223947 - Enhance bugzilla to use PAM authentication

Status: RESOLVED DUPLICATE of bug 208540

(Bugzilla :: User Accounts, enhancement, P3)

Description

[Alek Kowalczyk]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; PL; rv:1.5) Gecko/20030916
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; PL; rv:1.5) Gecko/20030916

Bugzilla 2.17.4 works great with LDAP module, but it requires the user have set
unix password. This is not always true - for instance in my company's network
user has only samba password set in LDAP database and authentication is made via
this password (not convertible nor compatible with unix one).

So Bugzilla::Auth::LDAP cannot authenticate such users, because they
do not have 'real' unix passwords in unixPassword LDAP field.

Reproducible: Always

Steps to Reproduce:
1. Configure Bugzilla, LDAP, Samba3 etc and import user accounts to LDAP
database from some other windows domain controller, set mail addresses etc.
2. Configure linux PAM to use samba passwords for authentication (one click in
RedHat 9)
3. Try to login to bugzilla

Actual Results:  
When user has only samba password (sambaNTPassword, sambaLMPassword fields in
LDAP)- authentication failed

When user has also unix password (unixPassword field) set - authentication granted

Expected Results:  
Access granted in both cases.

Here is quick&dirty workaround for 2.17.4 (I have posted it also on
netscape.public.mozilla.webtools newsgroup):

1) install Authen::PAM module
perl -MCPAN -e 'install Authen::PAM'

2) edit file <bugzilla-path>/Bugzilla/Auth/LDAP.pm :

2a) somewhere on top of file add use clause:
use Authen::PAM qw(:constants);

2b) comment out following lines:
# $mesg = $LDAPconn->bind( $userDN, password => $passwd);
# return (AUTH_LOGINFAILED) if $mesg->code;

2c) in the same place add following lines:

# PAM Password Authentication - by AlekK
sub ldap_pam_authfunc {
  my @res;
  while ( @_ ) {
    my $code = shift;
    my $msg = shift;
    my $ans = "";
    $ans = $username if ($code == PAM_PROMPT_ECHO_ON() );
    $ans = $passwd if ($code == PAM_PROMPT_ECHO_OFF() );
    push @res, (PAM_SUCCESS(), $ans);
  }
  push @res, PAM_SUCCESS();
  return @res;
}
my $pamh = new Authen::PAM("passwd", $username, \&ldap_pam_authfunc);
my $flags;
my $res;
ref($pamh) || die "Error code $pamh during PAM init!";
$res = $pamh->pam_authenticate($flags);
return (AUTH_LOGINFAILED) unless $res == PAM_SUCCESS();
#end of PAM password authentication

Comment 1

[Dave Miller [:justdave]]

As far as actually getting put into the Bugzilla distribution, it might be more
appropriate to have just a standalone PAM authenticator rather than a
combination LDAP+PAM.  The combination system would be kind of a special-case.

Comment 2

[Dave Miller [:justdave]]

I've talked about doing PAM auth many times in the past, but we apparently never
had a bug filed on it.  I guess this can become it. :)

Comment 3

[Dave Miller [:justdave]]

Martin: this would be a good place to upload your PAM auth module.

Comment 4

[Martin Y. Chiu]

Attachment: The PAM auth module for CGI login

I'd like to use bugzilla with exist user database but
    didn't find one. So I modified one from CGI.pm & Env.pm, which use
    Authen::PAM module to authenticate user. You could modify
    pam_login() for other auth method.

       With this login module, put the file in the 
    Bugzilla/Auth/Verify directory. you should modified your params
    'user_verify_class' to 'PAM,DB' with fallback to DB auth
    or use 'PAM' only, and 'emailsuffix' to '@your-email.host'.

       This file will use extern_id column in the profiles tables. 
    You can easily modified it to meet other private auth method.

Comment 5

[Vlad Dascalu]

Comment on attachment 206636 [details]
The PAM auth module for CGI login

    my $matched_userid    = '';
    my $matched_extern_id = '';

Here and in the rest of the places, I prefer row alignment over vertical alignment, because the row relationship is more important compared to the vertical one. Plus it's easy maintainance.

=head1 NAME

Bugzilla::Auth::Verify::PAM - another authentication for Bugzilla

The documentation is really lacking. Maybe a sentence or two about what PAM is, taken maybe from http://aplawrence.com/Basics/understandingpam.html .

    trick_taint($username);

We'll need a comment for this trick_taint in order to explain why it's safe (probably because we're using $username afterwards in placeholders only).

All these can be checkinable upon commit.

Comment 6

[Myk Melez [:myk] [@mykmelez]]

Max's Auth module work may need to incorporate this checkin.

Comment 7

[Max Kanat-Alexander]

(In reply to comment #6)
> Max's Auth module work may need to incorporate this checkin.

  Oh, darn. Yes, it will. I was hoping that there wouldn't be major changes like this while I was doing rearchitecture, but I suppose this is a valuable feature.

Comment 8

[Frédéric Buclin]

Comment on attachment 206636 [details]
The PAM auth module for CGI login

>    $sth = $dbh->prepare("SELECT userid, disabledtext " .
>        "FROM profiles WHERE extern_id=?");
>    $sth->execute($username);
>
>    my $fetched = $sth->fetch;
>    if ($fetched) {
>        $matched_userid = $fetched->[0];
>        $disabledtext   = $fetched->[1];
>    }

Write: my ($matched_userid, $disabledtext) = $dbh->selectrow_array("SELECT ...", undef, $username) instead. Moreover, please keep one whitespace around '=' in the SQL query.


>        $sth = $dbh->prepare("SELECT extern_id, userid, disabledtext " .
>            "FROM profiles WHERE " .
>            $dbh->sql_istrcmp('login_name', '?'));
>        $sth->execute($login_name);
>
>        $sth->execute();
>        my $fetched = $sth->fetch();
>        if ($fetched) {
>            ($matched_extern_id, $matched_userid, $disabledtext) = @{$fetched};
>        }

Same remark here.


>                $sth = $dbh->prepare("UPDATE profiles " .
>                    "SET extern_id=? WHERE userid=?");
>                $sth->execute($username, $matched_userid);

Write: $dbh->do("UPDATE ...", undef, $matched_userid);


>            # Need to create a new user with that pam login.  Note
>            # that cryptpassword has been filled in with '*', since the
>            # user has no DB password.
>            $sth = $dbh->prepare("INSERT INTO profiles ( " .
>                "login_name, cryptpassword, " .
>                "disabledtext, extern_id" .
>                ") VALUES ( ?, ?, '', ?)");
>            $sth->execute($login_name, '*', $username);
>            $matched_userid = $dbh->bz_last_key('profiles', 'userid');

Here is the reason of my r-: email settings are not set correctly. Look at how Bugzilla/Auth/Login/WWW/Env.pm works.

Comment 9

[Frédéric Buclin]

This bug is retargetted to Bugzilla 3.2 for one of the following reasons:

- it has no assignee (except the default one)
- we don't expect someone to fix it in the next two weeks (i.e. before we freeze the trunk to prepare Bugzilla 3.0 RC1)
- it's not a blocker

If you are working on this bug and you think you will be able to submit a patch in the next two weeks, retarget this bug to 3.0.

If this bug is something you would like to see implemented in 3.0 but you are not a developer or you don't think you will be able to fix this bug yourself in the next two weeks, please *do not* retarget this bug.

If you think this bug should absolutely be fixed before we release 3.0, either ask on IRC or use the "blocking3.0 flag".