Re: Change password as root
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: Change password as root
- Date: Thu, 27 May 2010 20:35:04 +0200
On Thu, 2010-05-27 at 12:45 +0100, Mark Olliver wrote:
> I have switched to this ldap module to work around the ssl issue in
> ubuntu with the standard libnss-ldap module. However how can I allow
> root (or another user via sudo) to change another user's password
> without prompting for the user's ldap password.
Currently, that isn't supported. The nslcd daemon must receive a
complete request, including credentials, for password modification.
Requests to nslcd are otherwise unauthenticated and any user on the
system may make these requests so the daemon should be extra careful not
to perform any action that modifies anything without proper
authentication.
For some requests nslcd checks if the caller is the root user, but I'm
not 100% sure that is sufficient for password modification
because /usr/bin/passwd is commonly suid root (and all requests would be
made as root). There could be some corner case where nslcd may think
that it should modify a user's password as admin when in fact it
shouldn't. Also, detecting the user id of the caller is currently not
very portable (does not work on all operating systems).
This issue needs some more investigation and thinking through all corner
cases before implementing because it has security implications. Tested
patches for this are welcome though.
> Also do I need to run nscd as it has been seen to be very unstable, we
> had been working around this with unscd but ideally I would like to
> not use either.
>
Running nscd is not required but doing caching is recommended for larger
networks to ensure your LDAP servers aren't overloaded with repeated
requests. I haven't seen stability issues with nscd myself for some
time now.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
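The corner case described above (a setuid-root passwd making every request look like root) can be seen directly by reading peer credentials on a Unix-domain socket. The following is an added example, not nss-pam-ldapd code and not part of the message: it uses Linux's SO_PEERCRED (the non-portable mechanism alluded to) to fetch the caller's effective uid, and shows why "caller is uid 0" alone cannot distinguish an administrator resetting another account from an ordinary user running a setuid-root client. The function names (peer_euid, caller_looks_like_root, demo_self_peer_euid) are this example's own.

```c
/* Added example (not part of the nss-pam-ldapd message or code base):
 * how a daemon on a Unix-domain socket can learn the caller's identity
 * with SO_PEERCRED on Linux, and why that is not enough to decide
 * "root may reset another user's password without the old one".
 * Function names are this example's own. */
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>
#include <stdio.h>

/* Return the effective uid of the process on the other end of a connected
 * AF_UNIX socket, or (uid_t)-1 on error. Linux-specific: SO_PEERCRED does not
 * exist on every OS, which is the portability problem the message points at. */
uid_t peer_euid(int fd)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return (uid_t)-1;
    /* This is the peer's euid at connect() time. A setuid-root client
     * such as /usr/bin/passwd therefore reports 0, whoever typed the command. */
    return cred.uid;
}

/* The tempting daemon-side rule: "caller is root, so allow an administrative
 * password change without asking for the old password". Returns 1 when the
 * peer's euid is 0. Because a setuid-root passwd looks identical to a real
 * root session, this check alone cannot tell "admin resets user X" apart
 * from "user X runs passwd", which is why the request must carry its own
 * credentials instead. */
int caller_looks_like_root(int fd)
{
    uid_t u = peer_euid(fd);
    return u != (uid_t)-1 && u == 0;
}

/* Self-test helper: with a socketpair we are our own peer, so the credential
 * the "daemon" end reads must equal our own geteuid(). */
uid_t demo_self_peer_euid(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return (uid_t)-1;
    uid_t u = peer_euid(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return u;
}

int main(void)
{
    uid_t u = demo_self_peer_euid();
    printf("peer euid seen by daemon side: %u (our geteuid(): %u)\n",
           (unsigned)u, (unsigned)geteuid());
    printf("euid-0 check would pass: %s\n",
           u == 0 ? "yes (but admin or setuid client?)" : "no");
    return 0;
}
```

Run it as an ordinary user and the daemon side sees that user's uid; run it via any setuid-root wrapper and it sees 0, with no way to recover who actually invoked it. That is the ambiguity the message describes, and the reason a password-change request to nslcd has to carry its own authentication rather than rely on the caller's uid.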