Bug 52813 - Password changing fails with 'pam_password exop'.
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: nss_ldap
Version: 7.1
Hardware: i686 Linux
Priority: medium, Severity: medium
Assigned To: Nalin Dahyabhai
Aaron Brown
Reported: 2001-08-29 12:12 EDT by John Dalbec
Modified: 2007-04-18 12:36 EDT
Doc Type: Bug Fix
Last Closed: 2001-08-29 15:57:06 EDT
Attachments
This patch was sent to me just now. It fixes the 'change password as user' problem. The whitespace is probably broken. (555 bytes, patch)
2001-08-29 12:18 EDT, John Dalbec
Description John Dalbec 2001-08-29 12:12:34 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (Windows NT 5.0; U)

Description of problem:
I installed the openldap errata packages.  I set up openldap using plain authentication because I know nothing about SASL.
I uncommented the 'pam_password exop' line in /etc/ldap.conf because passwd was storing the passwords in plaintext and this option was recommended as a solution on the openldap-software mailing list.
When I try to update a password as a user I get:
LDAP password information update failed: DSA is unwilling to perform.
When I try to update a password as root I get:
passwd: encode.c:328: ber_put_string: Assertion `str != ((void *)0)' failed.
Aborted

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Set up OpenLDAP server using plain authentication on host1 and run migrate_all_online.sh.
(Note: if you know how to set up OpenLDAP with SASL, please provide instructions!  Thanks.)
2. Set up LDAP with authconfig on host2.
3. Add 'rootbinddn' option to /etc/ldap.conf and store password in /etc/ldap.secret.
4. For some account in LDAP (but not in the host2 files) su to the account and run 'passwd'.
5. For the same account, su to root and run 'passwd <account>'.

Actual Results:  After the prompts, error messages appear (see above).  The password is not changed.

Expected Results:  The LDAP password should be changed.  Messages reporting success should appear.

Additional info:

When I try to update a password as a user I get:

From 'slapd -d255':
ber_dump: buf=0x0817f030 ptr=0x0817f032 end=0x0817f06c len=58
  0000:  80 29 75 69 64 3d 74 61  63 72 6f 73 73 2c 6f 75   .)uid=tacross,ou  
  0010:  3d 50 65 6f 70 6c 65 2c  64 63 3d 63 63 2c 64 63   =People,dc=cc,dc  
  0020:  3d 79 73 75 2c 64 63 3d  65 64 75 81 <old & new passwords omitted>   =ysu,dc=edu.
  
slap_passwd_parse: OLD not allowed.
==> ldbm_back_exop_passwd: ""
send_ldap_extended 53: (0)
send_ldap_response: msgid=6 tag=120 err=53
ber_flush: 45 bytes to sd 14
  0000:  30 2b 02 01 06 78 26 0a  01 35 04 00 04 1f 75 73   0+...x&..5....us  
  0010:  65 20 62 69 6e 64 20 74  6f 20 76 65 72 69 66 79   e bind to verify  
  0020:  20 6f 6c 64 20 70 61 73  73 77 6f 72 64             old password     

It looks like pam_ldap.so needs to be updated to use 'bind' to verify the old password.

When I try to update a password as root I get:

GDB backtrace:
#4  0x404b4c63 in ber_put_string () from /lib/liblber.so.2
#5  0x404b5921 in ber_printf () from /lib/liblber.so.2
#6  0x40476a7b in _update_authtok (session=0x805fb40, 
    user=0x8079b88 "tacross", old_password=0x0, 
    new_password=0x807a2f0 "<omitted>") at pam_ldap.c:2101
#7  0x4047794d in pam_sm_chauthtok (pamh=0x805b588, flags=8192, argc=1, 
    argv=0x80792e0) at pam_ldap.c:2634
#8  0x40027b92 in _pam_dispatch_aux () from /lib/libpam.so.0
#9  0x40027e5d in _pam_dispatch () from /lib/libpam.so.0
#10 0x4038f59b in pam_sm_chauthtok () from /lib/security/pam_stack.so
#11 0x4038eccd in pam_sm_chauthtok () from /lib/security/pam_stack.so
#12 0x40027b92 in _pam_dispatch_aux () from /lib/libpam.so.0
#13 0x40027e5d in _pam_dispatch () from /lib/libpam.so.0
#14 0x400297cd in pam_chauthtok () from /lib/libpam.so.0
#15 0x08049645 in pwdb_entry_delete ()
#16 0x4009a177 in __libc_start_main (main=0x8049430 <pwdb_entry_delete+1848>, 
    argc=2, ubp_av=0xbffffaf4, init=0x8048a58 <_init>, fini=0x804a54c <_fini>, 
    rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffffaec)
    at ../sysdeps/generic/libc-start.c:129

It looks like pam_ldap.so needs to be updated to allow for a NULL old password.  Perhaps the other update would fix this issue too.
Comment 1 John Dalbec 2001-08-29 12:18:58 EDT
Created attachment 30074
This patch was sent to me just now.  It fixes the 'change password as user' problem.  The whitespace is probably broken.
Comment 2 John Dalbec 2001-08-29 15:57:02 EDT
OK, the patch fixes both problems and the whitespace in it is definitely
broken.  I did a cut-and-paste from an email message so the last (blank) line is
missing.
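
Added example, not part of the bug report and not the patch in attachment 30074: a minimal hand-rolled BER encoder for the RFC 3062 password-modify request value whose dump appears in the description (tag 0x80 for the DN, 0x81 for the old password). It treats a NULL old password as an absent OPTIONAL field instead of handing it to a string encoder, which is the condition behind the ber_put_string assertion; the function names and sample passwords are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Append one context-tagged OCTET STRING (short-form length, value < 128 bytes).
 * A NULL value means "field absent": nothing is written and the offset is
 * returned unchanged. Returns the new offset, or -1 on error. */
static int put_field(unsigned char *buf, size_t cap, int off,
                     unsigned char tag, const char *val)
{
    size_t len;

    if (off < 0)
        return -1;                      /* propagate an earlier failure */
    if (val == NULL)
        return off;                     /* OPTIONAL field omitted, not encoded */
    len = strlen(val);
    if (len > 127 || (size_t)off + 2 + len > cap)
        return -1;                      /* would need long-form length or overflow */
    buf[off] = tag;
    buf[off + 1] = (unsigned char)len;
    memcpy(buf + off + 2, val, len);
    return off + 2 + (int)len;
}

/* Encode PasswdModifyRequestValue (RFC 3062):
 *   SEQUENCE { [0] userIdentity OPTIONAL,
 *              [1] oldPasswd    OPTIONAL,
 *              [2] newPasswd    OPTIONAL }
 * Hypothetical helper for illustration; returns total bytes written or -1. */
int encode_passmod(unsigned char *buf, size_t cap, const char *user_dn,
                   const char *old_pw, const char *new_pw)
{
    int off = 2;                        /* leave room for the SEQUENCE header */

    if (cap < 2)
        return -1;
    off = put_field(buf, cap, off, 0x80, user_dn);
    off = put_field(buf, cap, off, 0x81, old_pw);  /* NULL when root resets */
    off = put_field(buf, cap, off, 0x82, new_pw);
    if (off < 0 || off - 2 > 127)
        return -1;
    buf[0] = 0x30;                      /* universal SEQUENCE, constructed */
    buf[1] = (unsigned char)(off - 2);
    return off;
}
```

With the DN from the slapd dump and a NULL old password, the output starts 30 36 80 29 and goes straight from the DN to the 0x82 field, with no 0x81 element for the server to reject.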
