[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8080) nssov allows users to change anyone's password

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8080) nssov allows users to change anyone's password
From: hyc@symas.com
Date: Mon, 16 Mar 2015 17:44:50 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Thanks for the report.

> I also noticed that pwmod always bails out if no pwdmgr dn is configured, even
> if it shouldn't be needed (ie. user changing own password).
>
> The following patches solve these problems by requiring the old password to be
> supplied unless working as pwdmgr; by only allowing root to authc or pwmod as
> pwdmgr (adapted from nss-pam-ldapd); and by silently skipping the pwdmgr check
> if it's not configured.
>
> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch

I think this patch is a bit off; it prevents root from supplying the old pwd. (Which it must do if changing its own.)

> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-only-allow-root-to-become-pwdmgr.patch
> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-allow-user-pwmod-without-pwdmgr-configured.patch

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: (ITS#8080) nssov allows users to change anyone's password
Next by Date: Re: (ITS#8080) nssov allows users to change anyone's password
Index(es):
- Chronological
- Thread