On Thursday 11 December 2008 23:38, Orion Poplawski wrote:
I'm used to being able to change users' passwords as root using the
"passwd" command on my main server (this was with NIS and the master
shadow file kept on the server). Now with FDS, I get:
# passwd orion
Changing password for user orion.
Enter login(LDAP) password:
and I must enter the password for the user "orion". This gets tricky
when the user has forgotten their password.
Is there a way to avoid this first check and allow root to force a
change of the password?
I know it's possible; here is the way my setup (etch) works. It's likely a
PAM issue.
xxxfcst2:~# passwd ryantest
New password:
Re-enter new password:
LDAP password information changed for ryantest
passwd: password updated successfully
xxxfcst2:~# grep ryantest /etc/passwd
xxxfcst2:~# getent passwd|grep ryan
ryantest:x:10058:5000:cfwx Account:/tmp/ryantest:/bin/bash
ytrfcst2:/etc/pam.d# grep -v ^# common*
common-account:account sufficient pam_ldap.so
common-account:account required pam_unix.so
common-auth:auth sufficient pam_ldap.so
common-auth:auth required pam_unix.so nullok_secure use_first_pass
common-password:
common-password:
common-password:password sufficient pam_ldap.so ignore_unknown_user
common-password:password required pam_unix.so nullok obscure min=4 max=8 md5
common-password:
common-password:
common-session:session required pam_unix.so
common-session:session optional pam_ldap.so
xxxfcst2:/etc/pam.d# grep -v ^# passwd
@include common-password
xxxfcst2:/etc/pam.d#
And lastly, pam_ldap.conf:
xxxfcst2:/etc# grep -v ^# pam_ldap.conf |strings
@(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
base dc=xxx,dc=ec,dc=gc,dc=ca
uri ldap://xxxoff.isb.ec.gc.ca
uri ldap://xxxoff0.isb.ec.gc.ca
uri ldap://xxxoff1.isb.ec.gc.ca
ldap_version 3
rootbinddn cn=directory manager
pam_check_host_attr yes
pam_password exop
ssl start_tls
tls_cacertdir /etc/ldap/cacerts