Bug 79198

Summary: root can't set a user's password when using LDAP
Product: [Retired] Red Hat Linux
Reporter: J. Lucha <jim>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: Jay Turner <jturner>
Severity: medium
Priority: medium
Version: 8.0
CC: j, srevivo
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2004-10-27 08:25:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description J. Lucha 2002-12-06 23:56:36 UTC

Description of problem:
When not using LDAP, root can set/reset a user's password without having to know
the existing password.  It will skip the prompt for the old password.

If you use LDAP for accounts and authentication you get a prompt which states,
"Enter login(LDAP) password:" in which it is basically asking for the existing
password.  It requires knowledge of the existing password.  If you actually know
the password and then enter it, it will allow you to change the password.  If
you try to <enter> past it, use a fake password, or even the root password, you
won't be able to set the user's password.

The passwd program functions normally under other circumstances.  I.e., a user can
change their own password.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Use authconfig and choose to authenticate to an LDAP server which has accounts.
2. Sign in as root.
3. Run 'passwd USERNAME'.

Actual Results:  You will get the following text:
"Changing password for user USERNAME.
Enter login(LDAP) password:"

In which you must provide the actual existing password.

Expected Results:  I would expect the following sequence:
"Changing password for user USERNAME.
New password:
Retype new password:
LDAP password information changed for USERNAME
passwd: all authentication tokens updated successfully."

Additional info:

Comment 1 Tomas Mraz 2004-10-27 08:25:57 UTC
No, this is by design.
You can have one LDAP server providing authentication to many client
machines with different people as root on these machines. You don't
want to allow root on a client machine to change just any password
on the LDAP server. To change passwords on the LDAP server without knowing
the old one, you have to have admin access to the LDAP server.
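The maintainer's answer is that a password reset without the old password must be done with directory-administrator credentials rather than with local root. The script below is an added example, not part of the bug report or of Red Hat's pam_ldap code: it performs that administrative reset from a client with OpenLDAP's `ldappasswd` tool (which sends the Password Modify extended operation, so the bind DN's write access to `userPassword` on the target entry is what the server checks, not the client's root privilege). The server URI, administrator DN and people base DN are assumed values.

```shell
#!/bin/sh
# Added example, not from the bug report. Resets an LDAP user's password
# from a client by binding as the directory administrator instead of as the
# user, so the old password is not needed. LDAP_URI, ADMIN_DN and BASE_DN
# are assumed values; substitute your own.
set -eu

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"      # assumption
ADMIN_DN="${ADMIN_DN:-cn=Manager,dc=example,dc=com}" # assumption
BASE_DN="${BASE_DN:-ou=People,dc=example,dc=com}"    # assumption

# Build the entry DN for a POSIX account stored under BASE_DN.
# Rejects names containing characters that would need RFC 4514 escaping,
# so a malformed username cannot alter the DN that gets modified.
user_dn() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf 'uid=%s,%s\n' "$1" "$2"
}

# Assemble the ldappasswd invocation as a string for inspection.
# -x: simple bind, -H: server URI, -D: bind as the admin DN,
# -W: prompt for the admin bind password, -S: prompt for the new user
# password. The bind DN must have write access to userPassword on the
# target entry in the server's ACLs; local root means nothing here.
ldappasswd_cmd() {
    dn=$(user_dn "$1" "$BASE_DN") || return 1
    printf 'ldappasswd -x -H %s -D %s -W -S %s\n' "$LDAP_URI" "$ADMIN_DN" "$dn"
}

# Run the reset for one username (prompts for both passwords on the tty).
reset_ldap_password() {
    dn=$(user_dn "$1" "$BASE_DN") || { echo "bad username: $1" >&2; return 1; }
    ldappasswd -x -H "$LDAP_URI" -D "$ADMIN_DN" -W -S "$dn"
}

# Only contact the server when a username is given on the command line,
# so the functions above can be sourced or tested without an LDAP server.
if [ "$#" -gt 0 ]; then
    reset_ldap_password "$1"
fi
```

Usage: `ADMIN_DN='cn=Manager,dc=example,dc=com' sh reset.sh alice`. The admin password stays out of the command line (`-W` prompts for it) so it does not appear in process listings or shell history, and the server's access-control rules, not the caller's local UID, decide whether the modify succeeds.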