rpms/nss_ldap/devel pam_ldap-183-rebind_control.patch, NONE, 1.1 pam_ldap-184-referral-passwd.patch, NONE, 1.1

[Nalin Somabhai Dahyabhai (nalin)]

Author: nalin

Update of /cvs/pkgs/rpms/nss_ldap/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5942

Added Files:
	pam_ldap-183-rebind_control.patch 
	pam_ldap-184-referral-passwd.patch 
Log Message:
patches for upstream #232 and our #300251, in which referrals in combination
with expired passwords indicated using server controls tends to fail, first
by not attempting to bind to the master with a password, and then because it
denies us due to the password having expired


pam_ldap-183-rebind_control.patch:

--- NEW FILE pam_ldap-183-rebind_control.patch ---
The rebind_proc is expected to return LDAP, not PAM error codes.  (Fallout from
the fix for upstream #210).

We check for password expiration controls when rebinding, and ignore a
password-expired error if we appear to be in the middle of a password change
attempt.  Attached to upstream #232.

diff -up pam_ldap-176/pam_ldap.c pam_ldap-176/pam_ldap.c
--- pam_ldap-176/pam_ldap.c	2007-10-04 10:51:18.000000000 -0400
+++ pam_ldap-176/pam_ldap.c	2007-10-04 10:51:25.000000000 -0400
@@ -207,6 +207,8 @@ static void _cleanup_data (pam_handle_t 
 static void _cleanup_authtok_data (pam_handle_t * pamh, void *data,
 				   int error_status);
 static int _alloc_config (pam_ldap_config_t ** presult);
+static int _get_password_policy_response_value (struct berval *response_value,
+						pam_ldap_session_t * session);
 #ifdef YPLDAPD
 static int _ypldapd_read_config (pam_ldap_config_t ** presult);
 #endif
@@ -1592,7 +1594,10 @@ _rebind_proc (LDAP * ld, LDAP_CONST char
   pam_ldap_session_t *session = global_session;
 #endif
   char *who, *cred;
-  int rc;
+  struct timeval timeout;
+  int rc, parserc;
+  LDAPMessage *result;
+  LDAPControl **controls;
 
   if (session->info != NULL && session->info->bound_as_user == 1)
     {
@@ -1620,11 +1626,79 @@ _rebind_proc (LDAP * ld, LDAP_CONST char
         {
           syslog (LOG_ERR, "pam_ldap: ldap_starttls_s: %s",
                   ldap_err2string (rc));
-          return PAM_AUTHINFO_UNAVAIL;
+          return LDAP_OPERATIONS_ERROR;
         }
     }
 
+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
   return ldap_simple_bind_s (ld, who, cred);
+#else
+  msgid = ldap_simple_bind (ld, who, cred);
+  if (msgid == -1)
+    {
+      syslog (LOG_ERR, "pam_ldap: ldap_simple_bind %s",
+              ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
+      return LDAP_OPERATIONS_ERROR;
+    }
+
+  timeout.tv_sec = session->conf->bind_timelimit;
+  timeout.tv_usec = 0;
+  result = NULL;
+  rc = ldap_result (ld, msgid, FALSE, &timeout, &result);
+  if (rc == -1 || rc == 0)
+    {
+      syslog (LOG_ERR, "pam_ldap: ldap_result %s",
+              ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
+      ldap_msgfree (result);
+      return LDAP_OPERATIONS_ERROR;
+    }
+
+  controls = NULL;
+  parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE);
+  if (parserc != LDAP_SUCCESS)
+    {
+      syslog (LOG_ERR, "pam_ldap: ldap_parse_result %s",
+              ldap_err2string (parserc));
+      _pam_overwrite (session->info->userpw);
+      _pam_drop (session->info->userpw);
+      return PAM_SERVICE_ERR;
+    }
+  if (controls != NULL)
+    {
+      LDAPControl **ctlp;
+      for (ctlp = controls; *ctlp != NULL; ctlp++)
+        {
+          if (!strcmp ((*ctlp)->ldctl_oid, LDAP_CONTROL_PWEXPIRED))
+            {
+              if (session->info->policy_error == POLICY_ERROR_SUCCESS)
+                session->info->policy_error = POLICY_ERROR_PASSWORD_EXPIRED;
+            }
+          else if (!strcmp ((*ctlp)->ldctl_oid, LDAP_CONTROL_PASSWORDPOLICYRESPONSE))
+            _get_password_policy_response_value (&(*ctlp)->ldctl_value,
+                                                 session);
+        }
+      ldap_controls_free (controls);
+      /* suppress a failure due to password expiration or needs-changing if we
+       * appear to be in the middle of changing a password */
+      switch (request)
+        {
+        case LDAP_REQ_MODIFY:
+        case LDAP_REQ_EXTENDED:
+          switch (session->info->policy_error)
+            {
+            case POLICY_ERROR_PASSWORD_EXPIRED:
+            case POLICY_ERROR_CHANGE_AFTER_RESET:
+              rc = LDAP_SUCCESS;
+              break;
+            default:
+              break;
+            }
+        default:
+          break;
+        }
+    }
+    return rc;
+#endif
 }
 #else
 #if LDAP_SET_REBIND_PROC_ARGS == 3

pam_ldap-184-referral-passwd.patch:

--- NEW FILE pam_ldap-184-referral-passwd.patch ---
We need to hang on to the user's (old) password when the policy error is
change-after-reset or password-expired, because at password-change time,
we may need it to chase a referral during the update operation.  Attached
to upstream #232.

--- pam_ldap-184/pam_ldap.c	2005-12-08 12:04:43.000000000 -0600
+++ pam_ldap-184/pam_ldap.c	2005-12-08 12:09:12.000000000 -0600
@@ -2087,7 +2087,14 @@
       return PAM_AUTH_ERR;
     }
 
-  if (session->info->policy_error != POLICY_ERROR_SUCCESS)
+  /*
+   * the above hack to get to acct_mgmt when passwd is expired requires
+   * us to preserve the userpw for subsequent binds to a master server
+   * in case we're doing referrals
+   */
+  if ((session->info->policy_error != POLICY_ERROR_SUCCESS) &&
+      (session->info->policy_error != POLICY_ERROR_PASSWORD_EXPIRED) &&
+      (session->info->policy_error != POLICY_ERROR_CHANGE_AFTER_RESET))
     {
       _pam_overwrite (session->info->userpw);
       _pam_drop (session->info->userpw);