> On 06/09/2014 12:15 PM, Alon Bar-Lev wrote:
> >> From: "Martin Kosek" <mko...@redhat.com>
> >> Given all sorts of issues we get, I am thinking we should just revert it
> >> unless there is a quick fix available.
> > The fix should be for the password modify to work within anonymous bind if
> > old password is specified. I am not sure why IPA enforces non-anonymous
> > bind for this extended request.
> > Applications should also be modified to perform anonymous bind, exactly per
> > this reason.
> > Searching why IPA requires non-anonymous bind is what led me to this bug... :)
> Simo, do you know the historical reason why this is enforced in
When we started we wanted to allow password changes using GSSAPI for bind
instead of password based authentication, and we ended up not implementing the
"old-password" based one at all...
> By quickly looking at the code it should not be difficult to fix, but the devil
> is in the details and we need to be very cautious in this function.
We just need to be careful about what operations are done, but indeed it
shouldn't be difficult, I am just not sure it is quick enough for you.
I can take a look in a few.
Freeipa-devel mailing list