Date:      Thu, 2 Sep 2004 14:02:43 GMT
From:      Pawel Wieleba <wielebap@iem.pw.edu.pl>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/71287: [PATCH] pam_ldap passwd facility bug
Message-ID:  <200409021402.i82E2hlo054195@www.freebsd.org>
Resent-Message-ID: <200409021410.i82EAQeZ042621@freefall.freebsd.org>


>Number:         71287
>Category:       ports
>Synopsis:       [PATCH] pam_ldap passwd facility bug
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 02 14:10:26 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Pawel Wieleba
>Release:        
>Organization:
>Environment:
FreeBSD server 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0
>Description:
Initially this problem was announced in PR#71202. I was asked by marcus to divide this PR, and so I am doing so.

This problem was also submitted to PADL bugzilla: bug#177
(http://bugzilla.padl.com/show_bug.cgi?id=177).

This problem (and two others) is described in the article:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/pam_ldap_doc.pdf

PAM_LDAP-169 cannot change passwords in the scenario:
-Platform: FreeBSD 5.2.1
-Configuration:
   - cat /etc/pam.d/passwd
     password required pam_unix.so no_warn try_first_pass nullok
     password required pam_ldap.so use_first_pass
   -rootbinddn is _not specified_ in ldap.conf
   -ldap.secret does _not exist_

Output:
%passwd
Changing local password for testuser
Old Password:<oldpass>
New Password:<newpass>
Retype New Password:<newpass>
LDAP password information update failed: Can't contact LDAP server
passwd: sorry

This line is the source of the problem:
pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass);
When it is invoked, it sets rubbish for curpass.

>How-To-Repeat:
Remember to change and rebuild passwd as described in the article to enable changing passwords other than NIS/local ones.
>Fix:
This patch was generated for a FreeBSD port (pam_ldap-171): security/pam_ldap

This patch is also available from:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/patch-ac1
--- pam_ldap.c.orig     Thu Sep  2 14:53:32 2004
+++ pam_ldap.c  Thu Sep  2 14:53:44 2004
@@ -3241,7 +3241,7 @@
          if (curpass == NULL)
            return PAM_MAXTRIES;        /* maximum tries exceeded */
          else
-           pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) curpass);
+           pam_set_item (pamh, PAM_OLDAUTHTOK, (void *) strdup(curpass));
        }
       else
        {
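Review bot: the strdup() on the `+` line is neither NULL-checked nor freed, so every password change now leaks a heap copy of the old password that is never scrubbed, and pam_set_item's return code is ignored on both the old and the new line. Suggest holding the copy in a local, checking it, and clearing it after the call, since pam_set_item keeps its own copy of the item: `char *copy = strdup (curpass); if (copy == NULL) return PAM_BUF_ERR;` then `rc = pam_set_item (pamh, PAM_OLDAUTHTOK, copy); memset (copy, 0, strlen (copy)); free (copy);`. The hunk also carries no comment on why a copy is needed; the description's observation that pam_set_item turns curpass into rubbish is consistent with curpass aliasing the PAM_OLDAUTHTOK item the library replaces, and a one-line comment saying so would stop the strdup from being removed later as redundant.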

>Release-Note:
>Audit-Trail:
>Unformatted: