pam_ldap and poppassd


pam_ldap and poppassd

by Warren Howard


Hi,

I'm having trouble getting pam_ldap to work with poppassd
(http://www.echelon.pl/pubs/poppassd.php) and I hoping that someone on
this list may be able to shed some light on the situation.  Basically
poppassd works fine with pam_unix.so and gives error with pam_ldap.so.
I'm using Gentoo Linux and under normal circumstances
/etc/pam.d/poppassd would simply "include" /etc/pam.d/system-auth.
However since things aren't working I'm now using a "simplified"
/etc/pam.d/poppassd file for testing.

Test 1. poppassd and pam_unix.

Contents of /etc/pam.d/poppassd :

auth       required     pam_unix.so
account    required     pam_unix.so
password   required     pam_unix.so

poppassd session :

# poppassd
200 poppassd v1.8.5 hello, who are you?
user warrenlocal
200 Your password please.
pass <old_password_here>
200 Your new password please.
newpass <new_password_here>
200 Password changed, thank-you.
quit
200 Bye.
#

SUCCESSFUL!

Note : The user "warrenlocal" exists only in /etc/passwd and poppassd
will only prompt for the new password if the existing password is correct.

Test 2. poppassd and pam_ldap.

Contents of /etc/pam.d/poppassd :

auth       required     pam_ldap.so
account    required     pam_ldap.so
password   required     pam_ldap.so

poppassd session :

# poppassd
200 poppassd v1.8.5 hello, who are you?
user warren_h
200 Your password please.
pass <old_password_here>
200 Your new password please.
newpass <new_password_here>
500 PAM error: LDAP Password incorrect: try again
500 PAM error: LDAP Password incorrect: try again
500 PAM error: LDAP Password incorrect: try again
500 Server error, password not changed
#

FAILS!

Note : The user "warren_h" exists only in ldap and as before poppassd
will only prompt for the new password if the old password is correct, so
the old password therefore must have already been checked against ldap
once before poppassd tries changing it.

A grab from the system log shows :

Aug 14 15:02:14 [slapd] conn=2012 op=0 RESULT tag=97 err=0 text=
Aug 14 15:02:14 [slapd] conn=2012 op=1 SRCH base="dc=naturesoft,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=warren_h))"
Aug 14 15:02:14 [slapd] conn=2012 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug 14 15:02:14 [slapd] conn=2012 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 14 15:02:21 [slapd] conn=1590 op=148 SRCH base="dc=naturesoft,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1014))"
Aug 14 15:02:21 [slapd] conn=1590 op=148 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug 14 15:02:21 [slapd] conn=1590 op=148 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 14 15:02:21 [slapd] conn=1590 op=149 SRCH base="dc=naturesoft,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1017))"
Aug 14 15:02:21 [slapd] conn=1590 op=149 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug 14 15:02:21 [slapd] conn=1590 op=149 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 14 15:02:21 [slapd] conn=1590 op=150 SRCH base="dc=naturesoft,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1019))"
Aug 14 15:02:21 [slapd] conn=1590 op=150 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug 14 15:02:21 [slapd] conn=1590 op=150 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 14 15:02:21 [slapd] conn=2011 op=4 BIND dn="" method=128
Aug 14 15:02:21 [slapd] conn=2011 op=4 RESULT tag=97 err=0 text=
Aug 14 15:02:21 [slapd] conn=2011 op=5 SRCH base="dc=naturesoft,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount)(uid=warren_h))"
Aug 14 15:02:21 [slapd] conn=2011 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 14 15:02:21 [slapd] conn=2011 op=6 BIND dn="uid=warren_h,dc=naturesoft,dc=net" method=128
Aug 14 15:02:21 [slapd] conn=2011 op=6 RESULT tag=97 err=49 text=
Aug 14 15:02:21 [poppassd] pam_ldap: error trying to bind as user "uid=warren_h,dc=naturesoft,dc=net" (Invalid credentials)
Aug 14 15:02:21 [slapd] conn=2011 op=7 BIND dn="" method=128
Aug 14 15:02:21 [slapd] conn=2011 op=7 RESULT tag=97 err=0 text=
Aug 14 15:02:21 [poppassd] PAM error: LDAP Password incorrect: try again
Aug 14 15:02:21 [slapd] conn=2011 op=8 BIND dn="" method=128
Aug 14 15:02:21 [slapd] conn=2011 op=8 RESULT tag=97 err=0 text=
Aug 14 15:02:21 [poppassd] PAM error: LDAP Password incorrect: try again
Aug 14 15:02:21 [slapd] conn=2011 op=9 BIND dn="" method=128
Aug 14 15:02:21 [slapd] conn=2011 op=9 RESULT tag=97 err=0 text=
Aug 14 15:02:21 [poppassd] PAM error: LDAP Password incorrect: try again
Aug 14 15:02:21 [slapd] conn=2011 fd=140 closed (connection lost)
Aug 14 15:02:21 [slapd] conn=2012 fd=141 closed (connection lost)


So I'm pretty much stuck.  I would like to use this program, poppassd,
to setup a "change your password" web page.  It doesn't look as though
it's going to do the trick.  Anyway, I'm hoping someone on this list
might have a few suggestions for me to try.

