On 22 July 2013 18:38, Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote:

Thanks for participating.

> This is intentional behavior. SSSD is designed not to allow root on
> the local system to change the passwords of the centrally-managed
> users. The reason for this is that we would have to store credentials
> for an LDAP administrator on the system somewhere in plaintext, which
> would mean that a rogue admin or attacker could easily gain access to
> an administrator account.
>
> If you need to admin reset an LDAP user's password, it's much wiser to
> use ldappasswd instead, because this will force you to present admin
> credentials (of course, if you're storing the password in
> /etc/openldap/ldap.conf, you're vulnerable to the same local attack
> compromising your infrastructure).

Okay, it isn't safe to store the root password in a file. With all my administrator heart I agree. But I don't see why you have to store it in a plain text file. Could you please expand on that?

You can point to which user SSSD is using by customizing "ldap_default_bind_dn"; there's also the password for the LDAP Manager in "ldap_default_authtok". As far as I understand, this is the user that is performing all the actions via the LDAP server. It does work when I'm changing my password as a user using "passwd", right? So it might as well change all users' passwords. How does using the command "passwd" to change a user password differ when used by root?

Btw. plain-text passwords: there's the option "ldap_sasl_authid", which from what it seems is using a Kerberos keytab (which is encrypted). (Unfortunately, using it in my case didn't help at all.)

There are also other plain text password vulnerabilities:

[root@ldap ~]# grep bindpw /etc/*
/etc/nslcd.conf:bindpw somesecretpass
/etc/pam_ldap.conf:bindpw somesecretpass
/etc/sudo-ldap.conf:bindpw somesecretpass

and:

/etc/ldap.secret

Despite that, having logged in to the root account gives full control over the system. One can change "rootpw" in /etc/openldap/slapd.conf (or the olc* directory-style config) and change users' passwords using ldappasswd with the admin DN, skipping ACLs.

I'm heading towards using LDAP as a backend database for Kerberos. As far as I've got, all users are in LDAP, in different branches of the LDAP directory, and I'm having great trouble finding a comfortable way of managing them.

Wouldn't it be possible to ask root for the administrative password before changing a user's password, and not store it anywhere? Just like this is done while an unprivileged user is changing their password?

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
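The stored-bind-password exposure the poster found with `grep bindpw /etc/*` can be checked for systematically. The following script is an added example, not code from the thread, from SSSD or from Fedora; it assumes the config file names mentioned in the thread, takes the base directory as an argument, and builds a constructed sample tree with dummy values so it runs offline.

```shell
# Audit LDAP client/server config files under "$1" for stored bind secrets
# (bindpw, ldap_default_authtok, rootpw, or the bare ldap.secret file) and
# report whether each such file is readable by group or others.
# Prints one line per finding and returns the number of findings (0 = clean).
audit_ldap_secrets() {
    dir="$1"
    count=0
    for f in nslcd.conf pam_ldap.conf sudo-ldap.conf ldap.secret \
             sssd/sssd.conf openldap/slapd.conf; do
        path="$dir/$f"
        [ -f "$path" ] || continue
        # ldap.secret holds nothing but the password, so its presence counts;
        # the other files are scanned for the credential directives.
        # Note: rootpw in slapd.conf may be a hash; it is still worth review.
        if [ "$f" != ldap.secret ] && ! grep -Eiq \
           '^[[:space:]]*(bindpw|ldap_default_authtok|rootpw)[[:space:]=]' "$path"; then
            continue
        fi
        perms=$(ls -ld "$path" | cut -c1-10)        # e.g. -rw-r--r--
        grp=$(printf '%s' "$perms" | cut -c5)       # group read bit
        oth=$(printf '%s' "$perms" | cut -c8)       # other read bit
        if [ "$grp" = r ] || [ "$oth" = r ]; then
            echo "EXPOSED $path ($perms): secret readable beyond the owner"
        else
            echo "STORED  $path ($perms): secret on disk, owner-only"
        fi
        count=$((count + 1))
    done
    return "$count"
}
# Constructed sample tree (dummy values, not real credentials) so the audit
# can be exercised offline; prints the directory it created.
make_sample_etc() {
    d=$(mktemp -d)
    mkdir -p "$d/sssd"
    printf 'bindpw somesecretpass\n' > "$d/nslcd.conf"
    chmod 644 "$d/nslcd.conf"                        # world-readable secret
    printf 'uri ldap://ldap.example.invalid/\n' > "$d/pam_ldap.conf"   # no secret
    printf '[domain/example]\nldap_default_authtok = somesecretpass\n' > "$d/sssd/sssd.conf"
    chmod 600 "$d/sssd/sssd.conf"                    # stored, but owner-only
    printf 'somesecretpass\n' > "$d/ldap.secret"
    chmod 644 "$d/ldap.secret"                       # should have been 600
    echo "$d"
}
# Demo on the sample tree; against a live host run: audit_ldap_secrets /etc
sample=$(make_sample_etc)
if audit_ldap_secrets "$sample"; then echo "clean"; else echo "findings: $?"; fi
rm -rf "$sample"
```

A non-zero finding count is a prompt to move the credential to a keytab-based bind (the thread's "ldap_sasl_authid") or to tighten the file to owner-only, not a verdict on the whole setup.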