Bug 71289 - [PATCH] adds pam_ldap migrate facility - it enables to migrate passwords to LDAP
Summary: [PATCH] adds pam_ldap migrate facility - it enables to migrate passwords to LDAP
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Joe Marcus Clarke
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-09-02 15:40 UTC by Paweł Wieleba
Modified: 2004-09-02 20:26 UTC (History)

See Also:


Attachments

Description Paweł Wieleba 2004-09-02 15:40:13 UTC
Initially this problem was announced in PR#71202. I was asked by marcus to divide this PR and to make proper comments, which is what I'm doing here.

This problem was also submitted to PADL bugzilla: bug#178
(http://bugzilla.padl.com/show_bug.cgi?id=178).

This problem (and two others) is described in the article:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/pam_ldap_doc.pdf

Description:
I implemented a "migrate" facility that lets you migrate/overwrite the LDAP
userPassword field of the user being authenticated. The PAM and LDAP
usernames must be the same.
It makes "pam_ldap migrate" a bit similar to "pam_smbpass migrate".

It solves the problem in the example scenario:
 -We want to use LDAP instead of /etc/passwd database.
 -We use migration tools from PADL to copy records from /etc/passwd
  to LDAP.
 But the password scheme used in our local database is different from the
 one used in LDAP. We cannot convert the passwords, as they are
 hashed. Now we can use "pam_ldap migrate".

Sample safe config:
%cat /etc/pam.d/login|grep auth
auth requisite pam_unix.so no_warn try_first_pass nullok
auth optional pam_ldap.so migrate use_first_pass

Remember to use requisite on the first line (not required, not sufficient).

Fix: This patch was generated for a FreeBSD port (pam_ldap-171): security/pam_ldap
This patch is also available from:
http://www.iem.pw.edu.pl/~wielebap/ldap/pam_ldap/patch-ac2

server% cat /usr/ports/security/pam_ldap/patch-ac2


rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p);
+  /* start of migrate facility in "pam_ldap authentication" */
+  if (migrate==1 && rc==PAM_SUCCESS)
+    {
+      /* check if specified username exists in LDAP */
+      if (_get_user_info(session,username)==PAM_SUCCESS)
+        {
+          /*
+             overwrite old LDAP userPassword with a new password
+             obtained during pam authentication process
+             - rootbinddn and ldap.secret must be set
+          */
+          rc=_update_authtok(session,username,NULL,p);
+          return PAM_IGNORE;
+        }
+    }
+  /* end of migrate facility in "pam_ldap authentication" */
   if (rc == PAM_SUCCESS && (use_first_pass || try_first_pass))
     {
       rc = _do_authentication (session, username, p);

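Review bot: the migrate branch (`if (migrate==1 && rc==PAM_SUCCESS)`) overwrites userPassword with whatever PAM_AUTHTOK holds without verifying it, and the module has no way to know whether the module that set the token actually accepted it; on a stack where pam_unix is `required` rather than `requisite`, a failed login still reaches this code and replaces the LDAP password of any existing user with the attacker's guess. The sample config in the description covers this with `requisite`, but the code should defend itself as far as it can: the condition checks only `rc`, so add a `p != NULL && *p` test before calling `_update_authtok`, and note that the result of `rc=_update_authtok(session,username,NULL,p);` is discarded by the unconditional `return PAM_IGNORE;` that follows it; log a failure with syslog before returning so a misconfigured rootbinddn/ldap.secret does not silently leave users unmigrated. Since the branch also returns before `_do_authentication`, pam_ldap never authenticates anyone in migrate mode, which the man page should state explicitly.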
--- pam_ldap.c.orig     Thu Sep  2 14:49:18 2004
+++ pam_ldap.c  Thu Sep  2 14:51:00 2004
@@ -2941,7 +2941,7 @@
   int rc;
   const char *username;
   char *p;
-  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0;
+  int use_first_pass = 0, try_first_pass = 0, ignore_flags = 0, migrate = 0;
   int i;
   pam_ldap_session_t *session = NULL;
   const char *configFile = NULL;
@@ -2962,6 +2962,8 @@
        ;
       else if (!strcmp (argv[i], "debug"))
        ;
+      else if (!strcmp (argv[i], "migrate"))
+        migrate = 1;
       else
        syslog (LOG_ERR, "illegal option %s", argv[i]);
     }
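Review bot: the new `migrate` option is only added to the argv parser here; the patch carries no man page or README change describing it, and since it rewrites userPassword from the first-pass token the documentation should spell out the required stacking (pam_unix as `requisite` before pam_ldap, `use_first_pass` on the pam_ldap line) and that `rootbinddn` and `ldap.secret` must be configured, which the comment in the authentication hunk already assumes. Consider also rejecting `migrate` without `use_first_pass` at parse time (the `use_first_pass` flag is already tracked in this function) rather than relying on the administrator to combine them correctly.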
@@ -2975,6 +2977,22 @@
     return rc;
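The reason the description insists on requisite for the pam_unix line is worth seeing end to end. The following is an added example, not code from pam_ldap, OpenPAM or this PR: a small Python model of how an auth stack is walked, with stand-in pam_unix and pam_ldap modules. The pam_ldap stand-in copies the logic of the migrate branch in the patch (if the user exists in LDAP, overwrite userPassword with PAM_AUTHTOK and return PAM_IGNORE, without verifying the token). The account names, the local hash function and the placeholder userPassword values are constructed, and the "{CLEAR}" storage form is only a marker for this model, not what the real module writes.

```python
"""Model of PAM 'auth' stack evaluation, built to show why the migrate stack
needs pam_unix on a 'requisite' line.  Constructed example: the modules and the
stack walker are simplified stand-ins, not code from pam_ldap or OpenPAM."""
import hashlib

PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = 0, 7, 25
OLD_LDAP_HASH = "{MD5}hash-copied-by-migration-tools"   # constructed placeholder


def local_hash(password):
    # stand-in for the crypt(3) hash in /etc/master.passwd (constructed, not crypt)
    return hashlib.sha256(password.encode()).hexdigest()


class Ctx:
    """The pam_handle: who is logging in, what they typed, and the PAM_AUTHTOK item."""
    def __init__(self, user, password, local_db, ldap_db):
        self.user, self.password = user, password
        self.local_db, self.ldap_db = local_db, ldap_db
        self.authtok = None          # PAM_AUTHTOK, set by the first module that prompts


def pam_unix(ctx, opts):
    # prompts (sets PAM_AUTHTOK) and checks the local hash; succeeds or fails
    if ctx.authtok is None:
        ctx.authtok = ctx.password
    stored = ctx.local_db.get(ctx.user)
    return PAM_SUCCESS if stored == local_hash(ctx.authtok) else PAM_AUTH_ERR


def pam_ldap(ctx, opts):
    # mirrors the patched pam_sm_authenticate: with 'migrate', an existing LDAP user
    # gets userPassword overwritten with PAM_AUTHTOK and PAM_IGNORE is returned
    # without the token ever being verified against LDAP
    if ctx.authtok is None:
        if "use_first_pass" in opts:
            return PAM_AUTH_ERR           # nothing to reuse and not allowed to prompt
        ctx.authtok = ctx.password        # the module would prompt on its own
    if "migrate" in opts and ctx.user in ctx.ldap_db:
        ctx.ldap_db[ctx.user] = "{CLEAR}" + ctx.authtok   # real module hashes per pam_password
        return PAM_IGNORE
    ok = ctx.ldap_db.get(ctx.user) == "{CLEAR}" + ctx.authtok   # stand-in for the LDAP bind
    return PAM_SUCCESS if ok else PAM_AUTH_ERR


def run_auth_stack(stack, ctx):
    """Walk the stack with the control-flag rules shared by OpenPAM and Linux-PAM."""
    failure = None
    for control, module, opts in stack:
        rc = module(ctx, opts)
        if rc == PAM_IGNORE:
            continue                      # as if the module were not in the stack
        if control == "requisite" and rc != PAM_SUCCESS:
            return rc                     # stop now; later modules never run
        if control == "required" and rc != PAM_SUCCESS and failure is None:
            failure = rc                  # remember, but keep walking the stack
        if control == "sufficient" and rc == PAM_SUCCESS and failure is None:
            return PAM_SUCCESS            # done; later modules never run
        # "optional": the result does not influence the outcome
    return PAM_SUCCESS if failure is None else failure


def login(unix_control, user, password, ldap_db):
    """Run the PR's two-line stack with the chosen control flag on the pam_unix line."""
    local_db = {"alice": local_hash("correct horse")}          # constructed local account
    stack = [
        (unix_control, pam_unix, {"no_warn", "try_first_pass", "nullok"}),
        ("optional", pam_ldap, {"migrate", "use_first_pass"}),
    ]
    return run_auth_stack(stack, Ctx(user, password, local_db, ldap_db))


def demo():
    """(result, LDAP userPassword after the attempt) for each control flag."""
    out = {}
    for control, typed in (("requisite", "guess123"),        # wrong password, safe stack
                           ("required", "guess123"),         # wrong password, unsafe stack
                           ("sufficient", "correct horse")): # right password, no migration
        ldap_db = {"alice": OLD_LDAP_HASH}
        out[control] = (login(control, "alice", typed, ldap_db), ldap_db["alice"])
    return out


if __name__ == "__main__":
    for control, (rc, pw) in demo().items():
        print(f"{control:10s} rc={rc:2d} userPassword={pw}")
```

With `requisite`, a wrong password stops the stack before pam_ldap runs and the LDAP entry is untouched. With `required`, the login still fails overall, but pam_ldap runs anyway, sees an existing LDAP user and a non-empty PAM_AUTHTOK, and replaces userPassword with the guessed value, so anyone who can reach the login prompt can reset any migrated user's LDAP password. With `sufficient`, a correct password returns success before pam_ldap is reached, so no migration ever happens.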
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2004-09-02 18:08:49 UTC
Responsible Changed
From-To: freebsd-ports-bugs->marcus

Over to maintainer.
Comment 2 Joe Marcus Clarke freebsd_committer freebsd_triage 2004-09-02 20:26:17 UTC
State Changed
From-To: open->closed

Committed, thanks!