Your message dated Tue, 28 Feb 2023 15:13:40 +0000
with message-id <[email protected]>
and subject line Bug#1032123: Removed package(s) from unstable
has caused the Debian Bug report #844665,
regarding libpam-ldap returns user provided case sensitive data instead of
server provided data
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
844665: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844665
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-ldap
Version: 184-8.7+b1
Severity: normal
Dear Maintainer,
This is a related follow-up to bug #842202, in which I reported that
lightdm exhibited issues when users logged in, via the pam_ldap stack, using
mixed-case usernames (e.g. Bkroth instead of bkroth).
As noted there, the LDAP schemas allow for the uid attribute to match
via case insensitive "equality" matches.
However, the issue is that pam_ldap then (somewhat naturally) returns
the user provided data (it did successfully return a search after all)
to the application rather than the server provided uid ldap attribute
response.
Some applications perform their own NSS-based lookup and ignore the data
provided by pam, but others (e.g. lightdm) just use the data returned by
pam.
The following patch basically backports the fixed behavior from
libpam-ldap-186 to have pam return the authoritative server data
instead. Additionally, it includes the optimization of only fetching
the necessary attributes in the ldap call rather than all of them
associated with the user.
Alternatively, one could just backport 186 for jessie/wheezy, but that
package as it stands in stretch currently has an issue with the default
ldap conf file location (which I'll get to in a moment).
Let me know if you have any questions.
Thanks,
Brian
-- System Information:
Debian Release: 8.6
APT prefers stable
APT policy: (500, 'stable'), (120, 'testing'), (110, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libpam-ldap depends on:
ii debconf [debconf-2.0] 1.5.56
ii libc6 2.19-18+deb8u6
ii libldap-2.4-2 2.4.40+dfsg-1+deb8u2
ii libpam-runtime 1.1.8-3.1+deb8u1
ii libpam0g 1.1.8-3.1+deb8u1+b1
libpam-ldap recommends no packages.
Versions of packages libpam-ldap suggests:
ii libnss-ldap 265-3+b1
-- debconf information excluded
diff -u -ruN libpam-ldap-184/debian/changelog libpam-ldap-184.cae/debian/changelog
--- libpam-ldap-184/debian/changelog 2016-11-17 15:42:41.000000000 -0600
+++ libpam-ldap-184.cae/debian/changelog 2016-11-17 15:47:30.976030991 -0600
@@ -1,3 +1,13 @@
+libpam-ldap (184-8.7+b1+caejessie1) cae-jessie-backports; urgency=medium
+
+ * Non-maintainer upload.
+ * Backport a few features from libpam-ldap-186:
+ * Noramlize username by returning server provided attribute instead of user
+ provided attribute.
+ * Also limit the attributes fetched from the LDAP server.
+
+ -- Brian Kroth <[email protected]> Thu, 17 Nov 2016 15:32:37 -0600
+
libpam-ldap (184-8.7) unstable; urgency=medium
* Non-maintainer upload.
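Review bot: the second bullet of the new changelog entry misspells "Normalize" as "Noramlize"; worth fixing before upload, since the entry is the user-visible description of the change. The version 184-8.7+b1+caejessie1 also builds on +b1, which is the binary-NMU suffix of the installed binary rather than the source version 184-8.7; a local backport is normally versioned against the source version (for example 184-8.7+caejessie1) so that dpkg version comparison and later official uploads sort as expected.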
diff -u -ruN libpam-ldap-184/debian/patches/limit_fetched_attrs libpam-ldap-184.cae/debian/patches/limit_fetched_attrs
--- libpam-ldap-184/debian/patches/limit_fetched_attrs 1969-12-31 18:00:00.000000000 -0600
+++ libpam-ldap-184.cae/debian/patches/limit_fetched_attrs 2016-11-17 15:31:19.997366146 -0600
@@ -0,0 +1,32 @@
+--- a/pam_ldap.c
++++ b/pam_ldap.c
+@@ -2560,6 +2560,20 @@
+ return ret;
+ }
+
++static char *_pam_ldap_attrs[] = {
++ "host",
++ "authorizedService",
++ "shadowExpire",
++ "shadowFlag",
++ "shadowInactive",
++ "shadowLastChange",
++ "shadowMax",
++ "shadowMin",
++ "shadowWarning",
++ "uidNumber",
++ NULL
++};
++
+ static int
+ _get_user_info (pam_ldap_session_t * session, const char *user)
+ {
+@@ -2618,7 +2632,7 @@
+ }
+
+ rc = ldap_search_s (session->ld, ssd->base, ssd->scope,
+- filter, NULL, 0, &res);
++ filter, _pam_ldap_attrs, 0, &res);
+
+ if (rc != LDAP_SUCCESS &&
+ rc != LDAP_TIMELIMIT_EXCEEDED && rc != LDAP_SIZELIMIT_EXCEEDED)
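Review bot: the fixed attribute list _pam_ldap_attrs passed to ldap_search_s does not contain "uid", or more precisely whatever session->conf->userattr is configured to, yet the companion normalize_username patch reads session->conf->userattr from this same search result. With only these attributes requested the server never returns the user attribute, _get_string_value fails, and the code falls back to strdup (user), which is exactly the unnormalised behaviour the series is meant to fix. Append session->conf->userattr to the attribute array at runtime (or build the array inside _get_user_info) so the two patches work together; a quick check is to log in as Bkroth and confirm that PAM_USER ends up as bkroth.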
diff -u -ruN libpam-ldap-184/debian/patches/normalize_username libpam-ldap-184.cae/debian/patches/normalize_username
--- libpam-ldap-184/debian/patches/normalize_username 1969-12-31 18:00:00.000000000 -0600
+++ libpam-ldap-184.cae/debian/patches/normalize_username 2016-11-17 15:29:58.724472042 -0600
@@ -0,0 +1,45 @@
+--- a/pam_ldap.c
++++ b/pam_ldap.c
+@@ -2652,7 +2652,13 @@
+ return PAM_BUF_ERR;
+ }
+
+- session->info->username = strdup (user);
++ rc = _get_string_value (session->ld, msg, session->conf->userattr,
++ &session->info->username);
++ if (rc != PAM_SUCCESS)
++ {
++ session->info->username = strdup (user);
++ }
++
+ if (session->info->username == NULL)
+ {
+ ldap_msgfree (res);
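Review bot: when _get_string_value returns anything other than PAM_SUCCESS the code silently falls back to the user-typed name, so a misconfigured userattr or a server that omits the attribute quietly reverts to the old behaviour with nothing in the logs; a syslog line at debug level in the fallback branch would make that visible. The NULL check that follows (`if (session->info->username == NULL)`) only covers the fallback path if _get_string_value leaves the output pointer NULL on failure, which is worth confirming against its definition.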
+@@ -3333,6 +3339,13 @@
+ pam_set_item (pamh, PAM_USER,
+ (void *) session->info->tmpluser);
+ }
++ else if (rc == PAM_SUCCESS && session->info->username != NULL)
++ {
++ (void) pam_set_data (pamh, PADL_LDAP_AUTH_DATA,
++ (void *) strdup (session->info->username),
++ _cleanup_data);
++ rc = pam_set_item (pamh, PAM_USER, (void *) session->info->username);
++ }
+ return rc;
+ }
+ }
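Review bot: the new else-if branch is a copy of the tmpluser branch just above it (pam_set_data of a strdup'd name under PADL_LDAP_AUTH_DATA followed by pam_set_item on PAM_USER), and the same block is added again in the @@ -3363 hunk; a small static helper taking the name to publish would keep all three sites in sync. The strdup result is also passed straight into pam_set_data without a NULL check, so an allocation failure registers a NULL pointer under PADL_LDAP_AUTH_DATA.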
+@@ -3363,6 +3376,13 @@
+ _cleanup_data);
+ rc = pam_set_item (pamh, PAM_USER, (void *) session->info->tmpluser);
+ }
++ else if (rc == PAM_SUCCESS && session->info->username != NULL)
++ {
++ (void) pam_set_data (pamh, PADL_LDAP_AUTH_DATA,
++ (void *) strdup (session->info->username),
++ _cleanup_data);
++ rc = pam_set_item (pamh, PAM_USER, (void *) session->info->username);
++ }
+
+ return rc;
+ }
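Review bot: this branch changes what every module later in the PAM stack sees as PAM_USER, from the string the user typed to the uid value the server returned. That is the intent of the patch, but it should be stated in the changelog entry or the package README, since any module after pam_ldap in the stack now operates on the canonical name and administrators comparing authentication logs from before and after the upgrade will see different usernames for the same login.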
diff -u -ruN libpam-ldap-184/debian/patches/series libpam-ldap-184.cae/debian/patches/series
--- libpam-ldap-184/debian/patches/series 2016-11-17 15:42:41.000000000 -0600
+++ libpam-ldap-184.cae/debian/patches/series 2016-11-17 15:31:42.933618188 -0600
@@ -2,3 +2,5 @@
chsh_ldap_conf
log_shadowlastchange_failure
username_for_memberuid
+normalize_username
+limit_fetched_attrs
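Review bot: both new patch files start directly with `--- a/pam_ldap.c` and carry no DEP-3 header (Description, Origin, Bug-Debian); since the changelog says they are backports from libpam-ldap-186, an Origin line pointing at the upstream change and a Bug-Debian line for this report would let the next maintainer drop them cleanly when the package moves to 186. The order in series is fine as written: normalize_username only touches lines 2652 and later, so limit_fetched_attrs at 2560 and 2618 applies afterwards without any offset.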
--- End Message ---
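The lookup the report describes, as an added example that is not from the bug report or from libpam-ldap: a Python model of the patched _get_user_info() with the case-insensitive uid match and the restricted attribute list, using a constructed directory entry. It also shows the interaction between the two patches: with the attribute list from limit_fetched_attrs as posted, the userattr is never returned and the fallback hands back the typed name.

```python
# Added example, not code from the bug report or from libpam-ldap: a small
# model of the patched _get_user_info() lookup.  It shows (1) why the name
# returned to the application should come from the server and (2) why the
# attribute list in limit_fetched_attrs must include the configured userattr.
# The directory entry and every name below are constructed sample data.

# Constructed directory: the canonical uid is stored in lower case.
DIRECTORY = [
    {"dn": "uid=bkroth,ou=People,dc=example,dc=org",
     "uid": ["bkroth"], "uidNumber": ["1000"], "host": ["lab1"]},
]


def ldap_search(filter_uid, attrs=None):
    """Model ldap_search_s(): uid uses a case-ignoring equality match, so
    'Bkroth' finds 'bkroth'.  attrs=None returns every attribute; a list
    restricts what the server sends back, as limit_fetched_attrs does."""
    for entry in DIRECTORY:
        if entry["uid"][0].lower() == filter_uid.lower():
            if attrs is None:
                return dict(entry)
            return {k: v for k, v in entry.items() if k == "dn" or k in attrs}
    return None


def get_user_info(user, userattr="uid", attrs=None):
    """Model the patched code: prefer the server-provided userattr value and
    fall back to the user-typed string only when the result lacks it."""
    msg = ldap_search(user, attrs)
    if msg is None:
        return None                  # no entry: authentication will fail
    values = msg.get(userattr)
    if values:                       # _get_string_value() succeeded
        return values[0]
    return user                      # fallback path: strdup (user)


# Attribute list copied from the limit_fetched_attrs hunk; note: no "uid".
LIMITED_ATTRS = ["host", "authorizedService", "shadowExpire", "shadowFlag",
                 "shadowInactive", "shadowLastChange", "shadowMax",
                 "shadowMin", "shadowWarning", "uidNumber"]

if __name__ == "__main__":
    print(get_user_info("Bkroth"))                                # bkroth
    print(get_user_info("Bkroth", attrs=LIMITED_ATTRS))           # Bkroth
    print(get_user_info("Bkroth", attrs=LIMITED_ATTRS + ["uid"])) # bkroth
```

The middle call is the posted series as-is: the server omits uid, so the application still receives "Bkroth"; adding the userattr to the list restores the canonical name.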
--- Begin Message ---
Version: 186-4.1+rm
Dear submitter,
as the package libpam-ldap has just been removed from the Debian archive
unstable, we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/1032123
The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.
Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---