Right now, lpasswd binds as the user for which the password has to be changed. To reset a password, an LDAP admin has to know the user's old password.
It would be great if lpasswd could bind as the admin user defined in /etc/libuser.conf.
Thanks for your report.
lpasswd actually binds as uid=current_login_name,..., and you can override the bind DN in libuser.conf.
But before binding to LDAP, lpasswd performs a PAM authentication as the target user (see https://bugzilla.redhat.com/show_bug.cgi?id=497333 ).
Is that the problem you are encountering, or is it specifically related to the bind DN in some other way?
Yes, I believe it's pam:
{{{
[root@ldap1a ~]# gdb -q --args lpasswd ruben
Reading symbols from /usr/sbin/lpasswd...Reading symbols from /usr/lib/debug/usr/sbin/lpasswd.debug...done.
done.
(gdb) b lu_authenticate_unprivileged
Breakpoint 1 at 0x403d30: file apps/apputil.c, line 557.
(gdb) r
Starting program: /usr/sbin/lpasswd ruben

Breakpoint 1, lu_authenticate_unprivileged (user=0x7fffffffe978 "ruben", appname=0x40457a "passwd") at apps/apputil.c:557
557	{
(gdb) n
591		conv.conv = misc_conv;
(gdb)
592		conv.appdata_ptr = NULL;
(gdb)
591		conv.conv = misc_conv;
(gdb)
595		if (is_selinux_enabled() > 0) {
(gdb)
597		if (getuid() == 0 && check_access(user, PASSWD__CHFN) != 0) {
(gdb)
612		if (!lu_util_fscreate_from_file("/etc/passwd", NULL)) {
(gdb)
622		if (pam_start(appname, user, &conv, &pamh) != PAM_SUCCESS) {
(gdb)
}}}
Changeset [f105137faf05] drops the PAM check for LDAP.
Fix released in libuser-0.57.
Metadata Update from @mitr:
- Issue assigned to mitr