Re: "passwd" by root for user fails with sssd,pam, ldap

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/20/2013 08:43 AM, Augustin Wolf wrote:
> On 20 July 2013 10:52, William Brown <william@xxxxxxxxxxxxxxx>
> wrote:
>>> For now, LDAP ACL was "turned off" - every user has manage
>>> permission,
>> Each user will have permission on their own ldap object they bind
>> to, to change their passwords. Root may not be able to bind to
>> ldap, or roots object doesn't have the acl to modify the password
>> attr on the user's object.
> It is not entirely true. With ACL as above, or commonly used ACL: 
> to userPassword by self write by * auth it is true, but users tend
> to forgot their passwords, and You don't have to give them write
> permission to yserPassword attribute. Now there need to be some
> other way for administrator to reset users passwords. Command
> "passwd" is most common, and doesn't require admin to remember user
> DN.
>> What ldap server are you using? You may consider contacting thier
>> mailing lists for help. [root@ldap ~]# cat
>> /etc/openldap/ldap.conf |grep -ve "^#"|grep -ve "^$"
>>> Configs, logs, etc are in here: http://fpaste.org/26708/
> it is openldap. thanks, I will.
>> Sincerely, William
> Thanks for reply
> 


This is intentional behavior. SSSD is designed not to allow root on
the local system to change the passwords of the centrally-managed
users. The reason for this is that we would have to store credentials
for an LDAP administrator on the system somewhere in plaintext, which
would mean that a rogue admin or attacker could easily gain access to
an administrator account.

If you need to admin reset an LDAP user's password, it's much wiser to
use ldappasswd instead, because this will force you to present admin
credentials (of course, if you're storing the password in
/etc/openldap/ldap.conf, you're vulnerable to the same local attack
compromising your infrastructure).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlHtYCEACgkQeiVVYja6o6MPcQCdHPy9NS0McpuqAcskUsDLdBQ7
YicAn2jjVucoZja2DhJ+1YWyIXb8JiRc
=Rvz7
-----END PGP SIGNATURE-----
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux