rootpwmoddn/rootpwmodpw testing

Hi Arthur,

I was trying out the rootpwmoddn/rootpwmodpw implementation in r1316 and ran 
into two issues that prevented it from working as intended. The first was that 
nslcd_pam_authc() in nslcd/pam.c would always write a failure code for 
authc/authz in its response even if try_bind() succeeded. The fix for that is 
easy:

Index: nslcd/pam.c
===================================================================
--- nslcd/pam.c (revision 1316)
+++ nslcd/pam.c (working copy)
@@ -187,8 +187,8 @@
   /* map result code */
   switch(rc)
   {
-    case LDAP_SUCCESS:             rc=NSLCD_PAM_SUCCESS;
-    case LDAP_INVALID_CREDENTIALS: rc=NSLCD_PAM_AUTH_ERR;
+    case LDAP_SUCCESS:             rc=NSLCD_PAM_SUCCESS; break;
+    case LDAP_INVALID_CREDENTIALS: rc=NSLCD_PAM_AUTH_ERR; break;
     default:                       rc=NSLCD_PAM_AUTH_ERR;
   }
   /* write response */
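Review bot: the `default` arm at the end of the switch still has no `break;`, so the two `case` arms now end in `break;` while the third does not; adding `default: rc=NSLCD_PAM_AUTH_ERR; break;` keeps the three arms uniform and means a future arm appended after `default` cannot reintroduce the fall-through that made LDAP_SUCCESS come out as NSLCD_PAM_AUTH_ERR. Otherwise the hunk is correct: without the breaks, `case LDAP_SUCCESS` fell through `case LDAP_INVALID_CREDENTIALS` into `default`, overwriting the success code.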


The other issue is that, because try_bind() uses lookup_dn2uid(), the LDAP 
admin entry has to belong to the posixAccount object class or lookup_dn2uid() 
will return null (since there is no uid) and try_bind() will fail. My admin 
entry didn't use posixAccount, and I suspect many others' won't either. The 
workaround is easy: just add and populate posixAccount for admin. But that's 
not really desirable since it creates an unnecessary Unix account. The better 
solution is probably to add some logic to try_bind() that, when lookup_dn2uid() 
returns null but rc == LDAP_SUCCESS, tests for this case before returning 
failure.

Using the above patch and the workaround does allow rootpwmoddn/rootpwmodpw to 
function.

Tad
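The two issues in the post, shown side by side as an added example that is not part of the original mail or of nslcd: `map_rc_before()` reproduces the result mapping as it read in r1316 (no `break`, so every arm falls through to the default and a successful bind is reported as an authentication error), `map_rc_after()` applies the patched mapping, and `authc_decision()` sketches the kind of check the post suggests for an admin DN with no posixAccount. The constants' numeric values, the `authc_decision()` signature and its `dn_is_rootpwmoddn` flag are constructed assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the LDAP and nslcd result codes used below.
   The numeric values are illustrative only, not the library definitions. */
enum { LDAP_SUCCESS = 0, LDAP_INVALID_CREDENTIALS = 49, LDAP_OTHER = 80 };
enum { NSLCD_PAM_SUCCESS = 0, NSLCD_PAM_AUTH_ERR = 7 };

/* Result mapping as it read in r1316: with no break statements every arm
   falls through to the default, so LDAP_SUCCESS still ends up as AUTH_ERR. */
int map_rc_before(int rc)
{
  switch (rc)
  {
    case LDAP_SUCCESS:             rc = NSLCD_PAM_SUCCESS;  /* falls through */
    case LDAP_INVALID_CREDENTIALS: rc = NSLCD_PAM_AUTH_ERR; /* falls through */
    default:                       rc = NSLCD_PAM_AUTH_ERR;
  }
  return rc;
}

/* The same mapping with the break statements from the patch in the mail. */
int map_rc_after(int rc)
{
  switch (rc)
  {
    case LDAP_SUCCESS:             rc = NSLCD_PAM_SUCCESS;  break;
    case LDAP_INVALID_CREDENTIALS: rc = NSLCD_PAM_AUTH_ERR; break;
    default:                       rc = NSLCD_PAM_AUTH_ERR; break;
  }
  return rc;
}

/* Hypothetical decision for the second issue (an assumption about how the
   suggested try_bind() logic could look, not nslcd code): a NULL uid from
   lookup_dn2uid() means the bound DN is not a posixAccount; that is only a
   failure when the DN is not the configured rootpwmoddn. */
int authc_decision(int bind_rc, const char *uid, int dn_is_rootpwmoddn)
{
  if (bind_rc != LDAP_SUCCESS)
    return map_rc_after(bind_rc);        /* bind itself failed */
  if (uid == NULL && !dn_is_rootpwmoddn)
    return NSLCD_PAM_AUTH_ERR;           /* bound, but no Unix account behind it */
  return NSLCD_PAM_SUCCESS;
}

int main(void)
{
  printf("LDAP_SUCCESS mapped before fix: %d, after fix: %d\n",
         map_rc_before(LDAP_SUCCESS), map_rc_after(LDAP_SUCCESS));
  printf("rootpwmoddn without posixAccount: %d\n",
         authc_decision(LDAP_SUCCESS, NULL, 1));
  printf("ordinary DN without posixAccount: %d\n",
         authc_decision(LDAP_SUCCESS, NULL, 0));
  return 0;
}
```

Running it shows the before/after difference for a successful bind directly: the unpatched mapping reports the error code, the patched one reports success, and the admin DN is accepted without a posixAccount entry only when it is the configured rootpwmoddn.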