From nobody@FreeBSD.org  Thu Sep  2 14:55:12 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9D65E16A4CF
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  2 Sep 2004 14:55:12 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 91A3C43D1D
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  2 Sep 2004 14:55:12 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i82EtCSA065571
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 2 Sep 2004 14:55:12 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i82EtCiA065570;
	Thu, 2 Sep 2004 14:55:12 GMT
	(envelope-from nobody)
Message-Id: <200409021455.i82EtCiA065570@www.freebsd.org>
Date: Thu, 2 Sep 2004 14:55:12 GMT
From: Pawel Wieleba <wielebap@iem.pw.edu.pl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH] passwd cannot change passwords other than NIS/local (e.g. via pam_ldap)
X-Send-Pr-Version: www-2.3

>Number:         71290
>Category:       bin
>Synopsis:       [patch] passwd(1) cannot change passwords other than NIS/local (e.g. via pam_ldap)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    des
>State:          suspended
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 02 15:00:37 GMT 2004
>Closed-Date:    
>Last-Modified:  Sat May 24 20:44:23 UTC 2008
>Originator:     Pawel Wieleba
>Release:        FreeBSD 5.2.1
>Organization:
>Environment:
FreeBSD server 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0:
>Description:
Initially this problem was announced in PR#71202. I was asked by marcus to divide this PR, and so I'm doing so.

This problem (and two others) is described in the article:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/pam_ldap_doc.pdf

You can also check PR #71287(pam_ldap).

Description
I cannot change LDAP users' passwords via pam_ldap. Why is it prohibited??? Are there any security problems???

Please let me know,
CU
Pawel Wieleba

Example config:
% cat /etc/pam.d/passwd
password sufficient pam_unix.so no_warn try_first_pass nullok
password sufficient pam_ldap.so use_first_pass

>How-To-Repeat:
      
>Fix:
You have to change and recompile /usr/src/usr.bin/passwd to enable changing pam_ldap passwords (I use this patch).
A patch:
%diff -u passwd.c.orig passwd.c
--- /usr/src/usr.bin/passwd/passwd.c.orig  Mon May 24 19:41:40 2004
+++ /usr/src/usr.bin/passwd/passwd.c       Tue Aug 31 18:03:00 2004
@@ -121,8 +121,7 @@
                break;
        default:
                /* XXX: Green men ought to be supported via PAM. */
-               errx(1,
-         "Sorry, `passwd' can only change passwords for local or NIS users.");
+               fprintf(stderr, "Now you can change LDAP passwordi via PAM\n");
        }

 #define pam_check(func) do { \
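Review bot: the replacement line in the default branch, `+ fprintf(stderr, "Now you can change LDAP passwordi via PAM\n");`, has a typo ("passwordi") and claims something the code cannot know: this branch is reached for every pw_fields source that is neither _PWF_FILES nor _PWF_NIS, not specifically LDAP, so the message should be source-neutral, for example `Changing password for %s` with pwd->pw_name, matching the two cases above it. Dropping the errx() also removes the only check that stopped passwd(1) from proceeding for an unrecognised source, so the PAM conversation after the switch now runs for users the program previously refused; the followup from des in the audit trail points out that this exercises PAM module code paths that have hardly been used, and that the local-only behaviour and its documentation need reworking rather than just unblocking.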
>Release-Note:
>Audit-Trail:

From: Christian Marg <marg@rz.tu-clausthal.de>
To: bug-followup@FreeBSD.org,  wielebap@iem.pw.edu.pl
Cc:  
Subject: Re: bin/71290: [PATCH] passwd cannot change passwords other than
 NIS/local (e.g. via pam_ldap)
Date: Mon, 24 Jul 2006 18:40:27 +0200

 Hello...
 
 Since I also want to use pam_ldap to change passwords in LDAP, I
 stumbled upon this problem. And after looking into the sources I found
 this comment in <pwd.h>:
 
 ---------------------
 /* XXX These flags are bogus.  With nsswitch, there are many
  * possible sources and they cannot be represented in a small integer.
  */
 #define _PWF_SOURCE	0x3000
 #define _PWF_FILES	0x1000
 #define _PWF_NIS	0x2000
 #define _PWF_HESIOD	0x3000
 ---------------------
 
 So, if the flags are bogus, why are they tested in passwd.c?
 Just to select which string is printed. Yes, the test has no real purpose.
 
 Attached is my patch - just strip the select statement that is purely
 cosmetic but hinders people from using passwd.
 
 Maybe someone will consider committing the patch, so that this bug can be
 closed after a year... :|
 
 bye
 
 Christian
 
 
 -- 
 Christian Marg                    mail: mailto:marg@rz.tu-clausthal.de
 Rechenzentrum TU Clausthal        web : http://www.rz.tu-clausthal.de
 D-38678 Clausthal-Zellerfeld      fon : 05323/72-2043
 Germany                           ICQ : <on request>
 
 Attachment: passwd-patch.txt
 
 diff -u passwd.c passwd.c.orig
 --- /usr/src/usr.bin/passwd/passwd.c.orig       Mon Jul 24 17:40:16 2006
 +++ /usr/src/usr.bin/passwd/passwd.c    Mon Jul 24 17:54:16 2006
 @@ -109,21 +109,7 @@
         if (uid !=3D 0 && uid !=3D pwd->pw_uid)
                 errx(1, "permission denied");
 
 -       /* check where the user's from */
 -       switch (pwd->pw_fields & _PWF_SOURCE) {
 -       case _PWF_FILES:
 -               fprintf(stderr, "Changing local password for %s\n",
 -                   pwd->pw_name);
 -               break;
 -       case _PWF_NIS:
 -               fprintf(stderr, "Changing NIS password for %s\n",
 -                   pwd->pw_name);
 -               break;
 -       default:
 -               /* XXX: Green men ought to be supported via PAM. */
 -               errx(1,
 -         "Sorry, `passwd' can only change passwords for local or NIS use=
 rs.");
 -       }
 +       fprintf(stderr, "Changing password for %s\n", pwd->pw_name);
 
  #define pam_check(func) do { \
         if (pam_err !=3D PAM_SUCCESS) { \
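Review bot: the attachment is still quoted-printable encoded, so the context lines read `uid !=3D 0 && uid !=3D pwd->pw_uid` and the removed errx() string is split across `use=` / `rs.");`; patch(1) will not apply this until it is decoded, and the command line shown (`diff -u passwd.c passwd.c.orig`) is reversed relative to the `---`/`+++` headers. On substance, deleting the whole switch is cleaner than the earlier hunk because the new message `Changing password for %s` is source-neutral, but it also silently removes the local/NIS distinction that the rest of passwd(1) and its man page are built around; as des's followup says, the command-line options and documentation that depend on that distinction need to be cleaned up in the same change, and the PAM module code paths this newly reaches should be reviewed before it is committed.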
 
 
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: remko 
Responsible-Changed-When: Sun Dec 9 13:23:39 UTC 2007 
Responsible-Changed-Why:  
This sounds like this might be something for you Dag-Erling, 
can you have a look please? Otherwise please reassign it to me 
and I'll look for a possible candidate :) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71290 

From: linimon@lonesome.com (Mark Linimon)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/71290: [PATCH] passwd cannot change passwords other than NIS/local (e.g. via pam_ldap)
Date: Mon, 28 Jan 2008 00:47:49 -0600

 ----- Forwarded message from Dag-Erling Smørgrav <des@des.no> -----
 
 From: Dag-Erling Smørgrav <des@des.no>
 To: Mark Linimon <linimon@lonesome.com>
 
 The solution isn't as simple as the messages in the audit trail claim:
 
  1) the current (admittedly gnarly) implementation attempts to preserve
     pre-existing functionality - the ability to change only the local
     password - which we probably will have to reimplement in some way or
     another.
 
  2) applying the proposed patch as-is will leave a trail of dead code,
     non-functional command line options and outdated documentation, all
     of which needs to be cleaned up.
 
  3) changing passwd(1) in this manner will expose code in our PAM
     modules which previously hasn't been used much (or at all), and
     which may contain surprises.
 
 We should probably look at what NetBSD did when they implemented PAM.
 
 (for suitable values of "we")
 
 DES
 -- 
 Dag-Erling Smørgrav - des@des.no
 
 ----- End forwarded message -----
State-Changed-From-To: open->suspended 
State-Changed-By: linimon 
State-Changed-When: Mon Jan 28 06:51:07 UTC 2008 
State-Changed-Why:  
Mark this as suspended for now, for reasons detailed in des' followup 
in the Audit-Trail. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71290 
>Unformatted:
