Red Hat Bugzilla – Bug 56201
Password changing fails with message 'Strong authentication required.'
Last modified: 2008-05-01 11:38:01 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (Windows NT 5.0; U)
Description of problem:
Changing an expired password fails:
[jpdalbec@mail01 nss_ldap-172]$ su ...
You are required to change your password immediately (password aged)
You are required to change your LDAP password immediately.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Strong authentication required
su: incorrect password
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.Install RH 7.1, upgrade bash, filesystem, setup, nss_ldap, db3, openssl, openldap, cyrus-sasl, readline, reiserfsprogs to 7.2.
2.Try to change password of LDAP account.
Actual Results: Password change fails.
Expected Results: All authentication tokens updated successfully.
It looks like pam_ldap is trying to perform the password change extended
operation while bound anonymously. At line 2301 of pam_ldap.c do you really
want to be checking the EUID? At line 1059 (and 2755) you only bind as the
rootdn if the real UID is 0.
Yes, I have the correct password in /etc/ldap.secret.
Password changing as root works. I will try changing geteuid() to getuid() and see whether that works. I don't understand the comment in that
section of the code. What configurations will allow bypassing password controls? Do you recommend not allowing users to change passwords
without binding as a special dn (not themselves)? Should I check that UID!=0 and EUID==0?
Created attachment 37603 [details]
This patch allows users to change passwords again.
Created attachment 37605 [details]
Revised - shadowLastChange wasn't updating
Changing geteuid to getuid allowed password changing (bound as user), but the
shadowLastChange field wasn't being updated because I didn't put that in my
ACL. I knew this used to work, so instead I tried changing getuid to geteuid in
the section that reads the rootbindpw. This seems to work, but am I creating a