Ryan Tandy wrote:
> On Mon, Mar 16, 2015 at 05:44:50PM +0000, [email protected] wrote:
>>> ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch
>>>
>>
>> I think this patch is a bit off; it prevents root from supplying the
>> old pwd. (Which it must do if changing its own.)
>
> I don't follow, sorry. If root is the pwdmgr, then the current code
> already omits the old password, even if the request includes it, and
> passwd_extop() seems to be fine with that.

True.

> And if root auths as a DN
> different from the pwdmgr DN, then it's a normal self-change and the old
> password is checked. Did I get some part of that wrong?
>
> You could argue that we should always check the old password if
> provided, even when working as pwdmgr. I would agree with that. It's not
> what the current code does, though.

Right, I think if we're in here anyway we should fix that.

> And on my systems at least, passwd running as root never asks for the
> current password, even when changing root's own password. (Of course
> that might be different elsewhere.)

Admittedly, it's been a long time since I've changed a root password, since I just use ssh keys most of the time.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
