ldap auth with nss_ldap on FC4
uno at webworks.se
Mon Jun 27 16:03:31 UTC 2005
Gordon Messmer wrote:
> Uno Engborg wrote:
>> Gordon Messmer wrote:
>>> You normally don't need it, so I'd suggest that you use the included
>>> config tools to set up a working client configuration, and then
>>> decide whether or not you have a need for that option.
>> If you do that, the passwd command will not work, at least not for root.
> I did that, and I can change any user's password as root, including
> the root user.
>> If I do "passwd uengborg" as root I get:
>> Enter login(LDAP) password:
>> New UNIX password:
>> Retype Unix password:
>> LDAP password information update failed: Can't contact LDAP server
>> passwd: Permission denied
> [root at herald ~]# passwd gordon
> Changing password for user gordon.
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information changed for gordon
> passwd: all authentication tokens updated successfully.
Isn't the rootbinddn in /etc/ldap.conf supposed to make it possible for the
root unix user to bind with a privileged ldap dn that is given the rights
in the LDAP database, either by being the ldap database manager user, or by ACL?
If you can change the password of any user as root, without specifying
a rootbinddn, that smells like you may have a security problem to me. Or
does your system-config-authentication actually configure your
rootbinddn and set up an ldap.secret file?
I was under the impression that users bind as themselves when they
change passwords. Isn't that why we need a self write for the
userPassword entry in the LDAP ACLs? If you can change
passwords as root, that would imply that pam always connects to LDAP
with LDAP manager permissions. Or perhaps I'm missing something.
I think the problems I am having may be related to bug 161437
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161437>, which is a
problem with newlines.
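The rootbinddn / ldap.secret pairing the message is asking about can be checked mechanically. The script below is an added example, not code from the original thread or from nss_ldap: it writes the bind password for rootbinddn to a secret file with mode 0600 and then verifies that an ldap.conf names a rootbinddn and that the secret file exists, is non-empty, is owned by the expected user and has the right mode. The file paths are arguments rather than the FC4 defaults (/etc/ldap.conf and /etc/ldap.secret) so it can run against constructed copies without root; the sample config lines and the owner argument are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from nss_ldap/pam_ldap.
# Checks the rootbinddn + ldap.secret setup needed for "passwd <user>" as
# root to bind with a privileged DN instead of as the user.

# Write the rootbinddn bind password to the secret file as a single line,
# terminated by one newline, created with mode 0600 (umask in a subshell so
# the caller's umask is untouched).
write_secret() {
    secret="$1"; password="$2"
    ( umask 077; printf '%s\n' "$password" > "$secret" ) || return 1
    chmod 0600 "$secret"
}

# check_rootbind CONF SECRET [OWNER]
# Returns 0 when CONF has a non-empty rootbinddn and SECRET is a non-empty
# file owned by OWNER (default root) with mode 0600; returns 1 otherwise
# and says why on stderr.
check_rootbind() {
    conf="$1"; secret="$2"; owner="${3:-root}"

    # Without rootbinddn, pam_ldap/nss_ldap has no privileged DN to bind
    # with when root runs passwd for another user.
    dn=$(sed -n 's/^[[:space:]]*rootbinddn[[:space:]][[:space:]]*//p' "$conf" 2>/dev/null | head -n 1)
    if [ -z "$dn" ]; then
        echo "$conf: no rootbinddn set" >&2
        return 1
    fi

    # The secret file must exist and contain something.
    if [ ! -s "$secret" ]; then
        echo "$secret: missing or empty" >&2
        return 1
    fi

    # Parse "ls -ld" output: field 1 is the mode string, field 3 the owner.
    # Only the first 10 characters of the mode are compared, since SELinux
    # or ACL-enabled systems append a "." or "+" marker.
    set -- $(ls -ld "$secret")
    mode=$(printf '%s' "$1" | cut -c1-10)
    fowner="$3"
    if [ "$mode" != "-rw-------" ]; then
        echo "$secret: mode is $mode, want -rw------- (0600)" >&2
        return 1
    fi
    if [ "$fowner" != "$owner" ]; then
        echo "$secret: owned by $fowner, want $owner" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo on constructed files in a temporary directory.
demo() {
    t=$(mktemp -d) || return 1
    printf 'base dc=example,dc=com\nrootbinddn cn=manager,dc=example,dc=com\n' > "$t/good.conf"
    printf 'base dc=example,dc=com\n' > "$t/bad.conf"
    write_secret "$t/ldap.secret" 'constructed-bind-password'
    me=$(id -un)
    check_rootbind "$t/good.conf" "$t/ldap.secret" "$me" && echo "good.conf: ok"
    check_rootbind "$t/bad.conf"  "$t/ldap.secret" "$me" || echo "bad.conf: rejected (expected)"
    chmod 0644 "$t/ldap.secret"
    check_rootbind "$t/good.conf" "$t/ldap.secret" "$me" || echo "world-readable secret: rejected (expected)"
    rm -rf "$t"
}

[ "${1:-}" = "--demo" ] && demo
```

Run with `--demo` to see the three cases. The check only covers the client side; on the server the DN named by rootbinddn still needs write access to userPassword, and ordinary users need self write for it, which in slapd.conf for that era looks like `access to attrs=userPassword by dn="cn=manager,dc=example,dc=com" write by self write by anonymous auth by * none` (the DN here is an assumed example).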