Re: (ITS#8080) nssov allows users to change anyone's password
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8080) nssov allows users to change anyone's password
- From: hyc@symas.com
- Date: Mon, 16 Mar 2015 17:44:50 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Thanks for the report.
> I also noticed that pwmod always bails out if no pwdmgr dn is configured, even
> if it shouldn't be needed (i.e. user changing own password).
>
> The following patches solve these problems by requiring the old password to be
> supplied unless working as pwdmgr; by only allowing root to authc or pwmod as
> pwdmgr (adapted from nss-pam-ldapd); and by silently skipping the pwdmgr check
> if it's not configured.
>
> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch
I think this patch is a bit off; it prevents root from supplying the old pwd. (Which it must do if changing its own.)
> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-only-allow-root-to-become-pwdmgr.patch
> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-allow-user-pwmod-without-pwdmgr-configured.patch
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
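The following is an added illustration, not nssov's code or any of the patches above: a small C model of the pwmod authorization decision as the thread describes it (old password required unless acting as pwdmgr; only root may act as pwdmgr; no pwdmgr needed for an ordinary self-change), with Howard's objection folded in so that root changing its own password still supplies the old one. The struct, enum, field names and `pwmod_decide` are hypothetical; in the real overlay the final check is the LDAP bind itself, so "bind as user" here stands for "attempt the bind with the supplied old password".

```c
/* Added example, not OpenLDAP/nssov code. Models the pwmod policy
 * discussed in ITS#8080; all names below are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

enum pwmod_verdict {
    PWMOD_BIND_AS_USER,    /* bind as the target's DN with the old password */
    PWMOD_BIND_AS_PWDMGR,  /* bind as the configured pwdmgr DN, no old password */
    PWMOD_DENY_NEED_OLD,   /* caller must supply the old password */
    PWMOD_DENY_NOT_ROOT,   /* only root may act as pwdmgr */
    PWMOD_DENY_NO_PWDMGR   /* pwdmgr requested but none configured */
};

struct pwmod_req {
    uid_t caller_uid;        /* uid of the local process making the request */
    uid_t target_uid;        /* uid of the account whose password changes */
    bool  as_pwdmgr;         /* caller asked to act as password manager */
    bool  pwdmgr_configured; /* a pwdmgr DN is set in the overlay config */
    bool  old_pw_supplied;   /* request carries the old password */
};

enum pwmod_verdict pwmod_decide(const struct pwmod_req *r)
{
    bool self = (r->caller_uid == r->target_uid);

    if (r->as_pwdmgr) {
        /* Only root may authenticate or change passwords as pwdmgr
         * (the second patch's rule, as described in the thread). */
        if (r->caller_uid != 0)
            return PWMOD_DENY_NOT_ROOT;
        /* The pwdmgr path cannot work without a configured DN. */
        if (!r->pwdmgr_configured)
            return PWMOD_DENY_NO_PWDMGR;
        /* Howard's point: root changing its own password is not a
         * pwdmgr operation; it still has to present the old password. */
        if (self)
            return r->old_pw_supplied ? PWMOD_BIND_AS_USER
                                      : PWMOD_DENY_NEED_OLD;
        return PWMOD_BIND_AS_PWDMGR;
    }

    /* Not acting as pwdmgr: the old password is required for everyone,
     * and no pwdmgr DN is needed (first and third patches' rules).
     * Whether the caller really knows it is settled by the LDAP bind. */
    if (!r->old_pw_supplied)
        return PWMOD_DENY_NEED_OLD;
    return PWMOD_BIND_AS_USER;
}

static const char *verdict_name(enum pwmod_verdict v)
{
    switch (v) {
    case PWMOD_BIND_AS_USER:   return "bind as user with old password";
    case PWMOD_BIND_AS_PWDMGR: return "bind as pwdmgr";
    case PWMOD_DENY_NEED_OLD:  return "deny: old password required";
    case PWMOD_DENY_NOT_ROOT:  return "deny: only root may act as pwdmgr";
    case PWMOD_DENY_NO_PWDMGR: return "deny: no pwdmgr configured";
    }
    return "?";
}

int main(void)
{
    /* Constructed scenarios: the reported bug (uid 1000 trying to change
     * uid 1001 without the old password) and root's own change. */
    struct pwmod_req attacker = { 1000, 1001, true, true, false };
    struct pwmod_req root_self = { 0, 0, true, true, false };
    printf("uid 1000 -> uid 1001 as pwdmgr: %s\n",
           verdict_name(pwmod_decide(&attacker)));
    printf("root -> root as pwdmgr, no old pw: %s\n",
           verdict_name(pwmod_decide(&root_self)));
    return 0;
}
```

The model makes the edge case in the reply explicit: with the first patch applied as described, the `as_pwdmgr`/`self` branch would have no way to accept an old password, which is what the reply objects to.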