From owner-freebsd-ports-bugs@FreeBSD.ORG  Tue Aug 31 16:40:41 2004
Return-Path: <owner-freebsd-ports-bugs@FreeBSD.ORG>
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9BB1F16A4D6
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Tue, 31 Aug 2004 16:40:41 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7E11643D45
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Tue, 31 Aug 2004 16:40:41 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	i7VGefmO084788	for <freebsd-ports-bugs@freefall.freebsd.org>;
	Tue, 31 Aug 2004 16:40:41 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7VGefki084787;
	Tue, 31 Aug 2004 16:40:41 GMT
	(envelope-from gnats)
Resent-Date: Tue, 31 Aug 2004 16:40:41 GMT
Resent-Message-Id: <200408311640.i7VGefki084787@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	"Pawe&#322; Wieleba" <wielebap@iem.pw.edu.pl>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9A48516A4CE
	for <freebsd-gnats-submit@FreeBSD.org>;
	Tue, 31 Aug 2004 16:32:51 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 79CCF43D49
	for <freebsd-gnats-submit@FreeBSD.org>;
	Tue, 31 Aug 2004 16:32:51 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i7VGWoB7075142
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 31 Aug 2004 16:32:50 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i7VGWo79075135;
	Tue, 31 Aug 2004 16:32:50 GMT
	(envelope-from nobody)
Message-Id: <200408311632.i7VGWo79075135@www.freebsd.org>
Date: Tue, 31 Aug 2004 16:32:50 GMT
From: "Pawe&#322; Wieleba" <wielebap@iem.pw.edu.pl>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Subject: ports/71202: [patch] pam_ldap - passwd bug and added new migrate
	facility during authentication
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>,
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>,
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Aug 2004 16:40:41 -0000


>Number:         71202
>Category:       ports
>Synopsis:       [patch] pam_ldap - passwd bug and added new migrate facility during authentication
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 31 16:40:41 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Pawe&#322; Wieleba
>Release:        5.2.1
>Organization:
>Environment:
FreeBSD server 5.2.1-RELEASE
>Description:
The problem is described in details in the article:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/pam_ldap_doc.pdf

PAM_LDAP-169 cannot change passwords in the scenario:
-Platform: FreeBSD 5.2.1
-Configuration:
   -cat /etc/pam.d/passwd
    password required pam_unix.so no_warn try_first_pass nullok
    password required pam_ldap.so use_first_pass

   -rootbinddn is not specified in ldap.conf
   -ldap.secret does not exist

Output:
%passwd
Changing local password for testuser
Old Password:
New Password:
Retype New Password:
LDAP password information update failed: Can't contact LDAP server
passwd: sorry


You have to change and recompile /usr/src/usr.bin/passwd to enable changing pam_ldap passwords. A patch:
%cd /usr/src/usr.bin/passwd
%diff -u passwd.c-OLD passwd.c
--- /usr/src/usr.bin/passwd/passwd.c    Mon May 24 19:41:40 2004
+++ /usr/src/usr.bin/passwd/passwd.c    Tue Aug 31 18:03:00 2004
@@ -121,8 +121,7 @@
                break;
        default:
                /* XXX: Green men ought to be supported via PAM. */
-               errx(1,
-         "Sorry, `passwd' can only change passwords for local or NIS users.");
+               fprintf(stderr, "Now you can change LDAP passwordi via PAM\n");
        }

 #define pam_check(func) do { \
%make install

-------------
Another thing is a migrate facility which solves the problem in the example scenario:
 -We want to use LDAP instead of /etc/passwd database.
 -We use migration tools from PADL to copy records from /etc/passwd
  to LDAP.
 But, password schema used in our local database is different to
 one used in LDAP. We cannot convert passwords as they are
 hashed.

I implemented migration function which let you migrate/overwrite LDAP
userPassword field of the user being authenticated. The PAM and LDAP
usernames must be the same. It make "pam_ldap migrate" a bit similar to "pam_smbpass migrate".
A full description is in the article:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/pam_ldap_doc.pdf

>How-To-Repeat:

>Fix:
This patch fixes the bug and enables "migrate", which is is a bit similar to "pam_smbpass migrate"
This patch is also available from:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/patch-ac

place this patch in /usr/ports/security/pam_ldap/files
%cat patch-ac
--- pam_ldap.c.orig	Mon Aug 30 14:43:50 2004
+++ pam_ldap.c	Mon Aug 30 14:44:02 2004
@@ -2927,7 +2927,7 @@
   int rc;
   const char *username;
   char *p;
-  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0;
+  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0, migrate = 0;
   int i;
   pam_ldap_session_t *session = NULL;
   const char *configFile = NULL;
@@ -2948,6 +2948,8 @@
 	;
       else if (!strcmp (argv[i], "debug"))
 	;
+      else if (!strcmp (argv[i], "migrate"))
+        migrate = 1;
       else
 	syslog (LOG_ERR, "illegal option %s", argv[i]);
     }
@@ -2961,6 +2963,21 @@
     return rc;
 
   rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p);
+  // start of migrate facility in "pam_ldap authentication"
+  if (migrate==1 && rc==PAM_SUCCESS)
+    {
+      // check if specified username exists in LDAP
+      if (_get_user_info(session,username)==PAM_SUCCESS)
+        {
+          // overwrite old LDAP userPassword with a new password
+          // obtained during pam authentication process
+          // - rootbinddn and ldap.secret must be set
+          rc=_update_authtok(session,username,NULL,p);
+          //
+          return PAM_IGNORE;
+        }
+    }
+  // end of migrate facility in "pam_ldap authentication"
   if (rc == PAM_SUCCESS && (use_first_pass || try_first_pass))
     {
       rc = _do_authentication (session, username, p);
@@ -3227,7 +3244,7 @@
 	  if (curpass == NULL)
 	    return PAM_MAXTRIES;	/* maximum tries exceeded */
 	  else
-	    pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass);
+	    pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) strdup(curpass));
 	}
       else
 	{

>Release-Note:
>Audit-Trail:
>Unformatted: