[Fedora-directory-users] Allow root to change user's passwords
Ryan Braun [ADS]
ryan.braun at ec.gc.ca
Fri Dec 12 15:01:24 UTC 2008
On Thursday 11 December 2008 23:38, Orion Poplawski wrote:
> I'm used to being able to change user's passwords as root using the
> "passwd" command on my main server (this was with NIS and the master
> shadow file kept on the server). Now with FDS, I get:
>
> # passwd orion
> Changing password for user orion.
> Enter login(LDAP) password:
>
> and I must enter the password for the user "orion". This gets tricky
> when the user has forgotten their password.
>
> Is there a way to avoid this first check and allow root to force a
> change of the password?
I know it's possible, here is the way my setup (etch) works. It's likely a
PAM issue.
xxxfcst2:~# passwd ryantest
New password:
Re-enter new password:
LDAP password information changed for ryantest
passwd: password updated successfully
xxxfcst2:~# grep ryantest /etc/passwd
xxxfcst2:~# getent passwd|grep ryan
ryantest:x:10058:5000:cfwx Account:/tmp/ryantest:/bin/bash
ytrfcst2:/etc/pam.d# grep -v ^# common*
common-account:account sufficient pam_ldap.so
common-account:account required pam_unix.so
common-auth:auth sufficient pam_ldap.so
common-auth:auth required pam_unix.so nullok_secure
use_first_pass
common-password:
common-password:
common-password:password sufficient pam_ldap.so ignore_unknown_user
common-password:password required pam_unix.so nullok obscure min=4 max=8
md5
common-password:
common-password:
common-session:session required pam_unix.so
common-session:session optional pam_ldap.so
xxxfcst2:/etc/pam.d# grep -v ^# passwd
@include common-password
xxxfcst2:/etc/pam.d#
And lastly pam_ldap.conf
xxxfcst2:/etc# grep -v ^# pam_ldap.conf |strings
@(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
base dc=xxx,dc=ec,dc=gc,dc=ca
uri ldap://xxxoff.isb.ec.gc.ca
uri ldap://xxxoff0.isb.ec.gc.ca
uri ldap://xxxoff1.isb.ec.gc.ca
ldap_version 3
rootbinddn cn=directory manager
pam_check_host_attr yes
pam_password exop
ssl start_tls
tls_cacertdir /etc/ldap/cacerts
More information about the 389-users
mailing list