[Freeipa-devel] Expired passwords cannot be changed via LDAP
Simo Sorce
simo at redhat.com
Mon Jun 9 12:51:17 UTC 2014
> On 06/09/2014 12:15 PM, Alon Bar-Lev wrote:
> >> From: "Martin Kosek" <mkosek at redhat.com>
> >> Given all sort of issues we get, I am thinking we should just revert it
> >> unless
> >> there is a quick fix available.
> > The fix should be for the password modify to work within anonymous bind if
> > old password is specified. I am not sure why IPA enforces non-anonymous
> > bind for this extended request.
> >
> > Applications should also be modified to perform anonymous bind, exactly per
> > this reason.
> >
> > Searching why IPA requires non-anonymous bind is what led me to this bug...
> > :)
>
> Simo, do you know the historical reason why this is enforced in
> ipapwd_chpwop?
When we started we wanted to allow password changes using GSSAPI for bind instead of password based authentication, and we ended up not implementing the "old-password" based one at all...
> By quickly looking at the code it should not be difficult to fix, but the devil
> is in the details and we need to be very cautious in this function.
We just need to be careful about what operations are done, but indeed it shouldn't be difficult; I am just not sure it is quick enough for you.
I can take a look in a few.
Simo.
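As an added illustration of the request this thread is about (not code from FreeIPA, 389-ds or anyone in the thread), the following Python encodes and decodes an RFC 3062 PasswordModifyRequestValue and models the bind-gating decision in both forms discussed: refusing every anonymous bind, and accepting an anonymous bind only when userIdentity and oldPasswd are both supplied. The DN and passwords are constructed sample values and chpwop_allowed is a hypothetical check, not ipapwd_chpwop's logic.

```python
# RFC 3062: PasswordModifyRequestValue ::= SEQUENCE { userIdentity [0], oldPasswd [1],
# newPasswd [2] }, all OPTIONAL OCTET STRINGs; LDAP's implicit tagging gives 0x80..0x82.
FIELDS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}

def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def encode_passwd_modify(user_identity=None, old=None, new=None):
    """Build the requestValue of a password modify extended request."""
    parts = ((0x80, user_identity), (0x81, old), (0x82, new))
    return _tlv(0x30, b"".join(_tlv(t, v.encode("utf-8")) for t, v in parts if v is not None))

def _read_tlv(data, pos):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def decode_passwd_modify(value):
    """Parse a requestValue; reject anything that is not the expected SEQUENCE."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a PasswordModifyRequestValue SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, payload, pos = _read_tlv(body, pos)
        if tag not in FIELDS or FIELDS[tag] in fields:
            raise ValueError("unexpected or duplicate tag 0x%02x" % tag)
        fields[FIELDS[tag]] = payload.decode("utf-8")
    return fields

def chpwop_allowed(bind_dn, req, allow_anonymous_with_old=True):
    """Hypothetical gating check (bind_dn is "" for an anonymous bind). With
    allow_anonymous_with_old=False it models the refusal the thread describes, with
    True the proposed fix; checking oldPasswd against the store comes afterwards."""
    if bind_dn:
        return True, "authenticated bind (e.g. GSSAPI)"
    if not allow_anonymous_with_old:
        return False, "anonymous bind refused"
    if req.get("userIdentity") and req.get("oldPasswd"):
        return True, "anonymous bind accepted: userIdentity and oldPasswd present"
    return False, "anonymous bind needs both userIdentity and oldPasswd"
```

Note that an anonymous request carrying userIdentity but no oldPasswd is still refused under the relaxed rule; that is the case the gating check exists to protect.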