Date:      Tue, 31 Aug 2004 16:32:50 GMT
From:      "Paweł Wieleba" <wielebap@iem.pw.edu.pl>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/71202: [patch] pam_ldap - passwd bug and added new migrate facility during authentication
Message-ID:  <200408311632.i7VGWo79075135@www.freebsd.org>
Resent-Message-ID: <200408311640.i7VGefki084787@freefall.freebsd.org>


>Number:         71202
>Category:       ports
>Synopsis:       [patch] pam_ldap - passwd bug and added new migrate facility during authentication
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 31 16:40:41 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Paweł Wieleba
>Release:        5.2.1
>Organization:
>Environment:
FreeBSD server 5.2.1-RELEASE
>Description:
The problem is described in detail in the article:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/pam_ldap_doc.pdf

PAM_LDAP-169 cannot change passwords in the scenario:
-Platform: FreeBSD 5.2.1
-Configuration:
   -cat /etc/pam.d/passwd
    password required pam_unix.so no_warn try_first_pass nullok
    password required pam_ldap.so use_first_pass

   -rootbinddn is not specified in ldap.conf
   -ldap.secret does not exist

Output:
%passwd
Changing local password for testuser
Old Password:
New Password:
Retype New Password:
LDAP password information update failed: Can't contact LDAP server
passwd: sorry


You have to change and recompile /usr/src/usr.bin/passwd to enable changing pam_ldap passwords. A patch:
%cd /usr/src/usr.bin/passwd
%diff -u passwd.c-OLD passwd.c
--- /usr/src/usr.bin/passwd/passwd.c    Mon May 24 19:41:40 2004
+++ /usr/src/usr.bin/passwd/passwd.c    Tue Aug 31 18:03:00 2004
@@ -121,8 +121,7 @@
                break;
        default:
                /* XXX: Green men ought to be supported via PAM. */
-               errx(1,
-         "Sorry, `passwd' can only change passwords for local or NIS users.");
+               fprintf(stderr, "Now you can change LDAP passwordi via PAM\n");
        }

 #define pam_check(func) do { \
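Review bot: the replacement line `+ fprintf(stderr, "Now you can change LDAP passwordi via PAM\n");` turns a hard error into an unconditional message on stderr for every user who is neither local nor NIS, and the message carries a typo ("passwordi"). If the intent is simply to let the PAM stack handle such users, fall through silently (or print only under a debug switch) rather than having passwd(1) emit a chatty message; and since the `default:` branch no longer exits, check that the code after the switch does not still assume a local or NIS user.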
%make install

-------------
Another thing is a migrate facility which solves the problem in the example scenario:
 -We want to use LDAP instead of the /etc/passwd database.
 -We use migration tools from PADL to copy records from /etc/passwd
  to LDAP.
 But the password scheme used in our local database is different from the
 one used in LDAP. We cannot convert passwords as they are
 hashed.

I implemented a migration function which lets you migrate/overwrite the LDAP
userPassword field of the user being authenticated. The PAM and LDAP
usernames must be the same. It makes "pam_ldap migrate" a bit similar to "pam_smbpass migrate".
A full description is in the article:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/pam_ldap_doc.pdf

>How-To-Repeat:

>Fix:
This patch fixes the bug and enables "migrate", which is a bit similar to "pam_smbpass migrate".
This patch is also available from:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/patch-ac

Place this patch in /usr/ports/security/pam_ldap/files
%cat patch-ac
--- pam_ldap.c.orig	Mon Aug 30 14:43:50 2004
+++ pam_ldap.c	Mon Aug 30 14:44:02 2004
@@ -2927,7 +2927,7 @@
   int rc;
   const char *username;
   char *p;
-  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0;
+  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0, migrate = 0;
   int i;
   pam_ldap_session_t *session = NULL;
   const char *configFile = NULL;
@@ -2948,6 +2948,8 @@
 	;
       else if (!strcmp (argv[i], "debug"))
 	;
+      else if (!strcmp (argv[i], "migrate"))
+        migrate = 1;
       else
 	syslog (LOG_ERR, "illegal option %s", argv[i]);
     }
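Review bot: `migrate` is accepted here as a new module option, but nothing in the patch documents it, and it is a security-relevant switch because it causes pam_ldap to write userPassword during authentication. Add a README/man page entry stating that it requires rootbinddn and ldap.secret (as the later comment in the patch says) and which PAM stack layouts it is safe to combine with.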
@@ -2961,6 +2963,21 @@
     return rc;
 
   rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p);
+  // start of migrate facility in "pam_ldap authentication"
+  if (migrate==1 && rc==PAM_SUCCESS)
+    {
+      // check if specified username exists in LDAP
+      if (_get_user_info(session,username)==PAM_SUCCESS)
+        {
+          // overwrite old LDAP userPassword with a new password
+          // obtained during pam authentication process
+          // - rootbinddn and ldap.secret must be set
+          rc=_update_authtok(session,username,NULL,p);
+          //
+          return PAM_IGNORE;
+        }
+    }
+  // end of migrate facility in "pam_ldap authentication"
   if (rc == PAM_SUCCESS && (use_first_pass || try_first_pass))
     {
       rc = _do_authentication (session, username, p);
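Review bot: the gate `if (migrate==1 && rc==PAM_SUCCESS)` only establishes that a PAM_AUTHTOK item is present; whether a preceding module actually accepted that password is not checked here, and with control flag `required` (as in the /etc/pam.d/passwd example above) a failed module does not stop the stack, so an unverified password can end up written to userPassword for any user that `_get_user_info` finds in LDAP. Either verify the password before calling `_update_authtok`, or document that `migrate` must only follow a module whose failure terminates the stack. Further: `p` can be NULL when `pam_get_item` returns PAM_SUCCESS and should be checked before being passed as the new password; the return value of `_update_authtok` is stored in `rc` and then discarded by the unconditional `return PAM_IGNORE;`, so a failed write is silent (at minimum syslog it); and the `//` comments should be `/* */` to match the rest of the file.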
@@ -3227,7 +3244,7 @@
 	  if (curpass == NULL)
 	    return PAM_MAXTRIES;	/* maximum tries exceeded */
 	  else
-	    pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass);
+	    pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) strdup(curpass));
 	}
       else
 	{
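Review bot: in `pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) strdup(curpass));` the duplicated buffer is never freed; under OpenPAM (FreeBSD's PAM) pam_set_item stores its own copy of the item, so this leaks on every call. If the original problem is that `curpass` is freed or overwritten later, explain that in a comment and show why a copy is needed, otherwise drop the strdup. strdup can also return NULL, which would be stored unchecked here.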

>Release-Note:
>Audit-Trail:
>Unformatted:
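The migrate scenario in the report (local hashes cannot be converted to the LDAP scheme, so the plaintext captured at login is re-hashed into LDAP's format) can be illustrated without an LDAP server. The following is an added example, not code from pam_ldap, pam_smbpass or the patch above: the local password scheme is a constructed PBKDF2 stand-in for crypt(3), the LDAP side uses the RFC 2307 {SSHA} userPassword encoding, and the sample users and passwords are made up. The function names `migrate_on_login`, `make_dbs` and friends are hypothetical. The point it adds to the description is the gate: the overwrite happens only after the password has been verified against the local database.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the local password database (/etc/master.passwd).
# Local hashes are PBKDF2-SHA256 with a fixed demo salt; the only thing that
# matters is that the scheme differs from LDAP's, so hashes cannot be converted.
LOCAL_SALT = b"demo-salt"  # constructed


def local_hash(password: str) -> str:
    """Hash a password the way the (hypothetical) local database does."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), LOCAL_SALT, 10_000)
    return dk.hex()


def local_verify(local_db: dict, user: str, password: str) -> bool:
    """Verify a password against the local database (constant-time compare)."""
    stored = local_db.get(user)
    return stored is not None and hmac.compare_digest(stored, local_hash(password))


def ssha_userpassword(password: str, salt: bytes = b"") -> str:
    """Encode a password in the RFC 2307 {SSHA} form used for LDAP userPassword:
    '{SSHA}' + base64(sha1(password || salt) || salt)."""
    if not salt:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, password: str) -> bool:
    """Check a password against an {SSHA} userPassword value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())


def make_dbs():
    """Constructed sample data: one user whose password exists only as a local
    hash, and an LDAP entry (as left by the PADL migration tools) whose
    userPassword holds a stale value that does not match the local one."""
    local_db = {"testuser": local_hash("correct horse")}
    ldap_db = {"testuser": ssha_userpassword("stale-migrated-value", b"\x00\x01\x02\x03")}
    return local_db, ldap_db


def migrate_on_login(user: str, password: str, local_db: dict, ldap_db: dict) -> str:
    """Hypothetical 'migrate' step, run once the plaintext is available at login.

    Returns 'unknown'  if the user has no LDAP entry (fall through to normal auth),
            'rejected' if the password was not verified locally (nothing written),
            'migrated' if userPassword was rewritten in the LDAP scheme.
    Local verification is the gate: only a password that has just been proven
    correct may overwrite the LDAP entry."""
    if user not in ldap_db:
        return "unknown"
    if not local_verify(local_db, user, password):
        return "rejected"
    ldap_db[user] = ssha_userpassword(password)
    return "migrated"


if __name__ == "__main__":
    local_db, ldap_db = make_dbs()
    print(migrate_on_login("testuser", "wrong password", local_db, ldap_db))  # rejected
    print(migrate_on_login("testuser", "correct horse", local_db, ldap_db))   # migrated
    print(ssha_verify(ldap_db["testuser"], "correct horse"))                  # True
```

The {SSHA} encoder and verifier are the real LDAP format, so the output value could be written into userPassword as-is; everything else is scaffolding to show that a wrong password leaves the LDAP entry untouched, which is the property a migrate-on-login module has to guarantee.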


