Simo Sorce wrote:
Although we were properly checking that the user successfully
authenticated (either through a password bind or a GSSAPI bind), we were
not enforcing the requirement to provide us with the old password, and
this is better security hygiene.
Tested and works for me.
Properly requires old password for self password changes. Do not require
it for admin password changes.
ack, pushed to master and ipa-2-1
Freeipa-devel mailing list