RSS feed

Re: Support for pam_ldap configuration

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Support for pam_ldap configuration

On Mon, 2012-07-09 at 18:22 -0700, Ted Cheng wrote:
> Not sure why we would need "nopasswd", "userpasswd", and "rootpasswd"
> config.
> The kind of (old) password required for changing password depends on
> client-side (who initiates the password change) and on server-side
> (admin/pwdmgr dn & admin/pwdmgr pwd) configurations, not just
> server-side configuration:

The problem is that only the server side can decide whether the change
is allowed. You cannot leave this up to the client side because any
process on the system can make nslcd requests (also unprivileged ones).

If running as root changing someone else's password, the current PAM
module tries to authenticate with an empty username and password first
(to see whether both rootpwmoddn and rootpwmodpw are set), then prompt
for the administrator password and try with an empty username and the
supplied password. In normal cases the user's old password is prompted
for. This is a bit of a hack in the authentication call.

Another option would be to query the server for the rootpwmoddn and
rootpwmodpw options but that would unnecessarily expose information to a
process that doesn't really need this information.

> If an end-user changes another user's password, the target user's
> password should be queried. So far, this option does not seem to be 
> supported, e.g.,
>    testuser1$  passwd testuser2
>    passwd: You may not view or modify password information for testuser2

The current nss-pam-ldapd PAM module should prompt for the administrator
password but this isn't supported in the passwd command.

> The ppolicy configuration should probably be supported/tested as well.

Can you provide some info for that? How should that work? I thought this
was only used when doing authentication and was used to provide the
authorisation part in the authentication response.


-- arthur - - --
To unsubscribe send an email to or see