Comment 2 for bug 1415545

Stephen Gallagher (stephen-gallagherhome) wrote : Re: [Bug 1415545] Re: Cannot change LDAP password when ldap_pwd_policy=shadow

On Wed, 2015-01-28 at 19:19 +0000, Jakub Hrozek wrote:
> Here is the most important part of the log:
> (Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [sdap_auth4chpass_done] (0x0020): Changing shadow password attributes not implemented.
>
> The functionality you request is simply not implemented. Because shadow
> attributes are inherently insecure and obsolete, I don't see us
> implementing this functionality ourselves. Patches welcome, though!
>

To clarify, the reason this isn't implemented is that it means that the
password hashes have to be made available to the LDAP user from which
SSSD connects. This means that anyone with root access on an SSSD client
system would have access to all the password hashes on the server. This
is a serious security hole.

The password-policy extended operation is designed to solve this problem
by requiring users to use their own credentials to change the password
(through a mechanism that is also capable of applying security policy
such as minimum password length).
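As an added illustration of the two points above (this is not from the bug report and not SSSD's or OpenLDAP's own shipped configuration), here are the two OpenLDAP access-control layouts the comment contrasts: the one that `ldap_pwd_policy=shadow` would force on the server, and the one that pairs with the Password Modify extended operation (RFC 3062). The database index and every DN below are constructed placeholders.

```ldif
# Added example, not part of the bug report. Placeholder DNs throughout.

# --- Weak layout: what a client-side shadow password change would need ---
# SSSD's bind account must be able to read (and rewrite) userPassword and
# the shadow* attributes. The bind credentials live in sssd.conf on every
# client, so any root on any SSSD client can dump every hash in the tree.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowMax,shadowExpire
  by dn.exact="cn=sssd-bind,ou=service,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to * by * read

# --- Hardened layout: pair with the Password Modify extended operation ---
# The bind account never sees a hash. A user changes their own password by
# binding with their current credentials and sending the extended
# operation; the server hashes and stores the new value itself and can
# enforce its ppolicy overlay (minimum length, history, ...) on the way.
# Client-side equivalent of what SSSD issues, for a manual check:
#   ldappasswd -x -H ldap://ldap.example.com \
#     -D "uid=alice,ou=people,dc=example,dc=com" -W -S
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to attrs=shadowLastChange,shadowMax,shadowExpire
  by self write
  by * read
olcAccess: {2}to * by * read
```

In the hardened layout the only principal that can write `userPassword` is the entry itself (`by self write`), and `by anonymous auth` allows the simple bind that proves the user knows the current password without ever returning the stored hash. The shadow expiry attributes stay readable because they carry no secret, but no service account is given blanket read on the hash attribute.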