[Fedora-directory-users] userPassword is base64 encoded

Rich Megginson rmeggins at redhat.com
Thu Jun 9 01:16:05 UTC 2005


Sævaldur Gunnarsson wrote:

>
>> The question is more on the line of why does it need the user's 
>> current password? It's the DS admin who is performing the change.
>>
>> It's the same situation if /bin/passwd, when run as root in order to 
>> change the password of a local user, asked for the local user's 
>> current password.
>>
>> I guess it's some sort of policy that DS is implementing.
>
>
> And can I change this somewhere ?

Does the program supply the old password and the new password?  If not, 
then I think I know what the problem is.

Take a look at 
http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/slapd/passwd_extop.c 
lines 310-350.  It rejects operations which do not have both the old 
password and the new password.  The RFC however allows this - 
http://www.ietf.org/rfc/rfc3062.txt.  It should be pretty easy to change 
the server to handle a missing old password - just ensure the current 
BIND identity is valid and has a valid password (or some other stronger 
auth).  I'm not sure what to do about a missing new password - does AD 
generate a new one (as allowed but not required by the RFC)?  How about 
OpenLDAP?  It would be nice to be compatible with them, but the RFC 
allows an error to be returned if there is no new password. "In absence 
of a client provided newPasswd, the server SHALL either generate a 
password on behalf of the client or return a non-success result code."
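The request value Rich refers to and the two server behaviours he contrasts (reject when oldPasswd is absent, versus trust an authenticated bind and treat only a missing newPasswd as a non-success case), as an added Python example that is not part of this thread or of the Directory Server source; the sample DN and password are constructed, and the choice of which LDAP result code to return for each refusal is an assumption:

```python
# Added example, not code from the thread or from Directory Server. Decodes the
# RFC 3062 PasswdModifyRequestValue (SEQUENCE of optional [0] userIdentity,
# [1] oldPasswd, [2] newPasswd) and shows the two policies Rich contrasts.
TAGS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}

def _read_tlv(buf, pos):
    """One BER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def decode_passwd_modify(value):
    """Return a dict of the fields present in the request value."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag not in TAGS or TAGS[tag] in fields:
            raise ValueError("unexpected or repeated tag 0x%02x" % tag)
        fields[TAGS[tag]] = val.decode("utf-8")
    return fields

def strict_policy(fields):
    """What Rich reads in passwd_extop.c: both passwords must be present."""
    if "oldPasswd" not in fields or "newPasswd" not in fields:
        return "unwillingToPerform"
    return "success"

def rfc3062_policy(fields, bound_dn):
    """Rich's suggested change: oldPasswd may be omitted when the request comes
    over an authenticated bind (access control on the target entry is a separate
    check, not shown); a missing newPasswd is refused, which the RFC allows."""
    if not bound_dn:                       # anonymous bind: nobody to trust
        return "insufficientAccessRights"
    if "newPasswd" not in fields:
        return "unwillingToPerform"
    return "success"

# Constructed sample: an admin resets alice's password without her current one
# (DN and password are made up). 0x30 = SEQUENCE, 0x27 = 39 bytes of body.
ADMIN_REQUEST = (b"\x30\x27\x80\x1buid=alice,dc=example,dc=com"
                 b"\x82\x08N3w-pass")
```

Running `strict_policy` and `rfc3062_policy` over `decode_passwd_modify(ADMIN_REQUEST)` shows the same request refused by the first and accepted by the second when the bind DN is non-empty.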
