Bug 79198 - root can't set user's password when using LDAP
Summary: root can't set user's password when using LDAP
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 8.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
Depends On:
Reported: 2002-12-06 23:56 UTC by J. Lucha
Modified: 2015-01-08 00:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2004-10-27 08:25:57 UTC


Description J. Lucha 2002-12-06 23:56:36 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
When not using LDAP, root can set/reset a user's password without having to know
the existing password.  It will skip the prompt for the old password.

If you use LDAP for accounts and authentication you get a prompt which states
"Enter login(LDAP) password:", in which it is basically asking for the existing
password.  It requires knowledge of the existing password.  If you actually know
the password and then enter it, it will allow you to change the password.  If
you try to <enter> past it, use a fake password, or even the root password, you
won't be able to set the user's password.

The passwd program functions normally under other circumstances, i.e., a user can
change their own password.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Use authconfig and choose to authenticate to an LDAP server which has accounts.
2. Sign in as root.
3. Run 'passwd USERNAME'.

Actual Results:  You will get the following text:
"Changing password for user USERNAME.
Enter login(LDAP) password:"

In which you must provide the actual existing password.

Expected Results:  I would expect the following sequence:
"Changing password for user USERNAME.
New password:
Retype new password:
LDAP password information changed for USERNAME
passwd: all authentication tokens updated successfully."

Additional info:

Comment 1 Tomas Mraz 2004-10-27 08:25:57 UTC
No, this is by design.
You can have one LDAP server providing authentication to many client
machines with different people as roots on these machines. You don't
want to allow root on the client machine to change just any password
on the LDAP server. To change passwords on the LDAP server without knowing
the old one you have to have admin access to the LDAP server.
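As an added illustration, not part of the original report or the reply: the client-side way to give root the "admin access to the LDAP server" the reply refers to is the rootbinddn setting of the PADL pam_ldap used in this release. When the calling process runs as uid 0, pam_ldap binds with that DN and the secret stored in /etc/ldap.secret instead of the user's own credentials, so `passwd USERNAME` no longer asks for the old password. The server name and DNs below are placeholders.

```conf
# /etc/ldap.conf (pam_ldap / nss_ldap) -- added example with placeholder values
host ldap.example.com            # placeholder directory server
base dc=example,dc=com           # placeholder search base
ssl start_tls                    # keep the bind and the new password off the wire in clear

# DN that pam_ldap binds as when the effective UID is 0 (root).
# Its bind password is read from /etc/ldap.secret; that file must be
# owned by root with mode 0600, because it is a directory credential.
rootbinddn cn=manager,dc=example,dc=com   # placeholder admin DN

# Change passwords with the Password Modify extended operation rather
# than by rewriting userPassword directly.
pam_password exop
```

This puts a directory credential on every client that carries it, which is exactly the exposure the reply warns about; configure it only on hosts that must perform administrative resets, and limit that DN's write access on the server to the userPassword attribute of the accounts it should manage.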
