Date: Thu, 2 Sep 2004 14:02:43 GMT
From: Pawel Wieleba <wielebap@iem.pw.edu.pl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/71287: [PATCH] pam_ldap passwd facility bug
Message-ID: <200409021402.i82E2hlo054195@www.freebsd.org>
Resent-Message-ID: <200409021410.i82EAQeZ042621@freefall.freebsd.org>
>Number: 71287
>Category: ports
>Synopsis: [PATCH] pam_ldap passwd facility bug
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 02 14:10:26 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Pawel Wieleba
>Release:
>Organization:
>Environment:
FreeBSD server 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0
>Description:
Initially this problem was announced in PR#71202. I was asked by marcus to divide this PR and so I'm doing.
This problem was also submitted to PADL bugzilla: bug#177 (http://bugzilla.padl.com/show_bug.cgi?id=177).
This problem (and two others) is described in the article:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/pam_ldap_doc.pdf

PAM_LDAP-169 cannot change passwords in the scenario:
-Platform: FreeBSD 5.2.1
-Configuration:
- cat /etc/pam.d/passwd
password required pam_unix.so no_warn try_first_pass nullok
password required pam_ldap.so use_first_pass
-rootbinddn is _not specified_ in ldap.conf
-ldap.secret does _not exist_

Output:
%passwd
Changing local password for testuser
Old Password:<oldpass>
New Password:<newpass>
Retype New Password:<newpass>
LDAP password information update failed: Can't contact LDAP server
passwd: sorry

This line is the source of the problem:
pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass);
When it is invoked it sets rubbish for curpass.
>How-To-Repeat:
Remember to change and rebuild passwd as written in the article to enable changing passwords other than NIS/local.
>Fix:
This patch was generated for a FreeBSD port (pam_ldap-171): security/pam_ldap
This patch is also available from:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/patch-ac1

--- pam_ldap.c.orig Thu Sep 2 14:53:32 2004
+++ pam_ldap.c Thu Sep 2 14:53:44 2004
@@ -3241,7 +3241,7 @@ if (curpass == NULL) return PAM_MAXTRIES; /* maximum tries exceeded */ else - pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass); + pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) strdup(curpass)); } else { >Release-Note: >Audit-Trail: >Unformatted:
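Review bot: the strdup() on the `+` line leaks a heap copy of the old password, because pam_set_item() duplicates string items such as PAM_OLDAUTHTOK itself (OpenPAM, which FreeBSD ships, copies the new value and frees the previous one; Linux-PAM behaves the same), so the caller's copy is never freed and cleartext credential material stays resident for the life of the process. The line also ignores a NULL return from strdup() on allocation failure and, like the original line, discards the return code of pam_set_item(). If the "rubbish" the description reports comes from curpass pointing at the very PAM_OLDAUTHTOK item that pam_set_item() is about to free, copying first is the right idea, but the copy should be a temporary that is checked, wiped and released after the call, e.g. `char *copy = strdup(curpass); if (copy == NULL) return PAM_BUF_ERR;` followed by `rc = pam_set_item(pamh, PAM_OLDAUTHTOK, copy); memset(copy, 0, strlen(copy)); free(copy);` and a check of rc before continuing.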