passwd -e does not work for LDAP users

Bug #774580 reported by Enrique
This bug affects 2 people
Affects: shadow (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

I am trying to set the password of an LDAP user as expired using option -e of the passwd command.
However, I get the following message:
# passwd -e testldap
passwd: user 'testldap' does not exist in /etc/passwd

However, the command
# passwd testldap
works flawlessly, so the user is found in the LDAP database (and indeed can log in).

BTW, the following command also gives the same problem:
# chage -d 0 testldap

I am using Lucid with the following package versions:
ii passwd 1:4.1.4.2-1ubuntu2.2
ii libpam0g 1.1.1-2ubuntu5
ii libpam-modules 1.1.1-2ubuntu5
ii debianutils 3.2.2
ii libselinux1 2.0.89-4
ii libc6 2.11.1-0ubuntu7.8

Regards

Mei (ddouthitt) wrote :

This bug remains. Is it possible that the password aging sequence is not using PAM?

# passwd -e foo
passwd: user 'foo' does not exist in /etc/passwd
# passwd foo
Password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
LDAP password information changed for snagoor
passwd: password updated successfully
# cat /etc/*ease
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04.3 LTS"
# dpkg -l | grep -E "(passwd|pam|debian|libsel|libc6)"
ii auth-client-config 0.9 pam and NSS profile switcher
ii base-passwd 3.5.22 Debian base system master password and group files
ii debianutils 3.2.2 Miscellaneous utilities specific to Debian
ii libc6 2.11.1-0ubuntu7.8 Embedded GNU C Library: Shared libraries
ii libc6-i686 2.11.1-0ubuntu7.8 GNU C Library: Shared libraries [i686 optimized]
ii libpam-cracklib 1.1.1-2ubuntu5.4 PAM module to enable cracklib support
ii libpam-ldap 184-8.2ubuntu1 Pluggable Authentication Module for LDAP
ii libpam-modules 1.1.1-2ubuntu5.4 Pluggable Authentication Modules for PAM
ii libpam-runtime 1.1.1-2ubuntu5.4 Runtime support for the PAM library
ii libpam0g 1.1.1-2ubuntu5.4 Pluggable Authentication Modules library
ii libparse-debianchangelog-perl 1.1.1-2ubuntu2 parse Debian changelogs and output them in other formats
ii libparted0debian1 2.2-5ubuntu5.2 The GNU Parted disk partitioning shared library
ii libselinux1 2.0.89-4 SELinux runtime shared libraries
ii odbcinst1debian1 2.2.11-21 Support library for accessing odbc ini files
ii passwd 1:4.1.4.2-1ubuntu2.2 change and administer password and group data

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in shadow (Ubuntu):
status: New → Confirmed

Mei (ddouthitt) wrote :

This is behavior present in passwd; the passwd binary is not part of the shadow package.

Mei (ddouthitt) wrote :

Looking at the strace (and ltrace) output from passwd, it looks like it opens /etc/passwd and /etc/shadow directly instead of using PAM, getent, or another method.

Nicolas François (nekral-lists) wrote :

It is the expected behavior.

passwd uses PAM to change the password, but there is no API to expire a password.
(I have no idea whether there would be such a feature in an LDAP user database; if this exists, then some LDAP tools are needed.)

What could be done is to document in the manpages the options which require /etc/shadow storage.
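
The distinction this thread arrives at, as an added example that is not part of the bug report or of the shadow package: an account can resolve through NSS (here LDAP) without having the local entry that `passwd -e` and `chage -d 0` look for. The function names, the `nss_lookup` wrapper and the report wording are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): tell apart accounts that have a
# local /etc/passwd entry from accounts that only resolve through NSS, such
# as LDAP users. The thread shows passwd -e and chage -d 0 failing for the
# second kind. All function names here are hypothetical.

# NSS lookup (files, LDAP, ...), wrapped in a function so it can be replaced.
nss_lookup() {
    getent passwd "$1" 2>/dev/null
}

# Succeeds when user $1 has an entry in passwd-format file $2.
in_local_file() {
    [ -r "$2" ] &&
        awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# Prints one of: local | nss-only | unknown
account_source() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    if in_local_file "$user" "$passwd_file"; then
        echo local
    elif [ -n "$(nss_lookup "$user")" ]; then
        echo nss-only
    else
        echo unknown
    fi
}

# Print what to expect from the local aging options for each name given.
report() {
    for u in "$@"; do
        case $(account_source "$u") in
            local)    echo "$u: local entry, passwd -e and chage -d 0 apply" ;;
            nss-only) echo "$u: NSS only, not in /etc/passwd, passwd -e will refuse" ;;
            *)        echo "$u: not found" ;;
        esac
    done
}

# Usage: sh account_source.sh testldap root
if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

Running it over the accounts that are expected to have forced password changes shows which of them the local tools cannot expire, so that expiry for those can be handled on the directory side if the directory offers it.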
