ports/71289: [PATCH] adds pam_ldap migrate facility - it enables to migrate passwords to LDAP

Pawel Wieleba wielebap at iem.pw.edu.pl
Thu Sep 2 14:40:14 UTC 2004


>Number:         71289
>Category:       ports
>Synopsis:       [PATCH] adds pam_ldap migrate facility - it enables to migrate passwords to LDAP
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 02 14:40:13 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Pawel Wieleba
>Release:        FreeBSD 5.2.1
>Organization:
>Environment:
FreeBSD server 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0:
>Description:
Initially this problem was announced in PR#71202. I was asked by marcus to divide this PR and to make proper comments, which is what I am doing here.

This problem was also submitted to PADL bugzilla: bug#178
(http://bugzilla.padl.com/show_bug.cgi?id=178).

This problem (and two others) is described in the article:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/pam_ldap_doc.pdf

Description:
I implemented a "migrate" facility that lets you migrate/overwrite the LDAP
userPassword attribute of the user being authenticated. The PAM and LDAP
usernames must be the same.
It makes "pam_ldap migrate" somewhat similar to "pam_smbpass migrate".

It solves the problem in the following example scenario:
 -We want to use LDAP instead of the /etc/passwd database.
 -We use the migration tools from PADL to copy records from /etc/passwd
  to LDAP.
 But the password scheme used in our local database is different from
 the one used in LDAP. We cannot convert the passwords because they are
 hashed. Now we can use "pam_ldap migrate".

Sample safe config:
%cat /etc/pam.d/login|grep auth
auth requisite pam_unix.so no_warn try_first_pass nullok
auth optional pam_ldap.so migrate use_first_pass

Remember to use requisite in the first line (not required, not sufficient).


>How-To-Repeat:
      
>Fix:
This patch was generated for the FreeBSD port pam_ldap-171 (security/pam_ldap).
The patch is also available from:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/patch-ac2

server% cat /usr/ports/security/pam_ldap/patch-ac2
--- pam_ldap.c.orig     Thu Sep  2 14:49:18 2004
+++ pam_ldap.c  Thu Sep  2 14:51:00 2004
@@ -2941,7 +2941,7 @@
   int rc;
   const char *username;
   char *p;
-  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0;
+  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0, migrate = 0;
   int i;
   pam_ldap_session_t *session = NULL;
   const char *configFile = NULL;
@@ -2962,6 +2962,8 @@
        ;
       else if (!strcmp (argv[i], "debug"))
        ;
+      else if (!strcmp (argv[i], "migrate"))
+        migrate = 1;
       else
        syslog (LOG_ERR, "illegal option %s", argv[i]);
     }
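Review bot: the new "migrate" option is accepted here but not documented anywhere in the patch; wherever the existing pam_sm_authenticate options (use_first_pass, try_first_pass, ignore_unknown_user, ...) are described, "migrate" needs an entry stating that it requires rootbinddn and ldap.secret and that the module must be stacked after a requisite module, because nothing in the code can enforce either condition.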
@@ -2975,6 +2977,22 @@
     return rc;

   rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p);
+  /* start of migrate facility in "pam_ldap authentication" */
+  if (migrate==1 && rc==PAM_SUCCESS)
+    {
+      /* check if specified username exists in LDAP */
+      if (_get_user_info(session,username)==PAM_SUCCESS)
+        {
+          /*
+             overwrite old LDAP userPassword with a new password
+             obtained during pam authentication process
+             - rootbinddn and ldap.secret must be set
+          */
+          rc=_update_authtok(session,username,NULL,p);
+          return PAM_IGNORE;
+        }
+    }
+  /* end of migrate facility in "pam_ldap authentication" */
   if (rc == PAM_SUCCESS && (use_first_pass || try_first_pass))
     {
       rc = _do_authentication (session, username, p);
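Review bot: in the migrate branch the result of _update_authtok is assigned to rc and then thrown away by the unconditional "return PAM_IGNORE;", so a failed overwrite (no rootbinddn, unreadable ldap.secret, LDAP error) is silent and the calling stack cannot tell migration from a no-op; at minimum syslog the failure with rc and the username, and log the successful overwrite too, since the branch changes a directory password as a side effect of an auth call. The branch also never checks p: pam_get_item returns PAM_SUCCESS with p == NULL when no token has been set, so "migrate==1 && rc==PAM_SUCCESS" lets _update_authtok run with a NULL new password; add "&& p != NULL" to the condition. Finally, the overwrite happens for any username that _get_user_info finds in LDAP regardless of whether p was ever verified, so the whole safety of this feature rests on the preceding requisite module described in the PR text; a comment in the code stating that assumption would help the next reader.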



>Release-Note:
>Audit-Trail:
>Unformatted:
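The "requisite, not required, not sufficient" advice in the sample config is the security-relevant part of this PR, because the migrate branch overwrites userPassword with whatever is in PAM_AUTHTOK. The following added example (not code from pam_ldap or from the PR) models a PAM auth stack with simplified control-flag semantics, mirrors the patched migrate behaviour in a stand-in pam_ldap, and runs the same two-line stack with each control flag on the pam_unix entry. The user "alice", the two password stores and the stack are constructed for the demonstration.

```python
"""Model of a PAM auth stack showing why pam_ldap 'migrate' must follow a
'requisite' pam_unix entry.  Added example, not code from pam_ldap or the PR;
the control-flag rules are a simplification of pam.conf(5)/pam(8) semantics,
and the users, password stores and stack are constructed."""
from dataclasses import dataclass, field

PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_IGNORE = 25  # return code the patched migrate branch uses


@dataclass
class Entry:
    control: str       # required | requisite | sufficient | optional
    module: str        # key into MODULES
    args: tuple = ()   # module options, e.g. ("migrate", "use_first_pass")


@dataclass
class World:
    local_pw: dict                          # constructed stand-in for the local password db
    ldap_pw: dict                           # constructed stand-in for LDAP userPassword
    log: list = field(default_factory=list)


def pam_unix(world, user, token, args):
    """Local database check (plaintext compare stands in for hash verification)."""
    return PAM_SUCCESS if world.local_pw.get(user) == token else PAM_AUTH_ERR


def pam_ldap(world, user, token, args):
    """Mirrors the patched behaviour: with 'migrate', an existing LDAP user's
    userPassword is overwritten with whatever token sits in PAM_AUTHTOK and the
    module returns PAM_IGNORE; otherwise it authenticates against LDAP."""
    if "migrate" in args and user in world.ldap_pw and token is not None:
        world.ldap_pw[user] = token
        world.log.append(f"migrate: overwrote userPassword for {user}")
        return PAM_IGNORE
    return PAM_SUCCESS if world.ldap_pw.get(user) == token else PAM_AUTH_ERR


MODULES = {"pam_unix": pam_unix, "pam_ldap": pam_ldap}


def run_auth_stack(stack, world, user, token):
    """Evaluate an auth stack with simplified control-flag semantics:
    requisite:  failure ends the stack immediately with that failure;
    required:   failure is recorded (first one wins) but the stack continues;
    sufficient: success ends the stack with success unless a required module
                already failed; failure is ignored;
    optional:   result ignored (the lone-optional-module special case is not modelled).
    PAM_IGNORE never counts as a result; a stack in which nothing decided fails."""
    first_failure = None
    decided = False
    for e in stack:
        rc = MODULES[e.module](world, user, token, e.args)
        if rc == PAM_IGNORE:
            continue
        if e.control == "requisite":
            decided = True
            if rc != PAM_SUCCESS:
                return rc
        elif e.control == "required":
            decided = True
            if rc != PAM_SUCCESS and first_failure is None:
                first_failure = rc
        elif e.control == "sufficient":
            if rc == PAM_SUCCESS and first_failure is None:
                return PAM_SUCCESS
    if first_failure is not None:
        return first_failure
    return PAM_SUCCESS if decided else PAM_AUTH_ERR


def login_attempt(unix_control, user, token):
    """Run one login through 'auth <unix_control> pam_unix' followed by the PR's
    'auth optional pam_ldap migrate use_first_pass'.
    Returns (stack result, LDAP userPassword after the attempt)."""
    world = World(local_pw={"alice": "correct-horse"},        # constructed
                  ldap_pw={"alice": "{SSHA}old-ldap-hash"})   # constructed
    stack = [Entry(unix_control, "pam_unix", ("try_first_pass",)),
             Entry("optional", "pam_ldap", ("migrate", "use_first_pass"))]
    rc = run_auth_stack(stack, world, user, token)
    return rc, world.ldap_pw[user]


if __name__ == "__main__":
    for control in ("requisite", "required", "sufficient"):
        for token in ("correct-horse", "wrong-guess"):
            rc, ldap_after = login_attempt(control, "alice", token)
            print(f"{control:10} token={token:13} result={rc:2}  "
                  f"LDAP userPassword now: {ldap_after}")
```

With requisite, a wrong password stops the stack before pam_ldap runs and the LDAP entry is untouched. With required, the login still fails, but the stack continues and the migrate branch has already replaced userPassword with the attacker's guess, which is an unauthenticated password reset of the directory account. With sufficient, a correct password short-circuits the stack before pam_ldap runs, so migration never happens, while a wrong one overwrites the entry just as with required.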