#8 lpasswd can't change a user's password as ldap admin
Closed: Fixed. Opened 9 years ago by ruben.

Right now, lpasswd binds as the user for which the password has to be changed.
To reset a password, an ldap admin has to know the user's old password.

It would be great if lpasswd could bind as the admin user defined in /etc/libuser.conf.


Thanks for your report.

lpasswd actually binds as uid=current_login_name,..., and you can override the bind DN in libuser.conf.

But before binding to LDAP, lpasswd performs a PAM authentication as the target user (see https://bugzilla.redhat.com/show_bug.cgi?id=497333).

Is that the problem you are encountering, or is it specifically related to the bind DN in some other way?
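
For reference, an added example that is not part of this ticket and not libuser's shipped configuration: a /etc/libuser.conf [ldap] section that overrides the default bind DN, so that lpasswd binds as a directory administrator instead of uid=<login>,... The key names (server, basedn, binddn, bindtype) are as recalled from libuser.conf(5) and should be checked against the man page of the installed version; the hostname and DNs are placeholders. As the comment above says, this only changes the LDAP bind: before libuser-0.57 lpasswd still ran the PAM authentication as the target user first, so the override alone does not let an admin reset someone else's password.

```ini
# /etc/libuser.conf (fragment). Added example, not shipped configuration.
# Key names as recalled from libuser.conf(5); verify against the installed
# man page before relying on them. Comments are kept on their own lines
# because a trailing "# ..." may be read as part of the value.
[ldap]

# Placeholder directory host and suffix under which users and groups live.
server = ldap.example.com
basedn = dc=example,dc=com

# Default when binddn is unset: lpasswd binds as the calling user,
# uid=<login>,...,dc=example,dc=com, so a reset of another user's password
# succeeds only if the directory's ACLs let that DN write userPassword
# on the target entry (normally they do not).
#
# Override: bind as a DN that the directory's ACLs allow to modify
# userPassword on other entries. Placeholder admin DN.
binddn = cn=Manager,dc=example,dc=com

# Plain simple bind; lpasswd prompts for the bind password at run time.
# Use LDAPS or StartTLS on the server side so the admin credential and the
# new password are not sent in clear.
bindtype = simple
```

After changing binddn, check which DN lpasswd actually binds as in the directory's access log rather than trusting the prompt text; a wrong binddn typically shows up as an insufficientAccessRights result on the modify, not at bind time.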

Yes, I believe it's pam:
{{{
[root@ldap1a ~]# gdb -q --args lpasswd ruben
Reading symbols from /usr/sbin/lpasswd...Reading symbols from /usr/lib/debug/usr/sbin/lpasswd.debug...done.
done.
(gdb) b lu_authenticate_unprivileged
Breakpoint 1 at 0x403d30: file apps/apputil.c, line 557.
(gdb) r
Starting program: /usr/sbin/lpasswd ruben

Breakpoint 1, lu_authenticate_unprivileged (user=0x7fffffffe978 "ruben", appname=0x40457a "passwd") at apps/apputil.c:557
557 {
(gdb) n
591 conv.conv = misc_conv;
(gdb)
592 conv.appdata_ptr = NULL;
(gdb)
591 conv.conv = misc_conv;
(gdb)
595 if (is_selinux_enabled() > 0) {
(gdb)
597 if (getuid() == 0 && check_access(user, PASSWD__CHFN) != 0) {
(gdb)
612 if (!lu_util_fscreate_from_file("/etc/passwd", NULL)) {
(gdb)
622 if (pam_start(appname, user, &conv, &pamh) != PAM_SUCCESS) {
(gdb)
}}}

Changeset [f105137faf05] drops the PAM check for LDAP.

Fix released in libuser-0.57.

Metadata Update from @mitr:
- Issue assigned to mitr

2 years ago