reassign 380078 libnss-ldap
found 380078 251-1
tags 380078 -patch
thanks

On Thu, Jul 27, 2006 at 01:42:37PM +0200, Bruno Treguier wrote:
> Package: libpam-modules
> Version: 0.79-3.1
> Severity: important
> Tags: patch

> Since version 246, a change has been made to libnss_ldap, whose
> functions getspnam() and getspnam_r() now return "*" instead
> of "x" previously, in the sp_pwdp member of a spwd struct.

> This introduces an incompatibility with the present version of
> libpam-modules, as the "*" case is not handled by the code in
> "support.c" (line 741), thus resulting in the helper program
> "unix_chkpwd" never being called.

> As a consequence, all the programs relying on libpam-modules to
> authenticate a user in an LDAP environment may fail. "kcheckpass" is an
> example of such a program.

I don't agree that this is a PAM bug.  The behavior of pam_unix is
well-established, and is inherited from the 'shadow' suite which did the
same thing for years before it.  A '*' in the password field (I guess you
mean passwd->pw_passwd, not spwd->sp_pwdp, since this code doesn't handle
the latter) means that the account has no valid password; if that's not what
libnss-ldap means to communicate, then it should not use this value for the
password field.

So I'm reassigning this bug report to libnss-ldap; if this bug is still
present in the current version (sorry Rick, I haven't checked), then it
should be fixed there.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to