ports/73449: [PATCH] nss_ldap - getpwnam does not return password hash when run as root

Pawel Wieleba P.Wieleba at iem.pw.edu.pl
Wed Nov 3 11:50:19 UTC 2004


>Number:         73449
>Category:       ports
>Synopsis:       [PATCH] nss_ldap - getpwnam does not return password hash when run as root
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 03 11:50:19 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Pawel Wieleba
>Release:        FreeBSD  6.0-CURRENT
>Organization:
>Environment:
FreeBSD volt.iem.pw.edu.pl 6.0-CURRENT FreeBSD 6.0-CURRENT #0:
>Description:
The problem and the solution are described in the article:
www.iem.pw.edu.pl/~wielebap/ldap/nss_ldap/nss_ldap_doc.pdf

Used port net/nss_ldap version: 1.204_5
% cat /etc/nsswitch.conf
passwd: ldap files
group: ldap files

Programmes which use getpwnam() to authenticate LDAP users
(e.g. cucipop) do not work on FreeBSD when users have a shadowAccount
objectClass. In heterogeneous environments (mixed Linux and FreeBSD)
the shadowAccount objectClass is essential.

On FreeBSD and other BSD OSes the getpwnam() system function returns the full
password hash in the passwd structure when run as root.
>How-To-Repeat:
Just run getpwnam().
% cat test_nss.c
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>

/* Look up one user through the NSS passwd database and print what
 * getpwnam() returns, including the pw_passwd field. */
int main(int argc, char *argv[]) {
  struct passwd *pass = NULL;   /* initialised: only assigned when a name is given */
  if (argc > 1) {
    pass = getpwnam(argv[1]);
  } else {
    printf("test_nss <ldap_username>\n");
    return 1;
  }
  if (pass != NULL) {
    printf("Username info:\n");
    printf("user:%s\n", pass->pw_name);
    printf("pass:%s\n", pass->pw_passwd);
    printf("dir:%s\n", pass->pw_dir);
    printf("shell:%s\n", pass->pw_shell);
  } else {
    printf("User not found.\n");
  }

  return 0;
}

>Fix:
You can download patch from:
www.iem.pw.edu.pl/~wielebap/ldap/nss_ldap/patch-ldap-pwd.c

The patch:
%cat /usr/ports/net/nss_ldap/files/patch-ldap-pwd.c
--- ldap-pwd.c.orig	Sat Oct 16 22:22:29 2004
+++ ldap-pwd.c	Sun Oct 17 12:45:08 2004
@@ -92,19 +92,19 @@
   size_t tmplen;
   char *tmp;
 
-  if (_nss_ldap_oc_check (ld, e, "shadowAccount") == NSS_SUCCESS)
-    {
-      /* don't include password for shadowAccount */
-      if (buflen < 3)
-	return NSS_TRYAGAIN;
-
-      pw->pw_passwd = buffer;
-      strcpy (buffer, "x");
-      buffer += 2;
-      buflen -= 2;
-    }
-  else
-    {
+/*  if (_nss_ldap_oc_check (ld, e, "shadowAccount") == NSS_SUCCESS)
+ *    {
+ */      /* don't include password for shadowAccount */
+/*      if (buflen < 3)
+ *	return NSS_TRYAGAIN;
+ *
+ *     pw->pw_passwd = buffer;
+ *     strcpy (buffer, "x");
+ *     buffer += 2;
+ *     buflen -= 2;
+ *   }
+ * else
+ */    {
       stat =
 	_nss_ldap_assign_userpassword (ld, e, AT (userPassword),
 				       &pw->pw_passwd, &buffer, &buflen);
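Review bot: the hunk drops the shadowAccount guard for every caller, so pw_passwd now carries the userPassword value regardless of who asks, while the description motivates the change only for the root case in which the files backend also hands out the hash; consider keeping the `strcpy (buffer, "x");` path for non-root callers (or putting the new behaviour behind a configuration option) instead of removing it unconditionally. Also, commenting the block out with `/* ... */` leaves a dead copy of the old code in the file, turns the former `else` body into a bare `{` compound block, and strands the `/* don't include password for shadowAccount */` comment between two comment blocks; deleting the lines outright, or wrapping them in the new condition, would be cleaner.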

If you apply the above patch getpwnam() will return the password hash when the ldap database is used. This gives the same functionality as when the files or nis databases are used.
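The following is an added, stand-alone model of the branch the patch touches; it is not code from the PR or from nss_ldap. fill_pw_passwd() packs pw_passwd into a caller-supplied buffer the way the hunk does (placeholder "x" for shadowAccount entries, otherwise the userPassword value, with the too-small-buffer retry), and adds a caller_is_root switch, which is this example's own assumption, so that the hash is handed out only to root, matching what the report says the files backend does. All function names, the status values and the sample hash are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Status values standing in for nss_ldap's NSS_SUCCESS / NSS_TRYAGAIN
 * (assumed names for this example). */
enum fill_status { FILL_SUCCESS = 0, FILL_TRYAGAIN = 1 };

/*
 * Model of the branch in ldap-pwd.c that the patch comments out.
 * Stock behaviour: shadowAccount entries get the placeholder "x";
 * everything else gets the userPassword value. The caller_is_root
 * switch is this example's addition: non-root callers keep receiving
 * the placeholder, so the hash only reaches a root caller.
 */
enum fill_status
fill_pw_passwd(int is_shadow_account, int caller_is_root,
               const char *userpassword,
               char **buffer, size_t *buflen, char **pw_passwd)
{
    const char *src = (is_shadow_account && !caller_is_root) ? "x"
                    : (userpassword != NULL ? userpassword : "*");
    size_t need = strlen(src) + 1;   /* include the terminating NUL */

    /* Same contract as the "buflen < 3" check in the hunk: if the caller's
     * buffer cannot hold the value, ask for a retry instead of truncating. */
    if (*buflen < need)
        return FILL_TRYAGAIN;

    *pw_passwd = *buffer;
    memcpy(*buffer, src, need);
    *buffer += need;                 /* advance past what was consumed */
    *buflen -= need;
    return FILL_SUCCESS;
}

/* True when pw_passwd holds a placeholder rather than a usable hash,
 * i.e. the symptom the report describes for shadowAccount users. */
int is_placeholder_passwd(const char *pw_passwd)
{
    return pw_passwd == NULL || pw_passwd[0] == '\0'
        || strcmp(pw_passwd, "x") == 0 || strcmp(pw_passwd, "*") == 0;
}

/* Convenience wrapper: run one lookup into a fixed scratch buffer limited
 * to buflen bytes and return the resulting pw_passwd, or NULL on TRYAGAIN. */
const char *
run_lookup(int is_shadow_account, int caller_is_root,
           const char *userpassword, size_t buflen)
{
    static char scratch[128];
    char *buffer = scratch;
    char *pw_passwd = NULL;

    if (buflen > sizeof scratch)
        buflen = sizeof scratch;
    if (fill_pw_passwd(is_shadow_account, caller_is_root, userpassword,
                       &buffer, &buflen, &pw_passwd) != FILL_SUCCESS)
        return NULL;
    return pw_passwd;
}

int main(void)
{
    /* Constructed sample value; not a real credential. */
    const char *hash = "$1$constructed$notarealhash";
    int root = (geteuid() == 0);
    const char *got;

    got = run_lookup(1, root, hash, 128);
    printf("shadowAccount user, %s caller: pass:%s (%s)\n",
           root ? "root" : "non-root", got,
           is_placeholder_passwd(got) ? "placeholder" : "hash");
    got = run_lookup(0, root, hash, 128);
    printf("plain posixAccount user: pass:%s\n", got);
    if (run_lookup(0, root, hash, 4) == NULL)
        printf("4-byte buffer: TRYAGAIN, caller must retry with a larger buffer\n");
    return 0;
}
```

Run as root and again as an unprivileged user to see the placeholder appear only in the second case; the 4-byte buffer call shows the retry path that a caller of getpwnam_r() must handle.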
>Release-Note:
>Audit-Trail:
>Unformatted: