Red Hat Bugzilla – Bug 79198
root can't set a user's password when using LDAP
Last modified: 2015-01-07 19:02:08 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003
Description of problem:
When not using LDAP, root can set/reset a user's password without having to know
the existing password. It will skip the prompt for the old password.
If you use LDAP for accounts and authentication you get a prompt which states,
"Enter login(LDAP) password:" in which it is basically asking for the existing
password. It requires knowledge of the existing password. If you actually know
the password and then enter it, it will allow you to change the password. If
you try to press <Enter> past it, use a fake password, or even the root password, you
won't be able to set the user's password.
The passwd program functions normally under other circumstances, i.e., a user can
change their own password.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Use authconfig and choose to authenticate to an LDAP server which has accounts.
2. Sign in as root.
3. Run 'passwd USERNAME'.
Actual Results: You will get the following text:
"Changing password for user USERNAME.
Enter login(LDAP) password:"
at which point you must provide the actual existing password.
Expected Results: I would expect the following sequence:
"Changing password for user USERNAME.
Retype new password:
LDAP password information changed for USERNAME
passwd: all authentication tokens updated successfully."
No, this is by design.
You can have one LDAP server providing authentication to many client
machines with different people as roots on these machines. You don't
want to allow root on the client machine to change just any password
on the LDAP server. To change passwords on the LDAP server without knowing
the old one, you have to have admin access to the LDAP server.
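The reply above describes an authorization model rather than a bug: a user changes their own password by proving they know it, a directory administrator may set anyone's password, and root on a client machine has no standing in the directory at all. The following OpenLDAP slapd.conf-style access directive is an added illustration of that model; it is not from the bug report or from Red Hat, and the base DN `dc=example,dc=com`, the admin DN `cn=Manager,...` and the group `cn=passwd-admin,...` are hypothetical.

```conf
# Added illustration, not from the bug report: an OpenLDAP (slapd.conf-style)
# ACL encoding the model described in the reply. The base DN, the
# "cn=Manager" admin DN and the "cn=passwd-admin" group are hypothetical.
#
# userPassword is the attribute that passwd/pam_ldap rewrite when a
# user's password changes, so access to it decides who may change what.
access to attrs=userPassword
    # A user may change their own password. pam_ldap does this by binding
    # as the user with the old password, which is the
    # "Enter login(LDAP) password:" prompt from the report.
    by self write
    # A directory administrator (or a member of a delegated admin group)
    # may set any user's password without knowing the old one.
    by dn.exact="cn=Manager,dc=example,dc=com" write
    by group.exact="cn=passwd-admin,ou=Groups,dc=example,dc=com" write
    # Anyone may bind (authenticate) against the attribute, but not read it.
    by anonymous auth
    # Everyone else gets nothing. Root on a client machine is "everyone
    # else": being uid 0 locally gives it no identity in the directory.
    by * none

# The rest of the tree is readable by authenticated directory users only.
access to *
    by users read
    by * none
```

With an ACL like this, the administrative reset the reporter expected is done by binding as the directory administrator rather than as the user, for example with `ldappasswd -x -D "cn=Manager,dc=example,dc=com" -W -S "uid=USERNAME,ou=People,dc=example,dc=com"`, which prompts for the administrator's bind password and the new password, never for the user's old one. Keeping the `by self write` and admin entries separate is what lets many client machines, each with its own local root, share one directory without any of those roots being able to reset other people's passwords.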