Orion Poplawski
2008-Dec-11 23:38 UTC
[Fedora-directory-users] Allow root to change user's passwords

I'm used to being able to change user's passwords as root using the
"passwd" command on my main server (this was with NIS and the master
shadow file kept on the server). Now with FDS, I get:

# passwd orion
Changing password for user orion.
Enter login(LDAP) password:

and I must enter the password for the user "orion". This gets tricky
when the user has forgotten their password.

Is there a way to avoid this first check and allow root to force a
change of the password?

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  orion@cora.nwra.com
Boulder, CO 80301              http://www.cora.nwra.com

Ryan Manikowski
2008-Dec-11 23:46 UTC
Re: [Fedora-directory-users] Allow root to change user's passwords

I use a program called LDAP Administration Tool (available in debian apt
repo, name = 'lat') which is a gtk app that allows LDAP administration.

Simply connect as 'directory manager' and you can change passwords
through the interface without needing to know the previous password.

Ryan Manikowski
System Administrator
2ergo Americas Inc.
:703.677.8499:
www.2ergo.com
Arlington, Virginia

Orion Poplawski wrote:
> I'm used to being able to change user's passwords as root using the
> "passwd" command on my main server (this was with NIS and the master
> shadow file kept on the server). Now with FDS, I get:
>
> # passwd orion
> Changing password for user orion.
> Enter login(LDAP) password:
>
> and I must enter the password for the user "orion". This gets tricky
> when the user has forgotten their password.
>
> Is there a way to avoid this first check and allow root to force a
> change of the password?
>

Rich Megginson
2008-Dec-11 23:53 UTC
Re: [Fedora-directory-users] Allow root to change user's passwords

Orion Poplawski wrote:
> I'm used to being able to change user's passwords as root using the
> "passwd" command on my main server (this was with NIS and the master
> shadow file kept on the server). Now with FDS, I get:
>
> # passwd orion
> Changing password for user orion.
> Enter login(LDAP) password:
>
> and I must enter the password for the user "orion". This gets tricky
> when the user has forgotten their password.
>
> Is there a way to avoid this first check and allow root to force a
> change of the password?

I don't think so. "root" usually does not exist in LDAP, only in
/etc/passwd, so "root" is not really an LDAP user. I suppose you could
use ldappasswd and bind as "cn=directory manager" instead if you know
the user is an LDAP user.

<lambam80@hotmail.com>
2008-Dec-12 08:24 UTC
RE: [Fedora-directory-users] Allow root to change user's passwords

You could also use the console (export $DISPLAY etc.)

http://directory.fedoraproject.org/
'... Graphical console for all facets of user, group, and server management ...'

It's been a while since I've looked at it, but you may want to
investigate the Directory Server Gateway (DSGW):
http://www.directory.fedora.redhat.com/wiki/DSGW_Install_Guide

Lastly, does anyone have an interesting application that allows users to
request a new password via a Web interface and a subsequent email?

Cheers,
Dave

--------
> Date: Thu, 11 Dec 2008 16:53:21 -0700
> From: rmeggins@redhat.com
> To: fedora-directory-users@redhat.com
> Subject: Re: [Fedora-directory-users] Allow root to change user's passwords
>
> Orion Poplawski wrote:
> > I'm used to being able to change user's passwords as root using the
> > "passwd" command on my main server (this was with NIS and the master
> > shadow file kept on the server). Now with FDS, I get:
> >
> > # passwd orion
> > Changing password for user orion.
> > Enter login(LDAP) password:
> >
> > and I must enter the password for the user "orion". This gets tricky
> > when the user has forgotten their password.
> >
> > Is there a way to avoid this first check and allow root to force a
> > change of the password?
>
> I don't think so. "root" usually does not exist in LDAP, only in
> /etc/passwd, so "root" is not really an LDAP user. I suppose you could
> use ldappasswd and bind as "cn=directory manager" instead if you know
> the user is an LDAP user.

Ryan Braun [ADS]
2008-Dec-12 15:01 UTC
Re: [Fedora-directory-users] Allow root to change user's passwords

On Thursday 11 December 2008 23:38, Orion Poplawski wrote:
> I'm used to being able to change user's passwords as root using the
> "passwd" command on my main server (this was with NIS and the master
> shadow file kept on the server). Now with FDS, I get:
>
> # passwd orion
> Changing password for user orion.
> Enter login(LDAP) password:
>
> and I must enter the password for the user "orion". This gets tricky
> when the user has forgotten their password.
>
> Is there a way to avoid this first check and allow root to force a
> change of the password?

I know it's possible, here is the way my setup (etch) works. It's likely
a PAM issue.

xxxfcst2:~# passwd ryantest
New password:
Re-enter new password:
LDAP password information changed for ryantest
passwd: password updated successfully
xxxfcst2:~# grep ryantest /etc/passwd
xxxfcst2:~# getent passwd|grep ryan
ryantest:x:10058:5000:cfwx Account:/tmp/ryantest:/bin/bash

ytrfcst2:/etc/pam.d# grep -v ^# common*
common-account:account sufficient pam_ldap.so
common-account:account required pam_unix.so
common-auth:auth sufficient pam_ldap.so
common-auth:auth required pam_unix.so nullok_secure use_first_pass
common-password:
common-password:
common-password:password sufficient pam_ldap.so ignore_unknown_user
common-password:password required pam_unix.so nullok obscure min=4 max=8 md5
common-password:
common-password:
common-session:session required pam_unix.so
common-session:session optional pam_ldap.so
xxxfcst2:/etc/pam.d# grep -v ^# passwd
@include common-password
xxxfcst2:/etc/pam.d#

And lastly pam_ldap.conf

xxxfcst2:/etc# grep -v ^# pam_ldap.conf |strings
@(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
base dc=xxx,dc=ec,dc=gc,dc=ca
uri ldap://xxxoff.isb.ec.gc.ca
uri ldap://xxxoff0.isb.ec.gc.ca
uri ldap://xxxoff1.isb.ec.gc.ca
ldap_version 3
rootbinddn cn=directory manager
pam_check_host_attr yes
pam_password exop
ssl start_tls
tls_cacertdir /etc/ldap/cacerts

Orion Poplawski
2009-Apr-29 19:22 UTC
Re: [Fedora-directory-users] Allow root to change user's passwords

Orion Poplawski wrote:
> I'm used to being able to change user's passwords as root using the
> "passwd" command on my main server (this was with NIS and the master
> shadow file kept on the server). Now with FDS, I get:
>
> # passwd orion
> Changing password for user orion.
> Enter login(LDAP) password:
>
> and I must enter the password for the user "orion". This gets tricky
> when the user has forgotten their password.
>
> Is there a way to avoid this first check and allow root to force a
> change of the password?
>

The answer is to set rootbinddn in /etc/ldap.conf and put the directory
manager password into /etc/ldap.secret.

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
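
Added example, not part of the thread or of any project's own tooling: a check of the rootbinddn setup the thread arrives at, covering the two things that setup puts at risk, a directory manager password stored in /etc/ldap.secret and sent to the server on every root bind. The function name audit_rootbind and all sample values are constructed; the TLS test accepts the `ssl start_tls` line shown in the posted pam_ldap.conf, plus `ssl on` or ldaps:// URIs.

```shell
#!/bin/sh
# Added example (not from the thread): audit the rootbinddn setup of a
# pam_ldap client. Prints findings; returns 0 only if nothing is flagged.
# $1 = ldap.conf, $2 = ldap.secret, $3 = expected owner of the secret file.
audit_rootbind() {
    conf=${1:-/etc/ldap.conf}; secret=${2:-/etc/ldap.secret}; owner=${3:-root}
    rc=0
    # Value of the first uncommented rootbinddn line.
    dn=$(awk 'tolower($1) == "rootbinddn" {
                  sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$conf")
    if [ -z "$dn" ]; then
        echo "FAIL: no rootbinddn in $conf"; return 1
    fi
    echo "OK: rootbinddn is '$dn'"
    # The root bind sends the manager password to the server, so require
    # "ssl start_tls", "ssl on", or nothing but ldaps:// URIs.
    if awk 'tolower($1) == "ssl" && tolower($2) ~ /^(start_tls|on)$/ { ok = 1 }
            tolower($1) == "uri" { n++
                for (i = 2; i <= NF; i++) if ($i !~ /^ldaps:/) plain = 1 }
            END { exit !(ok || (n && !plain)) }' "$conf"
    then echo "OK: connection to the directory is encrypted"
    else echo "FAIL: no TLS; the bind password would be sent in clear"; rc=1
    fi
    if [ ! -f "$secret" ]; then
        echo "FAIL: $secret is missing"; return 1
    fi
    # ls -ld rather than stat(1) for portability: field 1 mode, field 3 owner.
    set -- $(ls -ld "$secret")
    mode=$(printf '%s' "$1" | cut -c1-10)
    case $mode in
        -rw-------|-r--------) echo "OK: $secret mode $mode" ;;
        *) echo "FAIL: $secret mode $mode, expected -rw-------"; rc=1 ;;
    esac
    if [ "$3" = "$owner" ]; then echo "OK: $secret owned by $3"
    else echo "FAIL: $secret owned by $3, expected $owner"; rc=1
    fi
    return $rc
}

# Constructed sample (placeholder values, not from any real host).
demo=$(mktemp -d)
printf '%s\n' 'uri ldap://ldap.example.com' 'rootbinddn cn=directory manager' \
    'pam_password exop' 'ssl start_tls' > "$demo/ldap.conf"
printf '%s' 'constructed-secret' > "$demo/ldap.secret"
chmod 644 "$demo/ldap.secret"      # deliberately too open
audit_rootbind "$demo/ldap.conf" "$demo/ldap.secret" "$(id -un)" || true
chmod 600 "$demo/ldap.secret"      # corrected
audit_rootbind "$demo/ldap.conf" "$demo/ldap.secret" "$(id -un)"
```

On a real client, run `audit_rootbind` as root with no arguments to check the default paths named in the thread.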