On Wed, 2015-01-28 at 19:19 +0000, Jakub Hrozek wrote:
> Here is the most important part of the log:
> (Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [sdap_auth4chpass_done] (0x0020): Changing shadow password attributes not implemented.
>
> The functionality you request is simply not implemented. Because shadow attributes are inherently insecure and obsolete, I don't see us implementing this functionality ourselves. Patches welcome, though!
To clarify, the reason this isn't implemented is that it means that the password hashes have to be made available to the LDAP user from which SSSD connects. This means that anyone with root access on an SSSD client system would have access to all the password hashes on the server. This is a serious security hole.

The password-policy extended operation is designed to solve this problem by requiring users to use their own credentials to change the password (through a mechanism that is also capable of applying security policy such as minimum password length).

Bug: https://bugs.launchpad.net/bugs/1415545
Title: Cannot change LDAP password when ldap_pwd_policy=shadow
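To make the trust-boundary difference concrete, here is an sssd.conf fragment added as an illustration (not from the bug report or the SSSD project) showing the setting the reporter used beside the configuration under which SSSD changes passwords with the extended operation; the domain name, server URI, search base and bind DN are constructed placeholders.

```ini
# Added example: sssd.conf domain section. All names below are placeholders.
[domain/example]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# Service credential every SSSD client holds; root on any client can read it.
ldap_default_bind_dn = cn=sssd-client,ou=services,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE_ME

# Setting from the bug report. Changing a password in shadow mode would mean
# SSSD rewriting userPassword and the shadow attributes (shadowLastChange, ...)
# itself, so the bind DN above would need read/write access to every account's
# password hash. SSSD refuses and logs
# "Changing shadow password attributes not implemented".
#ldap_pwd_policy = shadow

# Working configuration: keep the default policy. With chpass_provider = ldap,
# SSSD binds as the user with the old password and sends the LDAP Password
# Modify extended operation (RFC 3062). The server verifies the old password
# and applies its own policy (e.g. minimum length); the sssd-client bind DN
# never needs access to userPassword.
ldap_pwd_policy = none
```

The shadow attributes can still be read for expiry warnings if the server exposes them, but password changes must go through the extended operation.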