Re: [Fedora-directory-users] userPassword is base64 encoded

Sævaldur Gunnarsson wrote:


The question is more on the line of why does it need the user's current password? It's the DS admin who is performing the change.

It's the same situation if /bin/passwd, when run as root in order to change the password of a local user, asked for the local user's current password.

I guess it's some sort of policy that DS is implementing.


And can I change this somewhere?

Does the program supply the old password and the new password? If not, then I think I know what the problem is.

Take a look at http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/slapd/passwd_extop.c lines 310-350. It rejects operations which do not have both the old password and the new password. The RFC however allows this - http://www.ietf.org/rfc/rfc3062.txt. It should be pretty easy to change the server to handle a missing old password - just ensure the current BIND identity is valid and has a valid password (or some other stronger auth). I'm not sure what to do about a missing new password - does AD generate a new one (as allowed but not required by the RFC)? How about OpenLDAP? It would be nice to be compatible with them, but the RFC allows an error to be returned if there is no new password. "In absence of a client provided newPasswd, the server SHALL either generate a password on behalf of the client or return a non-success result code."

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
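
The server-side handling discussed in the message above, as an added example (not part of the original post and not the Fedora DS code in passwd_extop.c): it decodes an RFC 3062 PasswdModifyRequestValue and accepts a missing oldPasswd only from a bound identity that access control allows to write the target's password. The function names, the `may_write` flag, the choice of result codes and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* LDAP result codes (RFC 4511). */
enum { LDAP_SUCCESS = 0, LDAP_PROTOCOL_ERROR = 2, LDAP_INVALID_CREDENTIALS = 49,
       LDAP_INSUFFICIENT_ACCESS = 50, LDAP_UNWILLING_TO_PERFORM = 53 };
struct field { const unsigned char *ptr; size_t len; };   /* ptr NULL = absent */
struct pwmod_req { struct field user, oldpw, newpw; };

/* Decode PasswdModifyRequestValue: SEQUENCE { [0] userIdentity, [1] oldPasswd,
 * [2] newPasswd }, all OPTIONAL. Short-form BER lengths only (< 128 bytes). */
static int pwmod_decode(const unsigned char *b, size_t n, struct pwmod_req *r)
{
    int last = -1;                         /* fields must appear in tag order */
    memset(r, 0, sizeof *r);
    if (n < 2 || b[0] != 0x30 || b[1] >= 0x80 || (size_t)b[1] != n - 2) return -1;
    for (size_t i = 2; i < n; i += 2 + (size_t)b[i + 1]) {
        int tag = b[i] - 0x80;             /* context-specific, primitive */
        if (n - i < 2 || b[i + 1] >= 0x80 || (size_t)b[i + 1] > n - i - 2) return -1;
        if (tag < 0 || tag > 2 || tag <= last) return -1;
        struct field *f = tag == 0 ? &r->user : tag == 1 ? &r->oldpw : &r->newpw;
        f->ptr = b + i + 2;
        f->len = b[i + 1];
        last = tag;
    }
    return 0;
}

/* Assumed policy inputs: bound = connection authenticated as a real identity,
 * may_write = access control lets it write the target's password, old_ok = oldPasswd matched. */
static int pwmod_handle(const unsigned char *b, size_t n, int bound, int may_write, int old_ok)
{
    struct pwmod_req r;
    if (pwmod_decode(b, n, &r) != 0) return LDAP_PROTOCOL_ERROR;
    if (!r.newpw.ptr) return LDAP_UNWILLING_TO_PERFORM;  /* no generated passwords */
    if (r.oldpw.ptr) return old_ok ? LDAP_SUCCESS : LDAP_INVALID_CREDENTIALS;
    if (!bound) return LDAP_UNWILLING_TO_PERFORM;        /* anonymous reset refused */
    return may_write ? LDAP_SUCCESS : LDAP_INSUFFICIENT_ACCESS;
}

/* Constructed samples: admin reset of uid=jdoe, and the same with no newPasswd. */
static const unsigned char RESET[] = { 0x30, 0x0f, 0x80, 0x08, 'u','i','d','=','j','d','o','e', 0x82, 0x03, 'n','e','w' };
static const unsigned char NO_NEW[] = { 0x30, 0x0a, 0x80, 0x08, 'u','i','d','=','j','d','o','e' };

int main(void)
{
    printf("%d %d\n", pwmod_handle(RESET, sizeof RESET, 1, 1, 0), pwmod_handle(NO_NEW, sizeof NO_NEW, 1, 1, 0));
    return 0;
}
```

A request without newPasswd gets a non-success result here because the sketch does not generate passwords, which is one of the two behaviours the RFC text quoted above permits.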
