ports/71202: [patch] pam_ldap - passwd bug and added new migrate facility during authentication
Paweł Wieleba
wielebap at iem.pw.edu.pl
Tue Aug 31 16:40:41 UTC 2004
>Number: 71202
>Category: ports
>Synopsis: [patch] pam_ldap - passwd bug and added new migrate facility during authentication
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Aug 31 16:40:41 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Paweł Wieleba
>Release: 5.2.1
>Organization:
>Environment:
FreeBSD server 5.2.1-RELEASE
>Description:
The problem is described in detail in the article:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/pam_ldap_doc.pdf
PAM_LDAP-169 cannot change passwords in the scenario:
-Platform: FreeBSD 5.2.1
-Configuration:
-cat /etc/pam.d/passwd
password required pam_unix.so no_warn try_first_pass nullok
password required pam_ldap.so use_first_pass
-rootbinddn is not specified in ldap.conf
-ldap.secret does not exist
Output:
%passwd
Changing local password for testuser
Old Password:
New Password:
Retype New Password:
LDAP password information update failed: Can't contact LDAP server
passwd: sorry
You have to change and recompile /usr/src/usr.bin/passwd to enable changing pam_ldap passwords. A patch:
%cd /usr/src/usr.bin/passwd
%diff -u passwd.c-OLD passwd.c
--- /usr/src/usr.bin/passwd/passwd.c Mon May 24 19:41:40 2004
+++ /usr/src/usr.bin/passwd/passwd.c Tue Aug 31 18:03:00 2004
@@ -121,8 +121,7 @@
break;
default:
/* XXX: Green men ought to be supported via PAM. */
- errx(1,
- "Sorry, `passwd' can only change passwords for local or NIS users.");
+ fprintf(stderr, "Now you can change LDAP passwordi via PAM\n");
}
#define pam_check(func) do { \
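Review bot: the `default:` branch now prints "Now you can change LDAP passwordi via PAM" to stderr on every run for a user who is neither local nor NIS, and the message has a typo ("passwordi"). If the intent is simply to let such users fall through to the PAM path (as the "Green men ought to be supported via PAM" comment above already says), drop the fprintf entirely or keep it behind a debug/verbose condition rather than emitting an unconditional informational line; if it stays, fix the spelling.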
%make install
-------------
Another thing is a migrate facility which solves the problem in the example scenario:
-We want to use LDAP instead of the /etc/passwd database.
-We use the migration tools from PADL to copy records from /etc/passwd
to LDAP.
But the password scheme used in our local database is different from
the one used in LDAP. We cannot convert the passwords as they are
hashed.
I implemented a migration function which lets you migrate/overwrite the LDAP
userPassword field of the user being authenticated. The PAM and LDAP
usernames must be the same. It makes "pam_ldap migrate" a bit similar to "pam_smbpass migrate".
A full description is in the article:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/pam_ldap_doc.pdf
>How-To-Repeat:
>Fix:
This patch fixes the bug and enables "migrate", which is a bit similar to "pam_smbpass migrate".
This patch is also available from:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/patch-ac
Place this patch in /usr/ports/security/pam_ldap/files
%cat patch-ac
--- pam_ldap.c.orig Mon Aug 30 14:43:50 2004
+++ pam_ldap.c Mon Aug 30 14:44:02 2004
@@ -2927,7 +2927,7 @@
int rc;
const char *username;
char *p;
- int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0;
+ int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0, migrate = 0;
int i;
pam_ldap_session_t *session = NULL;
const char *configFile = NULL;
@@ -2948,6 +2948,8 @@
;
else if (!strcmp (argv[i], "debug"))
;
+ else if (!strcmp (argv[i], "migrate"))
+ migrate = 1;
else
syslog (LOG_ERR, "illegal option %s", argv[i]);
}
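Review bot: the new `migrate` option is recognised here but the patch adds no documentation for it; the module's other options are parsed in this same block, so the option list in the pam_ldap documentation should gain a `migrate` entry stating that it requires rootbinddn and ldap.secret (as the comment in the authentication hunk notes) and that it must only be stacked after a module that has already verified the password.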
@@ -2961,6 +2963,21 @@
return rc;
rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p);
+ // start of migrate facility in "pam_ldap authentication"
+ if (migrate==1 && rc==PAM_SUCCESS)
+ {
+ // check if specified username exists in LDAP
+ if (_get_user_info(session,username)==PAM_SUCCESS)
+ {
+ // overwrite old LDAP userPassword with a new password
+ // obtained during pam authentication process
+ // - rootbinddn and ldap.secret must be set
+ rc=_update_authtok(session,username,NULL,p);
+ //
+ return PAM_IGNORE;
+ }
+ }
+ // end of migrate facility in "pam_ldap authentication"
if (rc == PAM_SUCCESS && (use_first_pass || try_first_pass))
{
rc = _do_authentication (session, username, p);
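Review bot: the return value of `_update_authtok(session,username,NULL,p)` is stored in `rc` and then discarded, because the branch returns `PAM_IGNORE` unconditionally, so a failed overwrite of userPassword (for example when rootbinddn or ldap.secret is not set) is silent; check `rc` and log the failure via syslog before returning. Also note that `p` is written to LDAP whenever `pam_get_item` succeeds, with no check that `p` is non-NULL or that a previous module actually verified it; the safety of this path depends entirely on stack order, so the condition should at least guard against a NULL token, and the `//` comments should be `/* */` to match the rest of the file.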
@@ -3227,7 +3244,7 @@
if (curpass == NULL)
return PAM_MAXTRIES; /* maximum tries exceeded */
else
- pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass);
+ pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) strdup(curpass));
}
else
{
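Review bot: the result of `strdup(curpass)` is passed straight to `pam_set_item` without a NULL check, so an allocation failure would store a NULL PAM_OLDAUTHTOK; check the pointer before the call. Since this is the hunk that fixes the password-change bug, a brief comment explaining why the copy is needed (what frees or overwrites `curpass` afterwards) would help the next reader, and if the PAM implementation copies the item itself the strdup'd buffer is leaked.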
>Release-Note:
>Audit-Trail:
>Unformatted: