Description of problem:
Trying to do a password change as a LDAP user using pam_sss.so and entering
the wrong 'current' password results in: passwd: Authentication token
which can be interpreted by an end user as a system error rather than the hint
of a wrong password.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. configure ldap server with at least one user
2. configure sssd to use ldap as the id_provider, auth_provider and
3. set sss as provider in /etc/nsswitch.conf
4. enable pam_sss in system-auth-ac as per RHEL6 Deployment guide
5. login as the ldap user
6. issue a password change request by running passwd
7. enter a wrong 'current' password
Changing password for user ldapuser.
passwd: Authentication token manipulation error
More descriptive message like:
Authentication failed for user ldapuser
* The authentication failure is logged in /var/log/secure as
Jul 9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)
* It looks like the pam module returns PAM_AUTHTOK_ERR instead of PAM_AUTH_ERR
* Similar behavior when using pam_unix with a local user
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=983028 (Red Hat Enterprise Linux 6)
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=983028 983028]
I discussed the issue on IRC with Stephen. We came to the conclusion that we should add a quite generic message along the lines of "Old password not accepted". The reason for such a generic message is that it's not quite clear that all the scenarios where the bind with the old password would end up returning PAM_AUTH_ERROR would also mean that the old password was mistyped.
owner: somebody => mzidek
resolution: => fixed
status: new => closed
changelog: => When the user enters old password wrong during a password change, the SSSD now prints a more descriptive error message.
Metadata Update from @dpal:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.10.2
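The `/var/log/secure` line quoted in the report carries the PAM phase (`chauthtok`) and the numeric result (`7`), so an administrator can tell a rejected old password apart from a real system error even when the user-facing message is ambiguous. The following is an added example, not part of the ticket or of SSSD's code; the function names and all sample lines other than the one from the ticket are constructed for illustration.

```python
import re
from collections import Counter

# Format of the pam_sss failure line quoted in the ticket:
# <ts> <host> <prog>: pam_sss(<service>:<phase>): Authentication failed for user <user>: <code> (<text>)
PAM_SSS_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+(?P<prog>[^\s:\[]+)(?:\[\d+\])?:\s+"
    r"pam_sss\((?P<service>[^:)]+):(?P<phase>[^)]+)\):\s+"
    r"Authentication failed for user (?P<user>[^\s:]+):\s+(?P<code>\d+)\s+\((?P<text>[^)]*)\)\s*$"
)

PAM_AUTH_ERR = 7  # Linux-PAM constant; the "7 (Authentication failure)" in the log line

# Constructed sample input. Line 1 is the line from the ticket; the rest are made up
# in the same format for illustration.
SAMPLE_LOG = """\
Jul 9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)
Jul 9 13:33:40 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)
Jul 9 13:35:02 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user otheruser: 4 (System error)
Jul 9 13:36:15 hostname crond[2211]: constructed unrelated line
""".splitlines()


def parse_line(line):
    """Return the fields of a pam_sss failure line, or None if the line does not match."""
    m = PAM_SSS_FAIL.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    return rec


def rejected_old_passwords(lines):
    """Count password-change attempts whose old password was rejected, per (host, user)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["phase"] == "chauthtok" and rec["code"] == PAM_AUTH_ERR:
            hits[(rec["host"], rec["user"])] += 1
    return hits


if __name__ == "__main__":
    for (host, user), n in rejected_old_passwords(SAMPLE_LOG).items():
        print(f"{host} {user}: {n} rejected old-password attempt(s)")
```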