From Bugzilla Helper: User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.4.9-12 i686) Description of problem: This is a bad interaction between several components. The "passwd" program calls pam_chauthtok(). On PAM_PRELIM_CHECK, pam_cracklib's pam_sm_chauthtok() does (essentially) nothing. Then pam_ldap's pam_sm_chauthtok() gets the old password and stores it in PADL_LDAP_AUTHTOK_DATA with pam_set_data() (but not in PAM_OLDAUTHTOK with pam_set_item()). Now pam_cracklib gets control again for the update, but it's looking for the old password in PAM_OLDAUTHTOK with pam_get_item() and can't find it. This disables certain checks such as simple(). Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Define an LDAP account. 2. As the LDAP user, change its password. 3. Enter 'qwerty' at the 'New UNIX password:' prompt. Actual Results: Retype new UNIX password: Expected Results: BAD PASSWORD: is too simple Additional info: pam_ldap.h:#define PADL_LDAP_OLDAUTHTOK_DATA "PADL-LDAP-OLDAUTHTOK-DATA" pam_modules.h:#define PAM_OLDAUTHTOK 7 /* The old authentication token */ This could be fixed by setting the PAM_OLDAUTHTOK item in pam_ldap or by changing pam_cracklib to retrieve a current password and save it in PAM_OLDAUTHTOK when not running as root.
Created attachment 40968 [details] patch to set PAM_OLDAUTHTOK item during prelim check
The patch I attached includes my fix for bug #56201.