Thanks,


Warren.

Re: pam_ldap and poppassd

by Warren Howard


> Aug 14 15:02:21 [slapd] conn=2011 op=5 SRCH base="dc=naturesoft,dc=net"
> scope=2 deref=0
> filter="(&(objectClass=posixAccount)(objectClass=posixAccount)(uid=warren_h))"
> Aug 14 15:02:21 [slapd] conn=2011 op=5 SEARCH RESULT tag=101 err=0
> nentries=1 text=
> Aug 14 15:02:21 [slapd] conn=2011 op=6 BIND
> dn="uid=warren_h,dc=naturesoft,dc=net" method=128
> Aug 14 15:02:21 [slapd] conn=2011 op=6 RESULT tag=97 err=49 text=
> Aug 14 15:02:21 [poppassd] pam_ldap: error trying to bind as user
> "uid=warren_h,dc=naturesoft,dc=net" (Invalid credentials)
>
> err=49 relates to LDAP_INVALID_CREDENTIALS (0x31) from ldap.h
>
> You haven't mentioned whether you can successfully bind with
> dn="uid=warren_h,dc=naturesoft,dc=net" and the password you are typing
> into poppassd. Does it work with ldapsearch on the command line? If it
> does, then poppassd is not passing the old password down to the pam
> stack properly.
>

Yes, in all other respects and other tests binding as
dn="uid=warren_h,dc=naturesoft,dc=net" works fine.  It appears to me that
either poppassd handles pam_unix differently to pam_ldap or that pam_ldap
behaves differently to pam_unix.

> BTW  - there are smarter ways to make a password changer web page that
> don't involve connecting to a network service. Eg. perl Authen::PAM
> http://search.cpan.org/search?query=authen%3A%3Apam&mode=all
> Just be sure to untaint all your variables first if using it in CGI.
> Poppassd is really only useful to Eudora mail clients.
>

As you suggest I think I'll need to look into some of the other password
change options out there.  I chose poppassd because there was a password
change plugin available for SquirrelMail that used poppassd and the
version of poppassd I was testing runs as an unprivileged user and
supports PAM and cracklib.  So it looked like a neat solution.

> Regards,
> Wade.
>

Thanks for the advice.

Regards,


Warren.


Re: pam_ldap and poppassd

by Warren Howard


On 08/15/2006 07:10 AM, Wade Fitzpatrick wrote:

> Aug 14 15:02:21 [slapd] conn=2011 op=5 SRCH
> base="dc=naturesoft,dc=net" scope=2 deref=0
> filter="(&(objectClass=posixAccount)(objectClass=posixAccount)(uid=warren_h))"
>
> Aug 14 15:02:21 [slapd] conn=2011 op=5 SEARCH RESULT tag=101 err=0
> nentries=1 text=
> Aug 14 15:02:21 [slapd] conn=2011 op=6 BIND
> dn="uid=warren_h,dc=naturesoft,dc=net" method=128
> Aug 14 15:02:21 [slapd] conn=2011 op=6 RESULT tag=97 err=49 text=
> Aug 14 15:02:21 [poppassd] pam_ldap: error trying to bind as user
> "uid=warren_h,dc=naturesoft,dc=net" (Invalid credentials)
>
> err=49 relates to LDAP_INVALID_CREDENTIALS (0x31) from ldap.h
>
> You haven't mentioned whether you can successfully bind with
> dn="uid=warren_h,dc=naturesoft,dc=net" and the password you are typing
> into poppassd. Does it work with ldapsearch on the command line? If it
> does, then poppassd is not passing the old password down to the pam
> stack properly.
>
> BTW  - there are smarter ways to make a password changer web page that
> don't involve connecting to a network service. Eg. perl Authen::PAM
> http://search.cpan.org/search?query=authen%3A%3Apam&mode=all
> Just be sure to untaint all your variables first if using it in CGI.
> Poppassd is really only useful to Eudora mail clients.
>
> Regards,
> Wade.

Just an update for the record.  The problem was in poppassd.c.  In it is
one function that manages the "conversation" with PAM and it was passing
the new password to pam_ldap when pam_ldap was expecting the old
password.  A C programming colleague at work made the changes to
poppassd.c to get it working with pam_ldap, and I've sent those changes
to the author of the program.

Poppassd runs as root and only listens on localhost; password changes are
done through a plug-in for SquirrelMail that is running on the same
host.  In this way the httpd process is separated from the password change
process and there are no SUID bits required.  Cracklib is included in
the PAM stack and poppassd is handling that too.


Regards,


Warren.