Bug 79198 - root can't set users password when using LDAP
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 8.0
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Tomas Mraz
Jay Turner
Reported: 2002-12-06 18:56 EST by J. Lucha
Modified: 2015-01-07 19:02 EST
Doc Type: Bug Fix
Last Closed: 2004-10-27 04:25:57 EDT
Attachments: None
Description J. Lucha 2002-12-06 18:56:36 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
When not using LDAP, root can set/reset a user's password without having to know
the existing password.  It will skip the prompt for the old password.

If you use LDAP for accounts and authentication you get a prompt which states,
"Enter login(LDAP) password:" in which it is basically asking for the existing
password.  It requires knowledge of the existing password.  If you actually know
the password and then enter it, it will allow you to change the password.  If
you try to <enter> past it, use a fake password, or even the root password, you
won't be able to set the user's password.

The passwd program functions normally under other circumstances, i.e., a user can
change their own password.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Use authconfig and choose to authenticate to an LDAP server which has accounts.
2. Sign in as root.
3. Run 'passwd USERNAME'.

Actual Results:  You will get the following text:
"Changing password for user USERNAME.
Enter login(LDAP) password:"

In which you must provide the actual existing password.

Expected Results:  I would expect the following sequence:
"Changing password for user USERNAME.
New password:
Retype new password:
LDAP password information changed for USERNAME
passwd: all authentication tokens updated successfully."

Additional info:
Comment 1 Tomas Mraz 2004-10-27 04:25:57 EDT
No, this is by design.
You can have one LDAP server providing authentication to many client
machines with different people as roots on these machines. You don't
want to allow root on the client machine to change just any password
on the LDAP server. To change passwords on the LDAP server without knowing
the old one you have to have admin access to the LDAP server.
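The access-control layout that comment 1 describes, shown here as an added illustration that is not part of this bug report or of the pam package: an OpenLDAP slapd.conf access directive under which only the entry owner (who must have bound with the current password) and the directory administrator may write userPassword. The suffix dc=example,dc=com, the admin DN cn=admin,dc=example,dc=com and the ou=People container are assumed placeholder names.

```conf
# Added example (not from the bug report). Suffix and admin DN are
# assumed placeholders; adapt them to the real directory.
#
# slapd evaluates "access to" directives in order and stops at the first
# one whose target matches; within a directive, the first "by" clause that
# matches the requester decides the result. Keep this userPassword rule
# above the catch-all "access to *" rule, or it is never reached.
#
#   by dn.exact="cn=admin,..." write  directory admin may reset any password
#                                     without knowing the old one
#   by self write                     the entry owner, having bound with the
#                                     current password, may change it
#   by anonymous auth                 unauthenticated clients may only use the
#                                     attribute to bind (needed for login)
#   by * none                         everyone else, including root on a
#                                     client machine (which has no DN of its
#                                     own on this server), gets nothing
access to attrs=userPassword
    by dn.exact="cn=admin,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# All other attributes: the admin writes, authenticated users read.
access to *
    by dn.exact="cn=admin,dc=example,dc=com" write
    by users read
    by * none
```

With this ACL in place, a user changing their own password from a client binds as their own DN with the old password first, which is the "Enter login(LDAP) password:" prompt in the report; root on the client has no identity the server recognises, so it falls through to `by * none`. An administrator resets a password by binding as the admin DN instead, for example `ldappasswd -x -D "cn=admin,dc=example,dc=com" -W -S "uid=USERNAME,ou=People,dc=example,dc=com"`, which prompts for the admin bind password and the new user password but never for the user's old one.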
