> On 06/09/2014 12:15 PM, Alon Bar-Lev wrote:
> >> From: "Martin Kosek" <mko...@redhat.com>

> >> Given all sort of issues we get, I am thinking we should just revert it
> >> unless
> >> there is a quick fix available.

> > The fix should be for the password modify to work within anonymous bind if
> > old password is specified. I am not sure why IPA enforces non anonymous
> > bind for this extended request.
> > 
> > Applications should also be modified to perform anonymous bind, exactly per
> > this reason.
> > 
> > Searching why IPA requires non anonymous bind is what led me to this bug...
> > :)
> Simo, do you know the historical reason why this is enforced in
> ipapwd_chpwop?

When we started we wanted to allow password changes using GSSAPI for bind 
instead of password based authentication, and we ended up not implementing the 
"old-password" based one at all...

> By quickly looking at the code it should not be difficult to fix, but devil
> is in details and we need to be very cautious in this function.

We just need to be careful about what operations are done, but indeed it 
shouldn't be difficult, I am just not sure it is quick enough for you.
I can take a look in a few.


Freeipa-devel mailing list

Reply via email to