Mailinglist Archive: opensuse-security (228 mails)

pam_ldap patch not applied correctly in 9.1 and 9.2
  • From: "Prakash Velayutham" <Prakash.Velayutham@xxxxxxxxx>
  • Date: Mon, 21 Mar 2005 11:04:41 -0500
  • Message-id: <s23ea999.069@xxxxxxxxxxxxxxxxxx>
Hi All,

I have several SuSE Pro 9.0, 9.1 and 9.2 systems. One of these systems
is running openldap2 server and the other systems are clients of this
LDAP server and authenticate against it. I use pam_ldap and nss_ldap on
the clients.
Recently I realized that my users are able to change their LDAP
passwords using "passwd" utility only from the 9.0 clients and not from
the 9.1 and 9.2 clients. The error is something like:

user@hostname:~> passwd
Changing password for user.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Can't contact LDAP server
use bind to verify old password
Password changed.

In the clients warn logs I see something like "pam_ldap:
ldap_extended_operation_s Server is unwilling to perform".
After googling and searching around for almost 2 days, I discovered that
SuSE did not apply a patch to pam_ldap.c file from the pam_ldap
distribution on the recent systems (at least on the 9.1 source RPM I did
not see the change suggested by PADL). Here it is if anyone wants it.

ber_printf (ber, "{");
ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID,
session->info->userdn);
- ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_OLD,
old_password);
+/* ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_OLD,
old_password);*/
ber_printf (ber, "ts", LDAP_TAG_EXOP_X_MODIFY_PASSWD_NEW,
new_password);
ber_printf (ber, "N}");
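Review bot: the `-`/`+` pair drops the oldPasswd field unconditionally (the `+` line is just a commented-out copy of the `-` line), so the old password that pam_ldap still prompts for in the transcript above is never placed in the extended operation; if the intent is to rely on the "use bind to verify old password" path shown in that transcript, a comment in the hunk saying so would help, and making the field conditional on configuration would keep it available for servers that do expect it. Note also that the tag names here (LDAP_TAG_EXOP_X_MODIFY_PASSWD_ID/_OLD/_NEW) differ from the LDAP_TAG_EXOP_MODIFY_PASSWD_* names in the 9.1 sources quoted below, so this hunk will not apply as-is and has to be ported by hand.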

In 9.1 sources, I saw this instead.
ber_printf (ber, "{");
ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_ID,
session->info->userdn);
/* this doesn't appear to be necessary anymore */
ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_OLD,
old_password);
ber_printf (ber, "ts", LDAP_TAG_EXOP_MODIFY_PASSWD_NEW,
new_password);
ber_printf (ber, "N}");

Once I commented out the necessary line and rebuilt the RPM, I could use
"passwd" to change the user password in LDAP.

Regards,
Prakash
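As an added example (not code from this post, from pam_ldap or from PADL), here is a small Python encoder and decoder for the RFC 3062 PasswdModifyRequestValue that the ber_printf calls above assemble: passing an old password adds the [1] oldPasswd tag (0x81) that the unpatched 9.1 client sends, and the decoder lets an admin check which tags a captured request value carried. The DN and passwords used with it are constructed sample values.

```python
# Encoder/decoder for the RFC 3062 PasswdModifyRequestValue that the pam_ldap
# ber_printf calls assemble. Added example, not pam_ldap/PADL code; the DN and
# passwords used with it are constructed sample values.
TAG_USER_IDENTITY = 0x80  # [0] userIdentity  (LDAP_TAG_EXOP_MODIFY_PASSWD_ID)
TAG_OLD_PASSWD = 0x81     # [1] oldPasswd     (LDAP_TAG_EXOP_MODIFY_PASSWD_OLD)
TAG_NEW_PASSWD = 0x82     # [2] newPasswd     (LDAP_TAG_EXOP_MODIFY_PASSWD_NEW)
TAG_SEQUENCE = 0x30       # outer SEQUENCE, ber_printf "{" ... "}"

def _ber_len(n):
    """Definite-form BER length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def passwd_modify_value(userdn, new_password, old_password=None):
    """Build the request value; old_password=None matches the patched client."""
    inner = _tlv(TAG_USER_IDENTITY, userdn.encode())
    if old_password is not None:  # the line the 9.1 sources leave uncommented
        inner += _tlv(TAG_OLD_PASSWD, old_password.encode())
    inner += _tlv(TAG_NEW_PASSWD, new_password.encode())
    return _tlv(TAG_SEQUENCE, inner)

def _read_tlv(buf, pos):
    """Parse one definite-length TLV at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def decode_fields(value):
    """Context tag -> bytes; shows whether a captured request carried 0x81."""
    tag, body, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("not a single PasswdModifyRequestValue SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields[t] = v
    return fields
```

Feeding the value from a packet capture of the failing client into decode_fields shows whether 0x81 is present, which is the only difference between the two encodings the post compares.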
