ldap auth with nss_ldap on FC4

Uno Engborg uno at webworks.se
Mon Jun 27 16:03:31 UTC 2005


Gordon Messmer wrote:

> Uno Engborg wrote:
>
>> Gordon Messmer wrote:
>>
>>>
>>> You normally don't need it, so I'd suggest that you use the included 
>>> config tools to set up a working client configuration, and then 
>>> decide whether or not you have a need for that option.
>>
>>
>> If you do that, the passwd command will not work, at least not for root.
>
>
> I did that, and I can change any user's password as root, including 
> the root user.
>
>> If I do "passwd uengborg" as root I get:
>>
>> Enter login(LDAP) password:
>> New UNIX password:
>> Retype Unix password:
>> LDAP password information update failed: Can't contact LDAP server
>>
>> passwd: Permission denied
>
>
> [root at herald ~]# passwd gordon
> Changing password for user gordon.
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information changed for gordon
> passwd: all authentication tokens updated successfully.
>
Strange.
Isn't the rootbinddn in /etc/ldap.conf supposed to make it possible to
map the root unix user to a privileged ldap dn that is given the rights to
change anything in the LDAP database, either by being the ldap database
manager user, or by ACL settings?

If you can change the password of any user as root, without specifying
a rootbinddn, that smells like you may have a security problem to me. Or
does your system-config-authentication actually configure your
rootbinddn and set up an ldap.secret file?

I was under the impression that users bind as themselves when they
change passwords. Isn't that why we need a self write for the
userPassword entry in the LDAP ACLs? If you can change
passwords as root, that would imply that pam always connects to LDAP
with LDAP manager permissions. Or perhaps I'm missing something.

I think the problems I am having may be related to bug 161437
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161437>, which is a
problem with newlines in ldap.secret.

/uno
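A defender-side check for the mechanism discussed in the message above, added here and not part of the original post or of nss_ldap: rootbinddn in ldap.conf is only useful if /etc/ldap.secret holds the bind password alone and is readable by root only. The script below is constructed for this page and assumes GNU stat (as on Fedora). It flags a file that is not owned by the expected user, not mode 600/400, empty, or that contains any newline or carriage return; whether the client strips a trailing newline differs between nss_ldap versions, so rejecting it outright is the conservative choice. The demonstration runs on files created in a temporary directory, never on the real /etc/ldap.secret.

```shell
#!/bin/sh
# Constructed example: sanity checks for the ldap.secret file that
# pam_ldap/nss_ldap read to obtain the bind password for rootbinddn.
# Assumes GNU stat. Returns 0 when the file looks usable, 1 otherwise,
# printing one line per problem found.

check_ldap_secret() {
    f=$1
    want_owner=${2:-root}   # expected owner; root on a real system
    rc=0

    if [ ! -f "$f" ]; then
        echo "$f: missing or not a regular file"
        return 1
    fi

    # The file holds a privileged bind password: only its owner may read it.
    owner=$(stat -c '%U' "$f")
    mode=$(stat -c '%a' "$f")
    if [ "$owner" != "$want_owner" ]; then
        echo "$f: owner is $owner, expected $want_owner"
        rc=1
    fi
    case $mode in
        600|400) ;;
        *) echo "$f: mode $mode, expected 600"; rc=1 ;;
    esac

    # Content must be exactly the password, nothing else.
    if [ ! -s "$f" ]; then
        echo "$f: empty"
        return 1
    fi
    newlines=$(wc -l < "$f" | tr -d ' ')
    if [ "$newlines" -ne 0 ]; then
        # Look at the final byte to tell a trailing newline from one in the middle.
        last=$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')
        if [ "$last" = 0a ] && [ "$newlines" -eq 1 ]; then
            echo "$f: trailing newline (sent as part of the password unless the client strips it)"
        else
            echo "$f: contains $newlines newline(s); the password must be on a single line"
        fi
        rc=1
    fi
    # A carriage return (file edited on Windows) is never part of the password.
    if ! tr -d '\r' < "$f" | cmp -s - "$f"; then
        echo "$f: contains a carriage return"
        rc=1
    fi
    return $rc
}

# Demonstration on constructed files in a temporary directory.
# The expected owner is passed explicitly so this also runs as a non-root user.
demo=$(mktemp -d)
me=$(id -un)
printf 'S3cr3tBindPw'   > "$demo/good";          chmod 600 "$demo/good"
printf 'S3cr3tBindPw\n' > "$demo/trailing";      chmod 600 "$demo/trailing"
printf 'S3cr3tBindPw'   > "$demo/worldreadable"; chmod 644 "$demo/worldreadable"
check_ldap_secret "$demo/good" "$me"          && echo "good: OK"
check_ldap_secret "$demo/trailing" "$me"      || echo "trailing: rejected"
check_ldap_secret "$demo/worldreadable" "$me" || echo "worldreadable: rejected"
rm -rf "$demo"
```

On a real client the call is simply `check_ldap_secret /etc/ldap.secret`; a non-zero exit with the printed reason is what to look at before suspecting the server or the ACLs.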