Chris Halstead
2007-Apr-26 17:28 UTC
[Fedora-directory-users] Previous password still works?
Hi folks,

I've been googling 'til my eyes bleed but I can't find anything on this.

We're using FDS 1.0.2 and I recently used the admin console (logged in as myself, not as the admin account) to change my personal account password. The new password worked, so far so good. The problem is that my *old* password still worked as well. Everywhere. Login through PAM, login to the FDS admin console, you name it.

After doing some testing I've found that if I change my password logged in as myself the old password will still work, yet if I change it logged in with our admin user account only the new one works. What am I missing?

I was planning on putting together a web-form for user password changes (using the user's credentials to bind), but if user password changes won't invalidate old passwords I'm going to have to change my approach.

-chris
Richard Megginson
2007-Apr-26 19:39 UTC
Re: [Fedora-directory-users] Previous password still works?
Chris Halstead wrote:
> Hi folks,
>
> I've been googling 'til my eyes bleed but I can't find anything on this.
>
> We're using FDS 1.0.2 and I recently used the admin console (logged in
> as myself, not as the admin account) to change my personal account
> password. The new password worked, so far so good. The problem is
> that my *old* password still worked as well. Everywhere. Login
> through PAM, login to the FDS admin console, you name it.

So, both old and new password work everywhere? pam too? Have you tried the command line ldapsearch?

> After doing some testing I've found that if I change my password
> logged in as myself the old password will still work, yet if I change
> it logged in with our admin user account only the new one works. What
> am I missing?
>
> I was planning on putting together a web-form for user password
> changes (using the user's credentials to bind), but if user password
> changes won't invalidate old passwords I'm going to have to change my
> approach.
>
> -chris
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Chris Halstead
2007-Apr-26 20:46 UTC
Re: [Fedora-directory-users] Previous password still works?
Richard Megginson wrote:
> So, both old and new password work everywhere? pam too? Have you
> tried the command line ldapsearch?

Yep - PAM, httpd auth, FDS console login, passthru auth from LDAP-enabled apps all work with both old and new, but *only* when I've changed the password through the console while logged in as myself. If I change my password with passwd on a PAM-enabled system, or change it in the console logged in as an admin user, only the new one works.

-chris
Richard Megginson
2007-Apr-26 20:56 UTC
Re: [Fedora-directory-users] Previous password still works?
Chris Halstead wrote:
> Richard Megginson wrote:
>> So, both old and new password work everywhere? pam too? Have you
>> tried the command line ldapsearch?
>
> Yep - PAM, httpd auth, FDS console login, passthru auth from
> LDAP-enabled apps all work with both old and new, but *only* when I've
> changed the password through the console while logged in as myself.
> If I change my password with passwd on a PAM-enabled system, or change
> it in the console logged in as an admin user, only the new one works.

So the following both work and produce the exact same result?

ldapsearch -x -h ldaphost -p ldapport -D "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w oldpassword -b ou=people,dc=yourdomain,dc=com "(uid=chalstead)"

and

ldapsearch -x -h ldaphost -p ldapport -D "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w newpassword -b ou=people,dc=yourdomain,dc=com "(uid=chalstead)"

?

> -chris
Stephen John Smoogen
2007-Apr-26 21:16 UTC
Re: [Fedora-directory-users] Previous password still works?
On 4/26/07, Richard Megginson <rmeggins@redhat.com> wrote:
> Chris Halstead wrote:
> > Richard Megginson wrote:
> >> So, both old and new password work everywhere? pam too? Have you
> >> tried the command line ldapsearch?
> >
> > Yep - PAM, httpd auth, FDS console login, passthru auth from
> > LDAP-enabled apps all work with both old and new, but *only* when I've
> > changed the password through the console while logged in as myself.
> > If I change my password with passwd on a PAM-enabled system, or change
> > it in the console logged in as an admin user, only the new one works.
> So the following both work and produce the exact same result?
> ldapsearch -x -h ldaphost -p ldapport -D
> "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w oldpassword -b
> ou=people,dc=yourdomain,dc=com "(uid=chalstead)"
> and
> ldapsearch -x -h ldaphost -p ldapport -D
> "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w newpassword -b
> ou=people,dc=yourdomain,dc=com "(uid=chalstead)"
> ?

Would nscd help cause this?

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"
Chris Halstead
2007-Apr-26 21:50 UTC
Re: [Fedora-directory-users] Previous password still works?
I had to set my bind credentials using 'cn' instead of 'uid' to get ldapsearch to work, but anyway...

After setting my password logged into console as myself I get identical ldapsearch results with both old and new passwords. After setting via 'passwd' only the new password works. I can send you the ldapsearch output offline if you'd like.

-chris

Richard Megginson wrote:
> So the following both work and produce the exact same result?
> ldapsearch -x -h ldaphost -p ldapport -D
> "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w oldpassword -b
> ou=people,dc=yourdomain,dc=com "(uid=chalstead)"
> and
> ldapsearch -x -h ldaphost -p ldapport -D
> "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w newpassword -b
> ou=people,dc=yourdomain,dc=com "(uid=chalstead)"
> ?
Chris Halstead
2007-Apr-26 21:55 UTC
Re: [Fedora-directory-users] Previous password still works?
That was actually the first thing I checked. ;-)

-chris

Stephen John Smoogen wrote:
>
> Would nscd help cause this?
>
Richard Megginson
2007-Apr-26 21:59 UTC
Re: [Fedora-directory-users] Previous password still works?
Chris Halstead wrote:
> I had to set my bind credentials using 'cn' instead of 'uid' to get
> ldapsearch to work, but anyway...
>
> After setting my password logged into console as myself I get
> identical ldapsearch results with both old and new passwords. After
> setting via 'passwd' only the new password works. I can send you the
> ldapsearch output offline if you'd like.

Do you have two values for the userPassword attribute in your entry?

> -chris
>
> Richard Megginson wrote:
>> So the following both work and produce the exact same result?
>> ldapsearch -x -h ldaphost -p ldapport -D
>> "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w oldpassword -b
>> ou=people,dc=yourdomain,dc=com "(uid=chalstead)"
>> and
>> ldapsearch -x -h ldaphost -p ldapport -D
>> "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w newpassword -b
>> ou=people,dc=yourdomain,dc=com "(uid=chalstead)"
>> ?
Chris Halstead
2007-Apr-26 22:13 UTC
Re: [Fedora-directory-users] Previous password still works?
userPassword has no value at all.

-chris

Richard Megginson wrote:
> Do you have two values for the userPassword attribute in your entry?
Nathan Kinder
2007-Apr-26 22:18 UTC
Re: [Fedora-directory-users] Previous password still works?
Chris Halstead wrote:
> userPassword has no value at all.

Are you searching as "cn=Directory Manager" when you check for userPassword?

> -chris
>
> Richard Megginson wrote:
>> Do you have two values for the userPassword attribute in your entry?
Chris Halstead
2007-Apr-26 23:30 UTC
Re: [Fedora-directory-users] Previous password still works?
OK, it took me a while to get there (had to figure out what our equivalent of 'cn=Directory Manager' was), but there are indeed two entries for userPassword after I change the password logged in as myself to the console.

When I reset the password using PAM-enabled passwd there is only one.

-chris

Nathan Kinder wrote:
> Chris Halstead wrote:
>> userPassword has no value at all.
> Are you searching as "cn=Directory Manager" when you check for
> userPassword?
>>
>> -chris
>>
>> Richard Megginson wrote:
>>> Do you have two values for the userPassword attribute in your entry?
>>
Nathan Kinder
2007-Apr-26 23:33 UTC
Re: [Fedora-directory-users] Previous password still works?
Chris Halstead wrote:
> OK, it took me a while to get there (had to figure out what our
> equivalent of 'cn=Directory Manager' was), but there are indeed two
> entries for userPassword after I change the password logged in as
> myself to the console.

How are you changing the password through the console? A second value for userPassword is getting added instead of doing a replace of the existing password for some reason.

-NGK

> When I reset the password using PAM-enabled passwd there is only one.
>
> -chris
>
> Nathan Kinder wrote:
>> Chris Halstead wrote:
>>> userPassword has no value at all.
>> Are you searching as "cn=Directory Manager" when you check for
>> userPassword?
>>>
>>> -chris
>>>
>>> Richard Megginson wrote:
>>>> Do you have two values for the userPassword attribute in your entry?
>>>
Chris Halstead
2007-Apr-27 15:45 UTC
Re: [Fedora-directory-users] Previous password still works?
Pretty straightforward:

- run /opt/fedora-ds/startconsole and log in as myself
- go to the 'Users and Groups' tab
- search on my uid
- double-click my account entry
- enter a new password in the 'Password' and 'Confirm Password' inputs
- click OK

When I do the exact same procedure while logged in as an administrator only one userPassword value results.

-chris

Nathan Kinder wrote:
> Chris Halstead wrote:
>> OK, it took me a while to get there (had to figure out what our
>> equivalent of 'cn=Directory Manager' was), but there are indeed two
>> entries for userPassword after I change the password logged in as
>> myself to the console.
> How are you changing the password through the console? A second value
> for userPassword is getting added instead of doing a replace of the
> existing password for some reason.
>
> -NGK
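The thread ends with the diagnosis that the console issued an LDAP modify "add" on userPassword rather than a "replace", so the entry carried two values and a simple bind succeeded against either. The following is an added example written for this page, not code from the thread, from Fedora Directory Server or from its console. It parses the LDIF that an ldapsearch for userPassword (bound as Directory Manager, as Nathan suggests) would return, flags entries with more than one value, models why both passwords then bind, and shows the replace-style modify a password-change form should send. The dc=example,dc=com suffix, the salts and passwords, and the use of {SSHA} as the storage scheme are assumptions made for the example.

```python
"""Audit a directory export for multi-valued userPassword and model the
bind behaviour that results.  Added example, not FDS or console code."""
import base64
import hashlib
import hmac


def make_ssha(password, salt):
    """Build a {SSHA} value: base64(sha1(password + salt) + salt).  SSHA is
    assumed here as the storage scheme; the salts below are constructed."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password, stored):
    """Check a cleartext password against one stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


# Constructed stand-in for the output of
#   ldapsearch -x -LLL -D "cn=Directory Manager" -W -b ou=people,dc=example,dc=com userPassword
# after a modify "add" left a second userPassword value on one entry.
_b64 = lambda s: base64.b64encode(s.encode()).decode()
SAMPLE_LDIF = (
    "dn: uid=chalstead,ou=people,dc=example,dc=com\n"
    f"userPassword:: {_b64(make_ssha('oldpassword', b'salt-old'))}\n"
    f"userPassword:: {_b64(make_ssha('newpassword', b'salt-new'))}\n"
    "\n"
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    f"userPassword:: {_b64(make_ssha('alicepw', b'salt-ali'))}\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "cn: Bob Example\n"
)


def _split_attr(line):
    """Split one unfolded LDIF line into (name, value); 'name::' means base64."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.strip(), base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return name.strip(), rest.strip()


def parse_ldif(text):
    """Parse ldapsearch LDIF into [{'dn': str, 'attrs': {lowercase name: [values]}}]."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, value = _split_attr(line)
        if name.lower() == "dn":
            if current:
                entries.append(current)
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def find_multi_valued(entries, attr="userPassword"):
    """Audit: (dn, count) for every entry holding more than one value of attr."""
    key = attr.lower()
    return [(e["dn"], len(e["attrs"][key])) for e in entries
            if len(e["attrs"].get(key, [])) > 1]


def simple_bind_ok(entry, password):
    """Model of the server's simple bind: accepted if the password verifies
    against ANY stored userPassword value, which is why the old password in
    the thread kept working alongside the new one."""
    return any(verify_ssha(password, v) for v in entry["attrs"].get("userpassword", []))


def apply_modify(entry, op, attr, value):
    """Apply one LDAP modify operation ('add' or 'replace') to a parsed entry."""
    key = attr.lower()
    if op == "replace":
        entry["attrs"][key] = [value]
    elif op == "add":
        entry["attrs"].setdefault(key, []).append(value)
    else:
        raise ValueError(f"unsupported modify op {op!r}")
    return entry


def password_change_ldif(dn, hashed, op="replace"):
    """LDIF a password-change form should send: 'replace' drops the old value,
    'add' reproduces the two-value state seen in the thread."""
    return f"dn: {dn}\nchangetype: modify\n{op}: userPassword\nuserPassword: {hashed}\n-\n"


if __name__ == "__main__":
    for dn, n in find_multi_valued(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {n} userPassword values")
```

Running the script over a real export (replace SAMPLE_LDIF with the saved ldapsearch output) lists every entry whose old password is still live; a replace-style modify on each of those entries, or a normal password change through a path that issues a replace, brings them back to a single value.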