ITS#8903 - Add option to bind early in ldappasswd

ldappasswd is slightly different from a standard passwd workflow in that it
requests an old password, then a new password, then the old password
again.  This confuses people who are used to the unix passwd tool as
well as people who use password manager.  I've seen quite a few people
who have generated a new password, overwriting the old one, and then
need a password reset because they still need to bind to modify their
password.

This patch adds an option to bind at the beginning of the process so
that you can pass '-E' to ldappasswd and it will bind early in the
process so that the process is the same as the standard passwd.  All it
does is run the bind towards the beginning of the process instead of the
end.

The attached patch file is derived from OpenLDAP Software. All of
the modifications to OpenLDAP Software represented in the following
patch(es) were developed by Randall Mason randall@mason.ch. I have not
assigned rights and/or interest in this work to any party.

I, Randall Mason, hereby place the following modifications to
OpenLDAP Software (and only these modifications) into the public domain.
Hence, these modifications may be freely used and/or redistributed for
any purpose with or without attribution and/or other notice.

diff --git a/clients/tools/ldappasswd.c b/clients/tools/ldappasswd.c
index 6ba2a824ae6447302df16ce52e4975f81c51670a..daa71fb3a9b18817786592bd66eaad76b5c3a67b 100644 (file)
--- a/clients/tools/ldappasswd.c
+++ b/clients/tools/ldappasswd.c
@@ -56,6 +56,7 @@
 static struct berval newpw = { 0, NULL };
 static struct berval oldpw = { 0, NULL };
 
+static int   want_bindearly = 0;
 static int   want_newpw = 0;
 static int   want_oldpw = 0;
 
@@ -69,6 +70,7 @@ usage( void )
        fprintf( stderr,_("usage: %s [options] [user]\n"), prog);
        fprintf( stderr, _("  user: the authentication identity, commonly a DN\n"));
        fprintf( stderr, _("Password change options:\n"));
+       fprintf( stderr, _("  -E         bind early\n"));
        fprintf( stderr, _("  -a secret  old password\n"));
        fprintf( stderr, _("  -A         prompt for old password\n"));
        fprintf( stderr, _("  -t file    read file for old password\n"));
@@ -80,7 +82,7 @@ usage( void )
 }
 
 
-const char options[] = "a:As:St:T:"
+const char options[] = "Ea:As:St:T:"
        "d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
@@ -117,6 +119,11 @@ handle_private_option( int i )
                }
 #endif
 
+       case 'E':       /* bind to the LDAP server before other actions */
+               want_bindearly++;
+               break;
+
+
        case 'a':       /* old password (secret) */
                oldpw.bv_val = strdup( optarg );
                {
@@ -195,6 +202,13 @@ main( int argc, char *argv[] )
                user = NULL;
        }
 
+       if( want_bindearly ) {
+               /* bind */
+               ld = tool_conn_setup( 0, 0 );
+
+               tool_bind( ld );
+       }
+
        if( oldpwfile ) {
                rc = lutil_get_filed_password( oldpwfile, &oldpw );
                if( rc ) {
@@ -245,9 +259,12 @@ main( int argc, char *argv[] )
                newpw.bv_len = strlen( newpw.bv_val );
        }
 
-       ld = tool_conn_setup( 0, 0 );
+       if( ! want_bindearly ) {
+               /* bind */
+               ld = tool_conn_setup( 0, 0 );
 
-       tool_bind( ld );
+               tool_bind( ld );
+       }
 
        if( user != NULL || oldpw.bv_val != NULL || newpw.bv_val != NULL ) {
                /* build the password modify request data */