ports/71202: [patch] pam_ldap - passwd bug and added new migrate facility during authentication

Tue Aug 31 16:40:41 UTC 2004

>Number:         71202
>Category:       ports
>Synopsis:       [patch] pam_ldap - passwd bug and added new migrate facility during authentication
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 31 16:40:41 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Paweł Wieleba
>Release:        5.2.1
>Organization:
>Environment:
FreeBSD server 5.2.1-RELEASE
>Description:
The problem is described in details in the article:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/pam_ldap_doc.pdf

PAM_LDAP-169 cannot change passwords in the scenario:
-Platform: FreeBSD 5.2.1
-Configuration:
   -cat /etc/pam.d/passwd
    password required pam_unix.so no_warn try_first_pass nullok
    password required pam_ldap.so use_first_pass

   -rootbinddn is not specified in ldap.conf
   -ldap.secret does not exist

Output:
%passwd
Changing local password for testuser
Old Password:
New Password:
Retype New Password:
LDAP password information update failed: Can't contact LDAP server
passwd: sorry


You have to change and recompile /usr/src/usr.bin/passwd to enable changing pam_ldap passwords. A patch:
%cd /usr/src/usr.bin/passwd
%diff -u passwd.c-OLD passwd.c

--- /usr/src/usr.bin/passwd/passwd.c    Mon May 24 19:41:40 2004
+++ /usr/src/usr.bin/passwd/passwd.c    Tue Aug 31 18:03:00 2004
@@ -121,8 +121,7 @@
                break;
        default:
                /* XXX: Green men ought to be supported via PAM. */
-               errx(1,
-         "Sorry, `passwd' can only change passwords for local or NIS users.");
+               fprintf(stderr, "Now you can change LDAP passwordi via PAM\n");
        }

 #define pam_check(func) do { \
%make install

-------------
Another thing is a migrate facility which solves the problem in the example scenario:
 -We want to use LDAP instead of /etc/passwd database.
 -We use migration tools from PADL to copy records from /etc/passwd
  to LDAP.
 But, password schema used in our local database is different to
 one used in LDAP. We cannot convert passwords as they are
 hashed.

I implemented migration function which let you migrate/overwrite LDAP
userPassword field of the user being authenticated. The PAM and LDAP
usernames must be the same. It make "pam_ldap migrate" a bit similar to "pam_smbpass migrate".
A full description is in the article:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/pam_ldap_doc.pdf

>How-To-Repeat:

>Fix:
This patch fixes the bug and enables "migrate", which is is a bit similar to "pam_smbpass migrate"
This patch is also available from:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/patch-ac

place this patch in /usr/ports/security/pam_ldap/files
%cat patch-ac
--- pam_ldap.c.orig	Mon Aug 30 14:43:50 2004
+++ pam_ldap.c	Mon Aug 30 14:44:02 2004
@@ -2927,7 +2927,7 @@
   int rc;
   const char *username;
   char *p;
-  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0;
+  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0, migrate = 0;
   int i;
   pam_ldap_session_t *session = NULL;
   const char *configFile = NULL;
@@ -2948,6 +2948,8 @@
 	;
       else if (!strcmp (argv[i], "debug"))
 	;
+      else if (!strcmp (argv[i], "migrate"))
+        migrate = 1;
       else
 	syslog (LOG_ERR, "illegal option %s", argv[i]);
     }
@@ -2961,6 +2963,21 @@
     return rc;
 
   rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p);
+  // start of migrate facility in "pam_ldap authentication"
+  if (migrate==1 && rc==PAM_SUCCESS)
+    {
+      // check if specified username exists in LDAP
+      if (_get_user_info(session,username)==PAM_SUCCESS)
+        {
+          // overwrite old LDAP userPassword with a new password
+          // obtained during pam authentication process
+          // - rootbinddn and ldap.secret must be set
+          rc=_update_authtok(session,username,NULL,p);
+          //
+          return PAM_IGNORE;
+        }
+    }
+  // end of migrate facility in "pam_ldap authentication"
   if (rc == PAM_SUCCESS && (use_first_pass || try_first_pass))
     {
       rc = _do_authentication (session, username, p);
@@ -3227,7 +3244,7 @@
 	  if (curpass == NULL)
 	    return PAM_MAXTRIES;	/* maximum tries exceeded */
 	  else
-	    pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass);
+	    pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) strdup(curpass));
 	}
       else
 	{

>Release-Note:
>Audit-Trail:
>Unformatted:

