> On 06/09/2014 12:15 PM, Alon Bar-Lev wrote:
> >> From: "Martin Kosek" <mko...@redhat.com>
> >> Given all sort of issues we get, I am thinking we should just revert it
> >> unless
> >> there is a quick fix available.
> > The fix should be for the password modify to work within anonymous bind if
> > old password is specified. I am not sure why IPA enforces non anonymous
> > bind for this extended request.
> >
> > Applications should also be modified to perform anonymous bind, exactly per
> > this reason.
> >
> > Searching why IPA requires non anonymous bind is what led me to this bug...
> > :)
>
> Simo, do you know the historical reason why this is enforced in
> ipapwd_chpwop?

When we started we wanted to allow password changes using GSSAPI for bind instead of password based authentication, and we ended up not implementing the "old-password" based one at all...

> By quickly looking at the code it should not be difficult to fix, but devil
> is in details and we need to be very cautious in this function.

We just need to be careful about what operations are done, but indeed it shouldn't be difficult, I am just not sure it is quick enough for you. I can take a look in a few.

Simo.