"passwd" by root for user fails with sssd,pam, ldap
Stephen Gallagher
sgallagh at redhat.com
Mon Jul 22 16:38:57 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/20/2013 08:43 AM, Augustin Wolf wrote:
> On 20 July 2013 10:52, William Brown <william at firstyear.id.au>
> wrote:
>>> For now, LDAP ACL was "turned off" - every user has manage
>>> permission,
>> Each user will have permission on their own ldap object they bind
>> to, to change their passwords. Root may not be able to bind to
>> ldap, or roots object doesn't have the acl to modify the password
>> attr on the user's object.
> It is not entirely true. With ACL as above, or commonly used ACL:
> to userPassword by self write by * auth it is true, but users tend
> to forgot their passwords, and You don't have to give them write
> permission to yserPassword attribute. Now there need to be some
> other way for administrator to reset users passwords. Command
> "passwd" is most common, and doesn't require admin to remember user
> DN.
>> What ldap server are you using? You may consider contacting thier
>> mailing lists for help. [root at ldap ~]# cat
>> /etc/openldap/ldap.conf |grep -ve "^#"|grep -ve "^$"
>>> Configs, logs, etc are in here: http://fpaste.org/26708/
> it is openldap. thanks, I will.
>> Sincerely, William
> Thanks for reply
>
This is intentional behavior. SSSD is designed not to allow root on
the local system to change the passwords of the centrally-managed
users. The reason for this is that we would have to store credentials
for an LDAP administrator on the system somewhere in plaintext, which
would mean that a rogue admin or attacker could easily gain access to
an administrator account.
If you need to admin reset an LDAP user's password, it's much wiser to
use ldappasswd instead, because this will force you to present admin
credentials (of course, if you're storing the password in
/etc/openldap/ldap.conf, you're vulnerable to the same local attack
compromising your infrastructure).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlHtYCEACgkQeiVVYja6o6MPcQCdHPy9NS0McpuqAcskUsDLdBQ7
YicAn2jjVucoZja2DhJ+1YWyIXb8JiRc
=Rvz7
-----END PGP SIGNATURE-----
More information about the users
mailing list