On Thursday 11 December 2008 23:38, Orion Poplawski wrote:
> I'm used to being able to change users' passwords as root using the
> "passwd" command on my main server (this was with NIS and the master
> shadow file kept on the server). Now with FDS, I get:
>
> # passwd orion
> Changing password for user orion.
> Enter login(LDAP) password:
>
> and I must enter the password for the user "orion". This gets tricky
> when the user has forgotten their password.
>
> Is there a way to avoid this first check and allow root to force a
> change of the password?

I know it's possible; here is the way my setup (etch) works. It's likely a PAM issue.

xxxfcst2:~# passwd ryantest
New password:
Re-enter new password:
LDAP password information changed for ryantest
passwd: password updated successfully
xxxfcst2:~# grep ryantest /etc/passwd
xxxfcst2:~# getent passwd|grep ryan
ryantest:x:10058:5000:cfwx Account:/tmp/ryantest:/bin/bash

ytrfcst2:/etc/pam.d# grep -v ^# common*
common-account:account sufficient pam_ldap.so
common-account:account required pam_unix.so
common-auth:auth sufficient pam_ldap.so
common-auth:auth required pam_unix.so nullok_secure use_first_pass
common-password:
common-password:
common-password:password sufficient pam_ldap.so ignore_unknown_user
common-password:password required pam_unix.so nullok obscure min=4 max=8 md5
common-password:
common-password:
common-session:session required pam_unix.so
common-session:session optional pam_ldap.so
xxxfcst2:/etc/pam.d# grep -v ^# passwd
@include common-password
xxxfcst2:/etc/pam.d#

And lastly pam_ldap.conf

xxxfcst2:/etc# grep -v ^# pam_ldap.conf |strings
@(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
base dc=xxx,dc=ec,dc=gc,dc=ca
uri ldap://xxxoff.isb.ec.gc.ca
uri ldap://xxxoff0.isb.ec.gc.ca
uri ldap://xxxoff1.isb.ec.gc.ca
ldap_version 3
rootbinddn cn=directory manager
pam_check_host_attr yes
pam_password exop
ssl start_tls
tls_cacertdir /etc/ldap/cacerts
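
Added example, not part of the original message and not pam_ldap's own code: a small audit of the settings that let root reset a password in a setup like the one shown above. It assumes pam_ldap's behaviour of binding as rootbinddn for root, with the bind password read from a root-only secret file; the secret path, the owner_uid parameter, the function names and the sample hostnames are constructed for illustration.

```python
import os
import stat

# Constructed sample in the format of the pam_ldap.conf above (placeholder hosts).
SAMPLE_CONF = """\
base dc=example,dc=com
uri ldap://ldap1.example.com ldap://ldap2.example.com
ldap_version 3
rootbinddn cn=directory manager
pam_password exop
ssl start_tls
"""

def parse_conf(text):
    """Return {keyword: [values]}; keywords are lower-cased, comments skipped."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def audit(conf, secret_path, owner_uid=0):
    """List problems with the root-bind password reset path (empty list = clean)."""
    if "rootbinddn" not in conf:
        # Assumption: without rootbinddn, root is prompted for the user's password.
        return ["rootbinddn not set: root cannot force a password change"]
    findings = []
    uris = [u for value in conf.get("uri", []) for u in value.split()]
    ldaps_only = bool(uris) and all(u.startswith("ldaps://") for u in uris)
    if "start_tls" not in conf.get("ssl", []) and not ldaps_only:
        findings.append("rootbinddn password would be sent without TLS")
    try:
        st = os.stat(secret_path)
    except FileNotFoundError:
        return findings + [f"{secret_path} missing: no password for the root bind"]
    if st.st_uid != owner_uid:
        findings.append(f"{secret_path} not owned by uid {owner_uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append(f"{secret_path} accessible by group/other")
    return findings

if __name__ == "__main__":
    # Assumed path; the secret file location varies by distribution and build.
    for finding in audit(parse_conf(SAMPLE_CONF), "/etc/ldap.secret"):
        print("FINDING:", finding)
```
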