Thanks for the report.

> I also noticed that pwmod always bails out if no pwdmgr dn is configured, even
> if it shouldn't be needed (i.e. user changing own password).
>
> The following patches solve these problems by requiring the old password to be
> supplied unless working as pwdmgr; by only allowing root to authc or pwmod as
> pwdmgr (adapted from nss-pam-ldapd); and by silently skipping the pwdmgr check
> if it's not configured.
>
> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch

I think this patch is a bit off; it prevents root from supplying the old pwd.
(Which it must do if changing its own.)

> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-only-allow-root-to-become-pwdmgr.patch
> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-allow-user-pwmod-without-pwdmgr-configured.patch

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/