Re: (ITS#8080) nssov allows users to change anyone's password
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8080) nssov allows users to change anyone's password
- From: email@example.com
- Date: Mon, 16 Mar 2015 17:44:50 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Thanks for the report.
> I also noticed that pwmod always bails out if no pwdmgr dn is configured, even
> if it shouldn't be needed (i.e. user changing own password).
> The following patches solve these problems by requiring the old password to be
> supplied unless working as pwdmgr; by only allowing root to authc or pwmod as
> pwdmgr (adapted from nss-pam-ldapd); and by silently skipping the pwdmgr check
> if it's not configured.
I think this patch is a bit off; it prevents root from supplying the old pwd. (Which it must do if changing its own.)
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/