Ralf Haferkamp wrote:
Hi,
I did some testing of pam_sss and the LDAP backend's password policy
features and ran into some issues. One of them being the getuid() == 0
checks in pam_sss when checking whether the user needs to be prompted for
the old password before changing the password.
I guess the intention of those checks is that "root" should be able to
change a user's password without being prompted for the old password.
There are however some issues with that:
- Most PAM clients run with a real uid of root (0), so that check will not
work correctly in many cases. A notable exception being the passwd
command. But with password policies in place password changes can be
triggered from almost every PAM client.
- When using the LDAP backend even root would need to somehow
authenticate against the LDAP server to be able to change a user's
password.
Find a patch attached that tries to fix the former issue by checking for
the PWEXP_FLAG that is set when pam_sm_authenticate returned
PAM_NEW_AUTHTOK_REQD. I am not sure if this is really the best fix for
the problem. I am open for suggestions.
I haven't started looking for a solution for the latter issue yet.
Regardless of the outcome it would be nice to have a ticket open about
the issue.
------------------------------------------------------------------------
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
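The failure mode Ralf describes (a PAM client such as login or sshd runs with real uid 0, so a `getuid() == 0` test skips the old-password prompt even though the user's own expired password is being changed) can be shown with a small simulation. The code below is an added illustration and is not pam_sss code or the attached patch; it redefines the Linux-PAM constants `PAM_SUCCESS` and `PAM_NEW_AUTHTOK_REQD` so it builds without libpam, and the bit value chosen for `PWEXP_FLAG` and the `struct pam_state` carrier are assumptions standing in for the module's private data.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Linux-PAM return codes, copied here so the example compiles without
 * <security/pam_modules.h>. PAM_NEW_AUTHTOK_REQD means "authentication
 * succeeded but the password must be changed now". */
#define PAM_SUCCESS          0
#define PAM_NEW_AUTHTOK_REQD 12

/* Assumed bit value for the flag the post refers to as PWEXP_FLAG. */
#define PWEXP_FLAG 0x01

/* Assumed module-private state carried from the auth phase to the
 * chauthtok phase (pam_sss keeps this via pam_set_data in reality). */
struct pam_state {
    int flags;
};

/* Original logic: prompt for the old password only when the caller's
 * real uid is not root. */
bool prompt_old_password_uid_only(uid_t real_uid)
{
    return real_uid != 0;
}

/* Simulated pam_sm_authenticate: record that the backend reported an
 * expired password, then pass the backend result through. */
int simulated_authenticate(struct pam_state *st, int backend_result)
{
    if (backend_result == PAM_NEW_AUTHTOK_REQD)
        st->flags |= PWEXP_FLAG;
    return backend_result;
}

/* Patched logic in the spirit of the post: if authentication flagged an
 * expired password, the user changing it is the user logging in, so the
 * old password must be requested no matter which uid the client runs as. */
bool prompt_old_password_flag(const struct pam_state *st, uid_t real_uid)
{
    if (st->flags & PWEXP_FLAG)
        return true;
    return real_uid != 0;
}

/* Scenario: a root-owned PAM client (login/sshd style) handles an
 * expired-password login. Returns true if the patched check prompts
 * where the uid-only check would not. */
bool expired_login_via_root_client_differs(void)
{
    struct pam_state st = { 0 };
    uid_t client_uid = 0;                       /* constructed: client runs as root */
    int rc = simulated_authenticate(&st, PAM_NEW_AUTHTOK_REQD);
    if (rc != PAM_NEW_AUTHTOK_REQD)
        return false;
    bool old = prompt_old_password_uid_only(client_uid);
    bool fixed = prompt_old_password_flag(&st, client_uid);
    return !old && fixed;
}

int main(void)
{
    struct pam_state st = { 0 };
    simulated_authenticate(&st, PAM_NEW_AUTHTOK_REQD);
    printf("root client, expired password: uid-only=%d flag=%d\n",
           prompt_old_password_uid_only(0), prompt_old_password_flag(&st, 0));
    printf("passwd run by user 1000, no expiry: uid-only=%d flag=%d\n",
           prompt_old_password_uid_only(1000),
           prompt_old_password_flag(&(struct pam_state){ 0 }, 1000));
    return 0;
}
```

The `passwd` run by an unprivileged user behaves the same under both checks; the difference only appears for root-owned clients, which is exactly the case the post says is common. The second issue in the post, root still needing credentials to change a password in the LDAP server, is not modelled here.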