From nobody@FreeBSD.org  Wed Nov  3 11:38:09 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6FA1216A4D0
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  3 Nov 2004 11:38:09 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 452FA43D3F
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  3 Nov 2004 11:38:09 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id iA3Bc6tx035719
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 3 Nov 2004 11:38:06 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id iA3Bc66t035718;
	Wed, 3 Nov 2004 11:38:06 GMT
	(envelope-from nobody)
Message-Id: <200411031138.iA3Bc66t035718@www.freebsd.org>
Date: Wed, 3 Nov 2004 11:38:06 GMT
From: Pawel Wieleba <P.Wieleba@iem.pw.edu.pl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH] nss_ldap - getpwnam does not return password hash when run as root
X-Send-Pr-Version: www-2.3

>Number:         73448
>Category:       ports
>Synopsis:       [PATCH] nss_ldap - getpwnam does not return password hash when run as root
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 03 11:40:28 GMT 2004
>Closed-Date:    Wed May 24 10:53:23 GMT 2006
>Last-Modified:  Wed May 24 10:53:23 GMT 2006
>Originator:     Pawel Wieleba
>Release:        FreeBSD  6.0-CURRENT
>Organization:
>Environment:
FreeBSD volt.iem.pw.edu.pl 6.0-CURRENT FreeBSD 6.0-CURRENT #0:
>Description:
The problem and the solution are described in the article:
www.iem.pw.edu.pl/~wielebap/ldap/nss_ldap/nss_ldap_doc.pdf

Used port net/nss_ldap version: 1.204_5
% cat /etc/nsswitch.conf
passwd: ldap files
group: ldap files

      Programs which use getpwnam() to authenticate LDAP users
(e.g. cucipop) do not work on FreeBSD when the users have a shadowAccount
objectClass. In heterogeneous environments (mixed Linux and FreeBSD)
the objectClass shadowAccount is essential.

On FreeBSD and other BSD OS's the getpwnam system function returns the full
password hash in the passwd structure when run as root.
>How-To-Repeat:
Just run getpwnam().
% cat test_nss.c
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>

int main(int argc, char *argv[]) {
  /* initialised: the original read an uninitialised pointer when no argument was given */
  struct passwd *pass = NULL;

  if (argc > 1) {
    /* lookup goes through nsswitch (passwd: ldap files) */
    pass = getpwnam(argv[1]);
  } else {
    printf("test_nss <ldap_username>\n");
    return 1;
  }
  if (pass != NULL) {
    printf("Username info:\n");
    printf("user:%s\n", pass->pw_name);
    /* on BSD this holds the full hash only when the caller is root */
    printf("pass:%s\n", pass->pw_passwd);
    printf("dir:%s\n", pass->pw_dir);
    printf("shell:%s\n", pass->pw_shell);
  } else {
    printf("User not found.\n");
  }

  return 0;
}

>Fix:
You can download patch from:
www.iem.pw.edu.pl/~wielebap/ldap/nss_ldap/patch-ldap-pwd.c

The patch:
%cat /usr/ports/net/nss_ldap/files/patch-ldap-pwd.c
--- ldap-pwd.c.orig	Sat Oct 16 22:22:29 2004
+++ ldap-pwd.c	Sun Oct 17 12:45:08 2004
@@ -92,19 +92,19 @@
   size_t tmplen;
   char *tmp;
 
-  if (_nss_ldap_oc_check (ld, e, "shadowAccount") == NSS_SUCCESS)
-    {
-      /* don't include password for shadowAccount */
-      if (buflen < 3)
-	return NSS_TRYAGAIN;
-
-      pw->pw_passwd = buffer;
-      strcpy (buffer, "x");
-      buffer += 2;
-      buflen -= 2;
-    }
-  else
-    {
+/*  if (_nss_ldap_oc_check (ld, e, "shadowAccount") == NSS_SUCCESS)
+ *    {
+ */      /* don't include password for shadowAccount */
+/*      if (buflen < 3)
+ *	return NSS_TRYAGAIN;
+ *
+ *     pw->pw_passwd = buffer;
+ *     strcpy (buffer, "x");
+ *     buffer += 2;
+ *     buflen -= 2;
+ *   }
+ * else
+ */    {
       stat =
 	_nss_ldap_assign_userpassword (ld, e, AT (userPassword),
 				       &pw->pw_passwd, &buffer, &buflen);
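Review bot: commenting the shadowAccount branch out instead of deleting it leaves a bare `{` where the `else` used to be and a dead block in the source; delete the lines so the remaining statement block reads as plain code. More importantly, nothing in the hunk conditions the `_nss_ldap_assign_userpassword` call on the caller being root: as patched the userPassword value is handed back for every lookup, so unless libc redacts pw_passwd for unprivileged callers of this backend the hash becomes visible to any local user, which contradicts the root-only behaviour the PR title describes and should be confirmed before committing. The removed `if (buflen < 3) return NSS_TRYAGAIN;` guard also has no replacement; verify that `_nss_ldap_assign_userpassword` does its own bounds check on `buflen`.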

If you apply the above patch getpwnam() will return the password hash when the LDAP database is used. It will then have the same functionality as when the files or NIS databases are used.
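An added check, not part of this PR or of nss_ldap, for the question the patch raises: it classifies what getpwnam() placed in pw_passwd (the "x" placeholder nss_ldap stored for shadowAccount entries, another redaction marker, or a real hash) and reports whether a hash is visible to an unprivileged caller. The classification and the exposure test are assumptions of this example, not functions from the port.

```c
/* Added example: decide whether an NSS backend hands a password hash to a
 * caller that is not root. Not part of the PR or of nss_ldap. */
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum pw_field { PW_EMPTY, PW_PLACEHOLDER, PW_HASH };

/* Classify a pw_passwd value. "x" (the placeholder nss_ldap wrote for
 * shadowAccount entries), "*", "!" and "*LK*" are treated as redacted;
 * any other non-empty value is assumed to be a hash (e.g. "$1$..." or
 * an LDAP "{SSHA}..." value). */
enum pw_field classify_pw_passwd(const char *p)
{
    if (p == NULL || *p == '\0')
        return PW_EMPTY;
    if (strcmp(p, "x") == 0 || strcmp(p, "*") == 0 ||
        strcmp(p, "!") == 0 || strcmp(p, "*LK*") == 0)
        return PW_PLACEHOLDER;
    return PW_HASH;
}

/* 1 when a real hash is visible to a non-root caller: the condition a
 * port maintainer would want to rule out before committing the patch. */
int hash_exposed_to_unprivileged(const char *pw_passwd, uid_t euid)
{
    return euid != 0 && classify_pw_passwd(pw_passwd) == PW_HASH;
}

int main(int argc, char *argv[])
{
    struct passwd *pw;
    uid_t euid = geteuid();

    if (argc < 2) {
        fprintf(stderr, "usage: %s <username>\n", argv[0]);
        return 2;
    }
    pw = getpwnam(argv[1]);
    if (pw == NULL) {
        printf("User not found.\n");
        return 1;
    }
    printf("euid=%u pw_passwd class=%d exposed_to_unprivileged=%d\n",
           (unsigned)euid, classify_pw_passwd(pw->pw_passwd),
           hash_exposed_to_unprivileged(pw->pw_passwd, euid));
    return 0;
}
```

Run it once as root and once as a normal user against an LDAP account; a non-zero exposed_to_unprivileged value from the unprivileged run means the backend does not honour the root-only behaviour the PR describes for files and NIS.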
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->nectar 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Nov 4 17:30:17 GMT 2004 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73448 
Responsible-Changed-From-To: nectar->freebsd-ports-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Mar 24 05:47:09 UTC 2006 
Responsible-Changed-Why:  
Reset assignee; nectar is away from FreeBSD work at the moment. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73448 
State-Changed-From-To: open->feedback 
State-Changed-By: vd 
State-Changed-When: Wed Apr 12 14:21:08 UTC 2006 
State-Changed-Why:  
Pawel, since this PR is quite old - can you check if the patch 
to the port is still actual and whether it should be committed? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73448 

From: Sergey Matveychuk <sem@FreeBSD.org>
To: bug-followup@FreeBSD.org,  P.Wieleba@iem.pw.edu.pl
Cc:  
Subject: Re: ports/73448: [PATCH] nss_ldap - getpwnam does not return password
 hash when run as root
Date: Sun, 16 Apr 2006 23:26:08 +0400

 I'm not sure it's correct.
 How does it work in Linux world?
 
 Have you discussed it with nss_ldap developers?
 -- 
 Dixi.
 Sem.

From: Pawel Wieleba <P.Wieleba@iem.pw.edu.pl>
To: Sergey Matveychuk <sem@FreeBSD.org>
Cc: bug-followup@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org, vd@FreeBSD.org
Subject: Re: ports/73448: [PATCH] nss_ldap - getpwnam does not return password hash when run as root
Date: Sun, 16 Apr 2006 22:45:20 +0200

 On Sun, Apr 16, 2006 at 11:26:08PM +0400, Sergey Matveychuk wrote:
 > I'm not sure it's correct.
 > How does it work in Linux world?
 
 On Linux there is a function getspnam which returns the password hash,
  and on FreeBSD there is no such function. However, on FreeBSD
  the function getpwnam, when run as root, returns the user's password hash.
 
 Pawel Wieleba
 
 ps
 To make it clear, I'm keen on PAM, but some software does not work with it.
  The question is whether we really need the present passwd structure.
  Maybe we should drop the 'pw_passwd' and 'pw_class' fields,
  as they are not compatible with the broadly used LDAP posixAccount and shadowAccount objectClasses.
State-Changed-From-To: feedback->suspended 
State-Changed-By: sem 
State-Changed-When: Sat May 20 20:27:45 UTC 2006 
State-Changed-Why:  
The problem should be decided by developers. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73448 
State-Changed-From-To: suspended->closed 
State-Changed-By: anray 
State-Changed-When: Wed May 24 10:53:21 UTC 2006 
State-Changed-Why:  
Now this bug is fixed by new maintainer. Update port. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73448 
>Unformatted:
