file before relying on this code.
    die "You can't change that user.\n" if($< and $) {
    # Skip blank and comment lines; store each "key value" pair in %CONF.
    next if(m/^\s*($|#)/);
    m/^\s*(\S+)\s+(.*?)\s*$/;
    $CONF{$1}=$2;
}
close(CONF);
# If /etc/ldap.secret can be opened, its content (presumably the first line;
# the read expression is damaged in this listing) becomes the root bind
# password.
open(CONF,"/etc/ldap.secret") and chomp($CONF{'rootbindpw'}=);
close(CONF);

use Net::LDAP;

# NOTE(review): the result of new() is not checked; if the connection fails
# the bind call below is made on an undefined value. No TLS or ldaps setup is
# visible in this part of the script, so confirm the bind password is not sent
# over an unprotected connection.
$ldap=Net::LDAP->new($CONF{'host'});

# Non-root callers, and root when no rootbinddn is configured, bind as the
# target user's own entry with a password read interactively. Root with a
# rootbinddn binds with the stored credentials instead.
if($< or $CONF{'rootbinddn'} eq '') {
    # PATH is emptied and stty is called by absolute path.
    $ENV{'PATH'}='';
    # NOTE(review): echo is switched back on only on the normal path; an
    # interrupt while waiting for the password leaves the terminal without echo.
    system "/bin/stty -echo";
    print 'Password:';
    chomp($password = );
    print "\n";
    system "/bin/stty echo";
    # NOTE(review): $user is interpolated into the DN without escaping DN
    # special characters; verify what the (damaged) check above guarantees
    # about its value.
    %bindargs=('dn' => "$CONF{pam_login_attribute}=$user,ou=People,$CONF{base}",
        'password' => $password,
    );
} else {
    %bindargs=('dn' => $CONF{'rootbinddn'},
        'password' => $CONF{'rootbindpw'},
    );
}
# Protocol version from ldap.conf, defaulting to 2.
$bindargs{'version'}=$CONF{'ldap_version'}?$CONF{'ldap_version'}:2;

# NOTE(review): Net::LDAP's bind() returns a message object rather than a
# plain true/false value, so this "or die" probably never fires on a rejected
# bind. Checking ->code on the result, as the modify call later in this script
# does, would catch it. Confirm against the Net::LDAP version in use.
$ldap->bind(%bindargs) or die "unable to bind to ldap server: $@";

# Check that the account's current shell is listed in /etc/shells. Non-root
# callers whose current shell is not listed may not change it. If /etc/shells
# cannot be opened, $valid stays unset and non-root callers are refused.
$oldshell=(getpwnam($user))[8];
open(IN,"/etc/shells");
while() {
    chomp;
    $valid=1 if($oldshell eq $_);
}
close(IN);
die "can't change shell for `$user'\n" if($< and !$valid);

# Get the new shell if necessary (no -s given); empty input keeps the old one.
if($shell eq '') {
    print "Enter the new value, or press return for the default\n\n";
    print "\t Login Shell [$oldshell]: ";
    $shell=;
    chomp $shell;
    $shell=$oldshell if($shell eq '');
}

# Check the new shell's validity: for non-root callers it must match a line
# of /etc/shells exactly. Root skips this check.
if($<) {
    $valid=0;
    open(IN,"/etc/shells");
    while() {
        chomp;
        $valid=1 if($shell eq $_);
    }
    close(IN);
die "$shell is an invalid shell.\n" if(!$valid); 97 | } 98 | 99 | # change the shell 100 | $ret=$ldap->modify("$CONF{pam_login_attribute}=$user,ou=People,$CONF{base}", 101 | replace => {'loginShell' => $shell}); 102 | if($ret->code) { 103 | printf STDERR ("failed: %s\n",$ret->error); 104 | } else { 105 | print "changed user `$user' shell to `$shell'\n"; 106 | } 107 | 108 | -------------------------------------------------------------------------------- /chfn: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # chfn implementation for LDAP 3 | # Copyright (C) 2000 Tom Lear 4 | 5 | # This program is free software; you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License as published by 7 | # the Free Software Foundation; either version 2 of the License, or 8 | # (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

# Read login.defs and pick up CHFN_RESTRICT, the set of field letters a
# non-root user may change.
# NOTE(review): the empty "while()" and "=" read expressions in this listing
# appear to have lost a "<...>" filehandle read; restore them from the
# upstream file before relying on this code.
open(CONF,"/etc/login.defs") or die "$!\n";
while() {
    next if(m/^\s*($|#)/);
    $CHFN_RESTRICT=$1 if(m/^\s*CHFN_RESTRICT\s+(.*?)\s*$/);
}
close(CONF);
# 'yes' and 'no' are mapped to explicit letter sets.
$CHFN_RESTRICT='rwh' if($CHFN_RESTRICT eq 'yes');
$CHFN_RESTRICT='frwh' if($CHFN_RESTRICT eq 'no');

# Root (real uid 0) may change every field, including 'o'.
$CHFN_RESTRICT='frwho' if($<==0);

# Parse "-f/-r/-w/-h/-o VALUE" pairs. $let is always one of the letters
# matched by the loop condition, so using it as a pattern below is safe.
# If login.defs sets no CHFN_RESTRICT, a non-root caller is refused here
# for every field.
while($ARGV[0]=~m/^-([frwho])$/) {
    shift;
    my $let=$1;
    $new{$let}=shift;
    die "You can't change that field.\n" if($CHFN_RESTRICT!~m/$let/);
}

# Target account: the first remaining argument, else the invoking user
# ($< is the real uid).
$user=$ARGV[0];
if($user eq '') {
    $user=(getpwuid($<))[0];
} else {
    # NOTE(review): text has been lost on the next line of this listing; the
    # rest of the permission check, the end of this block and the opening of
    # the ldap.conf loop are not visible.
    die "You can't change that user.\n" if($< and $) {
    # Skip blank and comment lines; store each "key value" pair in %CONF.
    next if(m/^\s*($|#)/);
    m/^\s*(\S+)\s+(.*?)\s*$/;
    $CONF{$1}=$2;
}
close(CONF);
# If /etc/ldap.secret can be opened, its content (presumably the first line)
# becomes the root bind password.
open(CONF,"/etc/ldap.secret") and chomp($CONF{'rootbindpw'}=);
close(CONF);

# Prompt labels for the gecos sub-fields, keyed by option letter.
%FIELDS=(
    'f' => 'Full Name',
    'r' => 'Room Number',
    'w' => 'Work Phone',
    'h' => 'Home Phone',
    'o' => 'Other',
);

use Net::LDAP;

# NOTE(review): the result of new() is not checked, and no TLS or ldaps setup
# is visible in this part of the script; confirm the bind password is not
# sent over an unprotected connection.
$ldap=Net::LDAP->new($CONF{'host'});

# Non-root callers, and root when no rootbinddn is configured, bind as the
# target user's own entry with a password read interactively. Root with a
# rootbinddn binds with the stored credentials instead.
if($< or $CONF{'rootbinddn'} eq '') {
    # PATH is emptied and stty is called by absolute path.
    $ENV{'PATH'}='';
    # NOTE(review): echo is switched back on only on the normal path; an
    # interrupt while waiting for the password leaves the terminal without echo.
    system "/bin/stty -echo";
    print 'Password:';
    chomp($password = );
    print "\n";
    system "/bin/stty echo";
    # NOTE(review): $user is interpolated into the DN without escaping DN
    # special characters; verify what the (damaged) check above guarantees
    # about its value.
    %bindargs=('dn' => "$CONF{pam_login_attribute}=$user,ou=People,$CONF{base}",
        'password' => $password,
    );
} else {
    %bindargs=('dn' => $CONF{'rootbinddn'},
        'password' => $CONF{'rootbindpw'},
    );
}
# Protocol version from ldap.conf, defaulting to 2.
$bindargs{'version'}=$CONF{'ldap_version'}?$CONF{'ldap_version'}:2;

# NOTE(review): Net::LDAP's bind() returns a message object rather than a
# plain true/false value, so this "or die" probably never fires on a rejected
# bind. Checking ->code on the result, as the modify call later in this script
# does, would catch it. Confirm against the Net::LDAP version in use.
$ldap->bind(%bindargs) or die "unable to bind to ldap server: $@";

# Get the current values: the account's gecos string split on commas.
@gecos=split(',',(getpwnam($user))[6]);
93 | # get the new entries if neccesary 94 | if(!defined %new) { 95 | print "Enter the new value, or press return for the default\n"; 96 | @fields=('f','r','w','h'); 97 | push(@fields, 'o') if($<==0); 98 | foreach(@fields) { 99 | if($CHFN_RESTRICT=~m/$_/) { 100 | print "\t$FIELDS{$_} [$gecos[$i]]: "; 101 | chomp($new{$_}=); 102 | $new{$_}=$gecos[$i] if($new{$_} eq ''); 103 | } else { 104 | print "\t$FIELDS{$_}: $gecos[$i]\n"; 105 | } 106 | $i++; 107 | } 108 | } 109 | 110 | # check the entries validity 111 | $i=0; 112 | foreach('f','r','w','h','o') { 113 | die "invalid entry: \"$new{$_}\"\n" if($new{$_}!~m/^[ -~]*$/ or $new{$_}=~m/[:,=]/); 114 | $gecos[$i]=$new{$_} if(defined $new{$_}); 115 | $i++; 116 | } 117 | 118 | # change the gecos field 119 | $gecos[3].=''; 120 | $ret=$ldap->modify("$CONF{pam_login_attribute}=$user,ou=People,$CONF{base}", 121 | replace => {'gecos' => join(',',@gecos)}); 122 | if($ret->code) { 123 | printf STDERR ("failed: %s\n",$ret->error); 124 | } 125 | 126 | -------------------------------------------------------------------------------- /pam_ldap.spec: -------------------------------------------------------------------------------- 1 | Summary: PAM module for LDAP. 2 | Name: pam_ldap 3 | Version: 185 4 | Release: 1 5 | Source0: ftp://ftp.padl.com/pub/%{name}-%{version}.tar.gz 6 | Source1: ldap.conf 7 | URL: http://www.padl.com/ 8 | Copyright: LGPL 9 | Group: System Environment/Base 10 | BuildRoot: %{_tmppath}/%{name}-root 11 | BuildPrereq: openldap-devel 12 | Requires: openldap cyrus-sasl openssl 13 | Obsoletes: pam_ldap 14 | 15 | %description 16 | This package includes a LDAP access clients: pam_ldap. 17 | 18 | Pam_ldap is a module for Linux-PAM that supports password changes, V2/V3 19 | clients, Netscapes SSL/OpenSSL, ypldapd, Netscape Directory Server password 20 | policies, access authorization, crypted hashes, etc. 21 | 22 | Install nss_ldap if you need LDAP access clients. 
23 | 24 | %prep 25 | %setup -q -a 0 26 | 27 | %build 28 | ./configure 29 | make 30 | 31 | %install 32 | [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT 33 | mkdir -p $RPM_BUILD_ROOT/{etc,lib/security} 34 | 35 | install -m 755 pam_ldap.so \ 36 | $RPM_BUILD_ROOT/lib/security/ 37 | 38 | install -m 644 %{SOURCE1} $RPM_BUILD_ROOT/etc/ldap.conf 39 | 40 | chmod 755 $RPM_BUILD_ROOT/lib/security/*.so* 41 | 42 | %clean 43 | [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT 44 | 45 | %files 46 | %defattr(-,root,root) 47 | %attr(0755,root,root) /lib/security/*.so* 48 | %attr(0644,root,root) %config(noreplace) /etc/ldap.conf 49 | %doc AUTHORS NEWS COPYING COPYING.LIB README ChangeLog pam.d 50 | 51 | %changelog 52 | * Mon Jan 08 2001 Joe Little 53 | - first PAM_LDAP specific RPM, stolen from the previously maintained nss_ldap 54 | 55 | * Thu Jan 04 2001 Joe Little 56 | - changed Makefile.RPM.openldap2 to a patch instead of a source file 57 | - updated to pam_ldap 86 and nss_ldap 126 58 | 59 | * Wed Jan 03 2001 Joe Little 60 | - update to pam_ldap 84 and a change in the included Makefile to have libnss 61 | instead of just nss* in /usr/lib 62 | 63 | * Tue Jan 02 2001 Joe Little 64 | - update to pam_ldap 82 and nss_ldap 124 65 | 66 | * Tue Dec 05 2000 Joe Little 67 | - changed provided nss-Makefile to use dynamic lber/ldap libs; fixes nss_ldap 68 | 69 | * Fri Oct 27 2000 Joe Little 70 | - updated my build for nss_ldap and pam_ldap to solve race condition as told by 71 | Luke Howard 72 | 73 | * Thu Oct 19 2000 Joe Little 74 | - insured install uses openldap2 specific makefile 75 | - fixed doc inclusion issue - which affect pam.d samples being provided 76 | 77 | * Wed Oct 11 2000 Joe Little 78 | - updated for latest nss/pam versions, and for building against openldap 2.x 79 | - also added req for cyrus-sasl 80 | 81 | * Thu Jul 27 2000 Nalin Dahyabhai 82 | - update to pam_ldap 67 to fix a bug in template user code 83 | - convert symlink in /usr/lib to a relative one 
(#16132) 84 | 85 | * Thu Jul 27 2000 Nalin Dahyabhai 86 | - update to nss_ldap 113 and pam_ldap 66 87 | 88 | * Wed Jul 12 2000 Prospector 89 | - automatic rebuild 90 | 91 | * Tue Jun 27 2000 Matt Wilson 92 | - changed all the -,- in attr statements to root,root 93 | 94 | * Tue Jun 27 2000 Nalin Dahyabhai 95 | - update pam_ldap to 63 96 | 97 | * Wed May 31 2000 Nalin Dahyabhai 98 | - update pam_ldap to 56 99 | 100 | * Tue May 30 2000 Nalin Dahyabhai 101 | - update pam_ldap to 55 102 | - back out no-threads patch for pam_ldap, not needed any more 103 | 104 | * Thu May 25 2000 Nalin Dahyabhai 105 | - update to 110 106 | - revert prototype patch, looks like a problem with the new glibc after all 107 | 108 | * Fri May 19 2000 Nalin Dahyabhai 109 | - get libpthread out of the NSS module 110 | - fix prototype problems in getpwXXX() 111 | 112 | * Mon May 15 2000 Nalin Dahyabhai 113 | - update to nss_ldap 109 114 | 115 | * Sat Apr 29 2000 Nalin Dahyabhai 116 | - update pam_ldap 51 117 | 118 | * Tue Apr 25 2000 Nalin Dahyabhai 119 | - update to nss_ldap 108 and pam_ldap 49 120 | 121 | * Thu Apr 20 2000 Nalin Dahyabhai 122 | - update to pam_ldap 48 123 | 124 | * Thu Mar 30 2000 Nalin Dahyabhai 125 | - update to nss_ldap 107 126 | - note: check http://www.advogato.org/person/lukeh/ for Luke's changelog 127 | 128 | * Tue Mar 21 2000 Nalin Dahyabhai 129 | - update to nss_ldap 106 130 | 131 | * Wed Feb 9 2000 Nalin Dahyabhai 132 | - update to nss_ldap 105 133 | 134 | * Mon Feb 7 2000 Nalin Dahyabhai 135 | - update to nss_ldap 104 and pam_ldap 46 136 | - disable link against libpthread in pam_ldap 137 | 138 | * Tue Feb 1 2000 Nalin Dahyabhai 139 | - remove migration tools, because this package requires openldap now, which 140 | also includes them 141 | 142 | * Fri Jan 28 2000 Nalin Dahyabhai 143 | - update to nss_ldap 103 144 | 145 | * Mon Jan 24 2000 Preston Brown 146 | - fix typo in linuxconf-pair pam cfg file (#7800) 147 | 148 | * Tue Jan 11 2000 Preston Brown 149 | - v99, made 
it require pam_ldap 150 | - added perl migration tools 151 | - integrate pam_ldap stuff 152 | 153 | * Fri Oct 22 1999 Bill Nottingham 154 | - statically link ldap libraries (they're in /usr/lib) 155 | 156 | * Tue Aug 10 1999 Cristian Gafton 157 | - use the ldap.conf file as an external source 158 | - don't forcibly build the support for version 3 159 | - imported the default spec file from the tarball and fixed it up for RH 6.1 160 | -------------------------------------------------------------------------------- /config.h.in: -------------------------------------------------------------------------------- 1 | /* config.h.in. Generated from configure.in by autoheader. */ 2 | /* Define to the number of arguments to ldap_set_rebindproc */ 3 | #undef LDAP_SET_REBIND_PROC_ARGS 4 | 5 | /* define to the number of args to gethostbyname_r */ 6 | #undef GETHOSTBYNAME_R_ARGS 7 | 8 | /* define to support PADL ypldapd locator */ 9 | #undef YPLDAPD 10 | 11 | 12 | #define PAM_LDAP_PATH_CONF "/etc/ldap.conf" 13 | #define PAM_LDAP_PATH_ROOTPASSWD "/etc/ldap.secret" 14 | 15 | 16 | /* Define to 1 if you have the header file. */ 17 | #undef HAVE_CRYPT_H 18 | 19 | /* Define to 1 if you have the header file. */ 20 | #undef HAVE_DES_H 21 | 22 | /* Define to 1 if you have the `gethostbyname' function. */ 23 | #undef HAVE_GETHOSTBYNAME 24 | 25 | /* Define to 1 if you have the `gethostbyname_r' function. */ 26 | #undef HAVE_GETHOSTBYNAME_R 27 | 28 | /* Define to 1 if you have the header file. */ 29 | #undef HAVE_INTTYPES_H 30 | 31 | /* Define to 1 if you have the header file. */ 32 | #undef HAVE_LBER_H 33 | 34 | /* Define to 1 if you have the `ldapssl_init' function. */ 35 | #undef HAVE_LDAPSSL_INIT 36 | 37 | /* Define to 1 if you have the `ldap_controls_free' function. */ 38 | #undef HAVE_LDAP_CONTROLS_FREE 39 | 40 | /* Define to 1 if you have the `ldap_get_lderrno' function. */ 41 | #undef HAVE_LDAP_GET_LDERRNO 42 | 43 | /* Define to 1 if you have the `ldap_get_option' function. 
*/ 44 | #undef HAVE_LDAP_GET_OPTION 45 | 46 | /* Define to 1 if you have the header file. */ 47 | #undef HAVE_LDAP_H 48 | 49 | /* Define to 1 if you have the `ldap_init' function. */ 50 | #undef HAVE_LDAP_INIT 51 | 52 | /* Define to 1 if you have the `ldap_initialize' function. */ 53 | #undef HAVE_LDAP_INITIALIZE 54 | 55 | /* Define to 1 if you have the `ldap_memfree' function. */ 56 | #undef HAVE_LDAP_MEMFREE 57 | 58 | /* Define to 1 if you have the `ldap_parse_result' function. */ 59 | #undef HAVE_LDAP_PARSE_RESULT 60 | 61 | /* Define to 1 if you have the `ldap_pvt_tls_set_option' function. */ 62 | #undef HAVE_LDAP_PVT_TLS_SET_OPTION 63 | 64 | /* Define to 1 if you have the `ldap_sasl_bind' function. */ 65 | #undef HAVE_LDAP_SASL_BIND 66 | 67 | /* Define to 1 if you have the `ldap_sasl_interactive_bind_s' function. */ 68 | #undef HAVE_LDAP_SASL_INTERACTIVE_BIND_S 69 | 70 | /* Define to 1 if you have the `ldap_set_lderrno' function. */ 71 | #undef HAVE_LDAP_SET_LDERRNO 72 | 73 | /* Define to 1 if you have the `ldap_set_option' function. */ 74 | #undef HAVE_LDAP_SET_OPTION 75 | 76 | /* Define to 1 if you have the `ldap_set_rebind_proc' function. */ 77 | #undef HAVE_LDAP_SET_REBIND_PROC 78 | 79 | /* Define to 1 if you have the header file. */ 80 | #undef HAVE_LDAP_SSL_H 81 | 82 | /* Define to 1 if you have the `ldap_start_tls_s' function. */ 83 | #undef HAVE_LDAP_START_TLS_S 84 | 85 | /* Define to 1 if you have the `crypt' library (-lcrypt). */ 86 | #undef HAVE_LIBCRYPT 87 | 88 | /* Define to 1 if you have the `dl' library (-ldl). */ 89 | #undef HAVE_LIBDL 90 | 91 | /* Define to 1 if you have the `lber' library (-llber). */ 92 | #undef HAVE_LIBLBER 93 | 94 | /* Define to 1 if you have the `nsl' library (-lnsl). */ 95 | #undef HAVE_LIBNSL 96 | 97 | /* Define to 1 if you have the `pam' library (-lpam). */ 98 | #undef HAVE_LIBPAM 99 | 100 | /* Define to 1 if you have the `pthread' library (-lpthread). 
*/ 101 | #undef HAVE_LIBPTHREAD 102 | 103 | /* Define to 1 if you have the `resolv' library (-lresolv). */ 104 | #undef HAVE_LIBRESOLV 105 | 106 | /* Define to 1 if you have the header file. */ 107 | #undef HAVE_MEMORY_H 108 | 109 | /* Define to 1 if you have the header file. */ 110 | #undef HAVE_PAM_PAM_APPL_H 111 | 112 | /* Define to 1 if you have the header file. */ 113 | #undef HAVE_PAM_PAM_MISC_H 114 | 115 | /* Define to 1 if you have the header file. */ 116 | #undef HAVE_PAM_PAM_MODULES_H 117 | 118 | /* Define to 1 if you have the header file. */ 119 | #undef HAVE_SASL_H 120 | 121 | /* Define to 1 if you have the header file. */ 122 | #undef HAVE_SASL_SASL_H 123 | 124 | /* Define to 1 if you have the header file. */ 125 | #undef HAVE_SECURITY_PAM_APPL_H 126 | 127 | /* Define to 1 if you have the header file. */ 128 | #undef HAVE_SECURITY_PAM_MISC_H 129 | 130 | /* Define to 1 if you have the header file. */ 131 | #undef HAVE_SECURITY_PAM_MODULES_H 132 | 133 | /* Define to 1 if you have the header file. */ 134 | #undef HAVE_STDINT_H 135 | 136 | /* Define to 1 if you have the header file. */ 137 | #undef HAVE_STDLIB_H 138 | 139 | /* Define to 1 if you have the header file. */ 140 | #undef HAVE_STRINGS_H 141 | 142 | /* Define to 1 if you have the header file. */ 143 | #undef HAVE_STRING_H 144 | 145 | /* Define to 1 if you have the header file. */ 146 | #undef HAVE_SYS_STAT_H 147 | 148 | /* Define to 1 if you have the header file. */ 149 | #undef HAVE_SYS_TYPES_H 150 | 151 | /* Define to 1 if you have the header file. */ 152 | #undef HAVE_UNISTD_H 153 | 154 | /* Name of package */ 155 | #undef PACKAGE 156 | 157 | /* Define to the address where bug reports for this package should be sent. */ 158 | #undef PACKAGE_BUGREPORT 159 | 160 | /* Define to the full name of this package. */ 161 | #undef PACKAGE_NAME 162 | 163 | /* Define to the full name and version of this package. 
*/ 164 | #undef PACKAGE_STRING 165 | 166 | /* Define to the one symbol short name of this package. */ 167 | #undef PACKAGE_TARNAME 168 | 169 | /* Define to the version of this package. */ 170 | #undef PACKAGE_VERSION 171 | 172 | /* Define to 1 if you have the ANSI C header files. */ 173 | #undef STDC_HEADERS 174 | 175 | /* Version number of package */ 176 | #undef VERSION 177 | -------------------------------------------------------------------------------- /certutil: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | #ident $Id$ 3 | # 4 | # certutil -- manage trusted X.509 certificates 5 | # inspired by Netscape PKCS #11 toolkit 6 | # contributed by Jarkko Turkulainen 7 | # 8 | # 9 | # INTRODUCTION 10 | # 11 | # certutil can be used with various OpenSSL routines and tools 12 | # that utilize OpenSSL. Example: 13 | # 14 | # $ openssl s_client -CApath certdir 15 | # 16 | # where certdir is a directory created by certutil. Other well known 17 | # programs that use the same format are stunnel, sendmail and pam_ldap 18 | # 19 | # 20 | # 21 | # HOWTO 22 | # 23 | # 1. Initialize certificate database 24 | # 25 | # Simply by adding a new certificate. If the certificate directory 26 | # doesn't exist, the script asks for creating a one. Example: 27 | # 28 | # $ certutil -a -n "First Cert" -i cert.pem -d /home/jt/mycerts 29 | # ./certutil: cannot access /home/jt/mycerts, create? [y/N] y 30 | # 31 | # 32 | # 2. Add new certificate 33 | # 34 | # $ certutil -a -n "My Cert" -i cert.pem [-d certdir] 35 | # 36 | # Note that nickname (-n) must exist. certdir is optional - if it's 37 | # not given, $PWD is used. The directory must have a file named certs.dat. 38 | # If that file doesn't exist, the script refuses to do anything. If your 39 | # certs.dat file is corrupted, "rm -rf" the whole dir and start from 40 | # the scratch. cert.pem is the actual certificate. 41 | # 42 | # 3. 
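# Delete certificate
#
# $ certutil -r -n "My Cert" [-d certdir]
#
# This command removes the certificate named "My Cert". certdir is
# optional, see 2.
#
# 4. List certificates
#
# $ certutil -l [-d certdir]
#
# And again, certdir is optional.
#
# 5. View certificate properties
#
# $ certutil -v -n "My Cert" [-d certdir]
#
#
#
# SECURITY NOTE
#
# The certificate directory is a trust store: programs given it as a CA
# path accept whatever certificates it holds. The directory and certs.dat
# are kept at mode 700/600 and temporary files are created inside the
# directory itself, never in a shared location such as /tmp.
#


# Print usage and exit with status 1.
usage() {
	cat << EOF

Usage: $0 -l [-d dir]
       -a -n name -i file [-d dir]
       -r -n name [-d dir]
       -v -n name [-d dir]

 Commands:
       -l -- List certificates (requires a valid dir)
       -a -- Add certificate and create dir if necessary
       -r -- Remove certificate (requires a valid dir)
       -v -- View certificate (requires a valid dir)

 Parameters:
       dir -- Certificate directory, or \$PWD if not given
       name -- Nickname of the certificate
       file -- Certificate file in PEM format

EOF
	exit 1
}

# Check path
#
# Verifies that $CDIR holds a certs.dat index. When adding ($ADD is 1) and
# the directory does not exist, offers to create it. Exits with status 1 if
# the user declines, creation fails, or certs.dat is missing.
check_path() {

	# check the directory
	if [ "$ADD" -eq 1 ] && [ ! -d "$CDIR" ]; then
		printf '%s' "$0: cannot access $CDIR, create? [y/N] "
		read -r LINE
		case $LINE in
		y|Y)
			# Create the directory and the index private from the
			# start instead of tightening permissions afterwards.
			mkdir -m 700 "$CDIR" || exit 1
			( umask 077 && touch "$CDIR/certs.dat" ) || exit 1
			chmod 600 "$CDIR/certs.dat"
			;;
		*)
			exit 1
			;;
		esac
	fi

	# check certs.dat
	if [ ! -e "$CDIR/certs.dat" ]; then
		echo "$0: please specify a valid cert directory"
		exit 1
	fi
}

# Add certificates
#
# Copies $FILE into $CDIR under its OpenSSL subject hash and records
# "nickname|hash" in certs.dat. Exits with status 1 if the file cannot be
# loaded, the nickname is unusable or taken, or the hash is already present.
add_cert() {
	check_path
	if [ ! -e "$FILE" ]; then
		echo "$0: cannot find $FILE"
		exit 1
	fi

	# Run openssl on its own so that a failure or an empty result is
	# detected before ".0" is appended.
	HASH=`openssl x509 -in "$FILE" -hash -noout 2>/dev/null`
	if [ $? -ne 0 ] || [ -z "$HASH" ]; then
		echo "$0: unable to load certificate $FILE"
		exit 1
	fi
	HASH="$HASH.0"

	# certs.dat is one "nickname|hash" record per line, so a nickname
	# containing '|' or a newline would corrupt the index.
	NL='
'
	case $CNAME in
	*'|'*|*"$NL"*)
		echo "$0: nickname must not contain '|' or a newline"
		exit 1
		;;
	esac

	# Compare nicknames as fixed strings; the nickname is user input and
	# must not be interpreted as a regular expression.
	if cut -d '|' -f 1 "$CDIR/certs.dat" | grep -Fx -e "$CNAME" >/dev/null 2>&1; then
		echo "$0: nickname already in use"
		exit 1
	fi

	if [ -e "$CDIR/$HASH" ]; then
		echo "$0: certificate already in directory"
		openssl x509 -in "$CDIR/$HASH" -subject -noout
		exit 1
	else
		cp "$FILE" "$CDIR/$HASH"
		chmod 600 "$CDIR/$HASH"
		printf '%s|%s\n' "$CNAME" "$HASH" >> "$CDIR/certs.dat"
		chmod 600 "$CDIR/certs.dat"
	fi

}

# List certificates
#
# (this is too slow...)
#
# Prints nickname, subject and issuer for every record in certs.dat.
list_cert() {
	check_path
	echo
	echo "Certificates in directory $CDIR"
	echo
	printf "%-30s%s\n" nickname subject/issuer
	echo "----------------------------------------------------------------------------"
	# Split on '|' only, so whitespace inside nicknames is preserved.
	while IFS='|' read -r NICK HASH; do
		SUBJECT=`openssl x509 -in "$CDIR/$HASH" -subject -noout`
		ISSUER=`openssl x509 -in "$CDIR/$HASH" -issuer -noout`
		printf "%-30s%s\n" "$NICK" "$SUBJECT"
		printf "%-30s%s\n\n" "" "$ISSUER"

	done < "$CDIR/certs.dat"
}

# Remove certificates
#
# Deletes the certificate file recorded for nickname $CNAME and rewrites
# certs.dat without that record.
remove_cert() {
	check_path

	# Build the new index next to the old one. A predictable name in a
	# world-writable directory such as /tmp could be pre-created or
	# symlinked by another local user; $CDIR is private to its owner, and
	# staying on the same filesystem keeps the final mv a plain rename.
	TMPFILE="$CDIR/certs.dat.$$"
	OLD_UMASK=`umask`
	umask 077
	if ! : > "$TMPFILE"; then
		umask "$OLD_UMASK"
		echo "$0: cannot write to $CDIR" >&2
		exit 1
	fi
	umask "$OLD_UMASK"

	while IFS='|' read -r NICK HASH; do
		if [ "$CNAME" = "$NICK" ]; then
			case $HASH in
			''|*/*)
				# The hash field names a file inside $CDIR; never
				# follow a record that points elsewhere.
				echo "$0: skipping malformed entry for \"$NICK\"" >&2
				printf '%s|%s\n' "$NICK" "$HASH"
				;;
			*)
				rm "$CDIR/$HASH"
				;;
			esac
		else
			printf '%s|%s\n' "$NICK" "$HASH"
		fi
	done < "$CDIR/certs.dat" >> "$TMPFILE"

	mv "$TMPFILE" "$CDIR/certs.dat"
	chmod 600 "$CDIR/certs.dat"
}

# View certificate
#
# Prints the certificate recorded for nickname $CNAME.
# Returns 1 when the nickname was found and 0 when it was not; the caller
# treats a zero status as "not found".
view_cert() {
	check_path
	while IFS='|' read -r NICK HASH; do
		if [ "$CNAME" = "$NICK" ]; then
			openssl x509 -in "$CDIR/$HASH" -text
			return 1
		fi
	done < "$CDIR/certs.dat"
	return 0
}

# Parse option string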
| ADD=0 199 | REMOVE=0 200 | LIST=0 201 | VIEW=0 202 | while getopts "arlvd:n:i:" OPT; do 203 | case $OPT in 204 | a) 205 | ADD=1 206 | ;; 207 | r) 208 | REMOVE=1 209 | ;; 210 | l) 211 | LIST=1 212 | ;; 213 | v) 214 | VIEW=1 215 | ;; 216 | d) 217 | CDIR=$OPTARG 218 | ;; 219 | n) 220 | CNAME=$OPTARG 221 | ;; 222 | i) 223 | FILE=$OPTARG 224 | ;; 225 | *) 226 | usage 227 | ;; 228 | esac 229 | done 230 | 231 | # Default options 232 | CDIR=${CDIR:=.} 233 | 234 | # Check command line options 235 | if [ $ADD -eq 1 -a $REMOVE -eq 0 -a $LIST -eq 0 -a $VIEW -eq 0 ]; then 236 | if [ -n "$CNAME" -a -n "$FILE" ]; then 237 | add_cert 238 | else 239 | echo "$0: missing certificate name or file" 240 | usage 241 | fi 242 | elif [ $REMOVE -eq 1 -a $ADD -eq 0 -a $LIST -eq 0 -a $VIEW -eq 0 ]; then 243 | if [ -n "$CNAME" ]; then 244 | remove_cert 245 | else 246 | echo "$0: missing certificate name" 247 | usage 248 | fi 249 | elif [ $LIST -eq 1 -a $ADD -eq 0 -a $REMOVE -eq 0 -a $VIEW -eq 0 ]; then 250 | list_cert 251 | elif [ $VIEW -eq 1 -a $ADD -eq 0 -a $REMOVE -eq 0 -a $LIST -eq 0 ]; then 252 | if [ -n "$CNAME" ]; then 253 | if view_cert; then 254 | echo "$0: cert named \"$CNAME\" not found" 255 | exit 1 256 | fi 257 | else 258 | echo "$0: missing certificate name" 259 | usage 260 | fi 261 | else 262 | usage 263 | fi 264 | -------------------------------------------------------------------------------- /install-sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # install - install a program, script, or datafile 4 | # This comes from X11R5 (mit/util/scripts/install.sh). 
5 | # 6 | # Copyright 1991 by the Massachusetts Institute of Technology 7 | # 8 | # Permission to use, copy, modify, distribute, and sell this software and its 9 | # documentation for any purpose is hereby granted without fee, provided that 10 | # the above copyright notice appear in all copies and that both that 11 | # copyright notice and this permission notice appear in supporting 12 | # documentation, and that the name of M.I.T. not be used in advertising or 13 | # publicity pertaining to distribution of the software without specific, 14 | # written prior permission. M.I.T. makes no representations about the 15 | # suitability of this software for any purpose. It is provided "as is" 16 | # without express or implied warranty. 17 | # 18 | # Calling this script install-sh is preferred over install.sh, to prevent 19 | # `make' implicit rules from creating a file called install from it 20 | # when there is no Makefile. 21 | # 22 | # This script is compatible with the BSD install script, but was written 23 | # from scratch. It can only install one file at a time, a restriction 24 | # shared with many OS's install programs. 25 | 26 | 27 | # set DOITPROG to echo to test this script 28 | 29 | # Don't use :- since 4.3BSD and earlier shells don't like it. 30 | doit="${DOITPROG-}" 31 | 32 | 33 | # put in absolute paths if you don't have them in your path; or use env. vars. 
34 | 35 | mvprog="${MVPROG-mv}" 36 | cpprog="${CPPROG-cp}" 37 | chmodprog="${CHMODPROG-chmod}" 38 | chownprog="${CHOWNPROG-chown}" 39 | chgrpprog="${CHGRPPROG-chgrp}" 40 | stripprog="${STRIPPROG-strip}" 41 | rmprog="${RMPROG-rm}" 42 | mkdirprog="${MKDIRPROG-mkdir}" 43 | 44 | transformbasename="" 45 | transform_arg="" 46 | instcmd="$mvprog" 47 | chmodcmd="$chmodprog 0755" 48 | chowncmd="" 49 | chgrpcmd="" 50 | stripcmd="" 51 | rmcmd="$rmprog -f" 52 | mvcmd="$mvprog" 53 | src="" 54 | dst="" 55 | dir_arg="" 56 | 57 | while [ x"$1" != x ]; do 58 | case $1 in 59 | -c) instcmd="$cpprog" 60 | shift 61 | continue;; 62 | 63 | -d) dir_arg=true 64 | shift 65 | continue;; 66 | 67 | -m) chmodcmd="$chmodprog $2" 68 | shift 69 | shift 70 | continue;; 71 | 72 | -o) chowncmd="$chownprog $2" 73 | shift 74 | shift 75 | continue;; 76 | 77 | -g) chgrpcmd="$chgrpprog $2" 78 | shift 79 | shift 80 | continue;; 81 | 82 | -s) stripcmd="$stripprog" 83 | shift 84 | continue;; 85 | 86 | -t=*) transformarg=`echo $1 | sed 's/-t=//'` 87 | shift 88 | continue;; 89 | 90 | -b=*) transformbasename=`echo $1 | sed 's/-b=//'` 91 | shift 92 | continue;; 93 | 94 | *) if [ x"$src" = x ] 95 | then 96 | src=$1 97 | else 98 | # this colon is to work around a 386BSD /bin/sh bug 99 | : 100 | dst=$1 101 | fi 102 | shift 103 | continue;; 104 | esac 105 | done 106 | 107 | if [ x"$src" = x ] 108 | then 109 | echo "install: no input file specified" 110 | exit 1 111 | else 112 | true 113 | fi 114 | 115 | if [ x"$dir_arg" != x ]; then 116 | dst=$src 117 | src="" 118 | 119 | if [ -d $dst ]; then 120 | instcmd=: 121 | chmodcmd="" 122 | else 123 | instcmd=mkdir 124 | fi 125 | else 126 | 127 | # Waiting for this to be detected by the "$instcmd $src $dsttmp" command 128 | # might cause directories to be created, which would be especially bad 129 | # if $src (and thus $dsttmp) contains '*'. 
130 | 131 | if [ -f $src -o -d $src ] 132 | then 133 | true 134 | else 135 | echo "install: $src does not exist" 136 | exit 1 137 | fi 138 | 139 | if [ x"$dst" = x ] 140 | then 141 | echo "install: no destination specified" 142 | exit 1 143 | else 144 | true 145 | fi 146 | 147 | # If destination is a directory, append the input filename; if your system 148 | # does not like double slashes in filenames, you may need to add some logic 149 | 150 | if [ -d $dst ] 151 | then 152 | dst="$dst"/`basename $src` 153 | else 154 | true 155 | fi 156 | fi 157 | 158 | ## this sed command emulates the dirname command 159 | dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` 160 | 161 | # Make sure that the destination directory exists. 162 | # this part is taken from Noah Friedman's mkinstalldirs script 163 | 164 | # Skip lots of stat calls in the usual case. 165 | if [ ! -d "$dstdir" ]; then 166 | defaultIFS=' 167 | ' 168 | IFS="${IFS-${defaultIFS}}" 169 | 170 | oIFS="${IFS}" 171 | # Some sh's can't handle IFS=/ for some reason. 172 | IFS='%' 173 | set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` 174 | IFS="${oIFS}" 175 | 176 | pathcomp='' 177 | 178 | while [ $# -ne 0 ] ; do 179 | pathcomp="${pathcomp}${1}" 180 | shift 181 | 182 | if [ ! -d "${pathcomp}" ] ; 183 | then 184 | $mkdirprog "${pathcomp}" 185 | else 186 | true 187 | fi 188 | 189 | pathcomp="${pathcomp}/" 190 | done 191 | fi 192 | 193 | if [ x"$dir_arg" != x ] 194 | then 195 | $doit $instcmd $dst && 196 | 197 | if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && 198 | if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && 199 | if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && 200 | if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi 201 | else 202 | 203 | # If we're going to rename the final executable, determine the name now. 
204 | 205 | if [ x"$transformarg" = x ] 206 | then 207 | dstfile=`basename $dst` 208 | else 209 | dstfile=`basename $dst $transformbasename | 210 | sed $transformarg`$transformbasename 211 | fi 212 | 213 | # don't allow the sed command to completely eliminate the filename 214 | 215 | if [ x"$dstfile" = x ] 216 | then 217 | dstfile=`basename $dst` 218 | else 219 | true 220 | fi 221 | 222 | # Make a temp file name in the proper directory. 223 | 224 | dsttmp=$dstdir/#inst.$$# 225 | 226 | # Move or copy the file name to the temp name 227 | 228 | $doit $instcmd $src $dsttmp && 229 | 230 | trap "rm -f ${dsttmp}" 0 && 231 | 232 | # and set any options; do chmod last to preserve setuid bits 233 | 234 | # If any of these fail, we abort the whole thing. If we want to 235 | # ignore errors from any of these, just make sure not to ignore 236 | # errors from the above "$doit $instcmd $src $dsttmp" command. 237 | 238 | if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && 239 | if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && 240 | if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && 241 | if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && 242 | 243 | # Now rename the file to the real destination. 
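244 | 245 | $doit $rmcmd -f $dstdir/$dstfile && 246 | $doit $mvcmd $dsttmp $dstdir/$dstfile 247 | 248 | fi && 249 | 250 | 251 | exit 0 252 | -------------------------------------------------------------------------------- /configure.in: --------------------------------------------------------------------------------
dnl Autoconf/automake input for the pam_ldap PAM module.
dnl Order of work: toolchain checks, user options, per-platform flags for
dnl linking the shared module, header and library probes, selection of the
dnl LDAP client library, then feature probes on that library.
AC_INIT(pam_ldap.c)
AC_CANONICAL_SYSTEM
AC_PREFIX_DEFAULT()

AM_INIT_AUTOMAKE(pam_ldap, 185)
AM_CONFIG_HEADER(config.h)

AC_PROG_CC
AC_PROG_CPP
AC_PROG_INSTALL

dnl User-selectable options.
dnl --disable-ssl only suppresses the probes for ldapssl_init,
dnl ldap_start_tls_s and ldap_pvt_tls_set_option further down, so their
dnl HAVE_ macros stay undefined.
dnl NOTE(review): presumably pam_ldap.c then builds without SSL/TLS. The
dnl README says a simple bind without transport security sends the password
dnl in the clear -- confirm before shipping a build configured this way.
dnl --with-ldap-secret-file only sets the path compiled into the module.
dnl NOTE(review): nothing in this file sets the mode or owner of that file;
dnl verify that the install step or the administrator restricts it.
AC_ARG_ENABLE(ypldapd, [ --enable-ypldapd enable PADL ypldapd specific features], [AC_DEFINE(YPLDAPD)])
AC_ARG_ENABLE(ssl, [ --disable-ssl disable SSL/TLS support])
AC_ARG_WITH(ldap-lib, [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
AC_ARG_WITH(ldap-dir, [ --with-ldap-dir=DIR base directory of ldap SDK])
AC_ARG_WITH(ldap-conf-file, [ --with-ldap-conf-file path to LDAP configuration file], [AC_DEFINE_UNQUOTED(PAM_LDAP_PATH_CONF, "$with_ldap_conf_file")])
AC_ARG_WITH(ldap-secret-file, [ --with-ldap-secret-file path to LDAP root secret file], [AC_DEFINE_UNQUOTED(PAM_LDAP_PATH_ROOTPASSWD, "$with_ldap_secret_file")])

if test "$ac_cv_prog_gcc" = "yes"; then CFLAGS="$CFLAGS -Wall -fPIC"; fi

dnl This is needed for the native Solaris LDAP SDK
CPPFLAGS="$CPPFLAGS -DLDAP_REFERRALS -DLDAP_DEPRECATED"

dnl Thread-safety defines differ per platform.
case "$target_os" in
freebsd*) CPPFLAGS="$CPPFLAGS -DPIC -D_REENTRANT" ;;
aix*) CPPFLAGS="$CPPFLAGS -D_THREAD_SAFE" ;;
*) CPPFLAGS="$CPPFLAGS -D_REENTRANT" ;;
esac

dnl Linker and flags used to produce the shared module. The AIX, HP-UX,
dnl Solaris and Linux arms each pass an exports.* list to the linker; the
dnl other arms do not.
dnl The HP-UX list is read here, at configure time, so it is looked up under
dnl the shell variable $srcdir. The other arms defer to the make variable
dnl $(srcdir). A bare relative path would break builds run outside the
dnl source directory.
case "$target_os" in
aix*) if test "$ac_cv_prog_gcc" = "yes"; then
    pam_ldap_so_LD="/usr/ccs/bin/ld"
  fi
  LDFLAGS="$LDFLAGS -Wl,-brtl"
  pam_ldap_so_LDFLAGS="-bM:SRE -bnoentry -bE:\$(srcdir)/exports.aix -brtl -lc"
  TARGET_OS="AIX" ;;
darwin*) pam_ldap_so_LDFLAGS="-bundle" ;;
hpux*) pam_ldap_so_LD="/bin/ld"
  pam_ldap_so_LDFLAGS="-b -dynamic -G `cat $srcdir/exports.hpux`"
  TARGET_OS="HPUX" ;;
solaris*) pam_ldap_so_LD="/usr/ccs/bin/ld"
  pam_ldap_so_LDFLAGS="-B dynamic -M \$(srcdir)/exports.solaris -G -B group -lc" ;;
linux*) pam_ldap_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux" ;;
*) pam_ldap_so_LDFLAGS="-shared" ;;
esac

AC_SUBST(pam_ldap_so_LD)
AC_SUBST(pam_ldap_so_LDFLAGS)

AM_CONDITIONAL(USE_NATIVE_LINKER, test -n "$pam_ldap_so_LD")
AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu")
AM_CONDITIONAL(EXTENSION_1, test "$TARGET_OS" = "HPUX")

dnl --with-ldap-dir adds DIR/include and DIR/lib to the search paths and
dnl also records DIR/lib as a run-time library path via -rpath, -R, +b or
dnl -blibpath.
dnl NOTE(review): the module is loaded by whatever program calls PAM, so DIR
dnl should be a location that only trusted users can write to.
if test -n "$with_ldap_dir"; then
  CPPFLAGS="$CPPFLAGS -I$with_ldap_dir/include"
  LDFLAGS="$LDFLAGS -L$with_ldap_dir/lib"
  case "$target_os" in
  aix*) LDFLAGS="$LDFLAGS -Wl,-blibpath:$with_ldap_dir/lib"
    pam_ldap_so_LDFLAGS="$pam_ldap_so_LDFLAGS -L$with_ldap_dir/lib -blibpath:$with_ldap_dir/lib" ;;
  hpux*) LDFLAGS="$LDFLAGS -Wl,+b$with_ldap_dir/lib"
    pam_ldap_so_LDFLAGS="$pam_ldap_so_LDFLAGS -L$with_ldap_dir/lib +b$with_ldap_dir/lib" ;;
  solaris*) LDFLAGS="$LDFLAGS -R$with_ldap_dir/lib"
    pam_ldap_so_LDFLAGS="$pam_ldap_so_LDFLAGS -L$with_ldap_dir/lib -R$with_ldap_dir/lib" ;;
  *) LDFLAGS="$LDFLAGS -Wl,-rpath,$with_ldap_dir/lib" ;;
  esac
fi

dnl Header probes. ldap.h is the only one whose absence aborts configure.
AC_CHECK_HEADERS(security/pam_appl.h security/pam_misc.h security/pam_modules.h)
AC_CHECK_HEADERS(pam/pam_appl.h pam/pam_misc.h pam/pam_modules.h)
AC_CHECK_HEADERS(des.h crypt.h)
AC_CHECK_HEADERS(lber.h)
AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
AC_CHECK_HEADERS(ldap_ssl.h)
AC_CHECK_HEADERS(sasl/sasl.h)
AC_CHECK_HEADERS(sasl.h)

AC_CHECK_LIB(dl, main)
AC_CHECK_LIB(pam, main)
dnl AC_CHECK_LIB(pthread, main)
AC_CHECK_LIB(resolv, main)
AC_CHECK_LIB(crypt, main)
AC_CHECK_LIB(nsl, main)

dnl Retry gethostbyname after probing libnsl again. The cached negative
dnl result has to be dropped first or the second check would be skipped.
AC_CHECK_FUNCS(gethostbyname)
if test "$ac_cv_func_gethostbyname" = "no"; then
  unset ac_cv_func_gethostbyname
  AC_CHECK_LIB(nsl, main)
  AC_CHECK_FUNCS(gethostbyname)
fi


dnl check which ldap library we have
dnl The candidates are tried in a fixed order and the first one that links
dnl wins. $with_ldap_lib is quoted so that an unexpected value cannot split
dnl into extra words inside test.
if test -z "$with_ldap_lib"; then
  with_ldap_lib=auto
fi

if test -z "$found_ldap_lib" -a \( "$with_ldap_lib" = auto -o "$with_ldap_lib" = umich -o "$with_ldap_lib" = openldap \); then
  AC_CHECK_LIB(lber, main)
  AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
fi

if test -z "$found_ldap_lib" -a \( "$with_ldap_lib" = auto -o "$with_ldap_lib" = netscape5 \); then
  AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread)
fi
if test -z "$found_ldap_lib" -a \( "$with_ldap_lib" = auto -o "$with_ldap_lib" = netscape4 \); then
  AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread)
  if test -z "$found_ldap_lib"; then
    AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread)
  fi
  if test -z "$found_ldap_lib"; then
    AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes need_pthread=no,,)
  fi
  if test -z "$found_ldap_lib"; then
    AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes need_pthread=no,,)
  fi
fi
if test -z "$found_ldap_lib" -a \( "$with_ldap_lib" = auto -o "$with_ldap_lib" = netscape3 \); then
  AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes need_pthread=yes,, -lpthread)
fi

if test -z "$found_ldap_lib"; then
  AC_MSG_ERROR(could not locate a valid LDAP library)
fi

if test "$need_pthread" = "yes"; then
  AC_CHECK_LIB(pthread, main)
fi

dnl Feature probes against the selected LDAP library.
AC_CHECK_FUNCS(ldap_init ldap_get_lderrno ldap_set_lderrno ldap_parse_result ldap_memfree ldap_controls_free ldap_set_option ldap_get_option)
if test "$enable_ssl" \!= "no"; then
  AC_CHECK_FUNCS(ldapssl_init ldap_start_tls_s ldap_pvt_tls_set_option)
fi
AC_CHECK_FUNCS(ldap_initialize)
AC_CHECK_FUNCS(ldap_sasl_bind ldap_sasl_interactive_bind_s)
AC_CHECK_FUNCS(gethostbyname_r)

dnl gethostbyname_r has 6-, 5- and 3-argument variants. Try 6, then 5, and
dnl fall back to 3.
dnl NOTE(review): the header name after #include was missing in this copy.
dnl netdb.h is where gethostbyname_r is declared; without a header name the
dnl test programs cannot compile and the check always reports 3.
if test "$ac_cv_func_gethostbyname_r" = "yes"; then
AC_CACHE_CHECK(whether gethostbyname_r takes 6 arguments, xad_cv_gethostbyname_r_args, [
AC_TRY_COMPILE([
#include <netdb.h>], [gethostbyname_r(0, 0, 0, 0, 0, 0);], [xad_cv_gethostbyname_r_args=6], [
AC_TRY_COMPILE([
#include <netdb.h>],
[gethostbyname_r(0, 0, 0, 0, 0);], [xad_cv_gethostbyname_r_args=5], [xad_cv_gethostbyname_r_args=3]
)]) ])
AC_DEFINE_UNQUOTED(GETHOSTBYNAME_R_ARGS, $xad_cv_gethostbyname_r_args)
fi

dnl ldap_set_rebind_proc takes either 2 or 3 arguments depending on the SDK.
dnl NOTE(review): both header names were missing in this copy. lber.h and
dnl ldap.h are the headers probed above -- confirm against the upstream file.
AC_CHECK_FUNCS(ldap_set_rebind_proc)
AC_CACHE_CHECK(whether ldap_set_rebind_proc takes 3 arguments, pam_ldap_cv_ldap_set_rebind_proc, [
AC_TRY_COMPILE([
#include <lber.h>
#include <ldap.h>], [ldap_set_rebind_proc(0, 0, 0);], [pam_ldap_cv_ldap_set_rebind_proc=3], [pam_ldap_cv_ldap_set_rebind_proc=2]) ])
AC_DEFINE_UNQUOTED(LDAP_SET_REBIND_PROC_ARGS, $pam_ldap_cv_ldap_set_rebind_proc)

AC_OUTPUT(Makefile)
-------------------------------------------------------------------------------- /missing: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | # Common stub for a few missing GNU programs while installing. 3 | # Copyright (C) 1996, 1997 Free Software Foundation, Inc. 4 | # Franc,ois Pinard , 1996. 5 | 6 | # This program is free software; you can redistribute it and/or modify 7 | # it under the terms of the GNU General Public License as published by 8 | # the Free Software Foundation; either version 2, or (at your option) 9 | # any later version.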

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.

# Dispatch on the name of the missing tool given as $1. Each arm prints a
# warning on stderr and then refreshes or fabricates the file that tool
# would have produced. Unknown tool names exit with status 1.

# At least the tool name is required.
if test $# -eq 0; then
  echo 1>&2 "Try \`$0 --help' for more information"
  exit 1
fi

case "$1" in

  # Any unambiguous prefix of --help is accepted.
  -h|--h|--he|--hel|--help)
    echo "\
$0 [OPTION]... PROGRAM [ARGUMENT]...

Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
error status if there is no known handling for PROGRAM.

Options:
-h, --help display this help and exit
-v, --version output version information and exit

Supported PROGRAM values:
aclocal touch file \`aclocal.m4'
autoconf touch file \`configure'
autoheader touch file \`config.h.in'
automake touch all \`Makefile.in' files
bison create \`y.tab.[ch]', if possible, from existing .[ch]
flex create \`lex.yy.c', if possible, from existing .c
lex create \`lex.yy.c', if possible, from existing .c
makeinfo touch the output file
yacc create \`y.tab.[ch]', if possible, from existing .[ch]"
    ;;

  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
    echo "missing - GNU libit 0.0"
    ;;

  # Any other option is an error.
  -*)
    echo 1>&2 "$0: Unknown \`$1' option"
    echo 1>&2 "Try \`$0 --help' for more information"
    exit 1
    ;;

  # aclocal: only the timestamp of aclocal.m4 is refreshed.
  aclocal)
    echo 1>&2 "\
WARNING: \`$1' is missing on your system. You should only need it if
you modified \`acinclude.m4' or \`configure.in'. You might want
to install the \`Automake' and \`Perl' packages. Grab them from
any GNU archive site."
    touch aclocal.m4
    ;;

  # autoconf: only the timestamp of configure is refreshed.
  autoconf)
    echo 1>&2 "\
WARNING: \`$1' is missing on your system. You should only need it if
you modified \`configure.in'. You might want to install the
\`Autoconf' and \`GNU m4' packages. Grab them from any GNU
archive site."
    touch configure
    ;;

  # autoheader: take the header names from the A[CM]_CONFIG_HEADER line of
  # configure.in, defaulting to config.h, and touch the matching template.
  autoheader)
    echo 1>&2 "\
WARNING: \`$1' is missing on your system. You should only need it if
you modified \`acconfig.h' or \`configure.in'. You might want
to install the \`Autoconf' and \`GNU m4' packages. Grab them
from any GNU archive site."
    files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' configure.in`
    test -z "$files" && files="config.h"
    touch_files=
    for f in $files; do
      case "$f" in
      # An entry containing ':' contributes the field after its first ':'.
      *:*) touch_files="$touch_files "`echo "$f" |
        sed -e 's/^[^:]*://' -e 's/:.*//'`;;
      # A plain name contributes name.in.
      *) touch_files="$touch_files $f.in";;
      esac
    done
    # Left unquoted on purpose: the variable holds a space-separated list.
    touch $touch_files
    ;;

  # automake: touch a Makefile.in beside every Makefile.am under the
  # current directory.
  automake)
    echo 1>&2 "\
WARNING: \`$1' is missing on your system. You should only need it if
you modified \`Makefile.am', \`acinclude.m4' or \`configure.in'.
You might want to install the \`Automake' and \`Perl' packages.
Grab them from any GNU archive site."
    find . -type f -name Makefile.am -print |
      sed 's/\.am$/.in/' |
      while read f; do touch "$f"; done
    ;;

  # bison/yacc: reuse an existing .c/.h next to the .y source if there is
  # one, otherwise write stub outputs.
  bison|yacc)
    echo 1>&2 "\
WARNING: \`$1' is missing on your system. You should only need it if
you modified a \`.y' file. You may need the \`Bison' package
in order for those modifications to take effect. You can get
\`Bison' from any GNU archive site."
    rm -f y.tab.c y.tab.h
    if [ $# -ne 1 ]; then
      # Only $# (the argument count) is interpolated before eval, so the
      # evaluated text is LASTARG=${N} and contains no caller-supplied text.
      eval LASTARG="\${$#}"
      case "$LASTARG" in
      *.y)
        SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
        if [ -f "$SRCFILE" ]; then
          cp "$SRCFILE" y.tab.c
        fi
        SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
        if [ -f "$SRCFILE" ]; then
          cp "$SRCFILE" y.tab.h
        fi
        ;;
      esac
    fi
    # Nothing could be copied: write an empty header and a trivial main.
    if [ ! -f y.tab.h ]; then
      echo >y.tab.h
    fi
    if [ ! -f y.tab.c ]; then
      echo 'main() { return 0; }' >y.tab.c
    fi
    ;;

  # lex/flex: same scheme as bison/yacc, with lex.yy.c as the only output.
  lex|flex)
    echo 1>&2 "\
WARNING: \`$1' is missing on your system. You should only need it if
you modified a \`.l' file. You may need the \`Flex' package
in order for those modifications to take effect. You can get
\`Flex' from any GNU archive site."
    rm -f lex.yy.c
    if [ $# -ne 1 ]; then
      eval LASTARG="\${$#}"
      case "$LASTARG" in
      *.l)
        SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
        if [ -f "$SRCFILE" ]; then
          cp "$SRCFILE" lex.yy.c
        fi
        ;;
      esac
    fi
    if [ ! -f lex.yy.c ]; then
      echo 'main() { return 0; }' >lex.yy.c
    fi
    ;;

  # makeinfo: touch the file named after -o, or failing that the name on
  # the @setfilename line of the last argument.
  makeinfo)
    echo 1>&2 "\
WARNING: \`$1' is missing on your system. You should only need it if
you modified a \`.texi' or \`.texinfo' file, or any other file
indirectly affecting the aspect of the manual. The spurious
call might also be the consequence of using a buggy \`make' (AIX,
DU, IRIX). You might want to install the \`Texinfo' package or
the \`GNU make' package. Grab either from any GNU archive site."
    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
    if test -z "$file"; then
      file=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
      file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $file`
    fi
    # NOTE(review): $file is unquoted, so a name with whitespace or glob
    # characters would be split or expanded by the shell before touch sees it.
    touch $file
    ;;

  # Anything else: no fallback is known, so fail.
  *)
    echo 1>&2 "\
WARNING: \`$1' is needed, and you do not seem to have it handy on your
system. You might have modified some files without having the
proper tools for further handling them. Check the \`README' file,
it often tells you about the needed prerequirements for installing
this package. You may also peek at any GNU archive site, in case
some other package would contain this missing \`$1' program."
    exit 1
    ;;
esac

exit 0
-------------------------------------------------------------------------------- /ns-pwd-policy.schema: -------------------------------------------------------------------------------- 1 | #ident $Id$ 2 | # 3 | # Netscape password policy schema 4 | # draft-vchu-ldap-pwd-policy-00.txt 5 | # 6 | 7 | attributetype ( 2.16.840.1.113730.3.1.97 8 | NAME 'passwordMaxAge' 9 | DESC 'the number of seconds after which user passwords will expire' 10 | EQUALITY integerMatch 11 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 12 | 13 | attributetype ( 2.16.840.1.113730.3.1.98 14 | NAME 'passwordExp' 15 | DESC 'a flag which indicates whether passwords will expire after a 16 | given number of seconds' 17 | EQUALITY booleanMatch 18 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) 19 | 20 | attributetype ( 2.16.840.1.113730.3.1.99 21 | NAME 'passwordMinLength' 22 | DESC 'the minimum number of characters that must be used in a password' 23 | EQUALITY integerMatch 24 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 25 | 26 | attributetype ( 2.16.840.1.113730.3.1.100 27 | NAME 'passwordKeepHistory' 28 | DESC 'a flag which indicates whether passwords can be reused' 29 | EQUALITY booleanMatch 30 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) 31 | 32 |
attributetype ( 2.16.840.1.113730.3.1.101 33 | NAME 'passwordInHistory' 34 | DESC 'the number of passwords the directory server stores in history' 35 | EQUALITY integerMatch 36 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 37 | 38 | attributetype ( 2.16.840.1.113730.3.1.102 39 | NAME 'passwordChange' 40 | DESC 'a flag which indicates whether users can change their passwords' 41 | EQUALITY booleanMatch 42 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) 43 | 44 | attributetype ( 2.16.840.1.113730.3.1.103 45 | NAME 'passwordCheckSyntax' 46 | DESC 'a flag which indicates whether the password syntax will be checked 47 | before the password is saved' 48 | EQUALITY booleanMatch 49 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) 50 | 51 | attributetype ( 2.16.840.1.113730.3.1.104 52 | NAME 'passwordWarning' 53 | DESC 'the number of seconds before a users password is due to expire that 54 | the user will be sent a warning message' 55 | EQUALITY integerMatch 56 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 57 | 58 | attributetype ( 2.16.840.1.113730.3.1.105 59 | NAME 'passwordLockout' 60 | DESC 'a flag which indicates whether users will be locked out of the 61 | directory after a given number of consecutive failed bind attempts' 62 | EQUALITY booleanMatch 63 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) 64 | 65 | attributetype ( 2.16.840.1.113730.3.1.106 66 | NAME 'passwordMaxFailure' 67 | DESC 'the number of consecutive failed bind attempts after which a user 68 | will be locked out of the directory' 69 | EQUALITY integerMatch 70 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 71 | 72 | attributetype ( 2.16.840.1.113730.3.1.108 73 | NAME 'passwordUnlock' 74 | DESC 'a flag which indicates whether a user will be locked out of the 75 | directory for a given number of seconds or until the administrator 76 | resets the password after an account lockout' 77 | EQUALITY booleanMatch 78 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) 79 | 80 | attributetype ( 2.16.840.1.113730.3.1.109 81 | NAME 'passwordLockoutDuration' 82 | 
DESC 'the number of seconds that users will be locked out of the directory 83 | after an account lockout' 84 | EQUALITY integerMatch 85 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 86 | 87 | attributetype ( 2.16.840.1.113730.3.1.220 88 | NAME 'passwordMustChange' 89 | DESC 'a flag which indicates whether users must change their passwords when 90 | they first bind to the directory server' 91 | EQUALITY booleanMatch 92 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) 93 | 94 | attributetype ( 2.16.840.1.113730.3.1.221 95 | NAME 'passwordStorageScheme' 96 | DESC 'the type of hash algorithm used to store directory server passwords' 97 | EQUALITY caseIgnoreMatch 98 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 99 | 100 | attributetype ( 2.16.840.1.113730.3.1.222 101 | NAME 'passwordMinAge' 102 | DESC 'the number of seconds that must elapse before a user can change their 103 | password again' 104 | EQUALITY integerMatch 105 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 106 | 107 | attributetype ( 2.16.840.1.113730.3.1.223 108 | NAME 'passwordResetFailureCount' 109 | DESC 'the number of seconds after which the password failure counter will 110 | be reset' 111 | EQUALITY integerMatch 112 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) 113 | 114 | objectclass ( 2.16.840.1.113730.3.2.13 115 | NAME 'passwordPolicy' 116 | AUXILIARY 117 | SUP top 118 | DESC 'Password Policy object class to hold password policy information' 119 | MAY ( passwordMaxAge $ passwordExp $ passwordMinLength $ 120 | passwordKeepHistory $ passwordInHistory $ passwordChange $ 121 | passwordCheckSyntax $ passwordWarning $ passwordLockout $ 122 | passwordMaxFailure $ passwordUnlock $ passwordLockoutDuration $ 123 | passwordMustChange $ passwordStorageScheme $ passwordMinAge $ 124 | passwordResetFailureCount ) 125 | ) 126 | 127 | attributetype ( 2.16.840.1.113730.3.1.91 128 | NAME 'passwordExpirationTime' 129 | DESC 'the time the entrys password expires' 130 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 131 | EQUALITY generalizedTimeMatch 132 | 
ORDERING generalizedTimeOrderingMatch 133 | SINGLE-VALUE USAGE dSAOperation ) 134 | 135 | attributetype ( 2.16.840.1.113730.3.1.92 136 | NAME 'passwordExpWarned' 137 | DESC 'a flag which indicates whether a password expiration warning is sent 138 | to the client' 139 | EQUALITY booleanMatch 140 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 141 | SINGLE-VALUE USAGE dSAOperation ) 142 | 143 | attributetype ( 2.16.840.1.113730.3.1.93 144 | NAME 'passwordRetryCount' 145 | DESC 'the count of consecutive failed password attempts' 146 | EQUALITY integerMatch 147 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 148 | SINGLE-VALUE USAGE dSAOperation ) 149 | 150 | attributetype ( 2.16.840.1.113730.3.1.94 151 | NAME 'retryCountResetTime' 152 | DESC 'the time to reset the passwordRetryCount' 153 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 154 | EQUALITY generalizedTimeMatch 155 | ORDERING generalizedTimeOrderingMatch 156 | SINGLE-VALUE USAGE dSAOperation ) 157 | 158 | attributetype ( 2.16.840.1.113730.3.1.95 159 | NAME 'accountUnlockTime' 160 | DESC 'the time that the user can bind again after an account lockout' 161 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 162 | EQUALITY generalizedTimeMatch 163 | ORDERING generalizedTimeOrderingMatch 164 | SINGLE-VALUE USAGE dSAOperation ) 165 | 166 | attributetype ( 2.16.840.1.113730.3.1.96 167 | NAME 'passwordHistory' 168 | DESC 'the history of users passwords' 169 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 170 | EQUALITY octetStringMatch USAGE dSAOperation ) 171 | 172 | attributetype ( 2.16.840.1.113730.3.1.214 173 | NAME 'passwordAllowChangeTime' 174 | DESC 'the time that the user is allowed change the password' 175 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 176 | EQUALITY generalizedTimeMatch 177 | ORDERING generalizedTimeOrderingMatch 178 | SINGLE-VALUE USAGE dSAOperation ) 179 | 180 | objectclass ( 2.16.840.1.113730.3.2.12 181 | NAME 'passwordObject' 182 | AUXILIARY 183 | SUP top 184 | DESC 'Password object class to hold password policy information for each 185 | 
entry' 186 | MAY ( passwordExpirationTime $ passwordExpWarned $ passwordRetryCount $ 187 | retryCountResetTime $ accountUnlockTime $ passwordHistory $ 188 | passwordAllowChangeTime ) 189 | ) 190 | 191 | -------------------------------------------------------------------------------- /INSTALL: -------------------------------------------------------------------------------- 1 | Basic Installation 2 | ================== 3 | 4 | These are generic installation instructions. 5 | 6 | The `configure' shell script attempts to guess correct values for 7 | various system-dependent variables used during compilation. It uses 8 | those values to create a `Makefile' in each directory of the package. 9 | It may also create one or more `.h' files containing system-dependent 10 | definitions. Finally, it creates a shell script `config.status' that 11 | you can run in the future to recreate the current configuration, a file 12 | `config.cache' that saves the results of its tests to speed up 13 | reconfiguring, and a file `config.log' containing compiler output 14 | (useful mainly for debugging `configure'). 15 | 16 | If you need to do unusual things to compile the package, please try 17 | to figure out how `configure' could check whether to do them, and mail 18 | diffs or instructions to the address given in the `README' so they can 19 | be considered for the next release. If at some point `config.cache' 20 | contains results you don't want to keep, you may remove or edit it. 21 | 22 | The file `configure.in' is used to create `configure' by a program 23 | called `autoconf'. You only need `configure.in' if you want to change 24 | it or regenerate `configure' using a newer version of `autoconf'. 25 | 26 | The simplest way to compile this package is: 27 | 28 | 1. `cd' to the directory containing the package's source code and type 29 | `./configure' to configure the package for your system. 
If you're 30 | using `csh' on an old version of System V, you might need to type 31 | `sh ./configure' instead to prevent `csh' from trying to execute 32 | `configure' itself. 33 | 34 | Running `configure' takes awhile. While running, it prints some 35 | messages telling which features it is checking for. 36 | 37 | 2. Type `make' to compile the package. 38 | 39 | 3. Optionally, type `make check' to run any self-tests that come with 40 | the package. 41 | 42 | 4. Type `make install' to install the programs and any data files and 43 | documentation. 44 | 45 | 5. You can remove the program binaries and object files from the 46 | source code directory by typing `make clean'. To also remove the 47 | files that `configure' created (so you can compile the package for 48 | a different kind of computer), type `make distclean'. There is 49 | also a `make maintainer-clean' target, but that is intended mainly 50 | for the package's developers. If you use it, you may have to get 51 | all sorts of other programs in order to regenerate files that came 52 | with the distribution. 53 | 54 | Compilers and Options 55 | ===================== 56 | 57 | Some systems require unusual options for compilation or linking that 58 | the `configure' script does not know about. You can give `configure' 59 | initial values for variables by setting them in the environment. Using 60 | a Bourne-compatible shell, you can do that on the command line like 61 | this: 62 | CC=c89 CFLAGS=-O2 LIBS=-lposix ./configure 63 | 64 | Or on systems that have the `env' program, you can do it like this: 65 | env CPPFLAGS=-I/usr/local/include LDFLAGS=-s ./configure 66 | 67 | Compiling For Multiple Architectures 68 | ==================================== 69 | 70 | You can compile the package for more than one kind of computer at the 71 | same time, by placing the object files for each architecture in their 72 | own directory. 
To do this, you must use a version of `make' that 73 | supports the `VPATH' variable, such as GNU `make'. `cd' to the 74 | directory where you want the object files and executables to go and run 75 | the `configure' script. `configure' automatically checks for the 76 | source code in the directory that `configure' is in and in `..'. 77 | 78 | If you have to use a `make' that does not support the `VPATH' 79 | variable, you have to compile the package for one architecture at a time 80 | in the source code directory. After you have installed the package for 81 | one architecture, use `make distclean' before reconfiguring for another 82 | architecture. 83 | 84 | Installation Names 85 | ================== 86 | 87 | By default, `make install' will install the package's files in 88 | `/usr/local/bin', `/usr/local/man', etc. You can specify an 89 | installation prefix other than `/usr/local' by giving `configure' the 90 | option `--prefix=PATH'. 91 | 92 | You can specify separate installation prefixes for 93 | architecture-specific files and architecture-independent files. If you 94 | give `configure' the option `--exec-prefix=PATH', the package will use 95 | PATH as the prefix for installing programs and libraries. 96 | Documentation and other data files will still use the regular prefix. 97 | 98 | In addition, if you use an unusual directory layout you can give 99 | options like `--bindir=PATH' to specify different values for particular 100 | kinds of files. Run `configure --help' for a list of the directories 101 | you can set and what kinds of files go in them. 102 | 103 | If the package supports it, you can cause programs to be installed 104 | with an extra prefix or suffix on their names by giving `configure' the 105 | option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. 
106 | 107 | Optional Features 108 | ================= 109 | 110 | Some packages pay attention to `--enable-FEATURE' options to 111 | `configure', where FEATURE indicates an optional part of the package. 112 | They may also pay attention to `--with-PACKAGE' options, where PACKAGE 113 | is something like `gnu-as' or `x' (for the X Window System). The 114 | `README' should mention any `--enable-' and `--with-' options that the 115 | package recognizes. 116 | 117 | For packages that use the X Window System, `configure' can usually 118 | find the X include and library files automatically, but if it doesn't, 119 | you can use the `configure' options `--x-includes=DIR' and 120 | `--x-libraries=DIR' to specify their locations. 121 | 122 | Specifying the System Type 123 | ========================== 124 | 125 | There may be some features `configure' can not figure out 126 | automatically, but needs to determine by the type of host the package 127 | will run on. Usually `configure' can figure that out, but if it prints 128 | a message saying it can not guess the host type, give it the 129 | `--host=TYPE' option. TYPE can either be a short name for the system 130 | type, such as `sun4', or a canonical name with three fields: 131 | CPU-COMPANY-SYSTEM 132 | 133 | See the file `config.sub' for the possible values of each field. If 134 | `config.sub' isn't included in this package, then this package doesn't 135 | need to know the host type. 136 | 137 | If you are building compiler tools for cross-compiling, you can also 138 | use the `--target=TYPE' option to select the type of system they will 139 | produce code for and the `--build=TYPE' option to select the type of 140 | system on which you are compiling the package. 
141 | 142 | Sharing Defaults 143 | ================ 144 | 145 | If you want to set default values for `configure' scripts to share, 146 | you can create a site shell script called `config.site' that gives 147 | default values for variables like `CC', `cache_file', and `prefix'. 148 | `configure' looks for `PREFIX/share/config.site' if it exists, then 149 | `PREFIX/etc/config.site' if it exists. Or, you can set the 150 | `CONFIG_SITE' environment variable to the location of the site script. 151 | A warning: not all `configure' scripts look for a site script. 152 | 153 | Operation Controls 154 | ================== 155 | 156 | `configure' recognizes the following options to control how it 157 | operates. 158 | 159 | `--cache-file=FILE' 160 | Use and save the results of the tests in FILE instead of 161 | `./config.cache'. Set FILE to `/dev/null' to disable caching, for 162 | debugging `configure'. 163 | 164 | `--help' 165 | Print a summary of the options to `configure', and exit. 166 | 167 | `--quiet' 168 | `--silent' 169 | `-q' 170 | Do not print messages saying which checks are being made. To 171 | suppress all normal output, redirect it to `/dev/null' (any error 172 | messages will still be shown). 173 | 174 | `--srcdir=DIR' 175 | Look for the package's source code in directory DIR. Usually 176 | `configure' can determine that directory automatically. 177 | 178 | `--version' 179 | Print the version of Autoconf used to generate the `configure' 180 | script, and exit. 181 | 182 | `configure' also accepts some other, not widely useful, options. 183 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | 2 | This is yet another pam_ldap module. 
3 | 4 | The advantages of this particular version are: 5 | 6 | o Support for changing passwords in LDAP, optionally 7 | with NDS or Active Directory servers 8 | 9 | o Support for the V3 client API and protocol (to minimize 10 | rebinds) 11 | 12 | o Support for Netscape's SSL API and proprietary extensions 13 | 14 | o Compatibility with the nss_ldap configuration file format 15 | and POSIX configuration profile semantics 16 | 17 | o Supports ypldapd LDAP locator for plug-and-play installation 18 | 19 | o Supports Netscape Directory Server 3.x password policies and 20 | password expiration controls 21 | 22 | o Supports access authorization on the "host" attribute of the 23 | account objectclass, and on group membership 24 | 25 | o Supports generating crypted hashes locally for use with 26 | OpenLDAP and other University of Michigan derived LDAP 27 | servers 28 | 29 | o Bundled with Debian (Potato) and RedHat (Rawhide) 30 | distributions. 31 | 32 | The module builds under both Linux 2.x and Solaris 2.x (see note below 33 | regarding Solaris 7 - aka Solaris 2.7 - and above). NOTE - you MUST 34 | use GNU Make (Solaris Make will not work). 35 | 36 | Thanks to fellow Aussie Chris Albone who wrote the initial 37 | pam_ldap_auth module. 38 | 39 | I am indebted to Doug Nazar for his contributions to 40 | this software. 41 | 42 | I've tested this with Netscape Directory Server 3.1 under NT and 43 | Solaris, the University of Michigan LDAP server, and Microsoft's 44 | Exchange Server. 45 | 46 | pam_ldap is only secure if used with a secure SASL mechanism (like 47 | CRAM-MD5) or with transport security (like SSL/TLS). With simple 48 | authentication and no transport security, it is less secure than using UNIX hashed passwords, 49 | because the LDAP bind request sends the password in the clear, where anyone who can observe the traffic between this host and the LDAP server can read it. 
50 | 51 | Here are some possible deployment scenarios: 52 | 53 | o pam_ldap with account information in /etc flat files, 54 | kept manually in sync with LDAP 55 | 56 | o pam_ldap with account information in LDAP, using 57 | nss_ldap 58 | 59 | o pam_ldap with account information in NIS, using 60 | ypldapd 61 | 62 | FAQS 63 | ==== 64 | 65 | Don't forget to ensure that pam_ldap's link dependencies are 66 | satisfied after installation (you can verify this by doing 67 | ldd /usr/lib/security/pam_ldap.so.1). You must ensure that 68 | any libraries that it depends on (such as the LDAP client 69 | library) can be located by the dynamic linker. Otherwise, 70 | libpam may fail to load the pam_ldap module. 71 | 72 | Q: Using the Netscape LDAP library with pam_ldap on Solaris 8 73 | - aka Solaris 2.8 - fails to link properly! David Begley writes: 74 | 75 | There are two releases of the Netscape LDAP library, one marked 76 | for Solaris 8 and the other marked for Solaris 2.6 - the additional 77 | catch is that the Solaris 8 library is a 64-bit library (this is marked 78 | on Netscape's site) whilst the other is a 32-bit library. 79 | 80 | It doesn't matter if you have a 64-bit UltraSPARC processor running 81 | the 64-bit Solaris kernel, if your compiler only works with 32-bit 82 | objects then it won't successfully link the 64-bit Solaris 8 83 | Netscape LDAP library. 84 | 85 | GCC (up to version 2.95.2) does not work properly with 64-bit objects 86 | under Solaris, so just use the Solaris 2.6 (32-bit) Netscape LDAP 87 | library and everything should be fine. 88 | 89 | Q: Can I use a third-party client LDAP library (such as Netscape's) 90 | on Solaris 7? David Begley writes: 91 | 92 | Yes, but if you have the Solaris 7 LDAP library installed (package 93 | SUNWlldap or SUNWldapx) configure will find it before the third-party 94 | library - in this case, you can't rely on the auto-lib-type detection of 95 | configure and must use the "--with-ldap-lib=" parameter. 
96 | 97 | Q: Why does linking fail on Solaris 2.6 (complaining about 98 | relocations remaining against libcrypt)? David Begley 99 | writes: 100 | 101 | In short, the problem is that GCC is looking for a shared libcrypt 102 | (in response to the "--shared" parameter) which doesn't exist on 103 | Solaris 2.6 (but does on Solaris 7). The fix is quite simple, use 104 | "-G" instead of "--shared" (could this be a GCC bug?). This change 105 | should already be included in newer versions of pam_ldap. 106 | 107 | It doesn't look like libcrypt is even needed if you're using the 108 | Netscape LDAP client library (maybe it's required for OpenLDAP?). 109 | 110 | Q: Where is ldap_ssl.h? It's in the Netscape LDAP 111 | C SDK. Download it from developer.netscape.com. If you 112 | don't want to use SSL, remove -DSSL from CFLAGS. I 113 | don't have any experience building with the SSL/TLS 114 | support in OpenLDAP. 115 | 116 | Q: I get an undefined symbol "re_comp" under 117 | FreeBSD. Try linking against libgnuregex (set 118 | LDFLAGS=-lgnuregex before configuring). 119 | 120 | Q: I get undefined symbols "pam_sm_authenticate" 121 | &c. Make sure that you compile with -DPIC, eg: 122 | CFLAGS=-DPIC LDFLAGS=-lgnuregex ./configure 123 | 124 | Q: The pam_nds_passwd, pam_ad_passwd, and 125 | pam_crypt options don't seem to work anymore. Why? 126 | These have been replaced with the pam_password 127 | attribute, which takes the values: 128 | 129 | pam_password [clear|crypt|md5|nds|ad|exop] 130 | 131 | clear -- send the new password in cleartext to 132 | the server. Use with Netscape 133 | Directory Server, others. 134 | 135 | crypt -- crypt the password using the UNIX 136 | crypt(3) library call before updating 137 | userPassword.
138 | 139 | md5 -- use inbuilt MD5 code to hash password 140 | 141 | nds -- do the right thing for updating 142 | NDS passwords 143 | 144 | ad -- do the right thing for updating 145 | Active Directory passwords 146 | 147 | exop -- use the password change extended 148 | operation, used by OpenLDAP 149 | 150 | Q: Connecting to my LDAPv2 server used to 151 | work, but doesn't anymore. Why? 152 | LDAPv3 is now the default protocol. To 153 | use LDAPv2, if your client library doesn't 154 | fall back automatically, set 155 | 156 | ldap_version 2 157 | 158 | in /etc/ldap.conf. 159 | 160 | Scott M. Stone writes: 161 | Your openldap libs *and* your SSL/RSAREF libs must be DYNAMIC LIBRARIES 162 | or neither nss_ldap nor pam_ldap will work. 163 | 164 | Q: Solaris stdio bug 165 | 166 | Mark Blackman writes: 167 | 168 | Our problem was triggered by the Solaris bug where stdio can 169 | only open 256 STREAMS (fopen), i.e. 170 | From http://www.science.uva.nl/pub/solaris/solaris2.html 171 | 172 | "Programs using stdio or even library calls that use stdio may break when they 173 | have more than 256 files open as that is the stdio limit. Programs using many 174 | filedescriptors should try and reserve a number of low numbered file 175 | descriptors for use by stdio." 176 | 177 | We are running a large application from Critical Path (imsd) and they open 178 | thousands of file descriptors under load. This is not a problem, however after 179 | all these descriptors are open and when pam_ldap is loaded/called and it 180 | attempts to open its config file '/etc/ldap.conf', it fails because of the 181 | stdio bug that internally casts the 'int' file descriptor to a 'char' 182 | representation in the FILEHANDLE structure.
183 | 184 | To remedy this, we recommend that pam_ldap either keeps a set of compile time 185 | specified defaults in the binary and harmlessly ignores the absence 186 | of '/etc/ldap.conf' or to rewrite config file routines to use 187 | open/close instead of the STREAMS version fopen/fclose or 188 | to make it easy to link against SFIO 189 | (http://www.research.att.com/sw/tools/sfio/) 190 | 191 | Q: On Solaris, the following error was reported when OpenLDAP was 192 | compiled shared but OpenSSL not: 193 | 194 | fatal: relocation error: file /opt/lib/libldap.so.2: symbol 195 | SSL_load_error_strings: referenced symbol not found 196 | 197 | The workaround was to remove -M mapfile from the Makefile. 198 | 199 | SUPPORT 200 | ======= 201 | 202 | To discuss pam_ldap and related technologies, you may 203 | subscribe to the following mailing lists: 204 | 205 | 206 | and 207 | 208 | 209 | Send an electronic mail message with "subscribe" in the 210 | message body to join the list. 211 | 212 | Note that PADL now offer commercial support on a 213 | per-incident basis. 214 | 215 | To request a support incident, send email to: 216 | 217 | 218 | 219 | -- 220 | PADL Software Pty Ltd 221 | pamldap-support@padl.com 222 | http://www.padl.com/ 223 | 224 | -------------------------------------------------------------------------------- /ldap.conf: -------------------------------------------------------------------------------- 1 | # @(#)$Id$ 2 | # 3 | # This is the configuration file for the LDAP nameservice 4 | # switch library and the LDAP PAM module. 5 | # 6 | # PADL Software 7 | # http://www.padl.com 8 | # 9 | 10 | # Your LDAP server. Must be resolvable without using LDAP. 11 | # Multiple hosts may be specified, each separated by a 12 | # space. How long nss_ldap takes to failover depends on 13 | # whether your LDAP client library supports configurable 14 | # network or connect timeouts (see bind_timelimit). 15 | host 127.0.0.1 16 | 17 | # The distinguished name of the search base.
18 | base dc=padl,dc=com 19 | 20 | # Another way to specify your LDAP server is to provide a 21 | # URI with the server name. This allows the use of 22 | # Unix Domain Sockets to connect to a local LDAP Server. 23 | #uri ldap://127.0.0.1/ 24 | #uri ldaps://127.0.0.1/ 25 | #uri ldapi://%2fvar%2frun%2fldapi_sock/ 26 | # Note: %2f encodes the '/' used as directory separator 27 | 28 | # The LDAP version to use (defaults to 3 29 | # if supported by client library) 30 | #ldap_version 3 31 | 32 | # The distinguished name to bind to the server with. 33 | # Optional: default is to bind anonymously. 34 | #binddn cn=proxyuser,dc=padl,dc=com 35 | 36 | # The credentials to bind with. 37 | # Optional: default is no credential. Unlike /etc/ldap.secret, this file is typically readable by all local users, so bind with an account that has only the directory access it needs. 38 | #bindpw secret 39 | 40 | # The distinguished name to bind to the server with 41 | # if the effective user ID is root. Password is 42 | # stored in /etc/ldap.secret (mode 600) 43 | #rootbinddn cn=manager,dc=padl,dc=com 44 | 45 | # The port. 46 | # Optional: default is 389. 47 | #port 389 48 | 49 | # The search scope. 50 | #scope sub 51 | #scope one 52 | #scope base 53 | 54 | # Search timelimit 55 | #timelimit 30 56 | 57 | # Bind/connect timelimit 58 | #bind_timelimit 30 59 | 60 | # Reconnect policy: hard (default) will retry connecting to 61 | # the software with exponential backoff, soft will fail 62 | # immediately. 63 | #bind_policy hard 64 | 65 | # Idle timelimit; client will close connections 66 | # (nss_ldap only) if the server has not been contacted 67 | # for the number of seconds specified below.
68 | #idle_timelimit 3600 69 | 70 | # Filter to AND with uid=%s 71 | #pam_filter objectclass=account 72 | 73 | # The user ID attribute (defaults to uid) 74 | #pam_login_attribute uid 75 | 76 | # Search the root DSE for the password policy (works 77 | # with Netscape Directory Server) 78 | #pam_lookup_policy yes 79 | 80 | # Check the 'host' attribute for access control 81 | # Default is no; if set to yes, and user has no 82 | # value for the host attribute, and pam_ldap is 83 | # configured for account management (authorization) 84 | # then the user will not be allowed to log in. 85 | #pam_check_host_attr yes 86 | 87 | # Check the 'authorizedService' attribute for access 88 | # control 89 | # Default is no; if set to yes, and the user has no 90 | # value for the authorizedService attribute, and 91 | # pam_ldap is configured for account management 92 | # (authorization) then the user will not be allowed 93 | # to log in. 94 | #pam_check_service_attr yes 95 | 96 | # Group to enforce membership of 97 | #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com 98 | 99 | # Group member attribute 100 | #pam_member_attribute uniquemember 101 | 102 | # Specify a minimum or maximum UID number allowed 103 | #pam_min_uid 0 104 | #pam_max_uid 0 105 | 106 | # Template login attribute, default template user 107 | # (can be overridden by value of former attribute 108 | # in user's entry) 109 | #pam_login_attribute userPrincipalName 110 | #pam_template_login_attribute uid 111 | #pam_template_login nobody 112 | 113 | # HEADS UP: the pam_crypt, pam_nds_passwd, 114 | # and pam_ad_passwd options are no 115 | # longer supported. 116 | # 117 | # Do not hash the password at all; presume 118 | # the directory server will do it, if 119 | # necessary. This is the default.
120 | #pam_password clear 121 | 122 | # Hash password locally; required for University of 123 | # Michigan LDAP server, and works with Netscape 124 | # Directory Server if you're using the UNIX-Crypt 125 | # hash mechanism and not using the NT Synchronization 126 | # service. 127 | #pam_password crypt 128 | 129 | # Remove old password first, then update in 130 | # cleartext. Necessary for use with Novell 131 | # Directory Services (NDS) 132 | #pam_password clear_remove_old 133 | #pam_password nds 134 | 135 | # RACF is an alias for the above. For use with 136 | # IBM RACF 137 | #pam_password racf 138 | 139 | # Update Active Directory password, by 140 | # creating Unicode password and updating 141 | # unicodePwd attribute. 142 | #pam_password ad 143 | 144 | # Use the OpenLDAP password change 145 | # extended operation to update the password. 146 | #pam_password exop 147 | 148 | # Redirect users to a URL or somesuch on password 149 | # changes. 150 | #pam_password_prohibit_message Please visit http://internal to change your password. 151 | 152 | # RFC2307bis naming contexts 153 | # Syntax: 154 | # nss_base_XXX base?scope?filter 155 | # where scope is {base,one,sub} 156 | # and filter is a filter to be &'d with the 157 | # default filter. 158 | # You can omit the suffix eg: 159 | # nss_base_passwd ou=People, 160 | # to append the default base DN but this 161 | # may incur a small performance impact. 
162 | #nss_base_passwd ou=People,dc=padl,dc=com?one 163 | #nss_base_shadow ou=People,dc=padl,dc=com?one 164 | #nss_base_group ou=Group,dc=padl,dc=com?one 165 | #nss_base_hosts ou=Hosts,dc=padl,dc=com?one 166 | #nss_base_services ou=Services,dc=padl,dc=com?one 167 | #nss_base_networks ou=Networks,dc=padl,dc=com?one 168 | #nss_base_protocols ou=Protocols,dc=padl,dc=com?one 169 | #nss_base_rpc ou=Rpc,dc=padl,dc=com?one 170 | #nss_base_ethers ou=Ethers,dc=padl,dc=com?one 171 | #nss_base_netmasks ou=Networks,dc=padl,dc=com?one 172 | #nss_base_bootparams ou=Ethers,dc=padl,dc=com?one 173 | #nss_base_aliases ou=Aliases,dc=padl,dc=com?one 174 | #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one 175 | 176 | # attribute/objectclass mapping 177 | # Syntax: 178 | #nss_map_attribute rfc2307attribute mapped_attribute 179 | #nss_map_objectclass rfc2307objectclass mapped_objectclass 180 | 181 | # configure --enable-nds is no longer supported. 182 | # NDS mappings 183 | #nss_map_attribute uniqueMember member 184 | 185 | # Services for UNIX 3.5 mappings 186 | #nss_map_objectclass posixAccount User 187 | #nss_map_objectclass shadowAccount User 188 | #nss_map_attribute uid msSFU30Name 189 | #nss_map_attribute uniqueMember msSFU30PosixMember 190 | #nss_map_attribute userPassword msSFU30Password 191 | #nss_map_attribute homeDirectory msSFU30HomeDirectory 192 | #nss_map_attribute homeDirectory msSFUHomeDirectory 193 | #nss_map_objectclass posixGroup Group 194 | #pam_login_attribute msSFU30Name 195 | #pam_filter objectclass=User 196 | #pam_password ad 197 | 198 | # configure --enable-mssfu-schema is no longer supported.
199 | # Services for UNIX 2.0 mappings 200 | #nss_map_objectclass posixAccount User 201 | #nss_map_objectclass shadowAccount user 202 | #nss_map_attribute uid msSFUName 203 | #nss_map_attribute uniqueMember posixMember 204 | #nss_map_attribute userPassword msSFUPassword 205 | #nss_map_attribute homeDirectory msSFUHomeDirectory 206 | #nss_map_attribute shadowLastChange pwdLastSet 207 | #nss_map_objectclass posixGroup Group 208 | #nss_map_attribute cn msSFUName 209 | #pam_login_attribute msSFUName 210 | #pam_filter objectclass=User 211 | #pam_password ad 212 | 213 | # RFC 2307 (AD) mappings 214 | #nss_map_objectclass posixAccount user 215 | #nss_map_objectclass shadowAccount user 216 | #nss_map_attribute uid sAMAccountName 217 | #nss_map_attribute homeDirectory unixHomeDirectory 218 | #nss_map_attribute shadowLastChange pwdLastSet 219 | #nss_map_objectclass posixGroup group 220 | #nss_map_attribute uniqueMember member 221 | #pam_login_attribute sAMAccountName 222 | #pam_filter objectclass=User 223 | #pam_password ad 224 | 225 | # configure --enable-authpassword is no longer supported 226 | # AuthPassword mappings 227 | #nss_map_attribute userPassword authPassword 228 | 229 | # AIX SecureWay mappings 230 | #nss_map_objectclass posixAccount aixAccount 231 | #nss_base_passwd ou=aixaccount,?one 232 | #nss_map_attribute uid userName 233 | #nss_map_attribute gidNumber gid 234 | #nss_map_attribute uidNumber uid 235 | #nss_map_attribute userPassword passwordChar 236 | #nss_map_objectclass posixGroup aixAccessGroup 237 | #nss_base_group ou=aixgroup,?one 238 | #nss_map_attribute cn groupName 239 | #nss_map_attribute uniqueMember member 240 | #pam_login_attribute userName 241 | #pam_filter objectclass=aixAccount 242 | #pam_password clear 243 | 244 | # Netscape SDK LDAPS 245 | #ssl on 246 | 247 | # Netscape SDK SSL options 248 | #sslpath /etc/ssl/certs 249 | 250 | # OpenLDAP SSL mechanism 251 | # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 252 | #ssl 
start_tls 253 | #ssl on 254 | 255 | # OpenLDAP SSL options 256 | # Require and verify server certificate (yes/no) 257 | # Default is to use libldap's default behavior, which can be configured in 258 | # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for 259 | # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". Set this explicitly so that verification does not depend on the library default; without it, SSL/TLS does not authenticate the server. 260 | #tls_checkpeer yes 261 | 262 | # CA certificates for server certificate verification 263 | # At least one of these is required if tls_checkpeer is "yes" 264 | #tls_cacertfile /etc/ssl/ca.cert 265 | #tls_cacertdir /etc/ssl/certs 266 | 267 | # Seed the PRNG if /dev/urandom is not provided 268 | #tls_randfile /var/run/egd-pool 269 | 270 | # SSL cipher suite 271 | # See man ciphers for syntax 272 | #tls_ciphers TLSv1 273 | 274 | # Client certificate and key 275 | # Use these, if your server requires client authentication. 276 | #tls_cert 277 | #tls_key 278 | 279 | # Disable SASL security layers. This is needed for AD. 280 | #sasl_secprops maxssf=0 281 | 282 | # Override the default Kerberos ticket cache location. 283 | #krb5_ccname FILE:/etc/.ldapcache 284 | 285 | # SASL mechanism for PAM authentication - use is experimental 286 | # at present and does not support password policy control 287 | #pam_sasl_mech DIGEST-MD5 288 | -------------------------------------------------------------------------------- /pam_ldap.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 1998-2004 Luke Howard. 3 | * This file is part of the pam_ldap library. 4 | * Contributed by Luke Howard, , 1998. 5 | * 6 | * The pam_ldap library is free software; you can redistribute it and/or 7 | * modify it under the terms of the GNU Library General Public License as 8 | * published by the Free Software Foundation; either version 2 of the 9 | * License, or (at your option) any later version.
10 | * 11 | * The pam_ldap library is distributed in the hope that it will be useful, 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 | * Library General Public License for more details. 15 | * 16 | * You should have received a copy of the GNU Library General Public 17 | * License along with the pam_ldap library; see the file COPYING.LIB. If not, 18 | * write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, 19 | * Boston, MA 02111-1307, USA. 20 | */ 21 | 22 | #ifdef HAVE_SECURITY_PAM_APPL_H 23 | #include 24 | #elif defined(HAVE_PAM_PAM_APPL_H) 25 | #include 26 | #endif 27 | 28 | #ifdef HAVE_SECURITY_PAM_MISC_H 29 | #include 30 | #elif defined(HAVE_PAM_PAM_MISC_H) 31 | #include 32 | #endif 33 | 34 | #ifndef HAVE_PAM_PAM_MODULES_H 35 | #include 36 | #else 37 | #include 38 | #endif 39 | 40 | typedef struct pam_ssd 41 | { 42 | char *base; 43 | int scope; 44 | char *filter; 45 | struct pam_ssd *next; 46 | } pam_ssd_t; 47 | 48 | /* /etc/ldap.conf nss_ldap-style configuration */ 49 | typedef struct pam_ldap_config 50 | { 51 | /* file name read from */ 52 | char *configFile; 53 | /* URI */ 54 | char *uri; 55 | /* space delimited list of servers */ 56 | char *host; 57 | /* port, expected to be common to all servers */ 58 | int port; 59 | /* base DN, eg. 
dc=gnu,dc=org */ 60 | char *base; 61 | /* scope for searches */ 62 | int scope; 63 | /* deref policy */ 64 | int deref; 65 | /* bind dn/pw for "anonymous" authentication */ 66 | char *binddn; 67 | char *bindpw; 68 | /* bind dn/pw for "root" authentication */ 69 | char *rootbinddn; 70 | char *rootbindpw; 71 | /* SSL config states */ 72 | #define SSL_OFF 0 73 | #define SSL_LDAPS 1 74 | #define SSL_START_TLS 2 75 | int ssl_on; 76 | /* SSL path */ 77 | char *sslpath; 78 | /* list of SSDs to augment defaults */ 79 | pam_ssd_t *ssd; 80 | /* filter to AND with uid=%s */ 81 | char *filter; 82 | /* attribute to search on; defaults to uid. Use CN with ADS? */ 83 | char *userattr; 84 | /* attribute to set PAM_USER based on */ 85 | char *tmplattr; 86 | /* default template user */ 87 | char *tmpluser; 88 | /* search for Netscape password policy */ 89 | int getpolicy; 90 | /* host attribute checking, for access authorization */ 91 | int checkhostattr; 92 | /* service attribute checking, for access authorization */ 93 | int checkserviceattr; 94 | /* group name; optional, for access authorization */ 95 | char *groupdn; 96 | /* group membership attribute; defaults to uniquemember */ 97 | char *groupattr; 98 | /* LDAP protocol version */ 99 | int version; 100 | /* search timelimit */ 101 | int timelimit; 102 | /* bind timelimit */ 103 | int bind_timelimit; 104 | /* automatically chase referrals */ 105 | int referrals; 106 | /* restart interrupted syscalls, OpenLDAP only */ 107 | int restart; 108 | /* chauthtok config states */ 109 | #define PASSWORD_CLEAR 0 110 | #define PASSWORD_CRYPT 1 111 | #define PASSWORD_MD5 2 112 | #define PASSWORD_CLEAR_REMOVE_OLD 3 113 | #define PASSWORD_AD 4 114 | #define PASSWORD_EXOP 5 115 | #define PASSWORD_EXOP_SEND_OLD 6 116 | int password_type; 117 | /* stop all changes, present message */ 118 | char *password_prohibit_message; 119 | /* min uid */ 120 | uid_t min_uid; 121 | /* max uid */ 122 | uid_t max_uid; 123 | /* tls check peer */ 124 | int 
tls_checkpeer; 125 | /* tls ca certificate file */ 126 | char *tls_cacertfile; 127 | /* tls ca certificate dir */ 128 | char *tls_cacertdir; 129 | /* tls ciphersuite */ 130 | char *tls_ciphers; 131 | /* tls certificate */ 132 | char *tls_cert; 133 | /* tls key */ 134 | char *tls_key; 135 | /* tls randfile */ 136 | char *tls_randfile; 137 | /* directory for debug files */ 138 | char *logdir; 139 | /* ldap debug level */ 140 | int debug; 141 | /* SASL mechanism */ 142 | char *sasl_mechanism; 143 | } 144 | pam_ldap_config_t; 145 | 146 | /* Netscape global password policy attributes */ 147 | typedef struct pam_ldap_password_policy 148 | { 149 | int password_change; 150 | int password_check_syntax; 151 | int password_min_length; 152 | int password_exp; 153 | int password_max_age; 154 | int password_warning; 155 | int password_keep_history; 156 | int password_in_history; 157 | int password_lockout; 158 | int password_max_failure; 159 | int password_unlock; 160 | int password_lockout_duration; 161 | int password_reset_duration; 162 | } 163 | pam_ldap_password_policy_t; 164 | 165 | /* Standard Unix style shadow controls */ 166 | typedef struct pam_ldap_shadow 167 | { 168 | int shadowacct; /* is shadowAccount */ 169 | long int lstchg; /* Date of last change. */ 170 | long int min; /* Minimum number of days between changes. */ 171 | long int max; /* Maximum number of days between changes. */ 172 | long int warn; /* Number of days to warn user to change 173 | the password. */ 174 | long int inact; /* Number of days the account may be 175 | inactive. */ 176 | long int expire; /* Number of days since 1970-01-01 until 177 | account expires. */ 178 | long int flag; /* Reserved. 
*/ 179 | } 180 | pam_ldap_shadow_t; 181 | 182 | /* Password controls sent to client */ 183 | #ifndef LDAP_CONTROL_PWEXPIRED 184 | #define LDAP_CONTROL_PWEXPIRED "2.16.840.1.113730.3.4.4" 185 | #endif /* LDAP_CONTROL_PWEXPIRED */ 186 | #ifndef LDAP_CONTROL_PWEXPIRING 187 | #define LDAP_CONTROL_PWEXPIRING "2.16.840.1.113730.3.4.5" 188 | #endif /* LDAP_CONTROL_PWEXPIRING */ 189 | #ifndef LDAP_CONTROL_PASSWORDPOLICYREQUEST 190 | #define LDAP_CONTROL_PASSWORDPOLICYREQUEST "1.3.6.1.4.1.42.2.27.8.5.1" 191 | #endif /* LDAP_CONTROL_PASSWORDPOLICYREQUEST */ 192 | #ifndef LDAP_CONTROL_PASSWORDPOLICYRESPONSE 193 | #define LDAP_CONTROL_PASSWORDPOLICYRESPONSE "1.3.6.1.4.1.42.2.27.8.5.1" 194 | #endif /* LDAP_CONTROL_PASSWORDPOLICYRESPONSE */ 195 | 196 | #define POLICY_WARN_TIME_BEFORE_EXPIRATION 128 197 | #define POLICY_WARN_GRACE_LOGINS_REMAINING 129 198 | 199 | #define POLICY_ERROR_SUCCESS -1 200 | #define POLICY_ERROR_PASSWORD_EXPIRED 0 201 | #define POLICY_ERROR_ACCOUNT_LOCKED 1 202 | #define POLICY_ERROR_CHANGE_AFTER_RESET 2 203 | #define POLICY_ERROR_PASSWORD_MOD_NOT_ALLOWED 3 204 | #define POLICY_ERROR_MUST_SUPPLY_OLD_PASSWORD 4 205 | #define POLICY_ERROR_INSUFFICIENT_PASSWORD_QUALITY 5 206 | #define POLICY_ERROR_PASSWORD_TOO_SHORT 6 207 | #define POLICY_ERROR_PASSWORD_TOO_YOUNG 7 208 | #define POLICY_ERROR_PASSWORD_INSUFFICIENT 8 209 | 210 | #ifndef LDAP_OPT_ON 211 | #define LDAP_OPT_ON ((void *) 1) 212 | #endif /* LDAP_OPT_ON */ 213 | #ifndef LDAP_OPT_OFF 214 | #define LDAP_OPT_OFF ((void *) 0) 215 | #endif /* LDAP_OPT_OFF */ 216 | 217 | #if defined(LDAP_EXOP_X_MODIFY_PASSWD) && !defined(LDAP_EXOP_MODIFY_PASSWD) 218 | #define LDAP_EXOP_MODIFY_PASSWD LDAP_EXOP_X_MODIFY_PASSWD 219 | #define LDAP_TAG_EXOP_MODIFY_PASSWD_ID LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID 220 | #define LDAP_TAG_EXOP_MODIFY_PASSWD_OLD LDAP_TAG_EXOP_X_MODIFY_PASSWD_OLD 221 | #define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW 222 | #endif 223 | 224 | /* Seconds in a day */ 225 | #define 
SECSPERDAY 86400 226 | 227 | /* Netscape per-use password attributes. Unused except for DN. */ 228 | typedef struct pam_ldap_user_info 229 | { 230 | /* user name, to validate info cache */ 231 | char *username; 232 | /* DN of user in directory */ 233 | char *userdn; 234 | /* temporary cache of user's bind credentials for rebind function */ 235 | char *userpw; 236 | /* host attribute from account objectclass */ 237 | char **hosts_allow; 238 | char **services_allow; 239 | /* seconds until password expires */ 240 | long password_expiration_time; 241 | /* grace logins remaining */ 242 | int grace_logins_remaining; 243 | /* password policy error */ 244 | int policy_error; 245 | /* bound as user DN */ 246 | int bound_as_user; 247 | /* user ID */ 248 | uid_t uid; 249 | /* mapped user */ 250 | char *tmpluser; 251 | /* shadow stuff */ 252 | pam_ldap_shadow_t shadow; 253 | } 254 | pam_ldap_user_info_t; 255 | 256 | /* 257 | * Per PAM-call LDAP session. We keep the user info and 258 | * LDAP handle cached to minimize binds and searches to 259 | * the directory, particularly as you can't rebind within 260 | * a V2 session. 
261 | */ 262 | typedef struct pam_ldap_session 263 | { 264 | LDAP *ld; 265 | pam_ldap_config_t *conf; 266 | pam_ldap_user_info_t *info; 267 | } 268 | pam_ldap_session_t; 269 | 270 | #define OLD_PASSWORD_PROMPT "Enter login(LDAP) password: " 271 | #define NEW_PASSWORD_PROMPT "New password: " 272 | #define AGAIN_PASSWORD_PROMPT "Re-enter new password: " 273 | 274 | /* pam_ldap session */ 275 | #define PADL_LDAP_SESSION_DATA "PADL-LDAP-SESSION-DATA" 276 | /* expired user */ 277 | #define PADL_LDAP_AUTHTOK_DATA "PADL-LDAP-AUTHTOK-DATA" 278 | /* non-template user (pre-mapping) */ 279 | #define PADL_LDAP_AUTH_DATA "PADL-LDAP-AUTH-DATA" 280 | /* authtok for Solaris */ 281 | #define PADL_LDAP_OLDAUTHTOK_DATA "PADL-LDAP-OLDAUTHTOK-DATA" 282 | 283 | #ifndef PAM_EXTERN 284 | #define PAM_EXTERN 285 | #endif 286 | 287 | #ifndef _pam_overwrite 288 | #define _pam_overwrite(x) \ 289 | { \ 290 | register char *__xx__; \ 291 | if ((__xx__=x)) \ 292 | while (*__xx__) \ 293 | *__xx__++ = '\0'; \ 294 | } 295 | #endif 296 | 297 | #ifndef _pam_drop 298 | #define _pam_drop(X) \ 299 | if (X) { \ 300 | free(X); \ 301 | X=NULL; \ 302 | } 303 | #endif 304 | 305 | #ifndef FALSE 306 | #define FALSE 0 307 | #endif 308 | 309 | #ifndef TRUE 310 | #define TRUE !FALSE 311 | #endif 312 | 313 | #ifndef LDAP_FILT_MAXSIZ 314 | #define LDAP_FILT_MAXSIZ 1024 315 | #endif /* LDAP_FILT_MAXSIZ */ 316 | 317 | #define IGNORE_UNKNOWN_USER 0x01 318 | #define IGNORE_AUTHINFO_UNAVAIL 0x02 319 | 320 | #define STATUS_MAP_IGNORE_POLICY(_rc, _ignore_flags) do { \ 321 | if ((_rc) == PAM_USER_UNKNOWN && ((_ignore_flags) & IGNORE_UNKNOWN_USER)) \ 322 | rc = PAM_IGNORE; \ 323 | else if ((_rc) == PAM_AUTHINFO_UNAVAIL && ((_ignore_flags) & IGNORE_AUTHINFO_UNAVAIL)) \ 324 | rc = PAM_IGNORE; \ 325 | } while (0) 326 | 327 | /* PAM authentication routine */ 328 | #define PAM_SM_AUTH 329 | PAM_EXTERN int pam_sm_authenticate (pam_handle_t *, int, int, const char **); 330 | PAM_EXTERN int pam_sm_setcred (pam_handle_t *, int, int, 
const char **); 331 | 332 | /* PAM session management */ 333 | #define PAM_SM_SESSION 334 | PAM_EXTERN int pam_sm_open_session (pam_handle_t *, int, int, const char **); 335 | PAM_EXTERN int pam_sm_close_session (pam_handle_t *, int, int, const char **); 336 | 337 | /* PAM password changing routine */ 338 | #define PAM_SM_PASSWORD 339 | PAM_EXTERN int pam_sm_chauthtok (pam_handle_t *, int, int, const char **); 340 | 341 | /* PAM authorization routine */ 342 | #define PAM_SM_ACCOUNT 343 | PAM_EXTERN int pam_sm_acct_mgmt (pam_handle_t *, int, int, const char **); 344 | 345 | -------------------------------------------------------------------------------- /md5.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (C) 1999 Aladdin Enterprises. All rights reserved. 3 | 4 | This software is provided 'as-is', without any express or implied 5 | warranty. In no event will the authors be held liable for any damages 6 | arising from the use of this software. 7 | 8 | Permission is granted to anyone to use this software for any purpose, 9 | including commercial applications, and to alter it and redistribute it 10 | freely, subject to the following restrictions: 11 | 12 | 1. The origin of this software must not be misrepresented; you must not 13 | claim that you wrote the original software. If you use this software 14 | in a product, an acknowledgment in the product documentation would be 15 | appreciated but is not required. 16 | 2. Altered source versions must be plainly marked as such, and must not be 17 | misrepresented as being the original software. 18 | 3. This notice may not be removed or altered from any source distribution. 19 | 20 | L. Peter Deutsch 21 | ghost@aladdin.com 22 | 23 | */ 24 | /*$Id$ */ 25 | /* 26 | Independent implementation of MD5 (RFC 1321). 27 | 28 | This code implements the MD5 Algorithm defined in RFC 1321. 
29 | It is derived directly from the text of the RFC and not from the 30 | reference implementation. 31 | 32 | The original and principal author of md5.c is L. Peter Deutsch 33 | . Other authors are noted in the change history 34 | that follows (in reverse chronological order): 35 | 36 | 1999-11-04 lpd Edited comments slightly for automatic TOC extraction. 37 | 1999-10-18 lpd Fixed typo in header comment (ansi2knr rather than md5). 38 | 1999-05-03 lpd Original version. 39 | */ 40 | 41 | #include "md5.h" 42 | #include 43 | 44 | #ifdef TEST 45 | /* 46 | * Compile with -DTEST to create a self-contained executable test program. 47 | * The test program should print out the same values as given in section 48 | * A.5 of RFC 1321, reproduced below. 49 | */ 50 | main() 51 | { 52 | static const char *const test[7] = { 53 | "", /*d41d8cd98f00b204e9800998ecf8427e*/ 54 | "a", /*0cc175b9c0f1b6a831c399e269772661*/ 55 | "abc", /*900150983cd24fb0d6963f7d28e17f72*/ 56 | "message digest", /*f96b697d7cb7938d525a2f31aaf161d0*/ 57 | "abcdefghijklmnopqrstuvwxyz", /*c3fcd3d76192e4007dfb496cca67e13b*/ 58 | "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 59 | /*d174ab98d277d9f5a5611c2c9f419d9f*/ 60 | "12345678901234567890123456789012345678901234567890123456789012345678901234567890" /*57edf4a22be3c955ac49da2e2107b67a*/ 61 | }; 62 | int i; 63 | 64 | for (i = 0; i < 7; ++i) { 65 | md5_state_t state; 66 | md5_byte_t digest[16]; 67 | int di; 68 | 69 | md5_init(&state); 70 | md5_append(&state, (const md5_byte_t *)test[i], strlen(test[i])); 71 | md5_finish(&state, digest); 72 | printf("MD5 (\"%s\") = ", test[i]); 73 | for (di = 0; di < 16; ++di) 74 | printf("%02x", digest[di]); 75 | printf("\n"); 76 | } 77 | return 0; 78 | } 79 | #endif /* TEST */ 80 | 81 | 82 | /* 83 | * For reference, here is the program that computed the T values. 
84 | */ 85 | #if 0 86 | #include 87 | main() 88 | { 89 | int i; 90 | for (i = 1; i <= 64; ++i) { 91 | unsigned long v = (unsigned long)(4294967296.0 * fabs(sin((double)i))); 92 | printf("#define T%d 0x%08lx\n", i, v); 93 | } 94 | return 0; 95 | } 96 | #endif 97 | /* 98 | * End of T computation program. 99 | */ 100 | #define T1 0xd76aa478 101 | #define T2 0xe8c7b756 102 | #define T3 0x242070db 103 | #define T4 0xc1bdceee 104 | #define T5 0xf57c0faf 105 | #define T6 0x4787c62a 106 | #define T7 0xa8304613 107 | #define T8 0xfd469501 108 | #define T9 0x698098d8 109 | #define T10 0x8b44f7af 110 | #define T11 0xffff5bb1 111 | #define T12 0x895cd7be 112 | #define T13 0x6b901122 113 | #define T14 0xfd987193 114 | #define T15 0xa679438e 115 | #define T16 0x49b40821 116 | #define T17 0xf61e2562 117 | #define T18 0xc040b340 118 | #define T19 0x265e5a51 119 | #define T20 0xe9b6c7aa 120 | #define T21 0xd62f105d 121 | #define T22 0x02441453 122 | #define T23 0xd8a1e681 123 | #define T24 0xe7d3fbc8 124 | #define T25 0x21e1cde6 125 | #define T26 0xc33707d6 126 | #define T27 0xf4d50d87 127 | #define T28 0x455a14ed 128 | #define T29 0xa9e3e905 129 | #define T30 0xfcefa3f8 130 | #define T31 0x676f02d9 131 | #define T32 0x8d2a4c8a 132 | #define T33 0xfffa3942 133 | #define T34 0x8771f681 134 | #define T35 0x6d9d6122 135 | #define T36 0xfde5380c 136 | #define T37 0xa4beea44 137 | #define T38 0x4bdecfa9 138 | #define T39 0xf6bb4b60 139 | #define T40 0xbebfbc70 140 | #define T41 0x289b7ec6 141 | #define T42 0xeaa127fa 142 | #define T43 0xd4ef3085 143 | #define T44 0x04881d05 144 | #define T45 0xd9d4d039 145 | #define T46 0xe6db99e5 146 | #define T47 0x1fa27cf8 147 | #define T48 0xc4ac5665 148 | #define T49 0xf4292244 149 | #define T50 0x432aff97 150 | #define T51 0xab9423a7 151 | #define T52 0xfc93a039 152 | #define T53 0x655b59c3 153 | #define T54 0x8f0ccc92 154 | #define T55 0xffeff47d 155 | #define T56 0x85845dd1 156 | #define T57 0x6fa87e4f 157 | #define T58 0xfe2ce6e0 158 | #define 
T59 0xa3014314 159 | #define T60 0x4e0811a1 160 | #define T61 0xf7537e82 161 | #define T62 0xbd3af235 162 | #define T63 0x2ad7d2bb 163 | #define T64 0xeb86d391 164 | 165 | /* Run the MD5 compression function over one 64-byte block: load it as sixteen words X[0..15], apply the four 16-step rounds, then add the results into pms->abcd. */ static void 166 | md5_process(md5_state_t *pms, const md5_byte_t *data /*[64]*/) 167 | { 168 | md5_word_t 169 | a = pms->abcd[0], b = pms->abcd[1], 170 | c = pms->abcd[2], d = pms->abcd[3]; 171 | md5_word_t t; 172 | 173 | #ifndef ARCH_IS_BIG_ENDIAN 174 | # define ARCH_IS_BIG_ENDIAN 1 /* slower, default implementation */ 175 | #endif 176 | #if ARCH_IS_BIG_ENDIAN 177 | 178 | /* 179 | * On big-endian machines, we must arrange the bytes in the right 180 | * order. (This also works on machines of unknown byte order.) 181 | */ 182 | md5_word_t X[16]; 183 | const md5_byte_t *xp = data; 184 | int i; 185 | 186 | /* NOTE(review): each xp[n] is promoted to int before the shift, so a byte of 0x80 or more in xp[3] << 24 overflows a 32-bit int (undefined behaviour); casting first, (md5_word_t)xp[3] << 24, avoids it. Assumes md5_byte_t is unsigned char and md5_word_t an unsigned 32-bit type -- both come from md5.h, not shown; confirm. */ for (i = 0; i < 16; ++i, xp += 4) 187 | X[i] = xp[0] + (xp[1] << 8) + (xp[2] << 16) + (xp[3] << 24); 188 | 189 | #else /* !ARCH_IS_BIG_ENDIAN */ 190 | 191 | /* 192 | * On little-endian machines, we can process properly aligned data 193 | * without copying it. 194 | */ 195 | md5_word_t xbuf[16]; 196 | const md5_word_t *X; 197 | 198 | /* NOTE(review): this branch is compiled only when ARCH_IS_BIG_ENDIAN is defined as 0. The alignment test subtracts a null pointer and the aligned case reads the caller's bytes through an md5_word_t pointer; neither is guaranteed by the C standard, whereas the memcpy path below is. */ if (!((data - (const md5_byte_t *)0) & 3)) { 199 | /* data are properly aligned */ 200 | X = (const md5_word_t *)data; 201 | } else { 202 | /* not aligned */ 203 | memcpy(xbuf, data, 64); 204 | X = xbuf; 205 | } 206 | #endif 207 | 208 | #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32 - (n)))) 209 | 210 | /* Round 1. */ 211 | /* Let [abcd k s i] denote the operation 212 | a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */ 213 | #define F(x, y, z) (((x) & (y)) | (~(x) & (z))) 214 | #define SET(a, b, c, d, k, s, Ti)\ 215 | t = a + F(b,c,d) + X[k] + Ti;\ 216 | a = ROTATE_LEFT(t, s) + b 217 | /* Do the following 16 operations.
*/ 218 | SET(a, b, c, d, 0, 7, T1); 219 | SET(d, a, b, c, 1, 12, T2); 220 | SET(c, d, a, b, 2, 17, T3); 221 | SET(b, c, d, a, 3, 22, T4); 222 | SET(a, b, c, d, 4, 7, T5); 223 | SET(d, a, b, c, 5, 12, T6); 224 | SET(c, d, a, b, 6, 17, T7); 225 | SET(b, c, d, a, 7, 22, T8); 226 | SET(a, b, c, d, 8, 7, T9); 227 | SET(d, a, b, c, 9, 12, T10); 228 | SET(c, d, a, b, 10, 17, T11); 229 | SET(b, c, d, a, 11, 22, T12); 230 | SET(a, b, c, d, 12, 7, T13); 231 | SET(d, a, b, c, 13, 12, T14); 232 | SET(c, d, a, b, 14, 17, T15); 233 | SET(b, c, d, a, 15, 22, T16); 234 | #undef SET 235 | 236 | /* Round 2. */ 237 | /* Let [abcd k s i] denote the operation 238 | a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */ 239 | #define G(x, y, z) (((x) & (z)) | ((y) & ~(z))) 240 | #define SET(a, b, c, d, k, s, Ti)\ 241 | t = a + G(b,c,d) + X[k] + Ti;\ 242 | a = ROTATE_LEFT(t, s) + b 243 | /* Do the following 16 operations. */ 244 | SET(a, b, c, d, 1, 5, T17); 245 | SET(d, a, b, c, 6, 9, T18); 246 | SET(c, d, a, b, 11, 14, T19); 247 | SET(b, c, d, a, 0, 20, T20); 248 | SET(a, b, c, d, 5, 5, T21); 249 | SET(d, a, b, c, 10, 9, T22); 250 | SET(c, d, a, b, 15, 14, T23); 251 | SET(b, c, d, a, 4, 20, T24); 252 | SET(a, b, c, d, 9, 5, T25); 253 | SET(d, a, b, c, 14, 9, T26); 254 | SET(c, d, a, b, 3, 14, T27); 255 | SET(b, c, d, a, 8, 20, T28); 256 | SET(a, b, c, d, 13, 5, T29); 257 | SET(d, a, b, c, 2, 9, T30); 258 | SET(c, d, a, b, 7, 14, T31); 259 | SET(b, c, d, a, 12, 20, T32); 260 | #undef SET 261 | 262 | /* Round 3. */ 263 | /* Let [abcd k s t] denote the operation 264 | a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */ 265 | #define H(x, y, z) ((x) ^ (y) ^ (z)) 266 | #define SET(a, b, c, d, k, s, Ti)\ 267 | t = a + H(b,c,d) + X[k] + Ti;\ 268 | a = ROTATE_LEFT(t, s) + b 269 | /* Do the following 16 operations. 
*/ 270 | SET(a, b, c, d, 5, 4, T33); 271 | SET(d, a, b, c, 8, 11, T34); 272 | SET(c, d, a, b, 11, 16, T35); 273 | SET(b, c, d, a, 14, 23, T36); 274 | SET(a, b, c, d, 1, 4, T37); 275 | SET(d, a, b, c, 4, 11, T38); 276 | SET(c, d, a, b, 7, 16, T39); 277 | SET(b, c, d, a, 10, 23, T40); 278 | SET(a, b, c, d, 13, 4, T41); 279 | SET(d, a, b, c, 0, 11, T42); 280 | SET(c, d, a, b, 3, 16, T43); 281 | SET(b, c, d, a, 6, 23, T44); 282 | SET(a, b, c, d, 9, 4, T45); 283 | SET(d, a, b, c, 12, 11, T46); 284 | SET(c, d, a, b, 15, 16, T47); 285 | SET(b, c, d, a, 2, 23, T48); 286 | #undef SET 287 | 288 | /* Round 4. */ 289 | /* Let [abcd k s t] denote the operation 290 | a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */ 291 | #define I(x, y, z) ((y) ^ ((x) | ~(z))) 292 | #define SET(a, b, c, d, k, s, Ti)\ 293 | t = a + I(b,c,d) + X[k] + Ti;\ 294 | a = ROTATE_LEFT(t, s) + b 295 | /* Do the following 16 operations. */ 296 | SET(a, b, c, d, 0, 6, T49); 297 | SET(d, a, b, c, 7, 10, T50); 298 | SET(c, d, a, b, 14, 15, T51); 299 | SET(b, c, d, a, 5, 21, T52); 300 | SET(a, b, c, d, 12, 6, T53); 301 | SET(d, a, b, c, 3, 10, T54); 302 | SET(c, d, a, b, 10, 15, T55); 303 | SET(b, c, d, a, 1, 21, T56); 304 | SET(a, b, c, d, 8, 6, T57); 305 | SET(d, a, b, c, 15, 10, T58); 306 | SET(c, d, a, b, 6, 15, T59); 307 | SET(b, c, d, a, 13, 21, T60); 308 | SET(a, b, c, d, 4, 6, T61); 309 | SET(d, a, b, c, 11, 10, T62); 310 | SET(c, d, a, b, 2, 15, T63); 311 | SET(b, c, d, a, 9, 21, T64); 312 | #undef SET 313 | 314 | /* Then perform the following additions. (That is increment each 315 | of the four registers by the value it had before this block 316 | was started.) 
*/ 317 | pms->abcd[0] += a; 318 | pms->abcd[1] += b; 319 | pms->abcd[2] += c; 320 | pms->abcd[3] += d; 321 | } 322 | 323 | /* Start a new digest: zero the two-word bit counter and load pms->abcd with the four fixed starting constants. NOTE(review): MD5 is no longer collision-resistant; what pam_ldap feeds to this digest is not visible here -- confirm it is not relied on for new security decisions. */ #ifdef __APPLE__ 324 | __private_extern__ 325 | #endif 326 | void _pam_ldap_md5_init(md5_state_t *pms) 327 | { 328 | pms->count[0] = pms->count[1] = 0; 329 | pms->abcd[0] = 0x67452301; 330 | pms->abcd[1] = 0xefcdab89; 331 | pms->abcd[2] = 0x98badcfe; 332 | pms->abcd[3] = 0x10325476; 333 | } 334 | 335 | /* Add nbytes bytes at data to the digest. Whole 64-byte blocks go through md5_process(); any remainder is kept in pms->buf for the next call. Calls with nbytes <= 0 do nothing. */ #ifdef __APPLE__ 336 | __private_extern__ 337 | #endif 338 | void _pam_ldap_md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes) 339 | { 340 | const md5_byte_t *p = data; 341 | int left = nbytes; 342 | int offset = (pms->count[0] >> 3) & 63; 343 | /* NOTE(review): nbytes << 3 is evaluated as int, and before the nbytes <= 0 check below; a negative count, or one of 2^28 bytes or more, makes the shift undefined behaviour where int is 32 bits. Casting before shifting, (md5_word_t)nbytes << 3, after the guard avoids it -- assumes md5_word_t is an unsigned 32-bit type from md5.h; confirm. */ md5_word_t nbits = (md5_word_t)(nbytes << 3); 344 | 345 | if (nbytes <= 0) 346 | return; 347 | 348 | /* Update the message length. */ 349 | pms->count[1] += nbytes >> 29; 350 | pms->count[0] += nbits; 351 | if (pms->count[0] < nbits) 352 | pms->count[1]++; 353 | 354 | /* Process an initial partial block. */ 355 | if (offset) { 356 | int copy = (offset + nbytes > 64 ? 64 - offset : nbytes); 357 | 358 | memcpy(pms->buf + offset, p, copy); 359 | if (offset + copy < 64) 360 | return; 361 | p += copy; 362 | left -= copy; 363 | md5_process(pms, pms->buf); 364 | } 365 | 366 | /* Process full blocks. */ 367 | for (; left >= 64; p += 64, left -= 64) 368 | md5_process(pms, p); 369 | 370 | /* Process a final partial block. */ 371 | if (left) 372 | memcpy(pms->buf, p, left); 373 | } 374 | 375 | /* Pad the message, append its 8-byte bit length, and write the 16-byte digest to digest[], low byte of each state word first. NOTE(review): the context (pms->buf, pms->abcd) is not cleared afterwards; a caller that hashed a password should wipe the md5_state_t itself. */ #ifdef __APPLE__ 376 | __private_extern__ 377 | #endif 378 | void 379 | _pam_ldap_md5_finish(md5_state_t *pms, md5_byte_t digest[16]) 380 | { 381 | static const md5_byte_t pad[64] = { 382 | 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 383 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 384 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 385 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 386 | }; 387 | md5_byte_t data[8]; 388 | int i; 389 | 390 | /* Save the length before padding.
*/ 391 | for (i = 0; i < 8; ++i) 392 | data[i] = (md5_byte_t)(pms->count[i >> 2] >> ((i & 3) << 3)); 393 | /* Pad to 56 bytes mod 64. */ 394 | _pam_ldap_md5_append(pms, pad, ((55 - (pms->count[0] >> 3)) & 63) + 1); 395 | /* Append the length. */ 396 | _pam_ldap_md5_append(pms, data, 8); 397 | for (i = 0; i < 16; ++i) 398 | digest[i] = (md5_byte_t)(pms->abcd[i >> 2] >> ((i & 3) << 3)); 399 | } 400 | -------------------------------------------------------------------------------- /depcomp: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | 3 | # depcomp - compile a program generating dependencies as side-effects 4 | # Copyright 1999, 2000 Free Software Foundation, Inc. 5 | 6 | # This program is free software; you can redistribute it and/or modify 7 | # it under the terms of the GNU General Public License as published by 8 | # the Free Software Foundation; either version 2, or (at your option) 9 | # any later version. 10 | 11 | # This program is distributed in the hope that it will be useful, 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | # GNU General Public License for more details. 15 | 16 | # You should have received a copy of the GNU General Public License 17 | # along with this program; if not, write to the Free Software 18 | # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 19 | # 02111-1307, USA. 20 | 21 | # As a special exception to the GNU General Public License, if you 22 | # distribute this file as part of a program that contains a 23 | # configuration script generated by Autoconf, you may include it under 24 | # the same distribution terms that you use for the rest of that program. 25 | 26 | # Originally written by Alexandre Oliva . 
27 | 28 | if test -z "$depmode" || test -z "$source" || test -z "$object"; then 29 | echo "depcomp: Variables source, object and depmode must be set" 1>&2 30 | exit 1 31 | fi 32 | # `libtool' can also be set to `yes' or `no'. 33 | 34 | depfile=${depfile-`echo "$object" | sed 's,\([^/]*\)$,.deps/\1,;s/\.\([^.]*\)$/.P\1/'`} 35 | tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`} 36 | 37 | rm -f "$tmpdepfile" 38 | 39 | # Some modes work just like other modes, but use different flags. We 40 | # parameterize here, but still list the modes in the big case below, 41 | # to make depend.m4 easier to write. Note that we *cannot* use a case 42 | # here, because this file can only contain one case statement. 43 | if test "$depmode" = hp; then 44 | # HP compiler uses -M and no extra arg. 45 | gccflag=-M 46 | depmode=gcc 47 | fi 48 | 49 | if test "$depmode" = dashXmstdout; then 50 | # This is just like dashmstdout with a different argument. 51 | dashmflag=-xM 52 | depmode=dashmstdout 53 | fi 54 | 55 | case "$depmode" in 56 | gcc3) 57 | ## gcc 3 implements dependency tracking that does exactly what 58 | ## we want. Yay! Note: for some reason libtool 1.4 doesn't like 59 | ## it if -MD -MP comes after the -MF stuff. Hmm. 60 | "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" 61 | stat=$? 62 | if test $stat -eq 0; then : 63 | else 64 | rm -f "$tmpdepfile" 65 | exit $stat 66 | fi 67 | mv "$tmpdepfile" "$depfile" 68 | ;; 69 | 70 | gcc) 71 | ## There are various ways to get dependency output from gcc. Here's 72 | ## why we pick this rather obscure method: 73 | ## - Don't want to use -MD because we'd like the dependencies to end 74 | ## up in a subdir. Having to rename by hand is ugly. 75 | ## (We might end up doing this anyway to support other compilers.) 76 | ## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like 77 | ## -MM, not -M (despite what the docs say). 
78 | ## - Using -M directly means running the compiler twice (even worse 79 | ## than renaming). 80 | if test -z "$gccflag"; then 81 | gccflag=-MD, 82 | fi 83 | "$@" -Wp,"$gccflag$tmpdepfile" 84 | stat=$? 85 | if test $stat -eq 0; then : 86 | else 87 | rm -f "$tmpdepfile" 88 | exit $stat 89 | fi 90 | rm -f "$depfile" 91 | echo "$object : \\" > "$depfile" 92 | alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz 93 | ## The second -e expression handles DOS-style file names with drive letters. 94 | sed -e 's/^[^:]*: / /' \ 95 | -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile" 96 | ## This next piece of magic avoids the `deleted header file' problem. 97 | ## The problem is that when a header file which appears in a .P file 98 | ## is deleted, the dependency causes make to die (because there is 99 | ## typically no way to rebuild the header). We avoid this by adding 100 | ## dummy dependencies for each header file. Too bad gcc doesn't do 101 | ## this for us directly. 102 | tr ' ' ' 103 | ' < "$tmpdepfile" | 104 | ## Some versions of gcc put a space before the `:'. On the theory 105 | ## that the space means something, we add a space to the output as 106 | ## well. 107 | ## Some versions of the HPUX 10.20 sed can't process this invocation 108 | ## correctly. Breaking it into two sed invocations is a workaround. 109 | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile" 110 | rm -f "$tmpdepfile" 111 | ;; 112 | 113 | hp) 114 | # This case exists only to let depend.m4 do its work. It works by 115 | # looking at the text of this script. This case will never be run, 116 | # since it is checked for above. 117 | exit 1 118 | ;; 119 | 120 | sgi) 121 | if test "$libtool" = yes; then 122 | "$@" "-Wp,-MDupdate,$tmpdepfile" 123 | else 124 | "$@" -MDupdate "$tmpdepfile" 125 | fi 126 | stat=$? 
127 | if test $stat -eq 0; then : 128 | else 129 | rm -f "$tmpdepfile" 130 | exit $stat 131 | fi 132 | rm -f "$depfile" 133 | 134 | if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files 135 | echo "$object : \\" > "$depfile" 136 | 137 | # Clip off the initial element (the dependent). Don't try to be 138 | # clever and replace this with sed code, as IRIX sed won't handle 139 | # lines with more than a fixed number of characters (4096 in 140 | # IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines; 141 | # the IRIX cc adds comments like `#:fec' to the end of the 142 | # dependency line. 143 | tr ' ' ' 144 | ' < "$tmpdepfile" \ 145 | | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \ 146 | tr ' 147 | ' ' ' >> $depfile 148 | echo >> $depfile 149 | 150 | # The second pass generates a dummy entry for each header file. 151 | tr ' ' ' 152 | ' < "$tmpdepfile" \ 153 | | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \ 154 | >> $depfile 155 | else 156 | # The sourcefile does not contain any dependencies, so just 157 | # store a dummy comment line, to avoid errors with the Makefile 158 | # "include basename.Plo" scheme. 159 | echo "#dummy" > "$depfile" 160 | fi 161 | rm -f "$tmpdepfile" 162 | ;; 163 | 164 | aix) 165 | # The C for AIX Compiler uses -M and outputs the dependencies 166 | # in a .u file. This file always lives in the current directory. 167 | # Also, the AIX compiler puts `$object:' at the start of each line; 168 | # $object doesn't have directory information. 169 | stripped=`echo "$object" | sed -e 's,^.*/,,' -e 's/\(.*\)\..*$/\1/'` 170 | tmpdepfile="$stripped.u" 171 | outname="$stripped.o" 172 | if test "$libtool" = yes; then 173 | "$@" -Wc,-M 174 | else 175 | "$@" -M 176 | fi 177 | 178 | stat=$? 179 | if test $stat -eq 0; then : 180 | else 181 | rm -f "$tmpdepfile" 182 | exit $stat 183 | fi 184 | 185 | if test -f "$tmpdepfile"; then 186 | # Each line is of the form `foo.o: dependent.h'. 
187 | # Do two passes, one to just change these to 188 | # `$object: dependent.h' and one to simply `dependent.h:'. 189 | sed -e "s,^$outname:,$object :," < "$tmpdepfile" > "$depfile" 190 | sed -e "s,^$outname: \(.*\)$,\1:," < "$tmpdepfile" >> "$depfile" 191 | else 192 | # The sourcefile does not contain any dependencies, so just 193 | # store a dummy comment line, to avoid errors with the Makefile 194 | # "include basename.Plo" scheme. 195 | echo "#dummy" > "$depfile" 196 | fi 197 | rm -f "$tmpdepfile" 198 | ;; 199 | 200 | tru64) 201 | # The Tru64 AIX compiler uses -MD to generate dependencies as a side 202 | # effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'. 203 | # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put 204 | # dependencies in `foo.d' instead, so we check for that too. 205 | # Subdirectories are respected. 206 | 207 | tmpdepfile1="$object.d" 208 | tmpdepfile2=`echo "$object" | sed -e 's/.o$/.d/'` 209 | if test "$libtool" = yes; then 210 | "$@" -Wc,-MD 211 | else 212 | "$@" -MD 213 | fi 214 | 215 | stat=$? 216 | if test $stat -eq 0; then : 217 | else 218 | rm -f "$tmpdepfile1" "$tmpdepfile2" 219 | exit $stat 220 | fi 221 | 222 | if test -f "$tmpdepfile1"; then 223 | tmpdepfile="$tmpdepfile1" 224 | else 225 | tmpdepfile="$tmpdepfile2" 226 | fi 227 | if test -f "$tmpdepfile"; then 228 | sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile" 229 | # That's a space and a tab in the []. 230 | sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile" 231 | else 232 | echo "#dummy" > "$depfile" 233 | fi 234 | rm -f "$tmpdepfile" 235 | ;; 236 | 237 | #nosideeffect) 238 | # This comment above is used by automake to tell side-effect 239 | # dependency tracking mechanisms from slower ones. 240 | 241 | dashmstdout) 242 | # Important note: in order to support this mode, a compiler *must* 243 | # always write the proprocessed file to stdout, regardless of -o, 244 | # because we must use -o when running libtool. 
245 | test -z "$dashmflag" && dashmflag=-M 246 | ( IFS=" " 247 | case " $* " in 248 | *" --mode=compile "*) # this is libtool, let us make it quiet 249 | for arg 250 | do # cycle over the arguments 251 | case "$arg" in 252 | "--mode=compile") 253 | # insert --quiet before "--mode=compile" 254 | set fnord "$@" --quiet 255 | shift # fnord 256 | ;; 257 | esac 258 | set fnord "$@" "$arg" 259 | shift # fnord 260 | shift # "$arg" 261 | done 262 | ;; 263 | esac 264 | "$@" $dashmflag | sed 's:^[^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile" 265 | ) & 266 | proc=$! 267 | "$@" 268 | stat=$? 269 | wait "$proc" 270 | if test "$stat" != 0; then exit $stat; fi 271 | rm -f "$depfile" 272 | cat < "$tmpdepfile" > "$depfile" 273 | tr ' ' ' 274 | ' < "$tmpdepfile" | \ 275 | ## Some versions of the HPUX 10.20 sed can't process this invocation 276 | ## correctly. Breaking it into two sed invocations is a workaround. 277 | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile" 278 | rm -f "$tmpdepfile" 279 | ;; 280 | 281 | dashXmstdout) 282 | # This case only exists to satisfy depend.m4. It is never actually 283 | # run, as this mode is specially recognized in the preamble. 284 | exit 1 285 | ;; 286 | 287 | makedepend) 288 | # X makedepend 289 | ( 290 | shift 291 | cleared=no 292 | for arg in "$@"; do 293 | case $cleared in no) 294 | set ""; shift 295 | cleared=yes 296 | esac 297 | case "$arg" in 298 | -D*|-I*) 299 | set fnord "$@" "$arg"; shift;; 300 | -*) 301 | ;; 302 | *) 303 | set fnord "$@" "$arg"; shift;; 304 | esac 305 | done 306 | obj_suffix="`echo $object | sed 's/^.*\././'`" 307 | touch "$tmpdepfile" 308 | ${MAKEDEPEND-makedepend} 2>/dev/null -o"$obj_suffix" -f"$tmpdepfile" "$@" 309 | ) & 310 | proc=$! 311 | "$@" 312 | stat=$? 
313 | wait "$proc" 314 | if test "$stat" != 0; then exit $stat; fi 315 | rm -f "$depfile" 316 | cat < "$tmpdepfile" > "$depfile" 317 | tail +3 "$tmpdepfile" | tr ' ' ' 318 | ' | \ 319 | ## Some versions of the HPUX 10.20 sed can't process this invocation 320 | ## correctly. Breaking it into two sed invocations is a workaround. 321 | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile" 322 | rm -f "$tmpdepfile" "$tmpdepfile".bak 323 | ;; 324 | 325 | cpp) 326 | # Important note: in order to support this mode, a compiler *must* 327 | # always write the proprocessed file to stdout, regardless of -o, 328 | # because we must use -o when running libtool. 329 | ( IFS=" " 330 | case " $* " in 331 | *" --mode=compile "*) 332 | for arg 333 | do # cycle over the arguments 334 | case $arg in 335 | "--mode=compile") 336 | # insert --quiet before "--mode=compile" 337 | set fnord "$@" --quiet 338 | shift # fnord 339 | ;; 340 | esac 341 | set fnord "$@" "$arg" 342 | shift # fnord 343 | shift # "$arg" 344 | done 345 | ;; 346 | esac 347 | "$@" -E | 348 | sed -n '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' | 349 | sed '$ s: \\$::' > "$tmpdepfile" 350 | ) & 351 | proc=$! 352 | "$@" 353 | stat=$? 354 | wait "$proc" 355 | if test "$stat" != 0; then exit $stat; fi 356 | rm -f "$depfile" 357 | echo "$object : \\" > "$depfile" 358 | cat < "$tmpdepfile" >> "$depfile" 359 | sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile" 360 | rm -f "$tmpdepfile" 361 | ;; 362 | 363 | msvisualcpp) 364 | # Important note: in order to support this mode, a compiler *must* 365 | # always write the proprocessed file to stdout, regardless of -o, 366 | # because we must use -o when running libtool. 
367 | ( IFS=" " 368 | case " $* " in 369 | *" --mode=compile "*) 370 | for arg 371 | do # cycle over the arguments 372 | case $arg in 373 | "--mode=compile") 374 | # insert --quiet before "--mode=compile" 375 | set fnord "$@" --quiet 376 | shift # fnord 377 | ;; 378 | esac 379 | set fnord "$@" "$arg" 380 | shift # fnord 381 | shift # "$arg" 382 | done 383 | ;; 384 | esac 385 | "$@" -E | 386 | sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile" 387 | ) & 388 | proc=$! 389 | "$@" 390 | stat=$? 391 | wait "$proc" 392 | if test "$stat" != 0; then exit $stat; fi 393 | rm -f "$depfile" 394 | echo "$object : \\" > "$depfile" 395 | . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile" 396 | echo " " >> "$depfile" 397 | . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile" 398 | rm -f "$tmpdepfile" 399 | ;; 400 | 401 | none) 402 | exec "$@" 403 | ;; 404 | 405 | *) 406 | echo "Unknown depmode $depmode" 1>&2 407 | exit 1 408 | ;; 409 | esac 410 | 411 | exit 0 412 | -------------------------------------------------------------------------------- /pam_ldap.5: -------------------------------------------------------------------------------- 1 | .TH pam_ldap 5 2 | .\" Copyright 1997-2005 Luke Howard." 3 | .\" Copying restrictions apply. See COPYING. 4 | .\" $Id$ 5 | .SH NAME 6 | pam_ldap \- LDAP pluggable authentication module 7 | .SH DESCRIPTION 8 | The 9 | .B pam_ldap 10 | module is a Pluggable Authentication Module (PAM) which provides 11 | for authentication, authorization and password changing against 12 | .I 13 | LDAP 14 | servers. 15 | .LP 16 | Features of the PADL pam_ldap module include support for transport layer 17 | security, SASL authentication, directory server-enforced password policy, 18 | and host- and group- based logon authorization. 
19 | .LP 20 | The present version of 21 | .B 22 | pam_ldap 23 | supports AIX 5L, FreeBSD 3.x and above, HP-UX 11i, IRIX 6.x, Linux, 24 | Mac OS X 10.2 and above, and Solaris 2.6 and above. Many vendors provide 25 | their own LDAP authentication providers, often also called pam_ldap. 26 | This manual page applies to the 27 | PADL 28 | .B 29 | pam_ldap 30 | module only. If you are using a vendor provided module, consult the 31 | relevant documentation instead. 32 | .LP 33 | When authenticating or authorizing a user, 34 | .B 35 | pam_ldap 36 | first maps the user's login name to a distinguished name by searching 37 | the directory server. This must be possible using the local system's 38 | identity, specified in ldap.conf. (Note that presently only simple 39 | authentication is supported for authenticating in this initial step.) 40 | .LP 41 | To authenticate a user, 42 | .B 43 | pam_ldap 44 | attempts to bind to the directory server using the distinguished name 45 | of the user (retrieved previously). Both simple and SASL authentication 46 | mechanisms are supported; in the former case, one should take care to 47 | use transport security to prevent the user's password being transmitted 48 | in the clear. 49 | .LP 50 | A variety of authorization primitives are supported by 51 | .B 52 | pam_ldap, 53 | discussed in the configuration section below. 54 | .LP 55 | Finally, 56 | .B 57 | pam_ldap 58 | supports a number of password change protocols used by directory servers 59 | from various vendors. (Some directory servers support 60 | more than one password change protocol.) 61 | .LP 62 | Whilst 63 | .B 64 | pam_ldap 65 | is generally configured in the system LDAP naming configuration file 66 | (ldap.conf), some options can be configured in the PAM configuration 67 | file, to allow for per-service granularity. These options include 68 | the path to the LDAP naming configuration file to use, so in effect 69 | all options can be configured on a per-service basis. 
Options are 70 | listed below under PAM Configuration. 71 | .SH CONFIGURATION 72 | .B 73 | pam_ldap 74 | stores its configuration in the 75 | .B 76 | ldap.conf 77 | file. (It should be noted that some LDAP client libraries, such as 78 | OpenLDAP, also use a configuration file of the same name. 79 | .B 80 | pam_ldap 81 | supports many of the same configuration file options as OpenLDAP, 82 | but it adds several that are specific to the functionality it provides. 83 | It is not guaranteed that 84 | .B 85 | pam_ldap 86 | will continue to match the configuration file semantics of OpenLDAP. 87 | You may wish to use different files.) 88 | .LP 89 | Configuration file options consist of a keyword followed by a 90 | space and any arguments. The following options are supported by 91 | both 92 | .B 93 | pam_ldap 94 | and the PADL 95 | .B 96 | nss_ldap 97 | module: 98 | .B 99 | .TP 100 | .B host 101 | Specifies the name(s) or IP address(es) of the 102 | .I 103 | LDAP 104 | server(s) to connect to. In the case that 105 | .B 106 | nss_ldap 107 | is used for host name resolution, each server should be specified as an 108 | IP address or name that can be resolved without using 109 | .I 110 | LDAP. 111 | Multiple servers may be specified, each separated by a space. 112 | The failover time depends on whether the 113 | .I 114 | LDAP 115 | client library supports configurable network or connect timeouts 116 | (see 117 | .B bind_timelimit 118 | below). 119 | .TP 120 | .B base 121 | Specifies the default base distinguished name (DN) to use for searches. 122 | .TP 123 | .B uri 124 | For 125 | .I 126 | LDAP 127 | client libraries that support it, specifies the URI(s) of the LDAP 128 | server(s) to connect to. The URI scheme may be 129 | .B 130 | ldap, 131 | .B 132 | ldapi, 133 | or 134 | .B 135 | ldaps, 136 | specifying LDAP over TCP, IPC and SSL respectively. If applicable, 137 | a port number can be specified; the default port number for the 138 | selected protocol is used if omitted. 
This option takes 139 | precedence over the 140 | .B 141 | host 142 | option; it is not possible to combine the two. 143 | .TP 144 | .B 145 | ldap_version 146 | Specifies the version of the 147 | .I 148 | LDAP 149 | protocol to use. Presently 150 | .B 151 | version 152 | must be 2 or 3. The default is to use the maximum version supported 153 | by the client library. 154 | .TP 155 | .B binddn 156 | Specifies the distinguished name with which to bind to the directory 157 | server(s). This option is optional; the default is to bind 158 | anonymously. 159 | .TP 160 | .B bindpw 161 | Specifies the cleartext credentials with which to bind. This option 162 | is only applicable when used with 163 | .B binddn 164 | above. The default is no credential (anonymous bind). When binding to 165 | the directory using 166 | .I 167 | SASL 168 | or other authentication mechanisms apart from simple binds, this 169 | option is not used. Because the configuration file may be readable by many users (see rootbinddn below), the identity named in binddn should hold no more directory access than user lookups need. 170 | .TP 171 | .B rootbinddn 172 | This option has the same syntax and effect as the 173 | .B binddn 174 | option above, except it applies when the effective user ID is 175 | zero. If not specified, then the identity specified in 176 | .B binddn 177 | is used instead. Because the configuration file may be readable by 178 | many users, the root bind DN credentials are stored in the 179 | .B ldap.secret 180 | file instead. This file is usually in the same directory as the 181 | configuration file. 182 | .TP 183 | .B port 184 | Specifies the port to connect to; this option is used with the 185 | .B host 186 | option, and is ignored with the 187 | .B uri 188 | option. 189 | .TP 190 | .B scope 191 | Specifies the search scope (subtree, one level or base object). The 192 | default scope is subtree; base scope is almost never useful for 193 | nameservice lookups. 194 | .TP 195 | .B deref 196 | Specifies the policy for dereferencing aliases. The default policy is 197 | to never dereference aliases.
198 | .TP 199 | .B timelimit 200 | Specifies the time limit (in seconds) to use when performing searches. A value 201 | of zero (0), which is the default, is to wait indefinitely for 202 | searches to be completed. 203 | .TP 204 | .B bind_timelimit 205 | Specifies the time limit (in seconds) to use when connecting to the directory 206 | server. This is distinct from the time limit specified in 207 | .B timelimit 208 | and affects the initial server connection only. (Server connections 209 | are otherwise cached.) Only some 210 | .I 211 | LDAP 212 | client libraries have the underlying functionality necessary to 213 | support this option. The default bind timelimit is 30 seconds. 214 | .TP 215 | .B referrals 216 | Specifies whether automatic referral chasing should be enabled. The 217 | default behaviour is specified by the 218 | .I LDAP 219 | client library. 220 | .TP 221 | .B restart 222 | Specifies whether the 223 | .I LDAP 224 | client library should restart the 225 | .BR 226 | select(2) 227 | system call when interrupted. This feature is not supported by all 228 | client libraries. 229 | .TP 230 | .B logdir 231 | Specifies the directory used for logging by the 232 | .I LDAP 233 | client library. This feature is not supported by all client 234 | libraries. 235 | .TP 236 | .B debug 237 | Specifies the debug level used for logging by the 238 | .I LDAP 239 | client library. This feature is not supported by all client 240 | libraries, and does not apply to the 241 | .B nss_ldap 242 | and 243 | .B pam_ldap 244 | modules themselves (debugging, if any, is configured separately 245 | and usually at compile time). 246 | .TP 247 | .B ssl 248 | Specifies whether to use SSL/TLS or not (the default is not to). If 249 | .B 250 | start_tls 251 | is specified then StartTLS is used rather than raw LDAP over SSL. 252 | Not all 253 | .I LDAP 254 | client libraries support both SSL and StartTLS, and all related 255 | configuration options.
256 | .TP 257 | .B sslpath 258 | For the Netscape and Mozilla 259 | .I 260 | LDAP 261 | client libraries only, this specifies the path to the X.509 262 | certificate database. 263 | .TP 264 | .B tls_checkpeer 265 | Specifies whether to require and verify the server certificate 266 | or not, when using SSL/TLS with the OpenLDAP client library. 267 | The default is to use the default behaviour of the client 268 | library; for OpenLDAP 2.0 and earlier it is "no", for OpenLDAP 269 | 2.1 and later it is "yes". At least one of 270 | .B tls_cacertdir 271 | and 272 | .B tls_cacertfile 273 | is required if peer verification is enabled. 274 | .TP 275 | .B tls_cacertdir 276 | Specifies the directory containing X.509 certificates for peer 277 | authentication. 278 | .TP 279 | .B tls_cacertfile 280 | Specifies the path to the X.509 certificate for peer authentication. 281 | .TP 282 | .B tls_randfile 283 | Specifies the path to an entropy source. 284 | .TP 285 | .B tls_ciphers 286 | Specifies the ciphers to use for TLS. See your TLS implementation's 287 | documentation for further information. 288 | .TP 289 | .B tls_cert 290 | Specifies the path to the file containing the local certificate for 291 | client TLS authentication. 292 | .TP 293 | .B tls_key 294 | Specifies the path to the file containing the private key for client 295 | TLS authentication. 296 | .TP 297 | The following configuration options apply to pam_ldap only: 298 | .TP 299 | .B pam_login_attribute 300 | Specifies the attribute to use when constructing the attribute value 301 | assertion for retrieving a directory entry for a user's login name. 302 | The default is "uid", for compatibility with RFC 2307. 303 | .TP 304 | .B pam_filter 305 | Specifies a filter to use when retrieving user information. The user 306 | entry must match the attribute value assertion of 307 | (pam_login_attribute=login_name) as well as any filter specified 308 | here. There is no default for this option. 
309 | .TP 310 | .B pam_lookup_policy 311 | Specifies whether to search the root DSE for password policy. The 312 | default is "no". 313 | .TP 314 | .B pam_check_host_attr 315 | Specifies whether the "host" attribute should be checked for logon 316 | authorization ("account" in the PAM stack). The default is not to. 317 | If set to "yes" and a user has no 318 | value for the "host" attribute, then the user will be unable to 319 | login. 320 | .TP 321 | .B pam_check_service_attr 322 | Specifies whether the "authorizedService" attribute should be checked 323 | for logon authorization ("account" in the PAM stack). The default is not 324 | to. If set to "yes" and a user has no value for the "authorizedService" 325 | attribute, then the user will be unable to login. 326 | .TP 327 | .B pam_groupdn 328 | Specifies the distinguished name of a group to which a user must belong 329 | for logon authorization to succeed. 330 | .B pam_member_attribute 331 | Specifies the attribute to use when testing a user's membership of a 332 | group specified in the 333 | .B pam_groupdn 334 | option. 335 | .TP 336 | .B pam_min_uid 337 | If specified, a user must have a POSIX user ID of at least 338 | .B uid 339 | in order for logon authorization to succeed. 340 | .TP 341 | .B pam_max_uid 342 | If specified, a user must have a POSIX user ID of no greater than 343 | .B uid 344 | in order for logon authorization to succeed. 345 | .TP 346 | .B pam_template_login_attribute 347 | When using template users (not supported by all PAM applications), 348 | specifies the attribute containing the user's actual login name. 349 | The 350 | .B pam_ldap 351 | module will set PAM_USER to the value of this attribute if present in the 352 | user's entry, otherwise it defaults to the user specified in the 353 | .B pam_template_login 354 | option. 
355 | .TP 356 | .B pam_template_login 357 | When using template users (not supported by all PAM applications), 358 | .B 359 | pam_ldap 360 | will set PAM_USER to the value of this option if the user does not 361 | contain a template login attribute. 362 | .TP 363 | .B pam_password 364 | Specifies the password change protocol to use. The following protocols 365 | are supported: 366 | .RS 367 | .TP 368 | .B clear 369 | Change password using an LDAPModify request, replacing the userPassword 370 | value with the new cleartext password. 371 | .TP 372 | .B clear_remove_old 373 | Change password using an LDAPModify request, first removing the userPassword 374 | value containing the old cleartext password, and then adding the userPassword 375 | value with the new cleartext password. This protocol is necessary for use 376 | with Novell NDS and IBM RACF. 377 | .TP 378 | .B crypt 379 | Change password using an LDAPModify request, first generating a one way 380 | hash of the new password using 381 | .BR crypt(3) 382 | and then replacing userPassword value with the new hashed password. 383 | .TP 384 | .B md5 385 | Change password using an LDAPModify request, first generating a one way 386 | hash of the new password using MD5 and then replacing userPassword value 387 | with the new hashed password. 388 | .TP 389 | .B nds 390 | This is an alias for 391 | .B clear_remove_old. 392 | .TP 393 | .B racf 394 | This is an alias for 395 | .B clear_remove_old. 396 | .TP 397 | .B ad 398 | Change password using an LDAPModify request, using the Active Directory 399 | Services Interface (ADSI) password change protocol. 400 | .TP 401 | .B exop 402 | Change password using the RFC 3062 password modify extended operation 403 | (only the new password is sent). 404 | .TP 405 | .B exop_send_old 406 | Change password using the RFC 3062 password modify extended operation 407 | (both the old and new passwords are sent). 
408 | .RE 409 | .TP 410 | .B pam_password_prohibit_message 411 | Specifies a message to send to users indicating that passwords cannot 412 | be changed. This could be used to redirect users to another means of 413 | changing passwords. 414 | .TP 415 | .B pam_sasl_mech 416 | Specifies the SASL mechanism to use for PAM authentication. This 417 | requires SASL libraries be installed. Support for this functionality 418 | is presently experimental and does not support password policy controls. 419 | .SH PAM CONFIGURATION 420 | It is possible to configure some aspects of 421 | .B pam_ldap 422 | on a per-service basis, in the PAM configuration file (this is usually 423 | /etc/pam.conf; for PAM implementations based on Linux-PAM, per-service 424 | files in /etc/pam.d are also supported). 425 | .LP 426 | The following options may be specified as arguments to the 427 | .B pam_ldap 428 | module: 429 | .TP 430 | .B 431 | config= 432 | Specifies that 433 | .B pam_ldap 434 | should use the configuration file in 435 | .B path 436 | instead of ldap.conf to retrieve its global configuration. Configuring 437 | multiple instances of 438 | .B pam_ldap 439 | for the same service with different configuration files is not supported, 440 | because the configuration information is cached. 441 | .TP 442 | .B 443 | use_first_pass 444 | Specifies that 445 | .B pam_ldap 446 | should always use the first password provided in the authentication 447 | stack. 448 | .TP 449 | .B 450 | try_first_pass 451 | Specifies that 452 | .B pam_ldap 453 | should first try the first password provided in the authentication 454 | stack, and then prompt the user for their 455 | .I 456 | LDAP 457 | password if authentication fails. 458 | .TP 459 | .B 460 | ignore_unknown_user 461 | Specifies that 462 | .B pam_ldap 463 | should return PAM_IGNORE for users that are not present in 464 | .I LDAP. 465 | This forces the PAM framework to ignore the 466 | .B pam_ldap 467 | module.
This option is useful where certain accounts do not reside in 468 | .I LDAP, 469 | but one wishes to make 470 | .B pam_ldap 471 | "required" for all accounts in the directory. In this case one would 472 | make both 473 | .B pam_ldap 474 | and the other module (for example, pam_unix) "required" and enable 475 | the 476 | .B ignore_unknown_user 477 | option. (For this to work, the other module must behave similarly for 478 | users in the directory; in the case of a module such as pam_unix that 479 | uses the system accounts database, using 480 | .BR nss_ldap(5) 481 | should be sufficient to meet this requirement.) 482 | .TP 483 | .B ignore_authinfo_unavail 484 | Specifies that 485 | .B pam_ldap 486 | should return PAM_IGNORE if it cannot contact the 487 | .I LDAP 488 | server. This option forces the PAM framework to ignore the 489 | .B pam_ldap 490 | module in this case. 491 | .TP 492 | .B no_warn 493 | Specifies that warning messages should not be propagated to the PAM 494 | application. 495 | .TP 496 | .B use_authtok 497 | Analogous to 498 | .B use_first_pass 499 | for password changing only. 500 | .TP 501 | .B debug 502 | This option is recognized by 503 | .B pam_ldap 504 | but is presently ignored. 505 | .SH AUTHOR 506 | The 507 | .B pam_ldap 508 | module was developed by PADL Software Pty Ltd (www.padl.com). 509 | .SH FILES 510 | .TP 511 | /etc/ldap.conf, /etc/ldap.secret, /etc/pam.conf 512 | .SH SEE ALSO 513 | .BR pam (8) 514 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc. 5 | 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 
8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Library General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 
42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. 
The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 
102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. 
You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 
165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. 
If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. 
If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 
292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License 307 | along with this program; if not, write to the Free Software 308 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 309 | 310 | 311 | Also add information on how to contact you by electronic and paper mail. 312 | 313 | If the program is interactive, make it output a short notice like this 314 | when it starts in an interactive mode: 315 | 316 | Gnomovision version 69, Copyright (C) year name of author 317 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 318 | This is free software, and you are welcome to redistribute it 319 | under certain conditions; type `show c' for details. 320 | 321 | The hypothetical commands `show w' and `show c' should show the appropriate 322 | parts of the General Public License. Of course, the commands you use may 323 | be called something other than `show w' and `show c'; they could even be 324 | mouse-clicks or menu items--whatever suits your program. 325 | 326 | You should also get your employer (if you work as a programmer) or your 327 | school, if any, to sign a "copyright disclaimer" for the program, if 328 | necessary. Here is a sample; alter the names: 329 | 330 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 331 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 
332 | 333 | , 1 April 1989 334 | Ty Coon, President of Vice 335 | 336 | This General Public License does not permit incorporating your program into 337 | proprietary programs. If your program is a subroutine library, you may 338 | consider it more useful to permit linking proprietary applications with the 339 | library. If this is what you want to do, use the GNU Library General 340 | Public License instead of this License. 341 | -------------------------------------------------------------------------------- /Makefile.in: -------------------------------------------------------------------------------- 1 | # Makefile.in generated by automake 1.9.6 from Makefile.am. 2 | # @configure_input@ 3 | 4 | # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 5 | # 2003, 2004, 2005 Free Software Foundation, Inc. 6 | # This Makefile.in is free software; the Free Software Foundation 7 | # gives unlimited permission to copy and/or distribute it, 8 | # with or without modifications, as long as this notice is preserved. 9 | 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY, to the extent permitted by law; without 12 | # even the implied warranty of MERCHANTABILITY or FITNESS FOR A 13 | # PARTICULAR PURPOSE. 14 | 15 | @SET_MAKE@ 16 | 17 | srcdir = @srcdir@ 18 | top_srcdir = @top_srcdir@ 19 | VPATH = @srcdir@ 20 | pkgdatadir = $(datadir)/@PACKAGE@ 21 | pkglibdir = $(libdir)/@PACKAGE@ 22 | pkgincludedir = $(includedir)/@PACKAGE@ 23 | top_builddir = . 
24 | am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd 25 | INSTALL = @INSTALL@ 26 | install_sh_DATA = $(install_sh) -c -m 644 27 | install_sh_PROGRAM = $(install_sh) -c 28 | install_sh_SCRIPT = $(install_sh) -c 29 | INSTALL_HEADER = $(INSTALL_DATA) 30 | transform = $(program_transform_name) 31 | NORMAL_INSTALL = : 32 | PRE_INSTALL = : 33 | POST_INSTALL = : 34 | NORMAL_UNINSTALL = : 35 | PRE_UNINSTALL = : 36 | POST_UNINSTALL = : 37 | build_triplet = @build@ 38 | host_triplet = @host@ 39 | target_triplet = @target@ 40 | noinst_PROGRAMS = pam_ldap.so$(EXEEXT) 41 | DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \ 42 | $(srcdir)/Makefile.in $(srcdir)/config.h.in \ 43 | $(top_srcdir)/configure AUTHORS COPYING COPYING.LIB ChangeLog \ 44 | INSTALL NEWS acconfig.h config.guess config.sub depcomp \ 45 | install-sh missing mkinstalldirs 46 | subdir = . 47 | ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 48 | am__aclocal_m4_deps = $(top_srcdir)/configure.in 49 | am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ 50 | $(ACLOCAL_M4) 51 | am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ 52 | configure.lineno configure.status.lineno 53 | mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs 54 | CONFIG_HEADER = config.h 55 | CONFIG_CLEAN_FILES = 56 | PROGRAMS = $(noinst_PROGRAMS) 57 | am_pam_ldap_so_OBJECTS = pam_ldap.$(OBJEXT) md5.$(OBJEXT) \ 58 | vers.$(OBJEXT) 59 | pam_ldap_so_OBJECTS = $(am_pam_ldap_so_OBJECTS) 60 | pam_ldap_so_LDADD = $(LDADD) 61 | DEFAULT_INCLUDES = -I. -I$(srcdir) -I. 
# Compiler, tag and distribution settings, followed by the values that
# configure substitutes for the @NAME@ placeholders (automake-generated).
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
CCLD = $(CC)
SOURCES = $(pam_ldap_so_SOURCES)
DIST_SOURCES = $(pam_ldap_so_SOURCES)
man5dir = $(mandir)/man5
am__installdirs = "$(DESTDIR)$(man5dir)"
NROFF = nroff
MANS = $(man_MANS)
ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
# Name of the staging directory used by the dist targets; it is created in
# the current directory and removed again by am__remove_distdir.
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
# Deletes an existing staging directory. Owner write permission is restored
# on its subdirectories first, because distcheck leaves the tree read-only.
am__remove_distdir = \
  { test ! -d $(distdir) \
    || { find $(distdir) -type d ! -perm -200 -exec chmod u+w {} ';' \
         && rm -fr $(distdir); }; }
DIST_ARCHIVES = $(distdir).tar.gz
GZIP_ENV = --best
distuninstallcheck_listfiles = find . -type f -print
distcleancheck_listfiles = find . -type f -print
ACLOCAL = @ACLOCAL@
AMDEP_FALSE = @AMDEP_FALSE@
AMDEP_TRUE = @AMDEP_TRUE@
AMTAR = @AMTAR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
# EXTENSION_* select which file name install-exec-local gives the module.
EXTENSION_1_FALSE = @EXTENSION_1_FALSE@
EXTENSION_1_TRUE = @EXTENSION_1_TRUE@
EXTENSION_SO_FALSE = @EXTENSION_SO_FALSE@
EXTENSION_SO_TRUE = @EXTENSION_SO_TRUE@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
LDFLAGS = @LDFLAGS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
OBJEXT = @OBJEXT@
PACKAGE = @PACKAGE@
# Remaining configure substitutions, then the build, man-page, tags and
# dist rules (automake-generated; recipes are left exactly as emitted).
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
STRIP = @STRIP@
USE_NATIVE_LINKER_FALSE = @USE_NATIVE_LINKER_FALSE@
USE_NATIVE_LINKER_TRUE = @USE_NATIVE_LINKER_TRUE@
VERSION = @VERSION@
ac_ct_CC = @ac_ct_CC@
ac_ct_STRIP = @ac_ct_STRIP@
am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
datadir = @datadir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
libexecdir = @libexecdir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pam_ldap_so_LD = @pam_ldap_so_LD@
pam_ldap_so_LDFLAGS = @pam_ldap_so_LDFLAGS@
prefix = @prefix@
program_transform_name = @program_transform_name@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@
target = @target@
target_alias = @target_alias@
target_cpu = @target_cpu@
target_os = @target_os@
target_vendor = @target_vendor@
# ldap.conf, pam.conf and the pam.d samples are shipped in the tarball only;
# of these, only ldap.conf is installed (by install-data-local).
EXTRA_DIST = COPYING.LIB CVSVersionInfo.txt ChangeLog README \
	ldap.conf pam.conf pam_ldap.spec pam.d

pam_ldap_so_SOURCES = pam_ldap.c pam_ldap.h md5.c md5.h vers.c
man_MANS = pam_ldap.5
# Two alternative link commands, each guarded by a configure conditional;
# presumably only one stays defined after substitution, so LINK below
# expands to whichever survives.
@USE_NATIVE_LINKER_TRUE@NATIVE_LINK = $(pam_ldap_so_LD) $(AM_LDFLAGS) -o $@
@USE_NATIVE_LINKER_FALSE@GNU_LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@

# This is horrible but appears to be the only way to work with
# recent versions of automake. Any better ideas, let me know.
LINK = $(NATIVE_LINK) $(GNU_LINK)
all: config.h
	$(MAKE) $(AM_MAKEFLAGS) all-am

.SUFFIXES:
.SUFFIXES: .c .o .obj
am--refresh:
	@:
# Regenerates Makefile.in with automake when Makefile.am or a configure
# input changed.
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
	@for dep in $?; do \
	  case '$(am__configure_deps)' in \
	    *$$dep*) \
	      echo ' cd $(srcdir) && $(AUTOMAKE) --gnu '; \
	      cd $(srcdir) && $(AUTOMAKE) --gnu \
		&& exit 0; \
	      exit 1;; \
	  esac; \
	done; \
	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu Makefile'; \
	cd $(top_srcdir) && \
	  $(AUTOMAKE) --gnu Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
	@case '$?' in \
	  *config.status*) \
	    echo ' $(SHELL) ./config.status'; \
	    $(SHELL) ./config.status;; \
	  *) \
	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \
	    cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \
	esac;

$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
	$(SHELL) ./config.status --recheck

$(top_srcdir)/configure: $(am__configure_deps)
	cd $(srcdir) && $(AUTOCONF)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
	cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)

# config.h is tracked through the stamp-h1 timestamp file; if config.h is
# missing the stamp is dropped so that it gets regenerated.
config.h: stamp-h1
	@if test ! -f $@; then \
	  rm -f stamp-h1; \
	  $(MAKE) stamp-h1; \
	else :; fi

stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
	@rm -f stamp-h1
	cd $(top_builddir) && $(SHELL) ./config.status config.h
$(srcdir)/config.h.in: $(am__configure_deps) $(top_srcdir)/acconfig.h
	cd $(top_srcdir) && $(AUTOHEADER)
	rm -f stamp-h1
	touch $@

distclean-hdr:
	-rm -f config.h stamp-h1

clean-noinstPROGRAMS:
	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
# Links the PAM module; the old output is removed first.
pam_ldap.so$(EXEEXT): $(pam_ldap_so_OBJECTS) $(pam_ldap_so_DEPENDENCIES)
	@rm -f pam_ldap.so$(EXEEXT)
	$(LINK) $(pam_ldap_so_LDFLAGS) $(pam_ldap_so_OBJECTS) $(pam_ldap_so_LDADD) $(LIBS)

mostlyclean-compile:
	-rm -f *.$(OBJEXT)

distclean-compile:
	-rm -f *.tab.c

@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_ldap.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vers.Po@am__quote@

.c.o:
@am__fastdepCC_TRUE@	if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@	$(COMPILE) -c $<

.c.obj:
@am__fastdepCC_TRUE@	if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
uninstall-info-am:
# Installs the section-5 man page(s) under $(DESTDIR)$(man5dir) using
# $(INSTALL_DATA); the installed name goes through $(transform).
install-man5: $(man5_MANS) $(man_MANS)
	@$(NORMAL_INSTALL)
	test -z "$(man5dir)" || $(mkdir_p) "$(DESTDIR)$(man5dir)"
	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
	for i in $$l2; do \
	  case "$$i" in \
	    *.5*) list="$$list $$i" ;; \
	  esac; \
	done; \
	for i in $$list; do \
	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
	  else file=$$i; fi; \
	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
	  case "$$ext" in \
	    5*) ;; \
	    *) ext='5' ;; \
	  esac; \
	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \
	done
# Removes the man page(s) that install-man5 would have installed.
uninstall-man5:
	@$(NORMAL_UNINSTALL)
	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
	for i in $$l2; do \
	  case "$$i" in \
	    *.5*) list="$$list $$i" ;; \
	  esac; \
	done; \
	for i in $$list; do \
	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
	  case "$$ext" in \
	    5*) ;; \
	    *) ext='5' ;; \
	  esac; \
	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
	  echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
	  rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
	done

ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
	unique=`for i in $$list; do \
	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
	  done | \
	  $(AWK) ' { files[$$0] = 1; } \
	       END { for (i in files) print i; }'`; \
	mkid -fID $$unique
tags: TAGS

TAGS: $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
		$(TAGS_FILES) $(LISP)
	tags=; \
	here=`pwd`; \
	list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \
	unique=`for i in $$list; do \
	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
	  done | \
	  $(AWK) ' { files[$$0] = 1; } \
	       END { for (i in files) print i; }'`; \
	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
	  test -n "$$unique" || unique=$$empty_fix; \
	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
	    $$tags $$unique; \
	fi
ctags: CTAGS
CTAGS: $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
		$(TAGS_FILES) $(LISP)
	tags=; \
	here=`pwd`; \
	list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \
	unique=`for i in $$list; do \
	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
	  done | \
	  $(AWK) ' { files[$$0] = 1; } \
	       END { for (i in files) print i; }'`; \
	test -z "$(CTAGS_ARGS)$$tags$$unique" \
	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
	     $$tags $$unique

GTAGS:
	here=`$(am__cd) $(top_builddir) && pwd` \
	  && cd $(top_srcdir) \
	  && gtags -i $(GTAGS_ARGS) $$here

distclean-tags:
	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags

# Copies every file in $(DISTFILES) into a fresh $(distdir) staging tree.
# The closing find gives every directory in that tree mode a+rwx and every
# file a+r, so the staging tree is writable by any local user until the
# dist-* rule has archived and removed it. When cutting a release on a
# shared host, run the dist targets from a parent directory that other
# users cannot enter.
distdir: $(DISTFILES)
	$(am__remove_distdir)
	mkdir $(distdir)
	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
	list='$(DISTFILES)'; for file in $$list; do \
	  case $$file in \
	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
	  esac; \
	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
	    dir="/$$dir"; \
	    $(mkdir_p) "$(distdir)$$dir"; \
	  else \
	    dir=''; \
	  fi; \
	  if test -d $$d/$$file; then \
	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
	    fi; \
	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
	  else \
	    test -f $(distdir)/$$file \
	    || cp -p $$d/$$file $(distdir)/$$file \
	    || exit 1; \
	  fi; \
	done
	-find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
	  ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
	|| chmod -R a+r $(distdir)
# Each dist-* rule archives the staging tree, then removes it.
dist-gzip: distdir
	tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
	$(am__remove_distdir)

dist-bzip2: distdir
	tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
	$(am__remove_distdir)

dist-tarZ: distdir
	tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
	$(am__remove_distdir)

dist-shar: distdir
	shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
	$(am__remove_distdir)

dist-zip: distdir
	-rm -f $(distdir).zip
	zip -rq $(distdir).zip $(distdir)
	$(am__remove_distdir)

dist dist-all: distdir
	tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
	$(am__remove_distdir)

# This target untars the dist file and tries a VPATH configuration. Then
# it guarantees that the distribution is self-contained by making another
# tarfile.
# Permission and temp-directory handling in this recipe:
#  - the unpacked tree is made read-only (chmod -R a-w); its top directory
#    is then made writable by all users (chmod a+w) while _build and _inst
#    are created, and is made read-only again afterwards;
#  - the DESTDIR staging directory lives under $${TMPDIR-/tmp} with a name
#    built from the shell PID, and is created with umask 077 and a plain
#    mkdir, so an already existing path makes the step fail;
#  - on that failure the `||` branch still runs rm -rf on the same path.
# On a shared host, run distcheck from a directory other users cannot enter
# and point TMPDIR at a private directory.
distcheck: dist
	case '$(DIST_ARCHIVES)' in \
	*.tar.gz*) \
	  GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(am__untar) ;;\
	*.tar.bz2*) \
	  bunzip2 -c $(distdir).tar.bz2 | $(am__untar) ;;\
	*.tar.Z*) \
	  uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
	*.shar.gz*) \
	  GZIP=$(GZIP_ENV) gunzip -c $(distdir).shar.gz | unshar ;;\
	*.zip*) \
	  unzip $(distdir).zip ;;\
	esac
	chmod -R a-w $(distdir); chmod a+w $(distdir)
	mkdir $(distdir)/_build
	mkdir $(distdir)/_inst
	chmod a-w $(distdir)
	dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
	  && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
	  && cd $(distdir)/_build \
	  && ../configure --srcdir=.. --prefix="$$dc_install_base" \
	    $(DISTCHECK_CONFIGURE_FLAGS) \
	  && $(MAKE) $(AM_MAKEFLAGS) \
	  && $(MAKE) $(AM_MAKEFLAGS) dvi \
	  && $(MAKE) $(AM_MAKEFLAGS) check \
	  && $(MAKE) $(AM_MAKEFLAGS) install \
	  && $(MAKE) $(AM_MAKEFLAGS) installcheck \
	  && $(MAKE) $(AM_MAKEFLAGS) uninstall \
	  && $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \
	        distuninstallcheck \
	  && chmod -R a-w "$$dc_install_base" \
	  && ({ \
	       (cd ../.. && umask 077 && mkdir "$$dc_destdir") \
	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \
	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \
	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \
	            distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \
	      } || { rm -rf "$$dc_destdir"; exit 1; }) \
	  && rm -rf "$$dc_destdir" \
	  && $(MAKE) $(AM_MAKEFLAGS) dist \
	  && rm -rf $(DIST_ARCHIVES) \
	  && $(MAKE) $(AM_MAKEFLAGS) distcleancheck
	$(am__remove_distdir)
	@(echo "$(distdir) archives ready for distribution: "; \
	  list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
	  sed -e '1{h;s/./=/g;p;x;}' -e '$${p;x;}'
# Fails when more than one regular file is left under
# $(distuninstallcheck_dir) after `make uninstall`.
distuninstallcheck:
	@cd $(distuninstallcheck_dir) \
	&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
	   || { echo "ERROR: files left after uninstall:" ; \
	        if test -n "$(DESTDIR)"; then \
	          echo " (check DESTDIR support)"; \
	        fi ; \
	        $(distuninstallcheck_listfiles) ; \
	        exit 1; } >&2
# Fails when `make distclean` leaves any file in a VPATH build directory.
distcleancheck: distclean
	@if test '$(srcdir)' = . ; then \
	  echo "ERROR: distcleancheck can only run from a VPATH build" ; \
	  exit 1 ; \
	fi
	@test `$(distcleancheck_listfiles) | wc -l` -eq 0 \
	  || { echo "ERROR: files left in build directory after distclean:" ; \
	       $(distcleancheck_listfiles) ; \
	       exit 1; } >&2
check-am: all-am
check: check-am
all-am: Makefile $(PROGRAMS) $(MANS) config.h
installdirs:
	for dir in "$(DESTDIR)$(man5dir)"; do \
	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
	done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am

install-am: all-am
	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am

installcheck: installcheck-am
# Re-runs `install` with the stripping install program substituted.
install-strip:
	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
	  `test -z '$(STRIP)' || \
	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
mostlyclean-generic:

clean-generic:

distclean-generic:
	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)

maintainer-clean-generic:
	@echo "This command is intended for maintainers to use"
	@echo "it deletes files that may require special tools to rebuild."
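# Clean/install dispatch targets (automake-generated), followed by the
# hand-written *-local rules that install the PAM module and ldap.conf.
clean: clean-am

clean-am: clean-generic clean-noinstPROGRAMS mostlyclean-am

distclean: distclean-am
	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
	-rm -rf ./$(DEPDIR)
	-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
	distclean-hdr distclean-tags

dvi: dvi-am

dvi-am:

html: html-am

info: info-am

info-am:

install-data-am: install-data-local install-man

install-exec-am: install-exec-local

install-info: install-info-am

install-man: install-man5

installcheck-am:

maintainer-clean: maintainer-clean-am
	-rm -f $(am__CONFIG_DISTCLEAN_FILES)
	-rm -rf $(top_srcdir)/autom4te.cache
	-rm -rf ./$(DEPDIR)
	-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic

mostlyclean: mostlyclean-am

mostlyclean-am: mostlyclean-compile mostlyclean-generic

pdf: pdf-am

pdf-am:

ps: ps-am

ps-am:

uninstall-am: uninstall-info-am uninstall-local uninstall-man

uninstall-man: uninstall-man5

.PHONY: CTAGS GTAGS all all-am am--refresh check check-am clean \
	clean-generic clean-noinstPROGRAMS ctags dist dist-all \
	dist-bzip2 dist-gzip dist-shar dist-tarZ dist-zip distcheck \
	distclean distclean-compile distclean-generic distclean-hdr \
	distclean-tags distcleancheck distdir distuninstallcheck dvi \
	dvi-am html html-am info info-am install install-am \
	install-data install-data-am install-data-local install-exec \
	install-exec-am install-exec-local install-info \
	install-info-am install-man install-man5 install-strip \
	installcheck installcheck-am installdirs maintainer-clean \
	maintainer-clean-generic mostlyclean mostlyclean-compile \
	mostlyclean-generic pdf pdf-am ps ps-am tags uninstall \
	uninstall-am uninstall-info-am uninstall-local uninstall-man \
	uninstall-man5


# Installs the PAM module into $(DESTDIR)$(libdir)/security, owned by
# root:root. The EXTENSION_SO / EXTENSION_1 conditionals pick the installed
# file name (pam_ldap.so, libpam_ldap.1, or pam_ldap.so.1 plus a
# pam_ldap.so symlink).
# - `-o root -g root` makes the install step change ownership, so a staged
#   DESTDIR install run by an unprivileged user will presumably fail here.
# - No -m is passed; the mode is whatever $(INSTALL_PROGRAM) defaults to.
#   NOTE(review): confirm the installed module is writable by root only; it
#   is loaded by the services that reference it in their PAM configuration.
# - The symlink step chains with && so that a failed cd cannot make
#   `rm -f pam_ldap.so` delete the freshly built module in the build tree.
install-exec-local: pam_ldap.so
	@$(NORMAL_INSTALL)
	$(mkinstalldirs) $(DESTDIR)$(libdir)/security
@EXTENSION_SO_TRUE@	$(INSTALL_PROGRAM) -o root -g root pam_ldap.so $(DESTDIR)$(libdir)/security/pam_ldap.so
@EXTENSION_1_TRUE@@EXTENSION_SO_FALSE@	$(INSTALL_PROGRAM) -o root -g root pam_ldap.so $(DESTDIR)$(libdir)/security/libpam_ldap.1
@EXTENSION_1_FALSE@@EXTENSION_SO_FALSE@	$(INSTALL_PROGRAM) -o root -g root pam_ldap.so $(DESTDIR)$(libdir)/security/pam_ldap.so.1
@EXTENSION_1_FALSE@@EXTENSION_SO_FALSE@	(cd $(DESTDIR)$(libdir)/security && rm -f pam_ldap.so && ln -s pam_ldap.so.1 pam_ldap.so)

# Installs the sample ldap.conf into $(DESTDIR)$(sysconfdir), but only when
# no ldap.conf exists there, so an existing site configuration is kept.
# The file goes through $(INSTALL_DATA) with no explicit -m.
# NOTE(review): ldap.conf can hold a bind password (bindpw); check that the
# resulting mode suits what the deployment stores in it.
# The install is chained with && so that it is skipped when the directory
# could not be created.
install-data-local:
	@$(NORMAL_INSTALL)
	@if test ! -f $(DESTDIR)$(sysconfdir)/ldap.conf; then \
		$(mkinstalldirs) $(DESTDIR)$(sysconfdir) && \
		$(INSTALL_DATA) -o root -g root $(srcdir)/ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
	fi

# Only runs the NORMAL_UNINSTALL hook: neither the module copied by
# install-exec-local nor ldap.conf is removed by `make uninstall`, so the
# module stays loadable until it is deleted by hand.
uninstall-local:
	@$(NORMAL_UNINSTALL)

# Regenerates vers.c by running the vers_string script from the source tree;
# presumably it reads CVSVersionInfo.txt, the declared prerequisite.
vers.c: $(top_srcdir)/CVSVersionInfo.txt
	$(top_srcdir)/vers_string -v
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
--------------------------------------------------------------------------------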