From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (Windows NT 5.0; U)

Description of problem:
I installed the openldap errata packages. I set up openldap using plain authentication because I know nothing about SASL. I uncommented the 'pam_password exop' line in /etc/ldap.conf because passwd was storing the passwords in plaintext and this option was recommended as a solution on the openldap-software mailing list.

When I try to update a password as a user I get:

LDAP password information update failed: DSA is unwilling to perform.

When I try to update a password as root I get:

passwd: encode.c:328: ber_put_string: Assertion `str != ((void *)0)' failed.
Aborted

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Set up OpenLDAP server using plain authentication on host1 and run migrate_all_online.sh. (Note: if you know how to set up OpenLDAP with SASL, please provide instructions! Thanks.)
2. Set up LDAP with authconfig on host2.
3. Add 'rootbinddn' option to /etc/ldap.conf and store password in /etc/ldap.secret.
4. For some account in LDAP (but not in the host2 files) su to the account and run 'passwd'.
5. For the same account, su to root and run 'passwd <account>'.

Actual Results:
After the prompts, error messages appear (see above). The password is not changed.

Expected Results:
The LDAP password should be changed. Messages reporting success should appear.

Additional info:

When I try to update a password as a user I get:

From 'slapd -d255':

ber_dump: buf=0x0817f030 ptr=0x0817f032 end=0x0817f06c len=58
  0000:  80 29 75 69 64 3d 74 61 63 72 6f 73 73 2c 6f 75   .)uid=tacross,ou
  0010:  3d 50 65 6f 70 6c 65 2c 64 63 3d 63 63 2c 64 63   =People,dc=cc,dc
  0020:  3d 79 73 75 2c 64 63 3d 65 64 75 81 <old & new passwords omitted>   =ysu,dc=edu.
slap_passwd_parse: OLD not allowed.
==> ldbm_back_exop_passwd: ""
send_ldap_extended 53: (0)
send_ldap_response: msgid=6 tag=120 err=53
ber_flush: 45 bytes to sd 14
  0000:  30 2b 02 01 06 78 26 0a 01 35 04 00 04 1f 75 73   0+...x&..5....us
  0010:  65 20 62 69 6e 64 20 74 6f 20 76 65 72 69 66 79   e bind to verify
  0020:  20 6f 6c 64 20 70 61 73 73 77 6f 72 64             old password

It looks like pam_ldap.so needs to be updated to use 'bind' to verify the old password.

When I try to update a password as root I get:

GDB backtrace:

#4  0x404b4c63 in ber_put_string () from /lib/liblber.so.2
#5  0x404b5921 in ber_printf () from /lib/liblber.so.2
#6  0x40476a7b in _update_authtok (session=0x805fb40, user=0x8079b88 "tacross", old_password=0x0, new_password=0x807a2f0 "<omitted>") at pam_ldap.c:2101
#7  0x4047794d in pam_sm_chauthtok (pamh=0x805b588, flags=8192, argc=1, argv=0x80792e0) at pam_ldap.c:2634
#8  0x40027b92 in _pam_dispatch_aux () from /lib/libpam.so.0
#9  0x40027e5d in _pam_dispatch () from /lib/libpam.so.0
#10 0x4038f59b in pam_sm_chauthtok () from /lib/security/pam_stack.so
#11 0x4038eccd in pam_sm_chauthtok () from /lib/security/pam_stack.so
#12 0x40027b92 in _pam_dispatch_aux () from /lib/libpam.so.0
#13 0x40027e5d in _pam_dispatch () from /lib/libpam.so.0
#14 0x400297cd in pam_chauthtok () from /lib/libpam.so.0
#15 0x08049645 in pwdb_entry_delete ()
#16 0x4009a177 in __libc_start_main (main=0x8049430 <pwdb_entry_delete+1848>, argc=2, ubp_av=0xbffffaf4, init=0x8048a58 <_init>, fini=0x804a54c <_fini>, rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffffaec) at ../sysdeps/generic/libc-start.c:129

It looks like pam_ldap.so needs to be updated to allow for a NULL old password. Perhaps the other update would fix this issue too.
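The server reply in the 'slapd -d255' output above, decoded field by field with a minimal BER reader. This is an added example, not part of the original report and not pam_ldap or OpenLDAP code; the byte string is copied from the report's ber_flush dump, and the function names and the short result-code table are this example's own.

```python
# Added example: minimal BER reader for the LDAP response in the report's dump.
# RESPONSE is copied from 'ber_flush: 45 bytes to sd 14'; all names are this example's own.
RESPONSE = bytes.fromhex(
    "302b02010678260a01350400041f7573"
    "652062696e6420746f20766572696679"
    "206f6c642070617373776f7264"
)

RESULT_CODES = {0: "success", 49: "invalidCredentials", 53: "unwillingToPerform"}


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one definite-length BER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    if first < 0x80:                      # short form: length is the byte itself
        length = first
    else:                                 # long form: low 7 bits count length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_result(message):
    """Decode msgid, protocolOp tag and LDAPResult fields of one LDAPMessage."""
    tag, body, end = read_tlv(message)
    if tag != 0x30 or end != len(message):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    tag, msgid, pos = read_tlv(body)           # messageID INTEGER
    op_tag, op, _ = read_tlv(body, pos)        # protocolOp, e.g. 0x78 = tag 120
    code_tag, code, pos = read_tlv(op)         # resultCode ENUMERATED
    if tag != 0x02 or code_tag != 0x0A:
        raise ValueError("unexpected element types")
    _, matched_dn, pos = read_tlv(op, pos)     # matchedDN
    _, diag, _ = read_tlv(op, pos)             # diagnostic message
    code_n = int.from_bytes(code, "big")
    return {"msgid": int.from_bytes(msgid, "big"), "op_tag": op_tag,
            "result_code": code_n, "result_name": RESULT_CODES.get(code_n, "?"),
            "matched_dn": matched_dn.decode(), "message": diag.decode()}
```

Calling `parse_ldap_result(RESPONSE)` yields the same msgid=6, tag=120 and err=53 that slapd logged, plus the diagnostic string the server sent back to the client.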
Created attachment 30074

This patch was sent to me just now. It fixes the 'change password as user' problem. The whitespace is probably broken.
OK, the patch fixes both problems and the whitespace in it is definitely broken. I did a cut-and-paste from an email message so the last (blank) line is missing.