ClashTheBunny · August 21, 2018 01:12
diff --git a/0001-Add-option-to-bind-early-in-ldappasswd.patch b/0001-Add-option-to-bind-early-in-ldappasswd.patch
 From d55d963af8f42fe4caa4dac1d39968aad7864437 Mon Sep 17 00:00:00 2001
 From: Randall Mason <[email protected]>
 Date: Mon, 20 Aug 2018 19:16:32 -0500
 Subject: [PATCH] Add option to bind early in ldappasswd

 ldappasswd is slightly different from a standard passwd workflow in that it
 requests an old password, then a new password, then the old password
 again.  This confuses people who are used to the unix passwd tool as
 well as people who use password manager.  I've seen quite a few people
 who have generated a new password, overwriting the old one, and then
 need a password reset because they still need to bind to modify their
 password.

 This patch adds an option to bind at the beginning of the process so
 that you can pass '-E' to ldappasswd and it will bind early in the
 process so that the process is the same as the standard passwd.  All it
 does is run the bind towards the beginning of the process instead of the
 end.

 The attached patch file is derived from OpenLDAP Software. All of
 the modifications to OpenLDAP Software represented in the following
 patch(es) were developed by Randall Mason [email protected]. I have not
 assigned rights and/or interest in this work to any party.

 I, Randall Mason, hereby place the following modifications to
 OpenLDAP Software (and only these modifications) into the public domain.
 Hence, these modifications may be freely used and/or redistributed for
 any purpose with or without attribution and/or other notice.
 ---
 clients/tools/ldappasswd.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

 diff --git a/clients/tools/ldappasswd.c b/clients/tools/ldappasswd.c
 index 501d0bad5..231cb8e10 100644
 --- a/clients/tools/ldappasswd.c
 +++ b/clients/tools/ldappasswd.c
 @@ -56,6 +56,7 @@
 static struct berval newpw = { 0, NULL };
 static struct berval oldpw = { 0, NULL };
 
 +static int   want_bindearly = 0;
 static int   want_newpw = 0;
 static int   want_oldpw = 0;
 
 @@ -69,6 +70,7 @@ usage( void )
 	fprintf( stderr,_("usage: %s [options] [user]\n"), prog);
 	fprintf( stderr, _("  user: the authentication identity, commonly a DN\n"));
 	fprintf( stderr, _("Password change options:\n"));
 +	fprintf( stderr, _("  -E         bind early\n"));
 	fprintf( stderr, _("  -a secret  old password\n"));
 	fprintf( stderr, _("  -A         prompt for old password\n"));
 	fprintf( stderr, _("  -t file    read file for old password\n"));
 @@ -80,7 +82,7 @@ usage( void )
 }
 
 
 -const char options[] = "a:As:St:T:"
 +const char options[] = "Ea:As:St:T:"
 	"d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
 @@ -117,6 +119,11 @@ handle_private_option( int i )
 		}
 #endif
 
 +	case 'E':	/* bind to the LDAP server before other actions */
 +		want_bindearly++;
 +		break;
 +
 +
 	case 'a':	/* old password (secret) */
 		oldpw.bv_val = strdup( optarg );
 		{
 @@ -195,6 +202,13 @@ main( int argc, char *argv[] )
 		user = NULL;
 	}
 
 +	if( want_bindearly ) {
 +    /* bind */
 +    ld = tool_conn_setup( 0, 0 );
 +
 +    tool_bind( ld );
 +  }
 +
 	if( oldpwfile ) {
 		rc = lutil_get_filed_password( oldpwfile, &oldpw );
 		if( rc ) {
 @@ -245,9 +259,12 @@ main( int argc, char *argv[] )
 		newpw.bv_len = strlen( newpw.bv_val );
 	}
 
 -	ld = tool_conn_setup( 0, 0 );
 +	if( ! want_bindearly ) {
 +    /* bind */
 +    ld = tool_conn_setup( 0, 0 );
 
 -	tool_bind( ld );
 +    tool_bind( ld );
 +  }
 
 	if( user != NULL || oldpw.bv_val != NULL || newpw.bv_val != NULL ) {
 		/* build the password modify request data */
 -- 
 2.18.0
	From d55d963af8f42fe4caa4dac1d39968aad7864437 Mon Sep 17 00:00:00 2001
	From: Randall Mason <[email protected]>
	Date: Mon, 20 Aug 2018 19:16:32 -0500
	Subject: [PATCH] Add option to bind early in ldappasswd

	ldappasswd is slightly different from a standard passwd workflow in that it
	requests an old password, then a new password, then the old password
	again. This confuses people who are used to the unix passwd tool as
	well as people who use password manager. I've seen quite a few people
	who have generated a new password, overwriting the old one, and then
	need a password reset because they still need to bind to modify their
	password.

	This patch adds an option to bind at the beginning of the process so
	that you can pass '-E' to ldappasswd and it will bind early in the
	process so that the process is the same as the standard passwd. All it
	does is run the bind towards the beginning of the process instead of the
	end.

	The attached patch file is derived from OpenLDAP Software. All of
	the modifications to OpenLDAP Software represented in the following
	patch(es) were developed by Randall Mason [email protected]. I have not
	assigned rights and/or interest in this work to any party.

	I, Randall Mason, hereby place the following modifications to
	OpenLDAP Software (and only these modifications) into the public domain.
	Hence, these modifications may be freely used and/or redistributed for
	any purpose with or without attribution and/or other notice.
	---
	clients/tools/ldappasswd.c \| 23 ++++++++++++++++++++---
	1 file changed, 20 insertions(+), 3 deletions(-)

	diff --git a/clients/tools/ldappasswd.c b/clients/tools/ldappasswd.c
	index 501d0bad5..231cb8e10 100644
	--- a/clients/tools/ldappasswd.c
	+++ b/clients/tools/ldappasswd.c
	@@ -56,6 +56,7 @@
	static struct berval newpw = { 0, NULL };
	static struct berval oldpw = { 0, NULL };

	+static int want_bindearly = 0;
	static int want_newpw = 0;
	static int want_oldpw = 0;

	@@ -69,6 +70,7 @@ usage( void )
	fprintf( stderr,_("usage: %s [options] [user]\n"), prog);
	fprintf( stderr, _(" user: the authentication identity, commonly a DN\n"));
	fprintf( stderr, _("Password change options:\n"));
	+ fprintf( stderr, _(" -E bind early\n"));
	fprintf( stderr, _(" -a secret old password\n"));
	fprintf( stderr, _(" -A prompt for old password\n"));
	fprintf( stderr, _(" -t file read file for old password\n"));
	@@ -80,7 +82,7 @@ usage( void )
	}


	-const char options[] = "a:As:St:T:"
	+const char options[] = "Ea:As:St:T:"
	"d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";

	int
	@@ -117,6 +119,11 @@ handle_private_option( int i )
	}
	#endif

	+ case 'E': /* bind to the LDAP server before other actions */
	+ want_bindearly++;
	+ break;
	+
	+
	case 'a': /* old password (secret) */
	oldpw.bv_val = strdup( optarg );
	{
	@@ -195,6 +202,13 @@ main( int argc, char *argv[] )
	user = NULL;
	}

	+ if( want_bindearly ) {
	+ /* bind */
	+ ld = tool_conn_setup( 0, 0 );
	+
	+ tool_bind( ld );
	+ }
	+
	if( oldpwfile ) {
	rc = lutil_get_filed_password( oldpwfile, &oldpw );
	if( rc ) {
	@@ -245,9 +259,12 @@ main( int argc, char *argv[] )
	newpw.bv_len = strlen( newpw.bv_val );
	}

	- ld = tool_conn_setup( 0, 0 );
	+ if( ! want_bindearly ) {
	+ /* bind */
	+ ld = tool_conn_setup( 0, 0 );

	- tool_bind( ld );
	+ tool_bind( ld );
	+ }

	if( user != NULL \|\| oldpw.bv_val != NULL \|\| newpw.bv_val != NULL ) {
	/* build the password modify request data */
	--
	2.18.0