Password aging requires rootdn write access to all passwords?


Password aging requires rootdn write access to all passwords?

by Heiko Noordhof-2

Hello,

While trying to set up an LDAP server for user authentication on Linux
desktop client PCs with pam_ldap I stumbled upon the following issue:

Password-aging only seems to work when a "rootdn" is configured and has
write access to the userPassword attribute of all users. If the "rootdn"
doesn't have write-access and I try to log in using an account with an
expired password I do get the warning and the opportunity to change the
password. But when submitting the new password I get: "LDAP password
information update failed: insufficient access".

We are planning to distribute the pam_ldap configuration (including
/etc/ldap.secret) to at least a few hundred desktop client PCs. I
know that the /etc/ldap.secret is read-only for non-root users, but it
seems quite a big security issue to have a plain-text password in a file
that will enable anybody with a live CD to read the rootdn password.
That means hacker skills are hardly required to wipe or change the
password of all our accounts in LDAP in just a few minutes.

While the file "LDAP-Permissions.txt" that ships with pam_ldap does
mention this, I'm a bit puzzled why it needs to be like that: when for
example "gdm" or the "login" program lets me change my aged password it
has already asked for my current password. So it seems to me pam_ldap should
be able to re-bind as the user itself in order to change his/her
password. That way only the user account itself needs write access to its
own userPassword attribute.

Am I mistaken, did I miss something, or is there a workaround?
Could someone please show me wrong?

Regards,  Heiko Noordhof


Re: Password aging requires rootdn write access to all passwords?

by Heiko Noordhof-2

Replying to myself to correct a typo:

Heiko Noordhof wrote:
> [...] I know that the /etc/ldap.secret is read-only for non-root
> users, but it seems quite a big security issue to have a plain-text
> password in a file that will enable anybody with [...]
should read:
"I know that the /etc/ldap.secret is *unreadable* for non-root users, [...]"

sorry, Heiko


Re: Password aging requires rootdn write access to all passwords?

by Andreas Hasenack

Heiko Noordhof wrote:

> Hello,
>
> While trying to set up an LDAP server for user authentication on Linux
> desktop client PCs with pam_ldap I stumbled upon the following issue:
>
> Password-aging only seems to work when a "rootdn" is configured and has
> write access to the userPassword attribute of all users. If the "rootdn"
> doesn't have write-access and I try to log in using an account with an
> expired password I do get the warning and the opportunity to change the
> password. But when submitting the new password I get: "LDAP password
> information update failed: insufficient access".

Sounds like an ACL issue on the server. Maybe you are not letting the user
change his own password?
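As an added illustration of the server-side check Andreas suggests (this fragment is not part of his reply or of pam_ldap), here is an OpenLDAP slapd.conf ACL that lets each user write only its own userPassword; the suffix, attribute names and the use of shadowAccount aging are assumptions.

```conf
# Added example, not from the thread. Suffix "dc=example,dc=com" is a placeholder.
#
# Too restrictive: nobody but the rootdn (which bypasses ACLs entirely in
# OpenLDAP) can write userPassword, so every client must carry the rootdn
# credentials in /etc/ldap.secret to change an expired password, and an
# ordinary user bind gets "insufficient access".
#access to attrs=userPassword
#    by * auth

# Corrected: the bound user may write its own userPassword, anonymous may
# use it only to bind ("auth"), and nobody else can read the hashes.
# "by" clauses are tried in order and the first match wins, so "self write"
# must precede "* none"; likewise this "access to" directive must precede
# any catch-all "access to *" rule, because the first matching directive wins.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Assumption: if accounts use shadowAccount aging, pam_ldap also updates
# shadowLastChange when the password is changed, so the user needs write
# access to that attribute as well.
access to attrs=shadowLastChange
    by self write
    by * read

# Everything else stays readable; keep this last so it does not shadow the
# attribute-specific rules above.
access to *
    by * read
```

With this in place the client no longer needs a rootbinddn or /etc/ldap.secret for ordinary password changes, since pam_ldap can bind as the user with the password it has just verified.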