$NetBSD: patch-ab,v 1.9 2010/11/16 09:53:50 adam Exp $

--- pam_ldap.c.orig	2010-11-08 00:58:44.000000000 +0000
+++ pam_ldap.c
@@ -3411,7 +3411,7 @@ pam_sm_authenticate (pam_handle_t * pamh
   int rc;
   const char *username;
   char *p;
-  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0;
+  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0, migrate = 0;
   int i;
   pam_ldap_session_t *session = NULL;
   const char *configFile = NULL;
@@ -3432,6 +3432,8 @@ pam_sm_authenticate (pam_handle_t * pamh
 	;
       else if (!strcmp (argv[i], "debug"))
 	;
+      else if (!strcmp (argv[i], "migrate"))
+        migrate = 1;
       else
 	syslog (LOG_ERR, "illegal option %s", argv[i]);
     }
@@ -3445,6 +3447,22 @@ pam_sm_authenticate (pam_handle_t * pamh
     return rc;
 
   rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p);
+  /* start of migrate facility in "pam_ldap authentication" */
+  if (migrate==1 && rc==PAM_SUCCESS)
+    {
+      /* check if specified username exists in LDAP */
+      if (_get_user_info(session,username)==PAM_SUCCESS)
+        {
+          /*
+             overwrite old LDAP userPassword with a new password
+             obtained during pam authentication process
+             - rootbinddn and ldap.secret must be set
+          */
+          rc=_update_authtok(pamh,session,username,NULL,p);
+          return PAM_IGNORE;
+        }
+    }
+  /* end of migrate facility in "pam_ldap authentication" */
   if (rc == PAM_SUCCESS && (use_first_pass || try_first_pass))
     {
       rc = _do_authentication (pamh, session, username, p);
@@ -3721,7 +3739,7 @@ pam_sm_chauthtok (pam_handle_t * pamh, i
 	  if (curpass == NULL)
 	    return PAM_MAXTRIES;	/* maximum tries exceeded */
 	  else
-	    pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass);
+	    pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) strdup(curpass));
 	}
       else
 	{