From 93fd46699d6691f14928ec71e638a9b99445f1f9 Mon Sep 17 00:00:00 2001
From: "Jiadong.Jiang"
Date: Mon, 1 Jul 2024 13:46:52 +0800
Subject: [PATCH] Add allow empty password config for login success when password is empty
---
 ldap.conf | 5 +++++
 pam_ldap.c | 11 +++++++++++
 pam_ldap.h | 2 ++
 3 files changed, 18 insertions(+)
diff --git a/ldap.conf b/ldap.conf
index 0f43d47..c8c746e 100644
--- a/ldap.conf
+++ b/ldap.conf
@@ -285,3 +285,8 @@ base dc=padl,dc=com
 # SASL mechanism for PAM authentication - use is experimental
 # at present and does not support password policy control
 #pam_sasl_mech DIGEST-MD5
+
+# PAM authentication mechanism
+# Use this, you can authentication success when password is empty (on/off)
+# Defaulf is off
+#allow_empty_password off
\ No newline at end of file
diff --git a/pam_ldap.c b/pam_ldap.c
index b468ad0..1c9cdbb 100644
--- a/pam_ldap.c
+++ b/pam_ldap.c
@@ -686,6 +686,7 @@ _alloc_config (pam_ldap_config_t ** presult)
 result->logdir = NULL;
 result->sasl_mechanism = NULL;
 result->debug = 0;
+ result->allow_empty_password = 0;
 return PAM_SUCCESS;
 }
@@ -1119,6 +1120,10 @@ _read_config (const char *configFile, pam_ldap_config_t ** presult)
 else if (!strcasecmp (k, "debug"))
 {
 result->debug = atol (v);
+ }
+ else if (!strcasecmp (k, "allow_empty_password"))
+ {
+ result->allow_empty_password = !strcasecmp (v, "on");
 }
 }
@@ -2036,7 +2041,13 @@ _connect_as_user (pam_handle_t * pamh, pam_ldap_session_t * session, const char
 /* avoid binding anonymously with a DN but no password */
 if (password == NULL || password[0] == '\0')
+ {
+ if(session->conf->allow_empty_password)
+ {
+ return PAM_SUCCESS;
+ }
 return PAM_AUTH_ERR;
+ }
 /* this shouldn't ever happen */
 if (session->info == NULL)
diff --git a/pam_ldap.h b/pam_ldap.h
index 554a635..614445a 100644
--- a/pam_ldap.h
+++ b/pam_ldap.h
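Review bot: The sample comment for `allow_empty_password` does not say what switching the option on actually does. In the pam_ldap.c part of this patch, an empty password with the option set returns success before any bind is attempted, for whichever user is being authenticated. The comment should state that, for example `# If on, an empty password is accepted for any user without an LDAP bind (default: off)`. The added text also contains the typo `Defaulf`, and the file now ends without a trailing newline.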
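Review bot: The key parsed in the `_read_config` hunk is `allow_empty_password`, while the PAM-specific option visible in the ldap.conf hunk is named `pam_sasl_mech`; a name such as `pam_allow_empty_password` would match that convention and make it clear which consumer of the file the setting belongs to. Only the literal `on` enables the option, so `yes`, `true` or `1` silently leave it off. That is the safe direction, but a comment such as `/* any value other than "on" keeps the empty-password check enabled */` would show it is deliberate. `_read_config` starts and ends outside the hunk.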
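Review bot: The new branch in `_connect_as_user` returns `PAM_SUCCESS` whenever the supplied password is NULL or empty and `allow_empty_password` is set, and it does so before any bind, so nothing on these lines ties the result to the directory entry of the user being authenticated. As written, the option appears to switch authentication off for every account this module serves rather than admit only accounts that really have no password; the existing comment above the check says the test is there to avoid binding anonymously with a DN but no password. I would keep the unconditional `return PAM_AUTH_ERR;` here and handle passwordless accounts per user in the PAM stack, or at minimum record each use with something like `syslog (LOG_WARNING, "pam_ldap: empty password accepted without bind");` so the path is auditable. The function body starts and ends outside the hunk, so whether callers apply further account checks cannot be confirmed from here.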
@@ -140,6 +140,8 @@ typedef struct pam_ldap_config
 int debug;
 /* SASL mechanism */
 char *sasl_mechanism;
+ /* allow empty password */
+ int allow_empty_password;
 } pam_ldap_config_t;