Gordon Messmer wrote:
Strange.
Uno Engborg wrote:
Gordon Messmer wrote:
You normally don't need it, so I'd suggest that you use the included config tools to set up a working client configuration, and then decide whether or not you have a need for that option.
If you do that, the passwd command will not work, at least not for root.
I did that, and I can change any user's password as root, including the root user.
If I do "passwd uengborg" as root I get:
Enter login(LDAP) password: New UNIX password: Retype Unix password: LDAP password information update failed: Can't contact LDAP server
passwd: Permission denied
[root@herald ~]# passwd gordon Changing password for user gordon. Enter login(LDAP) password: New UNIX password: Retype new UNIX password: LDAP password information changed for gordon passwd: all authentication tokens updated successfully.
Isn't the rootbinddn in /etc/ldap.conf supposed to make it possible to map the root unix user to a privileged ldap dn that is given the rights to change anything in the LDAP database, either by being the ldap database manager user or by ACL settings?
If you can change the password of any user as root, without specifying a rootbinddn, that smells like you may have a security problem to me. Or does your system-config-authentication actually configure your rootbinddn and set up an ldap.secret file?
I was under the impression that users bind as themselves when they change passwords. Isn't that why we need a self write for the userPassword entry in the LDAP ACLs? If you can change passwords as root, that would imply that pam always connects to LDAP with LDAP manager permissions. Or perhaps I'm missing something.
I think the problems I am having may be related to bug 161437 <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161437>, which is a problem with newlines in ldap.secret.
/uno
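An added example, not part of the thread and not code from the pam_ldap/nss_ldap projects: a small POSIX shell check for the file that rootbinddn reads its bind password from (/etc/ldap.secret on the systems discussed above). It covers the trailing-newline condition referenced via bug 161437 and the owner-only file mode a root bind password should have, and shows how to write the file without a trailing newline. The function names and the temporary demo files are constructed for this example; run the checks against a copy rather than editing the live secret unattended.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the ldap.secret file
# used by the rootbinddn setting of pam_ldap/nss_ldap. Helper names are ours.

# Return 0 if the file's last byte is a newline. $(...) strips trailing
# newlines, so a file ending in "\n" yields an empty result; an empty file is
# excluded first so it is not mistaken for one ending in a newline.
secret_has_trailing_newline() {
    [ -s "$1" ] || return 1
    [ -z "$(tail -c 1 "$1")" ]
}

# Return 0 if the file is readable by its owner only (mode 600 or 400).
# GNU stat takes -c; the fallback handles BSD-style stat.
secret_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Write a bind password to a file with no trailing newline (printf '%s', not
# echo) and with a restrictive umask so the file is created as 0600.
write_ldap_secret() {
    ( umask 077; printf '%s' "$2" > "$1" )
    chmod 600 "$1"
}

# Report on one file; return 0 only if every check passes.
check_ldap_secret() {
    f=$1
    rc=0
    if secret_has_trailing_newline "$f"; then
        echo "$f: ends with a newline (the bug 161437 symptom; bind password would include it)"
        rc=1
    fi
    if ! secret_mode_ok "$f"; then
        echo "$f: mode is not owner-only (expected 600)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$f: ok"
    return "$rc"
}

# Constructed demo: two temporary files standing in for /etc/ldap.secret.
# "bad" is what `echo password > /etc/ldap.secret` produces; "good" is written
# by the helper above.
tmp=$(mktemp -d)
printf 'example-bind-password\n' > "$tmp/bad"
chmod 600 "$tmp/bad"
write_ldap_secret "$tmp/good" 'example-bind-password'
check_ldap_secret "$tmp/bad" || true
check_ldap_secret "$tmp/good"
rm -rf "$tmp"
```

The trailing-newline check matters because pam_ldap reads the whole file as the rootbinddn password; a newline appended by `echo` becomes part of the credential and the root bind fails, which is consistent with the "Can't contact LDAP server" symptom quoted earlier in the thread. The mode check matters because whoever can read ldap.secret holds the manager-level bind that rootbinddn maps root to.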