From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
When not using LDAP, root can set/reset a user's password without having to know the existing password. It will skip the prompt for the old password. If you use LDAP for accounts and authentication, you get a prompt which states, "Enter login(LDAP) password:" in which it is basically asking for the existing password. It requires knowledge of the existing password. If you actually know the password and then enter it, it will allow you to change the password. If you try to <enter> past it, use a fake password, or even the root password, you won't be able to set the user's password. The passwd program functions normally under other circumstances, i.e., a user can change their own password.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Use authconfig and choose to authenticate to an LDAP server which has accounts.
2. Sign in as root.
3. Run 'passwd USERNAME'.

Actual Results:
You will get the following text:

    Changing password for user USERNAME.
    Enter login(LDAP) password:

in which you must provide the actual existing password.

Expected Results:
I would expect the following sequence:

    Changing password for user USERNAME.
    New password:
    Retype new password:
    LDAP password information changed for USERNAME
    passwd: all authentication tokens updated successfully.

Additional info:

No, this is by design. You can have one LDAP server providing authentication to many client machines with different people as roots on these machines. You don't want to allow root on the client machine to change just any password on the LDAP server. To change passwords on the LDAP server without knowing the old one, you have to have admin access to the LDAP server.